Send PHI via email

Email can be used to send PHI only when there is a direct business need, and only by following a set of specific, prescribed actions. This recipe addresses two distinct use cases for sending critical data by email: to internal or external collaborators, and to subjects and patients or their representatives. In either use case, your email account should be used only to transmit PHI, not to store or archive it.

Prerequisites

Directions

Business and Research Email Communications With PHI

  1. Log in to your IU Exchange email

  2. Enter the recipient's contact information for your email

    1. Verify the information is correct

  3. If sending to external collaborators, encrypt your email with the bracketed, case-sensitive text: [Secure Message]

    1. Note: emails do not need to be encrypted if sent to recipients internal to IU, or to external members of IU Health, IU Health Physicians, Eskenazi Health, or the Regenstrief Institute.

  4. Write the body of your email, including the PHI and only the minimum information necessary

    1. Optional: consider asking the recipient not to respond to this email to avoid having the PHI proliferate and end up back in your inbox

  5. Verify for a second time that the recipient information is correct

  6. Send the email

  7. Delete the email from your sent box

    1. Remove the email from your email service's trash.

Note: if you receive a response that returns the PHI to your inbox, make sure to go through the deletion process again.

Patient and Research Subject Email Communications With PHI

  1. Advise the patient or research subject (or representative) of the risks associated with sharing identifiable and protected health information via unencrypted email communications

  2. Receive consent to contact the patient or research subject in this manner by having them complete an "Indiana University Authorization for Unsecure Electronic Communication" form, which at a minimum must:

    1. include the risks of using unsecured electronic communication

    2. include the specific purpose or reason for the electronic communication

  3. Follow the steps above from the "Business and Research Email Communications With PHI" section to send the email unencrypted.

Other Considerations

  • For extremely sensitive information, such as HIV status, mental health, substance abuse, etc., consider whether your circumstances or needs are truly exceptional enough to warrant sending PHI this way.

  • Never archive emails with PHI, and only store them as long as there is a business need.

  • Misdirected emails are treated as a breach of information incident and must comply with IUISPP-26, "Information and Information System Incident Reporting, Management, and Breach Notification," which requires you to immediately report the incident to the University Information Policy Office (UIPO).

  • You cannot send PHI through general instant messaging platforms, from a personal device, or through a personal email account.

  • Do you want to send an attachment too large for email? Consider using Secure Share to send the attachments.

Additional Resources


We want your feedback

Please email securemyresearch@iu.edu to report errors/omissions and send critiques, suggestions for improvements, new use cases/recipes, or any other positive or negative feedback you might have. It will be your contribution to the Cookbook and appreciated by all who use it.