For sending PHI through digital communications, email may be used only when there is a direct business need and only with the specific, prescribed actions below. This recipe covers two distinct use cases for sending critical data by email: to internal or external collaborators, and to research subjects, patients, or their representatives. In either case, your email account must be used only for transmission, never to store or archive PHI.
Prerequisites
Directions
Business and Research Email Communications With PHI
1. Log in to your IU Exchange email.
2. Enter the recipient's contact information for your email.
3. Verify that the recipient information is correct.
4. If sending to external collaborators, encrypt your email by adding the bracketed, case-sensitive tag: [Secure Message]
   Note: emails do not need to be encrypted when sent to recipients internal to IU, or to external members of IU Health, IU Health Physicians, Eskenazi Health, or the Regenstrief Institute.
5. Write the body of your email, including the PHI and only the minimum information necessary.
6. Optional: consider asking the recipient not to reply to this email, so the PHI does not proliferate and end up back in your inbox.
7. Verify a second time that the recipient information is correct.
8. Send the email.
9. Delete the email from your Sent folder.
10. Remove the email from your email service's trash.
   Note: if you receive a reply that returns the PHI to your inbox, go through the deletion process again.
Patient and Research Subject Email Communications With PHI
1. Advise the patient or research subject (or their representative) of the risks of sharing identifiable and protected health information via unencrypted email.
2. Obtain consent to contact the patient or research subject in this manner by having them complete an "Indiana University Authorization for Unsecure Electronic Communication" form, which at a minimum must:
   - include the risks of using unsecured electronic communication
   - include the specific purpose or reason for the electronic communication
3. Follow the steps in the Business and Research Email Communications With PHI section above to send the email unencrypted.
Other Considerations
- For extremely sensitive information, such as HIV status, mental health, or substance abuse, consider whether your circumstances or needs are truly exceptional enough to warrant sending PHI this way.
- Never archive emails containing PHI, and keep them only as long as there is a business need.
- A misdirected email is treated as an information breach incident and falls under IUISPP-26, "Information and Information System Incident Reporting, Management, and Breach Notification," which requires you to report the incident immediately to the University Information Policy Office (UIPO).
- You may not send PHI through general instant messaging platforms from a personal device, or through a personal email account.
- Need to send an attachment too large for email? Consider using Secure Share to send the attachments.
Additional Resources