School of Medicine and Public Health HIPAA Security Policy 9.2 Electronic Communication

1.  Purpose

Special measures must be taken when using electronic communication that contains PHI to prevent access by unauthorized third parties. 

2.  Definitions 

2.1. Electronic Communication: Any mechanism that transfers information electronically including but not limited to email, instant messaging and file transfer protocol.

3.  Policy

3.1. All SMPH staff and students must use e‐mail addresses provided by their employer or by UW‐Madison for jobrelated communication. These email addresses always end in wisc.edu, uwhealth.org or va.gov. Use of personal or home email addresses for business purposes is prohibited 

3.2. Messages may never be automatically forwarded to any external email provider outside of the wisc.edu domain such as Gmail or Hotmail. 

3.3. All provider‐patient email is subject to UW‐Madison Policy 8.6: E‐Mail Communication Between Providers And Patients Guidelines.

3.4. Messages containing PHI sent to locations outside of the Affiliated Covered Entity must be encrypted using a mechanism approved by your departmental IT group when possible.

3.5. Upon termination of any staff member, student or other email account holder's relationship with the SMPH, the corresponding email account must disabled with respect to transmitting messages.  Auto‐reply messages may be sent to indicate the new email address when available.

4.  Departmental Procedures 

4.1.Each department will develop a written procedure that includes inventory of email and Web servers and clients used by account holders and methods for encrypting PHI during transmission.

5.  References

5.1. Related HIPAA Security Policies

• Portable Devices

5.2. UWHC Policy 6.31: E‐Mail Transmission of Protected Health Information

5.3. UWHC Policy 6.32: Provider‐Patient E‐mail

5.4. UWMF Policy MF013: E‐Mail of PHI from Health Care Provider to Patient