10. I need to email patient or research participant PHI to an off-campus email address. What should I do?
Before You Hit Send…
If emailing off-campus is necessary and permissible under your department or clinic rules, be sure your email is sent via a secure method and goes only to individuals authorized to receive the PHI. Secure methods include (1) using the patient portal and (2) putting [secure] in the subject line, using the brackets. Messages between ouhsc.edu email addresses are automatically encrypted, as are messages between an ouhsc.edu email address and an HCA email address, so these messages are secure as well.
Sending PHI via unsecured email – even to research sponsors or other providers – is a violation of HIPAA policy and can easily lead to a breach. The Office for Civil Rights may impose monetary penalties for HIPAA breaches, especially those that result from deliberate disregard for patient privacy. Check your email recipients and confirm that the method you are using to send PHI to a non-OUHSC or non-HCA email address is secure – if in doubt, contact OUP IS or IT Security. Finally, be sure you are NOT using auto-forwarding or redirecting your messages to accounts outside of the University email system.
Relevant HIPAA Policies and forms can be found at the University’s HIPAA website (https://apps.ouhsc.edu/hipaa/). (OU Physicians employees should also refer to MR 36 for specific OUP policy on emailing patients.)
If you have questions about these or any other HIPAA topics or would like to schedule a department training, please contact any of us; we are eager to help!