
10. HIPAA Policy Summary – Sending PHI in Email

The University’s Safeguards Policy covers three main areas of HIPAA compliance. The focus of this summary is Technical Safeguards, specifically email. The University is required to have in place reasonable safeguards to (1) limit access to e-PHI to authorized individuals and (2) protect against unauthorized disclosures of e-PHI. These safeguards include, at a minimum, those below. Each HCC, however, must put in place additional safeguards, based on the clinic or area technology used, operations, types of services provided, and nature of information maintained. All emails containing PHI should only be sent for Treatment, Payment or Healthcare Operation purposes.

  1. Sending Email Containing PHI within the University or to OU Medical Center
    1. Email from an OUHSC.EDU, OU.EDU, or HCAHealthcare.com email address to an OUHSC.EDU, OU.EDU, or HCAHealthcare.com email address is secure.  However, content should be limited to the minimum necessary or a limited data set. (See IT's Secure Email Policy for a list of other secure connections)
    2. Within the University, PHI may be emailed only to another University Health Care Component unless you have patient Authorization to send to another University area or the disclosure is for treatment, payment, or operations.
    3. The recipient’s name and email address should be verified before the message is sent.
    4. No PHI may be included in the subject line.

  2. Sending Email Containing PHI Outside the University or OU Medical Center
    1. The message must be encrypted between the sender and recipient in a manner that meets HIPAA requirements (consult your IT professional if you are not sure), or the message must be sent using the University’s Secure Messaging or Secure Email program, an approved patient portal or the like. Contact IT for assistance.
    2. Content should be limited to the minimum necessary or a limited data set.
    3. The recipient’s name and email address should be verified before the message is sent.
    4. No PHI may be included in the subject line.

  3. Responding to Email from Outside the University or HCA that Requests PHI*
    1. If you receive an email from a patient or other individual from a non-OU or non-HCA email address, you must:
      1. Inform the individual that you need to communicate by phone or in person, if the individual has not set up a secure email/secure messaging account with the University or encryption is not used by sender and recipient (see sample response in Safeguards policy), or
      2. Respond via a secure method, observing the minimum necessary standard or by limited data set, if the email is received through one of the secure accounts or is otherwise encrypted.

*You should not send PHI by email, even if a patient or other individual requests the information be sent via email. If a patient insists on receiving PHI via unencrypted email, follow the steps outlined in the Safeguards policy or contact the Privacy Official or OUP Medical Records Office for assistance. You should never send PHI in a manner that you are not comfortable is secure.

All email containing PHI sent by University Health Care Components should include a Confidentiality Notice.  A sample notice is included in the Safeguards policy, available on the University’s HIPAA webpage.

Revised: 5.25.17

The University of Oklahoma Health Sciences Center

Office of Compliance
P. O. Box 26901
Oklahoma City, OK 73129
Phone: (405) 271-2511, (866) 836-3150
Fax: (405) 271-1076

Copyright © 2014 The Board of Regents of the University of Oklahoma, All Rights Reserved.