THE COMMITTEE ON HUMAN RESEARCH
HIPAA AND HUMAN RESEARCH
Email and Fax Restrictions for Using PHI:
• Can I send PHI via Email from the UCSF campus?
• Can I send PHI via Email from the Medical Center?
• Can I send PHI via FAX?
• Can I use password protection for PHI attachments to Email?
• Should I include a confidential footer message in my emails?
• Will email eventually be secured at UCSF?
Can I send PHI via Email from the UCSF campus?
No. At this time, PHI cannot be sent via E-mail, as campus email is not secure. Even if you are sending PHI from your UCSF address to someone else with a UCSF email address, it is not secure.
For example, all email senders with the address “@xxxxxx.ucsf.edu” should not include PHI in their email unless it is encrypted. Even if you are sending email to someone in the Medical Center (which has a secure email firewall), it is still not secure.
| FROM address: | TO address: | PHI without encryption? |
| @xxxxxx.ucsf.edu | @xxxxxx.ucsf.edu | NO |
| @xxxxxx.ucsf.edu | @ucsfmedctr.org | NO |
| @xxxxxx.ucsf.edu | @any other address | NO |
Can I send PHI via Email from the Medical Center?
It depends on what address the email with PHI will be sent to. At this time, the only secure email servers are behind the Medical Center firewall. This means that as long as the email is sent from and to the @ucsfmedctr.org address, it may contain PHI.
From and to the Medical Center: Yes, but only from and to the Medical Center address (@ucsfmedctr.org). People with this address can send each other PHI attachments only from their @ucsfmedctr.org address to another @ucsfmedctr.org address.
From the Medical Center to outside the Medical Center: No. PHI cannot be directly emailed to any address other than “@ucsfmedctr.org.” Even if you are emailing PHI from the Medical Center to a UCSF campus email address, it will not be secure.
All PHI must be encrypted if leaving the medical center network.
For example:
| FROM address: | TO address: | PHI without encryption? |
| @ucsfmedctr.org | @ucsfmedctr.org | YES |
| @ucsfmedctr.org | @xxxxxx.ucsf.edu | NO |
| @ucsfmedctr.org | @any other email address | NO |
Can I send PHI via FAX?
Yes, but only to secured fax machines. Never fax information to an unsecured fax machine. A secured fax machine is one that is located in a restricted environment. Recommended best practices include:
• Always check the destination fax number before faxing.
• The first time you use a fax destination number, send a cover sheet requesting confirmation that the fax number is authorized to receive the PHI. After you receive the fax number confirmation, keep a copy in your files.
• Use cover sheets containing the confidentiality statement: This email message is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.
• Return items you receive that were faxed to the wrong location or improperly faxed and advise the sender of the error.
Can I use password protection for PHI attachments to Email?
No. Simply password protecting an email attachment is not acceptable protection. You must encrypt the PHI document before emailing it. This is true even if you are sending it from campus to someone else within the campus.
Should I include a confidential footer message in my emails?
Yes. When sending email, you should always include confidentiality footers. It is required for emails that contain confidential, sensitive or protected health information. And, just as importantly, email can be sent to the wrong address or, if there is PHI, it can be sent accidentally without the required confidentiality footer, especially if you have a high volume of email correspondence. Therefore, it is a good idea to automatically include a footer such as the one below in every email, rather than deciding piecemeal when to include it:
This email message is for the sole use of the intended recipient(s)
and may contain confidential and privileged information. Any unauthorized
review, use, disclosure or distribution is prohibited. If you are
not the intended recipient, please contact the sender by reply
email and destroy all copies of the original message.
Will email eventually be secured at UCSF?
Yes. The UCSF HIPAA security team is currently working with the SOM and others on how to implement a secure email solution sometime in 2004. Until this occurs, only encrypted PHI should go out via email. There will be campus wide announcements as well as an update on this website when the email becomes secure.
Please read The UCSF HIPAA Handbook for guidance on computer systems and electronic transmission of information. If you don’t have Adobe Acrobat, instructions for downloading it can be found at the education page of the HIPAA Implementation Website.