X-99.09(A)

UMB Electronic Messaging and HIPAA Compliance

Information Technology

---

Responsible VP/AVP

Peter J. Murray, PhD, CAS, MS

---

Applies to Faculty, Staff

---

Policy Statement

The HIPAA Security Rule mandates that covered entities develop and implement policies and procedures to safeguard Electronic Protected Health Information (ePHI). The purpose of this policy is to establish rules and requirements for maintaining HIPAA compliance when using email to send Protected Health Information (PHI).

While email is a commonly used communication tool, it has been proven to be an insecure means of sending information. This causes great concern when an email message contains confidential information, such as PHI. The use of electronic mail, when used prudently, can greatly enhance communication between a physician and his/her patient. However, when used carelessly it can open the provider to potential legal and compliance problems. This policy attempts to balance the need for electronic communications between physicians and patients while maintaining the privacy and security of the content.

---

Scope

HIPAA applies only to covered entities. A covered entity might be a hospital, a physician practice, or any other provider who transmits health information in electronic form.

---

General Rules and Standards within the HIPAA Security Rule

A covered entity must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the standards or implementation specifications.

The policy applies to transmission of any personal health information (PHI) as defined by HIPAA regardless of transaction type.

Implement a mechanism to encrypt and decrypt electronic protected health information.

Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

---

General Email Use Requirements

All covered entities must develop policies pertaining to electronic communication with patients and providers containing PHI.

PHI should never be sent in clear text format, any electronic communications containing PHI must be encrypted.

All UMB employees that require the use of email to communicate PHI must do so through a UMB managed email account, i.e. @umaryland.edu, @umm.edu.

Personal email accounts (Google, AOL, Comcast, Hotmail, etc.) are NOT to be used when communicating ePHI. Automatically forwarding email to a non-UMB account (auto-forwarding) or receiving messages in an UMB account while also automatically forwarding a copy of the email message to a non-UMB account (storing and forwarding) is NOT permitted.

UMB CITS has implemented a secure messaging system that provides encrypted email communications between patients and covered entities. The UMB secure messaging system provides the following:

Confidentiality and privacy of the information exchanged.

Integrity and confirmation of the information exchanged.

Availability and delivery of the information exchanged.

Each entity that chooses to use the UMB secure messaging system will be required to work with CITS Infrastructure Services to configure the secure messaging system to your specific requirements, i.e. detect specific patient identification numbers. Email that is required to be sent securely will be handled as follows:

Outbound mail that contains “secure” in the subject field will automatically be encrypted with RSA Email DLP encryption.

Outbound mail that causes a DLP filter violation will automatically be encrypted with RSA DLP encryption.

If neither of the above requirements are met the email will be TLS encrypted.

The system has the capability to apply other actions to emails that are detected to contain personally identifiable information such as notify the user or an alternate individual of the violation.

---

General Provisions

The UMB IT Security Officer in cooperation with the HIPAA security office for a covered entity shall be responsible for reviewing the configuration of the secure messaging system and certifying that emails are secure in accordance with this policy.

The UMB IT Security Officer in cooperation with the HIPAA security office for a covered entity will ensure that all processes and/or technical solutions relating to assignment and management of information access privileges are documented and retained. The UMB IT Security Officer in cooperation with the HIPAA security officer for a covered entity will work with individuals from the covered entities to ensure the various related implementation tasks are completed and are in full compliance with this policy.

The UMB IT Security Officer will work with the appropriate individuals to ensure that this policy, as well as related policies and procedures, will be updated and kept current with HIPAA privacy and security rules.