    Policies and Procedures

    Information Technology Policies


    UMB Electronic Messaging and HIPAA Compliance

    X-99.09(A)  |  Information Technology  |  Approved   |  Last Reviewed April 30, 2024

    Responsible VP/AVP: Peter J. Murray, PhD, CAS, MS

    Applies to: Faculty, Staff

    Policy Statement

    The HIPAA Security Rule mandates that covered entities develop and implement policies and procedures to safeguard Electronic Protected Health Information (ePHI). The purpose of this policy is to establish rules and requirements for maintaining HIPAA compliance when using email to send Protected Health Information (PHI).

    While email is a commonly used communication tool, it has been proven to be an insecure means of sending information. This causes great concern when an email message contains confidential information, such as PHI. Electronic mail, when used prudently, can greatly enhance communication between a physician and his/her patient. However, when used carelessly, it can open the provider to potential legal and compliance problems. This policy attempts to balance the need for electronic communications between physicians and patients with maintaining the privacy and security of the content.


    Scope

    HIPAA applies only to covered entities. A covered entity might be a hospital, a physician practice, or any other provider who transmits health information in electronic form.


    General Rules and Standards within the HIPAA Security Rule

    A covered entity must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the standards or implementation specifications.

    The policy applies to transmission of any personal health information (PHI) as defined by HIPAA regardless of transaction type.

    Implement a mechanism to encrypt and decrypt electronic protected health information.

    Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.


    General Email Use Requirements

    All covered entities must develop policies pertaining to electronic communication with patients and providers containing PHI.

    PHI should never be sent in clear text format; any electronic communications containing PHI must be encrypted.

    All UMB employees who require the use of email to communicate PHI must do so through a UMB managed email account, i.e., @umaryland.edu, @umm.edu.

    Personal email accounts (Google, AOL, Comcast, Hotmail, etc.) are NOT to be used when communicating ePHI. Automatically forwarding email to a non-UMB account (auto-forwarding) or receiving messages in a UMB account while also automatically forwarding a copy of the email message to a non-UMB account (storing and forwarding) is NOT permitted.

    UMB CITS has implemented a secure messaging system that provides encrypted email communications between patients and covered entities. The UMB secure messaging system provides the following:

    • Confidentiality and privacy of the information exchanged.
    • Integrity and confirmation of the information exchanged.
    • Availability and delivery of the information exchanged.

    Each entity that chooses to use the UMB secure messaging system will be required to work with CITS Infrastructure Services to configure the secure messaging system to its specific requirements, i.e., detect specific patient identification numbers. Email that is required to be sent securely will be handled as follows:

    • Outbound mail that contains “secure” in the subject field will automatically be encrypted with RSA Email DLP encryption.
    • Outbound mail that causes a DLP filter violation will automatically be encrypted with RSA DLP encryption.
    • If neither of the above conditions is met, the email will be TLS encrypted.

    The system has the capability to apply other actions to emails that are detected to contain personally identifiable information, such as notifying the user or an alternate individual of the violation.


    General Provisions

    The UMB IT Security Officer in cooperation with the HIPAA security office for a covered entity shall be responsible for reviewing the configuration of the secure messaging system and certifying that emails are secure in accordance with this policy.

    The UMB IT Security Officer in cooperation with the HIPAA security office for a covered entity will ensure that all processes and/or technical solutions relating to assignment and management of information access privileges are documented and retained. The UMB IT Security Officer in cooperation with the HIPAA security officer for a covered entity will work with individuals from the covered entities to ensure the various related implementation tasks are completed and are in full compliance with this policy.

    The UMB IT Security Officer will work with the appropriate individuals to ensure that this policy, as well as related policies and procedures, will be updated and kept current with HIPAA privacy and security rules.



    University of Maryland Baltimore

    The University of Maryland, Baltimore is the founding campus of the University System of Maryland.

    620 W. Lexington St., Baltimore, MD
    21201 | 410-706-3100
