Outbound email encryption enabled March 2
Effective today, March 2, 2015, UMHS is enabling the encryption of outbound email messages so that email with potentially identifiable patient information or other sensitive data will be transmitted securely if it is sent outside the Outlook/Exchange med.umich.edu system.
Encryption for outbound email represents a major accomplishment for the Enterprise Encryption Initiative endorsed last fall by senior leadership. Each year, approximately 36,000 messages containing identifiable patient information or other sensitive data are sent externally, and these could be interpreted as HIPAA/HITECH incidents.
Now, if someone from UMHS chooses to use email to transmit a secure message outside of UMHS to an external email address, such as Gmail or Yahoo, as well as an @umich.edu address, the sender should write [SECURE] (as written in brackets) in the subject line. This will trigger the system to encrypt the message and send it securely. File attachments will also be encrypted. The data limit for outbound email is 25 MB.
Other secure data transfer methods outside of UMHS are available and strongly recommended:
(note: VPN login required to access internal links)
- MiChart Patient Portal (MyUofMHealth.org) – for communication between providers and patients.
- MiShare – for file exchange/transfer including image files (screen shots, pictures, or scanned images/PDFs); can accommodate over 25 MB of data.
- M+Box – for file storage; can accommodate over 25 MB of data.
If email is used, UMHS will now have a tool that will act as a safety net to catch those emails with identifiable patient information or other sensitive data going to a non-UMHS recipient if the sender does not tag the email as [SECURE]. The tool will scan for characters and sensitive information and then ensure that the message will be encrypted before leaving our system.
Receiving encrypted email messages from the Health System
When an external recipient receives an encrypted email message from UMHS, they will need to open a secure attachment and acknowledge the encryption before being able to open and read the message. If messages are exchanged within the UMHS Outlook system, from one med.umich.edu email address to another med.umich.edu email address, these extra steps will not be required. Here is what a recipient will see when receiving an encrypted message from UMHS.
- Email communication between UMHS users should stay within the Outlook/Exchange system.
- Always send messages for UMHS staff to their email@example.com address – not their firstname.lastname@example.org address.
- Use the Global Address List (GAL) within Outlook to select a UMHS recipient’s email address.
- Include [SECURE] in the subject line if you must send email with identifiable patient information or other sensitive data to an external email address.
Identifiable patient information under HIPAA is described in the UMHS Policy 01-04-340 – De-identification and Re-identification of Protected Health Information (PHI).