UW–Madison is committed to maintaining the privacy, confidentiality, and security of patients’ and research subjects’ protected health information. This policy sets forth requirements and safeguards which must be undertaken when UW–Madison faculty and staff use email to transmit protected health information.
UW–Madison protects and safeguards protected health information when communicating via email to prevent access by unauthorized individuals or entities. External email communication containing protected health information must be encrypted wherever possible, and also noted in medical records when relating to clinical treatment, recommendations, or follow-up. Further, where encryption is not used, UW–Madison faculty and staff must inform patients and research subjects about the risks of communicating protected health information through unsecured email and must take reasonable measures to safeguard the content and transmission of such email.
UW–Madison encourages faculty and staff, before communicating protected health information via email, to consider whether a better method exists for communication of the information. More secure alternatives might include utilizing messaging tools available within an electronic medical record system, utilizing collaboration tools endorsed by UW–Madison Cybersecurity, or sharing information through folders in local network drives. Faculty and staff should consult with the UW HIPAA security coordinator for their unit of campus with questions about secure alternatives.
UW–Madison strictly prohibits the email transmission of HIV test results and of treatment records or information involving mental health care or alcohol or drug addiction.
Communicating with Patients by Email
Health care providers may not send external email to patients except according to the specific standards set forth in this policy. Providers are encouraged to use other secure means of communication first. Similarly, patients should be encouraged to use the patient portals provided by their health care providers for sending secure electronic communications to their providers. This ensures that such communications are secure, addressed in a timely fashion, and appropriately documented within the appropriate electronic health record.
Commonly used patient portals in the Madison, Wisconsin, area include:
- uwhealthmychart.org (for UW Health)
- myuhs.uhs.wisc.edu (for University Health Service)
- chart.myunitypoint.org (for UnityPoint Health-Meriter)
- myhealth.va.gov/ (for the VA – Veterans Affairs)
- ghcscw.com/ghcmychart#/ (for Group Health Cooperative of South-central Wisconsin)
- If a patient initiates email correspondence with a health care provider, the health care provider should encourage the use of a patient portal as described above. If a patient refuses to utilize a patient portal, before corresponding directly with a patient by email, both the patient and the health care provider must agree to the use of email as a form of communication and agree upon appropriate limits on the use of email to facilitate their communication. The UW health care provider must explain the security risks involved with communicating protected health information using email and may do so using the text provided in the following section.
Language in substantially similar form to that below should be added to a health care provider’s email signature line to remind the patient of the security limitations of email:
NOTICE TO PATIENTS: Email communications are not considered to be private or secure. There are many ways that both authorized and unauthorized users may have access to email communications. Patients are strongly cautioned against sending sensitive, detailed personal information to providers via email. Email should also not be used to convey information of an urgent nature. For urgent matters, patients should call their provider’s clinic.
- Standards for Email Communications with Patients.
  - Criteria for Use. Any health care provider wishing to communicate via email with patients must establish criteria for determining when to use email as a method of communication with patients. Such criteria should include a consideration of the health care provider’s patient base, including those patients’ unique needs, physical limitations, and communication style. The criteria should balance the need for ease and efficiency of communication and the consequent delivery of health care against the need for examination of the patient and/or face-to-face communication, the documentation needs for billing compliance purposes, and the triaging capabilities available through e-Visit and Video-Visit technology.
  - Response Time. Each health care provider who uses email to communicate with patients must establish a standard response time for a material response to be sent to the patient. In no event may this standard exceed three business days. In the event that a material response is not reasonably possible within this time period, an email must be sent to the patient acknowledging receipt of the patient’s email and informing the patient of:
    - The reason a response is not forthcoming within the standard time period; and
    - When a material response may be expected; or
    - Advising the patient on a preferred/alternative method of communication and/or treatment delivery.
  - Out of Office. When a health care provider who has agreed to receive emails from patients is away from the office (conference, vacation, etc.), an auto-reply must be set in advance which notifies all correspondents that the health care provider is not available to answer email.
Communicating with Research Subjects by Email
- All communications with research subjects must occur in accordance with UW–Madison institutional review board (IRB) guidance and with any approved research protocol applicable to the involved research.
- Current IRB guidance can be found in the Investigator Manual.
Communicating PHI to Any Party by Email Inside “wisc.edu” or Inside of the UW ACE
- Emails containing protected health information may be sent internally to addresses that end in “wisc.edu.” Additionally, external emails containing protected health information may be sent to email addresses within domains controlled by the UW ACE. These email messages do not require the senders or recipients to apply additional security controls in order for the messages to be deemed secure. Contact the HIPAA privacy or security officers with questions about which domains are currently controlled by the UW ACE.
- Electronic Storage. UW–Madison faculty, staff, and students who store email messages containing protected health information may only do so using storage solutions managed and/or approved by UW–Madison or UW Health for storage of protected health information. Contact your HIPAA security coordinator or submit a “Joint Security & Privacy Review Request” (“JSPR Request”) for assistance with secure storage solutions. JSPR Requests may be submitted electronically using the form available at go.wisc.edu/hipaasecurity.
Communicating PHI by Email Outside of the UW ACE or the UW HCC
- Emails containing protected health information sent to domains outside of the control of the UW ACE or the UW HCC must be encrypted. Contact your HIPAA security coordinator with questions about email encryption.
- UW–Madison Email Addresses. UW–Madison faculty, staff, and students within the UW HCC may only use email addresses provided by UW–Madison for work purposes (for faculty and staff) and when emailing protected health information for educational purposes (for students). Use of personal or third-party email addresses to transmit protected health information is strictly prohibited.
- Use of Automatic Email Forwarding by Rule.
  - UW–Madison faculty, staff, and students in the UW ACE are strictly prohibited from using automatic forwarding by rule to direct all email from their UW–Madison email addresses to third-party email accounts outside of the UW ACE.
  - UW–Madison faculty, staff, and students in the UW HCC but not in the UW ACE are strictly prohibited from using automatic forwarding by rule to direct all email from their UW–Madison email addresses to third-party email accounts outside of the UW HCC.
  - UW–Madison may avail itself of security controls available through its approved and licensed technologies to ensure compliance with these auto-forwarding limitations. HIPAA security coordinators will collaborate with the HIPAA privacy and HIPAA security officers to develop procedures to enforce these auto-forwarding limitations and will periodically review reports of auto-forwarding throughout the UW HCC to ensure protected health information remains within the UW ACE or within the UW HCC as required.
  - Exceptions to the prohibition on auto-forwarding may only be granted with the approval of the HIPAA privacy and security officers.
- UW–Madison faculty, staff, and students in the UW HCC who access email remotely or on a mobile device must ensure that other unauthorized individuals do not also have access to the email. They should also enable device encryption (which may require adjustments to factory settings on devices) and enroll the device in a mobile device management solution in accordance with procedures developed by their unit of the UW HCC. Emails containing protected health information and accessed remotely should not be printed outside of facilities of the UW HCC. When emails containing protected health information are printed (in order to meet the requirements of Section IV, below), they should be printed within facilities of the UW HCC or the UW ACE and then immediately forwarded for scanning and incorporation into the appropriate patient’s medical record.
- Forwarding of provider-patient email communications to a third party (outside of the UW HCC or UW ACE) is prohibited without the written authorization of the patient or the patient’s legally authorized representative.
UW–Madison recommends all of the following information be exchanged through patient portals rather than through provider-to-patient emails. However, in the event provider-to-patient email occurs, copies of the following email correspondence must be forwarded to the appropriate medical records/health information team and placed in the patient’s medical record:
- Notification of test results
- Treatment or follow-up recommendations
- Patient reports about their progress, response to treatment, etc.
- Informed consent process discussions about a treatment or procedure
Consequences for Noncompliance
Failing to comply with this policy may result in discipline for the individual(s) responsible for such noncompliance.
Further, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules, and an individual’s noncompliance may result in institutional noncompliance and/or an investigation by OCR. OCR attempts to resolve investigations by obtaining voluntary compliance and entering into corrective action plans and resolution agreements. Failure to comply with HIPAA or cooperate with OCR in an investigation may result in civil and/or criminal penalties.