
E-Mail Transmission of Protected Health Information (6.31)


Administrative (Non-Clinical) Policy
UWHC only (Hospital Administrative-entity wide)
UWMF only (entity wide)
UWHC Departmental (indicate name)
UWMF Departmental (indicate name)
UWHC and UWMF (shared)
Policy Title: E-Mail Transmission of Protected Health Information
Policy Number: 6.31
Effective Date: November 1, 2015
Chapter: Medical Records
Version: Revision


To establish a process for all employees and staff to utilize when communicating within UW Health or
with outside healthcare providers about patients via e-mail. These principles relate only to e-mail that
includes protected health information (PHI) and do not address appropriate use of e-mail in general.

Protected Health Information is defined as individually identifiable health information that is transmitted,
or maintained in any form, including oral, written or electronic.


Providers and UWHC staff will take reasonable measures to safeguard the content and transmission of
PHI via e-mail communication.

All e-mail users should understand that e-mail is inherently insecure and should therefore use due care when
communicating PHI or any other sensitive subject matter.

Under no circumstances will e-mail be used in conjunction with other technologies (e.g. network enabled
patient care devices, portable computing devices, etc.) without first reviewing the security of those
technologies and their use of e-mail with UW Health Information Services (UW Health IS).

A. Use of Business E-Mail to Limit Risk.
To assure that e-mail messages containing individually identifiable PHI are stored only on
equipment within the control and security of UWHC or other entities within the UW Affiliated
Covered Entity (ACE):
1. UWHC clinicians, staff and students must use e-mail addresses provided by their
employer or school. Use of personal or home e-mail addresses to transmit PHI or
business related communication is prohibited.

2. Similarly, business e-mail addresses may not be configured to automatically forward to a
personal e-mail address. For individuals who have multiple business e-mail accounts, it
may be acceptable to forward one address to another, if both addresses are housed on e-mail
systems that are managed by an entity within the ACE. Requests may be submitted
for review through the Help Desk at 265-7777.
3. E-mail may be used to send individually identifiable PHI only within UW Health or with
other business partners with whom UW Health has established a secure connection. To
determine if such a secure connection exists, contact the Help Desk at 265-7777.
4. UWHC clinicians, staff and students who access their business e-mail from home must
ensure that other household members do not have access to professional e-mail. Any
copies that are printed at home must be shredded.
B. Proper Choice and Configuration of E-mail Client Programs.
1. UWHC clinicians, staff and students must use only employer or school provided e-mail
clients to read and send e-mail. E-mail clients that are not provided by a UW Health
employer or the University, such as Yahoo, Hotmail and Google, are not acceptable
because they may physically copy the e-mail to equipment owned and operated outside of
UW Health or UW-Madison.
2. Staff who obtain e-mail from UWHC should use the Outlook e-mail client, Outlook Web
Access, or a portable device supplied and supported by UWH Information Services.
C. Using E-mail to Communicate Minimally Identifiable PHI to Non-Patient Recipients Outside of
UW Health (see Administrative Policy & Procedure 6.32-Provider-Patient E-Mail Policy for
guidance regarding communicating with patients via e-mail).

The use of the internet to transmit data is similar to sending a postcard through the mail. While in
transit, the entire message can be "seen" as the message moves from site to site. E-mail sent to
addresses outside of UW Health travels over the internet. To mitigate this security risk and
protect the privacy of patient information, when communicating with clinicians outside of UW
Health via e-mail (e.g., referral physicians), only minimally identifiable patient information
should be included in any portion of the message.

Therefore, whenever possible, the following should be observed when communicating with non-
patient recipients outside of UW Health:
1. The sender should confirm that the disclosure of the patient information is authorized
under state and federal laws, and where appropriate, patient authorization to disclose the
information to the recipient has been obtained. Disclosures outside of UW Health may
require documentation (see Administrative Policy 4.13-Using and Disclosing Protected
Health Information).
2. The sender does not include the patient name or other obvious identifiers in the
message. The sender should include only the following information to identify the
patient: Initials, birth date and/or Medical Record Number.
3. Whenever possible, the sender and recipient should communicate in advance regarding
the process so the recipient knows to expect the e-mail and is able to link the minimally
identified information to the correct patient.
D. Consultation with Information Services and Compliance for New or Alternate Uses.
1. In some cases, alternate arrangements for use of e-mail can be made with Information
Services and/or the Compliance and UW Health Privacy Officer.
2. IS may be able to facilitate secure connections for exchange of e-mail with some close
business partners. Requests for consideration may be submitted through the Help Desk at
3. IS will assist other departments who wish to leverage the convenience of e-mail in
conjunction with other technologies, such as network enabled patient care equipment,
portable devices, and other technologies. Use or testing of e-mail with other technologies
should not commence until the security of the proposal is evaluated by IS and/or the
Compliance and UW Health Privacy Officer.

Sr. Management Sponsor: SVP, Chief Information Officer
Author: Compliance and UW Health Privacy Officer

Review/Approval Committee(s): Administrative Policy and Procedure Committee; Medical Board


Ronald Sliwinski
President, University of Wisconsin Hospitals
Chief of Clinical Operations

Revision Detail:

Previous revision: July 2012
Next revision: November 2018