E-Mail of PHI from Health Care Provider to Patient (107.005)

E-Mail of PHI from Health Care Provider to Patient (107.005) - Policies, Administrative, UWMF, UWMF-wide, HIPAA/Privacy


University of Wisconsin Medical Foundation

Policy Name: E-Mail of PHI from Health Care
Provider to Patient
Policy Number: Privacy 013
____ New __X__ Revised1
If Revised, Supersedes Policy: “Technical Support,
Connectivity Loss, PC Use, Email and Online
Effective Date: October 1, 2003
Approved By (Name): Title:

I. Purpose
The University of Wisconsin Medical Foundation (“UWMF”) maintains the privacy,
confidentiality, and security of patients’ Protected Health Information (“PHI”). The purpose of
this policy is to advise UWMF staff of the procedures, limitations, and safeguards necessary to
be undertaken when using email to transmit PHI and to communicate with patients.

II. Definitions

External E-mail is an e-mail message which travels across the public Internet. This type of e-
mail, if not first encrypted, is not secure nor is it protected in a confidential manner. External e-
mail should be considered similar to a “postcard” that might be read by anyone who comes in
contact with such a message.

Internal E-mail is an e-mail message that never leaves the confines of the UWMF proprietary
local server or the UW network. This would include any e-mail message sent to and from an
address which includes as its suffix “wisc.edu.” This type of e-mail is protected from intrusion
by outside users by security software and /or hardware firewalls. E-mail messages of this type
are generally not at risk for being intercepted by outside third parties nor at risk for being viewed
by such third parties.

UWMF staff means generally all clinicians, nurses, support, and administrative staff who
provide care in or are employed by UWMF managed clinics.

This policy supersedes and augments the UWMF IS Policy, “Technical Support, Connectivity Loss, PC Use, Email
and Online Policy”

III. Policy

UWMF staff protects and safeguards PHI when communicating with patients via external e-mail.
An external e-mail communication that involves PHI is labeled CONFIDENTIAL, is encrypted
wherever possible, and is noted in the patient's medical record. UWMF staff recognizes that
encryption is not always easily available to patients, and therefore, UWMF staff, when using
unencrypted external e-mail to communicate to patients, undertakes to inform patients about the
process and risks of communicating PHI by e-mail, and takes reasonable measures to safeguard
the content and transmission of such External E-mail. Under no circumstances is an HIV test
result and/or a mental health care / AODA treatment record information sent via e-mail.

It is also recognized that future federal regulations will require that e-mails containing patient
identifiable information be encrypted when traveling over the Internet. This policy shall be
modified as encryption technologies become available.

IV. Process & Procedure

A. Technical Protocols: Set Up and Management of Patient E-Mail Communications

1. Development of Criteria for Use [Optional]. Each UWMF health care provider
wishing to communicate via e-mail with patients is strongly encouraged to establish
criteria for determining when to use e-mail as a method of communication with
patients. Such criteria should include a consideration of the health care provider’s
patient base, including those patients’ unique needs, physical limitations, and
communication style. The criteria should balance the need for ease and efficiency of
communication and the consequent delivery of health care against the need for
examination of and/or face-to-face communication with the patient. The UWMF
health care provider should also consider his/her capacity to handle and manage e-
mail communication with her/his patients. If such criteria are developed, the UWMF
health care provider uses same to help inform the decision to initiate e-mail
correspondence with a patient as outlined in Section IV.B., below.

2. Dedicated Mailbox. UWMF health care providers who wish to communicate with
patients using email will establish either an office / clinic e-mail mailbox or an
individual physician e-mail mailbox which is dedicated to the transmittal and receipt
of patient e-mail. The UWMF I.S. Support Center facilitates the establishment of
this separate mailbox set up.

3. Process for Monitoring Patient Mailbox. The health care provider and staff
designated by the health care provider establish a daily schedule, excluding
weekends, for monitoring the designated patient mailbox e-mail account. Review
shall occur not less than one time per day, excluding holiday and weekend days. The
mailbox is monitored even if the health care provider hosting the mailbox is on
vacation or otherwise unavailable.

4. Triage. All incoming messages are triaged and forwarded to the appropriate UWMF
staff for prompt handling and response to the patient.

5. Response Time. Each UWMF health care provider who uses e-mail to communicate
with patients establishes a standard for a material response for to a patient e-mail. In
no event does this standard exceed three (3) business days. In the event that a
material response is not reasonably possible within this period of time, an email is
sent to the patient acknowledging receipt of the e-mail and informing the patient of:

i. the reason a response is not forthcoming within the standard time period; and
ii. when a material response may be expected; or
iii. providing advice to the patient on a preferred / alternative method of
communication and / or treatment delivery.

B. Patient Information & Consent
Before initiating e-mail correspondence with a patient, both the patient and the UWMF
health care provider specifically agree to the use of e-mail as a form of communication
and agree upon appropriate limits on the use of e-mail to facilitate their communication.
The UWMF health care provider gives the patient a copy of the “Provider / Patient E-
mail Information & Consent” (marked as Appendix A). If the patient initiates email
correspondence prior to an opportunity to discuss e-mail as an option, the UWMF health
care provider will e-mail or mail to the patient a copy of the Provider / Patient E-mail
Information & Consent. Receipt and signed acceptance of the Provider / Patient E-mail
Information & Consent is maintained in the patient’s chart to demonstrate agreement and
consent to communicate via e-mail.

C. Conduct for E-mail Communications with Patients

1. Response. The UWMF health care provider replies to a patient within the response
time she/he has previously set for her/himself. In no event shall this response time
exceed three (3) business days. Whenever a material response cannot be reasonably
sent within this period of time, a short reply should be sent to the patient in
accordance with the standards set out in IV.A., above.

2. Out of Office. When a UWMF health care provider is away from the office
(conference, vacation, leave of absence etc.), an auto-reply is set up in advance which
notifies the correspondent that the health care provider is not available to answer e-
mail. UWMF staff designated by the health care provider to monitor the patient
mailbox continues to monitor and triage said e-mails on a daily basis, and involves
another UWMF health care provider when such intervention becomes necessary in
the receiving health care provider’s absence.

3. Copies to Patient Chart. Copies of the following types of e-mail correspondence are
placed in the patient’s medical record:

i. Notification of test results;

ii. Treatment or follow-up recommendations;
iii. Patient reports about their progress, response to treatment, etc.; and
iv. Informed consent process discussions with the patient about a treatment or

4. E-mail Etiquette. UWMF staff recognizes that the use of e-mail creates a permanent
record of the communication. UWMF staff take care to engage in e-mail
communication which is clear and concise. UWMF staff actively consider the “tone
of voice” used in e-mail correspondence with patients. UWMF staff avoid the use of
jokes, slang, all capital letters, or phrasings that might be interpreted as angry,
sarcastic, dismissive, inappropriately casual, or unprofessional.

5. Attachments. UWMF staff recognizes that graphs, links, and attachments may be a
problem for some patients. UWMF staff sends simple text messages unless it is
known that the patient has the software to deal with complex messages.

D. General Security

1. Email Access At Home. When accessing email from home, the UWMF health care
provider ensures that other household members do not have access to e-mail which
contains PHI. If the UWMF health care provider prints patient e-mail from a
location other than in a UW Health site, then all such printed copies are either be
placed in the patient’s medical record, shredded, or disposed of in a manner which is
consistent with the UWMF privacy policy #005, “Disposal of PHI.”

2. Forwarding Patient E-mail to Third Parties Prohibited. UWMF staff do not
forward health care provider-patient e-mail communications to any third party
(outside of UW Health) without the written permission of the patient or the patient’s
legally authorized representative. Forwarding patient e-mail to a third party
constitutes a “disclosure” of PHI, and is subject to the requirements of the UWMF
privacy policy #001, “Use, Release, and Disclosure of Patient Protected Health

E. Communicating with Patients or Clinicians Inside “wisc.edu”

1. Electronic Storage. UWMF staff stores e-mail messages containing PHI only on
equipment which is within the control and security of UW Health or UW-Madison.

2. UWMF E-mail Addresses. UWMF staff only uses e-mail addresses provided by the
UW Health or UW-Madison entity. These e-mail addresses always end in
“wisc.edu.” Use of personal or home e-mail addresses to transmit PHI is strictly

3. E-Mail Client Servers. UWMF staff uses only UW health or UW-Madison
provided e-mail client servers to read and send e-mail. Use of web e-mail clients,
such as Yahoo, Hotmail, and Netscape Mail is prohibited because these e-mail clients

use POP to physically copy the e-mail to equipment owned and operated outside of
UW Health and/or UW-Madison.

4. Identifiable PHI Limits. Except as allowed for patient to physician / physician to
patient email pursuant to patient consent as outlined above and in Paragraph F, below,
UWMF staff uses e-mail to send identifiable patient information only if the e-mail is
sent within UW Health. This means the recipient must also be an authorized user of a
UW Health or UW-Madison entity provided “wisc.edu” e-mail address.

F. Communicating Outside “wisc.edu”
External e-mail sent to addresses outside of “wisc.edu” travels over the Internet.
Therefore, when communicating with clinicians outside of UW Health via e-mail (e.g.
referral physicians), identifiable patient information may not be included in any portion
of the message. In certain limited circumstances, however, it may still be desirable to
exchange e-mail containing PHI with another individual outside of “wisc.edu.” Such an
e-mail communication with a third party regarding a patient is considered a disclosure of
PHI under HIPAA, and occurs only if UWMF staff first completes all of the following

1. Authorized by State & Federal Law. The disclosure of PHI is authorized under
state and federal laws, and where necessary, written patient authorization to disclose
PHI has first been obtained. Please see UWMF privacy policy #001, “Use, Release &
Disclosure of Patient Protected Health Information,” and UWMF privacy policy
#010, “Authorization Use.” Please note the former policy to determine if the
disclosure needs to be tracked and/or accounted.

2. No Use of Patient Name. UWMF staff does not include the patient name or other
obvious identifiers in the message. UWMF staff may include only the patient’s
initials, birth date, and/or Medical Record Number as appropriate patient identifiers.

3. Pre-arrangement. The sender and recipient communicate in advance regarding the
e-mail process so the recipient knows to expect receipt of the e-mail containing PHI
and is able to link the minimally identified information to the correct patient.

G. Assistance. Additional assistance in determining the appropriateness of sending an e-
mail which contains patient PHI can be obtained from:
 Security Officer
 Director of Health Information
 Privacy Officer
 UWMF Counsel

H. Resources
 Use, Release & Disclosure of Patient’s Protected Health Information Policy
 Authorization Use Policy
 Accounting Form
 Tracking Log
 Disposal of PHI Policy

V. References
 45 CFR 164.501, et. Seq.

VI. Author & Review

Sponsor: Health Information Committee
Author: Claudia Jane Sanders
Review: Clinic Ops Privacy Work Group Health Information Committee
HIPAA Steering Committee UWMF Operations Committee
Senior Management
Committee Approval: Clinic Ops Privacy Work Group Health Information Committee
HIPAA Steering Committee UWMF Operations Committee
UWMF Senior Management
Approved: Peter Christman, EVP October 1, 2003

[See “Provider / Patient E-Mail - Information & Consent for Patients,” on Following Page]

Provider / Patient E-Mail - Information & Consent for Patients

You, ___________________ (patient) agree that I, ________________ (health care provider)
may communicate with you via e-mail. The address to use is: __________________________ .

Please remember the following when you use e-mail with me:

1. My response to your e-mail may not be immediate. Do not use e-mail for emergency

2. I will strive to respond within three business days. If you have not heard back within that
time, you should telephone the office and leave a message.

3. Include three items in the subject line:
 Your name
 Your medical record number
 A keyword or phrase about your message. Examples include: “Advice Request,”
“Prescription Refill Request,” “Status Report,” “Lab Report,” etc.

If you use e-mail provided by your employer, you should check with your employer about the
security/ownership/privacy policy at your workplace. Your employer has the legal right to your
e-mail if he or she chooses.

Replies from your provider will usually come to the e-mail addresses from which you sent the
original message. You should not expect to be able to initiate e-mail from one address and
receive the reply at a different address.

If you share an e-mail account with family members, then there is the possibility of revealing
confidential information to others.

In addition to me, your e-mail may be viewed by other hospital or clinic personnel and a copy
may be inserted in your medical record.

Most e-mail is not encrypted, and therefore not absolutely private. Unauthorized access by
outsiders is possible. Do not use e-mail for discussion of sensitive issues, for example mental
health issues, etc.

Please sign below to consent to the use of e-mail to communicate with you. Your signature
below will signify that you understand and agree to all of the above conditions on our use of e-
mail to communicate protected health care information. If you do not agree, we may not
communicate in this manner.

____________________________________ ___________________________________
Patient, Parent, or Guardian Signature Date

____________________________________ ___________________________________
Print Patient Name Print Parent / Guardian Name - Relationship