HIPAA Security: Email and Other Electronic Messaging of ePHI Policy

I. Scope & Applicability

This policy applies to Stanford University HIPAA Components (SUHC) electronic protected health information (ePHI) that is transferred using email or other electronic messaging systems (e.g., text messaging, instant messaging).

If ePHI is sent using an information system that is managed by, or receives technical support from, Stanford Health Care (SHC) or Stanford Children’s Health (SCH), then the policies and procedures of those respective entities apply.

II. Policy Statement

SUHC will implement reasonable and appropriate measures to guard against unauthorized access to and protect the integrity and confidentiality of ePHI that is being sent, received, or stored using an email or other electronic messaging system (“electronic messaging”).

III. Principles

  1. Appropriate Electronic Messaging of ePHI. Transmission of any electronic message containing ePHI must be in accordance with SUHC Privacy Policies governing PHI use and disclosure. For example, SUHC will obtain a HIPAA-compliant authorization when required prior to disclosing PHI. SUHC will make reasonable efforts to limit the PHI in an electronic message to the minimum necessary to accomplish the purpose of the communication.
  2. Secure Electronic Messaging. Any electronic message that contains ePHI will be sent using a secure electronic messaging system that has been approved by the Stanford University Chief Information Security Officer. Read more information regarding secure email requirements and services.
  3. Storing Electronic Messages that Contain ePHI. Electronic messages that contain ePHI must be stored in a secure manner. Read more information on secure storage requirements and services.
  4. Sensitive Test Results. To comply with California state law, electronic messaging may not be used to convey to individuals the results of tests related to HIV status, sexually transmitted diseases, presence of a malignancy, presence of a hepatitis infection, or substance abuse.
  5. Electronic Messages to Multiple Recipients. When there exists the potential to reveal or infer PHI in an electronic message that is intended for delivery to multiple recipients, SUHC will take additional precautions as follows:
    1. Distribution Lists.
      1. SUHC will not send ePHI to a distribution list whose membership includes anyone outside of the Stanford Affiliated Covered Entity.
      2. It is possible to infer PHI when general health information is associated with a recipient’s name or other identifier. To prevent inference of PHI when sending an electronic message that does not contain PHI but includes information related to a specific type of health condition or treatment, SUHC will not disclose recipients’ identities in any portion of the message. For example, SUHC will suppress the names and email addresses of recipients to whom it may send an electronic message regarding a health condition or treatment option.
    2. SUHC-Hosted Group Discussion Forums.
      1. Treatment-, Education-, or Research-Specific Forums. When hosting a discussion forum that incorporates electronic messaging among participants and in which PHI might be revealed (e.g., in connection with a research study or support group), SUHC will:
        1. Provide a secure environment for the exchange of electronic messages among participants;
        2. Prior to an individual’s participation, obtain from that individual, as necessary to comply with the HIPAA Privacy Rule, a HIPAA-compliant authorization that covers the communication of PHI to all participants (refer to the applicable SUHC Privacy Policies for guidance); and
        3. Post a statement of expectation, such as the following, that participants will respect the confidentiality of PHI that might be revealed by other participants:

          Confidentiality Expectation: Please remember that participation in the [insert discussion group or program name] is confidential and that the messages, which may contain personal information, should not be sent to or viewed by others outside the [discussion group or program].

      2. Open Public Forums. When hosting an open public forum that incorporates electronic messaging among participants and in which PHI might be revealed, SUHC will provide a statement, such as the following, that informs participants that the forum is not secure and that sharing of PHI is not recommended:

        Notice of Risk: This is an open forum. It is not a secure environment for communicating information. Stanford University does not recommend that this forum be used to communicate sensitive or confidential information such as personal health information, financial information, or educational records.

    3. PHI in Subject Heading Lines. When sending an electronic message that contains ePHI, do not include in the subject heading line any ePHI, any condition or treatment information from which PHI may be inferred, or any individual identifiers (e.g., patient names, medical record numbers).
  6. Confidentiality Statements.

    SUHC will include in any electronic message that contains ePHI a confidentiality statement such as the following:

    Confidentiality Notice: This [electronic transmission], and any documents, files, or previous [electronic] messages attached to it, may contain confidential information. If you are not the intended recipient, or a person responsible for delivering it to the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of any of the information contained in or attached to this message is STRICTLY PROHIBITED. If you have received this [electronic message] in error, please immediately notify us by reply [message] or by telephone at (XXX) XXX-XXXX, and destroy the original transmission and its attachments without reading or downloading them.

  7. Medical Records Maintenance. If ePHI related to a patient’s treatment is received in an electronic message, SUHC will include a copy of the electronic message in the patient’s medical record, if applicable.

IV. Procedures

Each department or program included in the SUHC will develop, document, implement, and train its workforce on the procedures necessary to comply with this policy. Departmental or program procedures will include identification by title of the person(s) responsible for complying with the required activities and provisions.

V. Exceptions

Any exceptions to this policy must be approved by the Stanford University Chief Information Security Officer or delegate.

VI. Related Documents

  1. SUHC HIPAA Security: Transmission of ePHI Policy

VII. Document Information

  1. Legal Authority/References
    Health Insurance Portability and Accountability Act of 1996: Administrative Simplification Rules (as amended through 3/26/13), §164.312(e)
  2. Contact for Questions Related to this Policy
    Stanford University Chief Information Security Officer
  3. Document Review History
    Version | Date       | Modified | Comments
    1.0     | 01/28/2005 | Yes      |
    1.1     | 12/07/2015 | Yes      | Reviewed and updated by Aaron Arutunian

This document is intended for use by Stanford University. No representations or warranties are made for outside use. Not for outside reproduction or publication without permission.

Last modified April 14, 2023