Assumptions
- The e-mail system is part of Your Organization's business equipment.
- E-mail can be immediately broadcast worldwide and be received by many intended and unintended recipients.
- Recipients can forward e-mail messages to other recipients without the original sender's permission or knowledge.
- Users can easily misaddress an e-mail.
- E-mail is easier to falsify than handwritten or signed documents.
- Backup copies of e-mail may exist even after the sender or the recipient has deleted his or her copy.
- E-mail containing information pertaining to diagnosis and/or treatment of a person served is not a part of the medical record.
- All e-mail may be discoverable in litigation.
Definition
Protected Health Information (PHI) includes all individually identifiable health information that is transmitted or maintained in any form or medium. This includes paper, electronic and oral information. In this context, “individual” is defined as the person who is the subject of the individually identifiable health information.
General Policy
Authority
Your Organization encourages the business use of e-mail to increase productivity. The e-mail system and all messages generated by or handled by e-mail, including back-up copies, are part of the business equipment of Your Organization, are owned by Your Organization, and are not the property of the users of the system. Consequently, e-mail users do not have a right to privacy in their use of the computer system or its e-mail component. Your Organization reserves the right to monitor, audit, delete, and read e-mail messages. The network administrator may override user passwords. Although it is the policy of Your Organization not to regularly monitor the contents of e-mail communications, it may monitor the contents and usage to support operational, maintenance, auditing, security, and investigative activities. Users should use e-mail with the knowledge that Your Organization may from time to time examine the content of e-mail communications. Nor can Your Organization guarantee that e-mail messages will be private. E-mail communications can be forwarded, intercepted, printed, and stored by others. Use of the e-mail system constitutes consent to this policy.
Appropriate E-mail Use
Generally, e-mail users should restrict their use of the e-mail system to proper business purposes relating to the services of the persons served and related administrative matters. A user may, however, use e-mail for personal purposes, under the following conditions:
- Personal use does not involve significant use of Your Organization's resources, such as work time, computer time, costs, and the like, and does not preempt any business activity or interfere with the user's or others' productivity.
- Transmission must not involve any illegal or unethical activity.
- Transmission must not involve or disclose any activity that could adversely affect Your Organization, its board and employees.
- Transmission must not involve solicitation. Employees may not use Your Organization's e-mail system to solicit for outside business ventures, organizational campaigns, or political or religious causes.
Users must not transmit confidential or proprietary information to unauthorized recipients. Protected health information (PHI) or confidential information should not be sent over the Internet unless the message is encrypted with a current encryption standard and/or sent over a Virtual Private Network (VPN) that encrypts the message. All e-mail concerning protected health information of the persons served will start with a confidentiality statement developed by the privacy officer. E-mail that includes PHI should include only the minimum necessary information to complete the communication transaction.
Proprietary information is information that belongs to Your Organization. Users must not transmit obscene, offensive, harassing, or hostile messages to any recipient. No person shall enter, transmit, or maintain messages with derogatory or inflammatory remarks about an individual's gender, race, age, disability, religion, national origin, physical attributes, sexual preference, or health condition. No person shall enter, maintain, or transmit any abusive, profane, or offensive language.
Because some information is intended for specific individuals and may not be appropriate for general distribution, users should exercise caution when forwarding messages. Users must not forward sensitive information, including information of the persons served, to any party outside the Your Organization system without the prior approval of the program manager or appropriate authorization. Senders may not engage in blanket forwarding of messages to parties outside Your Organization.
Security
The e-mail system must employ user-IDs and associated passwords to isolate the communications of different users. Shared IDs and associated passwords are permitted only in unusual circumstances, and must then be authorized. Users must never share passwords or reveal them to anyone else. Employees may not intercept or disclose, or assist in intercepting and disclosing, e-mail communications. Unless the sender has obtained the prior permission of the program manager, users should periodically purge from their personal e-mail storage areas messages that Your Organization no longer needs for business purposes.
Compliance
Users must immediately report violations of this policy to their program manager and to the privacy or security officer.
Enforcement
All program managers and supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination from employment, professional discipline, or criminal prosecution, in accordance with Your Organization's Sanction Policy.