Emailing and Faxing PHI
We frequently use email and faxes to send Protected Health Information (PHI) to other health care providers, research colleagues, and administrators. The HIPAA Privacy Rule permits using and disclosing PHI in these ways – and requires us to use appropriate safeguards to protect the privacy of the PHI.
Before sharing PHI by email or fax, consider whether better methods exist for sharing the PHI involved (i.e., it may be more appropriate to use Secured Box Folders created by your HIPAA Security Coordinator or to exchange the PHI by phone or even postal mail).
If patients email you directly with treatment-related questions, steer them to uwhealthmychart.org (for UW Health), myuhs.uhs.wisc.edu (for UHS), or chart.myunitypoint.org/mychart/ (for UnityPoint Health-Meriter) to allow secure and prompt communication with clinical staff, as well as incorporation of relevant messages in their medical records.
- If your school/department permits you to email PHI, emails sent between wisc.edu and uwhealth.org emails may contain PHI. Contact your Privacy Coordinator with department-specific questions.
- Verify email addresses of the intended recipients of your messages. Pay close attention to frequent contacts’ addresses pre-populating as you type intended recipients’ email addresses!
- Use caution before emailing spreadsheets with PHI – because of the risk of causing multiple breaches of privacy at one time if a spreadsheet with PHI is attached to a misdirected or hacked email.
- Do not copy and paste text containing PHI from one message into another.
- You are prohibited from auto-forwarding your wisc.edu or uwhealth.org emails to any other email accounts.
- Be sure research-related use of email complies with the IRB’s email guidance.
- See HIPAA Policy 8.6 for more information.
- Always use a cover sheet that includes your name and contact information.
- Confirm fax numbers before sending a fax. If necessary – call the intended recipient to verify the number.
- Periodically double-check pre-programmed fax numbers and auto-fax settings to make sure they are correct.
- See HIPAA Policy 8.5 for more information.
If you misdirect an email or fax containing PHI, report the incident as soon as possible so the incident may be thoroughly investigated and addressed.
Our hipaa.wisc.edu web pages are retiring! Please visit and familiarize yourself with our new website at compliance.wisc.edu/hipaa. Send suggestions for improvements to email@example.com.
The next roll-out of annual HIPAA training for UW-Madison will occur in the Summer of 2018. Until that time, you will be deemed current with training if you completed the 2017-18 training. Contact your Privacy Coordinator with any training-related questions.