Fast Facts about HIPAA and Email
This information applies to ALL members of the UW-Madison Health Care Component and ALL members of SMPH
As members of the UW-Madison Health Care Component, we frequently use email to exchange Protected Health Information (PHI) with other health care providers, research colleagues, and administrators. HIPAA permits this if we use appropriate safeguards to protect the privacy and security of the PHI. Our IT Professionals on campus apply some of the necessary safeguards behind-the-scenes through our email system, and we need you to do your part by following our policies and procedures:
Only use institutional wisc.edu, uwhealth.org, or va.gov email addresses when emailing for work purposes.
You may NOT auto-forward your email to a personal email account or use third-party email services for work-related purposes. Doing so violates UW and UW Health policies and results in frequent HIPAA breaches, some of great magnitude – because each instance of emailing an individual’s PHI without authorization or a valid business associate agreement is considered an unauthorized disclosure of PHI to the company hosting the third-party account.
Before exchanging PHI by email, consider whether a better method exists:
- Can the PHI be exchanged through shared folders on local network drives?
- Should it be sent as an InBasket Message directly in an electronic medical record?
- Should a Secured Box Folder be established if you will be sharing large volumes of PHI repeatedly with the same person or group? Please note that Box folders are not, by default, secured for PHI. Learn more about requesting Secured Box Folders here.
If patients email you directly with treatment-related questions, you are encouraged to steer them to appropriate patient portals where message can receive prompt attention by a member of their care team.
- uwhealthmychart.org (for UW Health),
- uhs.wisc.edu (for UHS), or
- myunitypoint.org (for UnityPoint Health-Meriter)
- va.gov/mhv-portal-web/home (for the VA)
If you must exchange email containing PHI with a patient, take the steps outlined in Section III.A. of the HIPAA Email Policy.
Be sure research-related use of email complies with the IRB’s email guidance and with the use of email as you have described it in your research protocol.
Also, remember that HIPAA applies to research data even for studies which are exempt from IRB review!
If you have questions about topics related to HIPAA Privacy or HIPAA Security, contact the HIPAA Privacy or HIPAA Security Officers or the HIPAA Coordinators for your health care component unit.
If you have questions about Certificates of Confidentiality, maintaining confidentiality of records in the event of a Public Records Request, or abiding by confidentiality obligations in a contract – please contact the UW-Madison Office of Legal Affairs.