Protecting HIPAA PHI in E‐Mail ‐ Did you know…?

Please see the attached flyer for more information: SECURE.Protecting HIPAA PHI in Email.20200714

Protecting HIPAA PHI in E‐Mail ‐ Did you know…?

Did you know that all emails containing PHI sent outside the organization must be encrypted, unless the patient (or research subject) specifically request it to not be? In this case, you must advise the patient that there are risks to their information being inappropriately accessed or disclosed when sent unencrypted. If the patient agrees to assume that risk, you must document this in their Epic record and may then proceed to send the email unencrypted as requested. *Only the patient can agree to this risk* Third parties cannot accept this risk on behalf of the patient.

Email Encryption

Emails sent to the following domains are automatically encrypted:

• @cuanschutz.edu (CU Anschutz)
• @ucdenver.edu (CU Denver)
• @cumedicine.us (CU Medicine)
• @denverhealth.org (Denver Health)
• @nationaljewish.org (National Jewish Health)
• @childrenscolorado.org (The Children's Hospital of Colorado)
• @uchealth.org (UCHealth)

For emails ending in any other domain (i.e., @ABChospital.org), you must take extra steps to encrypt messages containing PHI.

To send encrypted email, add one of the following words in all capital letters to the SUBJECT line.

• ENCRYPT (CHCO)
• SECURE (University, UCHealth)