Tulane University Technology Services
Services HelpU 24.7 Teaching & Learning Reserve Equipment Software

Information Security @ Tulane

  		• Information Security Home
  		• Security Strategy
  		• Recent Security Alerts
  		• Policies & Guidelines
  		• Law & Regulations
  		• Security Awareness
  		• Security Training
  		• Security Reading Room
  		• Software Download
  		• Hurricane & Disaster Recovery Plan
  		• Contact Us
    		 Guidance on the Use of Email Containing Protected Health Information (PHI) and Sensitive Information (SI)

    In view of the HIPAA Privacy/Security Policies and GLB Act, the following guidelines should be observed when applicable regarding correspondence related to PHI and SI being sent via e-mail.

    As a base of reference, it should be understood that Tulane.edu and HCAhealthcare.com email addresses represent two separate entities which are delivered over the Internet regardless of the physical location of the buildings. Consequently, sending PHI and SI in clear text between these two entities constitutes the violation of Tulane and HCA HIPAA Privacy, Security Policies and Tulane GLB Security Policy. The use of Email containing PHI and SI should adhere to the following guidelines:
    1. The staff of the Tulane University should not transmit PHI and SI over the Internet (including e-mail) and other unsecured networks unless it has been encrypted and password protected, and the Security Officer approves the process used. (Tulane University HIPAA Privacy Policy GC-007, Tulane University Hospital & Clinic Policy Information Systems Security Policy IS.002).
    2. E-mail between Tulane.edu and HCAhealthcare.com is delivered over the Internet, and should abide by the guidance in step 1.
    3. E-mail communication of PHI and SI within Tulane email system (Tulane.edu) is permitted.
    4. E-mail communication of PHI and SI within HCAhealthcare email system (HCAhealthcare.com) is permitted.
    5. Great care should be taken when sending an email with PHI and SI to ensure that the recipient address is the intended recipient.
    6. Any PHI and SI transmitted by email should be limited to the minimum information necessary to meet the recipient’s needs.
    7. Email messages containing PHI and SI must not be forwarded to non-Tulane email addresses either individually or by an automated forwarding mechanism.

    Tulane University Technology Services is researching an approach for Secure Email delivery whereby the contents of outgoing email are inspected based on a set of content and identity policies that are defined by the user. Once the email is identified as likely to contain confidential information or addressed to recipients whose email needs privacy protection, the message is automatically directed through a secure, encrypted message channel. Until a secure email delivery solution is in place, you can use PGP or WinZip to encrypt the email attachment or Microsoft Outlook client with digital certificate to encrypt and digitally sign your email before sending it.