Policy Manual


Communicating Protected Health Information Via Electronic Mail (Email)      

Type: Procedure                 Category: Information Technology                 Level: Community Care 

Parties: Care Development of Maine employees and contractees

Printer Friendly Version: http://apps.comcareme.org/policymanual/default.aspx?code=6.MEP.41&nonav=yes

Supporting References: HIPAA Security Rule

Parent Effective Date Approval Level Revision Dates Last Reviewed
6.ME.38  12-12-2005  Management Team    12-12-2005
Related Document Code Related Document Name Type

Procedure:  .



This Policy document describes procedures that govern an individual's use of Community Care's email system. It also defines the steps that must be taken by Community Care clients who wish to engage in email with Community Care. This procedure applies to the informational uses of email and does not cover the ethical, legal and regulatory issues.


1. Communicating PHI via Email Internally

a.       As a general rule, unencrypted email should not be used to communicate PHI. Email is inherently less secure than other forms of communication. However, email of PHI will be permitted at Community Care if certain safeguards are implemented.

b.      Community Care will implement the following safeguards when communicating PHI in or attached to an email message:

1.      Email communications containing PHI about Community Care clients will be transmitted only on the Community Care email system and cannot be forwarded to an email account outside Community Care.

2.      PHI will not be transmitted in the subject line of the email message.

3.      The fact that the message or an attachment to the message contains PHI will be reflected in the subject line of the email message.

4.      The email message will include Community Care's confidentiality notice.

5.      If a document that contains PHI is attached to the message, the User should verify before transmitting the email message that he/she has attached the proper attachment.

6.      Before transmitting the email message, Users should double-check the message and any attachments to verify that no unintended information is included.

7.      Users who communicate PHI via email will comply with all other Community Care policies and procedures.

c.      Any User who is unsure whether an email message or attachment contains PHI should contact his/her supervisor or the HIPAA Privacy Officer before initiating the email communication.

2. Communicating PHI with Clients

a.       Clients have the right to request that Community Care communicate with them via email.

b.      If a client requests email communications containing their PHI, the individual receiving the request must obtain a written request for email communications and provide the client with guidance on using Email via the Internet. If a client requests email communications containing their PHI, the individual receiving the request must obtain a completed Client Request for Email Communications form from the client AND must provide the client with the Important Information about Provider/Client Email form prior to processing the client's request.

c.      Community Care reserves the right to deny a client's request to communicate with him/her via email. For example, Community Care may deny a client's request for email communications if a provider with an existing clinical relationship with the client believes email communications with the client should not occur.

d.      If the client's initial request to communicate via email is granted by Community Care, the client will be required to complete the following prior to engaging, for the first time, in provider/client emails with Community Care:

a.       Respond to a test email with answers to a question specific to that client (i.e., the clients date of birth, father's name, mother's name, etc.) to verify the client's email address and identity; and

b.      Confirm the client's understanding of the risks of engaging in email communications with his/her providers.

e.      Request for email communications will be placed in the client folder for a minimum of six (6) years. Approved requests are valid regardless of the time period as long as a hard copy is maintained.

f.       An approved request will be effective for only the provider identified on the request. The client must complete a separate request for each provider with whom he/she wants to communicate via email, and must revoke each request to discontinue email communications.

3. Ownership of Electronic Mail

a.       The email system at Community Care belongs to Community Care.

b.      Community Care workforce will adhere to this policy when sending PHI and Community Care email policy when sending email that doesn't contain PHI.

c.      Community Care reserves the right to override individual passwords and access the email system at any time for valid business purposes such as system maintenance and repair and security investigations.

4. Retention of Email

a.       Community Care requires archives of email for the purposes of record recovery and regulatory compliance.

b.      Questions about retention activities should be directed to the Security Officer.

5. Definitions

User means any employee or other person authorized by Community Care to read, enter or update information created or transmitted via the electronic mail system.

Protected Health Information (PHI) means information, including demographic information that may identify the client, that relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual or the past, present or future payment for the provision of health care to an individual and identifies or could reasonably be used to identify the individual.

Workforce means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for Community Care, is under the direct control of Community Care, whether or not Community Care pays them.