General Compliance Policies

SP-04 SOD Emailing Patient Information

Policy Number: SP-04
Effective Date: 12/2015
Revision Date: 3/29/2024

Purpose

To guide faculty, staff, and students on the use of electronic communications with external third parties such as dental/medical clinics, hospitals, and individuals.

General Policy

The University of Washington School of Dentistry (UWSOD or School) prohibits the e-mailing of protected health information (PHI) to external recipients unless the exchange is encrypted or meets qualifying conditions, detailed below.

Background

Email is a convenient, effective, and highly popular means of communication.

Privacy of patient records is protected by Washington State confidentiality law and by HIPAA. The physical and electronic records belong to the School.  The Associate Dean for Predoctoral Clinical Education and Operations or designee is the official record custodian for the School.

The electronic communication guidelines outlined in this policy must be followed by anyone at the School who is communicating PHI with a third party or private individual. Failure to follow the policy may result in disciplinary or corrective action.

Implementation

I. Definitions

A.  Protected Health Information:  A subset, as defined by HIPAA, of individually identifiable health information maintained in health records and/or other clinical documentation in any form or media, whether electronic, paper, or verbal.

B. Third party organization whose email domain is on UW Medicine’s Approved List.  UW Medicine maintains a list of approved email domains that they have verified will support mandatory email encryption with uw.edu addresses.  See Appendix A for a list of approved email domains.

C. Third party organization whose email domain is not on UW Medicine’s Approved List.  Any third party whose email domain is not on the UW Medicine list of approved email domains. Electronically sharing PHI with such entities without encryption may result in a loss of patient privacy.

D. Private Individuals.  Any member of the public, i.e. patients or their representatives.

II. Communication Technology Components

1.     UWSOD Email Service.  Any email service that is currently in use at the UW School of Dentistry.

2.     Secure Messaging.  An online messaging service that enables secure (i.e. encrypted) transmission of information between a UW School of Dentistry user and a third party.

III. Usage Guidelines

This policy clarifies the following section of the SoD’s Compliance Handbook, page 11, under the header “Email,” which reads: “Emailing PHI: Emailing confidential information, including protected health information (PHI), requires encryption. Confidential information, including PHI, may not be sent between UW School of Dentistry workforce members and non-UW School of Dentistry workforce members without special encryption safeguards in place. Please contact IT & Computer Support before engaging in this type of communication.” It is no longer necessary to contact IT & Computer Support provided the user follows the appropriate standard listed below.

A. Communicating with third parties such as private practices, insurers, vendors, or other dental care professionals.

Statement Rationale
1. Unencrypted email must not be used to communicate any patient information, text, or images, with third party organizations whose domain is not on the UW Medicine approved list. When sent to most third parties, regular email contents and the attachments are sent in clear text, unencrypted.
2. Email can be used to communicate securely with any of the approved third party email domains documented by UW Medicine IT Services in their Approved Email Domains list (Appendix A). UW Medicine has confirmed that these documented email domains are safe for sending PHI using email.
3. Patient information/imaging upload portals (e.g. eMix) may be put in place by third party providers for the purpose of sharing patient information. These systems may be used by a UWSOD department with the approval of a UWSOD Department Chair, Director of Compliance and Director of IT. When approved, these systems are effective, secure and highly viable alternatives to standard email.
4. For any mail domains not documented as safe by UW Medicine IT Services, email communication with third parties must take place in a HIPAA compliant manner.  The UW School of Dentistry will provide a secure messaging solution that can be licensed and installed on a per user basis and used to establish secure messaging channels with third party providers. Secure messaging solutions provided by the School of Dentistry must be used when sending PHI to third parties whose email domain is not on UW Med’s Approved List.  This includes replying to outside referrals, etc.
5. Images containing Patient Information that have been exported from UWSOD PACS systems (e.g. MiPACS, Dolphin, etc.) to a PC or other device for the purposes of emailing or uploading to a third-party provider should be deleted from their temporary location on your device as soon as possible after communication has happened. Storing medical images on a PC or other device increases risk.
6. UWSOD users should not forward their uw.edu email to any third-party service (such as Gmail, Hotmail, etc.) unless the domain is on the UW Medicine list of approved domains. Consumer email solutions do not adequately protect PHI.

B. Communicating with Private Individuals such as patients

Statement Rationale
1. Secure e-mail communication with individuals, either through an encrypted application or between secure domains (as mentioned above) is permitted. Secure messaging is the safest form of electronic communication.  Using your professional judgment, take reasonable steps to confirm the identity of the individual, and keep the amount of information you share to the minimum necessary.  If germane to clinical decision-making, electronically copy and paste exchanges into the patient’s axiUm chart in Contact Notes.
2. In cases where you or the patient initiate e-mail contact over standard, unencrypted methods to discuss details related to their care, include the following language to warn the patient that e-mail over the internet is not secure, then note this in the patient’s axiUm Contact Notes. Include the following language under your signature in any e-mail you send to patients:
 
“The above email may contain patient identifiable or confidential information. Because email is not secure, please be aware of associated risk of email transmission. If you are communicating with a UW School of Dentistry Provider or Researcher via email, your acceptance of the risk and agreement to the conditions for email communications is implied. See the Agreement for Electronic Correspondence at https://dental.washington.edu/compliance/hipaa/agreement-for-electronic-correspondence/.
 
Confidentiality Notice:  This e-mail message and any attachments are for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure, distribution or copying is prohibited. If you are not the intended recipient(s), please contact the sender by replying to the e-mail and destroy/delete all copies of this e-mail message. See our Notice of Privacy Practices at https://www.dental.washington.edu/compliance/hipaa.”
Federal guidelines for using email with patients are outlined in Appendix B.

APPENDIX A

UW Medicine Approved Email Domains—also approved for UWSOD

​The list is regularly updated and can be viewed here.

HIPAA Guidelines re emailing patients

How to encrypt an outgoing email message in Outlook

Step 1. When in the email message, select File

Step 2. Select Encrypt

Step 3. Select Encrypt Only