Secure Email

Overview

To comply with HIPAA, all email communication containing PHI must be kept confidential. Email leaving Creighton must be protected so that it cannot be read while in transit. To that end, we've made this process easy for you with an email encryption solution from ZixCorp. There are no keys to exchange or cumbersome steps to remember. It works seamlessly with our current email application, so there's no learning curve and no information to transfer.

 

Emails containing PHI will be sent securely. Recipients will go through a few simple steps to access messages and will also be able to respond securely.

 

If you have any questions, please contact the Service Desk at 402-280-1111.

FAQ

What is Secure Messaging?

Secure Messaging is the automatic process of:

 

* Identifying outbound emails that contain Protected Health Information (PHI)
* Encrypting the email messages that have been identified as containing PHI
* Sending encrypted email using ZixCorp's Best Method of Delivery™

 
How is PHI identified?

The content of all outbound messages is scanned and compared against two lexicons, or dictionaries.

 

* Identifier Lexicon contains criteria for identifier information
[example: Social Security numbers]
* HIPAA Lexicon contains HIPAA terminology
[example: a health condition/disease]

 

The content of the email message must meet criteria defined in both lexicons for encryption to occur.

 

* Example 1: Message will be encrypted if message or attachments contain a Social Security number and a name of a disease.
* Example 2: Message will not be encrypted if message or attachments only include a Social Security number.
* Example 3: Message will not be encrypted if message or attachments only include a name of a disease.

 
 
Are there any limitations of this product?

Yes. Emails sent with a proper name and corresponding medical information will not be identified as PHI by this product and will not be automatically encrypted.

 

For example, an email containing a phrase such as "...patient William Phatner was referred to you for treatment of acute otitis externa..." will not get encrypted. This phrase, although it contains an identifier and HIPAA terminology, would not trigger encryption because the solution will never see a patient's name alone as an identifier.

 

In cases like this, the sender should add the keyword flag to the subject line to force encryption.

 
What is a Keyword Flag?

A keyword flag is a predefined word that is added as the first word of the subject line to tell the Secure Email program to encrypt the message regardless of the content. Use of the Keyword Flag in the above example involving patient William Phatner would have forced the message to get encrypted, which is the proper procedure to stay compliant with HIPAA standards.

 

Creighton has chosen the word "Secure" as the Keyword Flag. When the word "Secure" or "secure" (not case sensitive) is added as the first word of the subject line, the email will get encrypted and sent securely to its recipient. Creighton also uses the Keyword Flag "Secureport" (again not case sensitive) to force emails to be sent securely via a secure portal. The secure portal can be used when sending emails to users of Macintosh computers or those who have told you they cannot open emails sent using the standard encryption method (this should occur very rarely). For more information on the use of the Keyword Flag, please contact Creighton's Service Desk at 280-1111.
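The decision rules described in this FAQ (both lexicons must match, or a keyword flag appears as the first word of the subject) can be modelled as below, including the name-plus-diagnosis gap. This is an added example, not ZixCorp's or Creighton's code; the lexicon contents, the function names, and the treatment of attachments as already-extracted text are assumptions.

```python
import re

# Constructed stand-ins for the two lexicons; the real ZixCorp lexicons are not on this page.
IDENTIFIER_PATTERNS = [re.compile(r"\b\d{3}-\d{2}-\d{4}\b")]  # SSN-shaped number
HIPAA_TERMS = {"otitis externa", "diabetes", "hypertension"}

# Keyword flags named on the page, compared case-insensitively.
FLAG_ENCRYPT = "secure"
FLAG_PORTAL = "secureport"


def lexicon_hits(text):
    """Return (identifier_hit, hipaa_hit) for one blob of text."""
    lowered = text.lower()
    identifier = any(p.search(text) for p in IDENTIFIER_PATTERNS)
    hipaa = any(term in lowered for term in HIPAA_TERMS)
    return identifier, hipaa


def first_subject_word(subject):
    """The flag only counts as the first word of the subject line."""
    words = subject.split()
    return words[0].lower() if words else ""


def delivery_decision(subject, body, attachments=()):
    """Model the policy outcome: 'portal', 'encrypt' or 'plaintext'."""
    flag = first_subject_word(subject)
    if flag == FLAG_PORTAL:
        return "portal"
    if flag == FLAG_ENCRYPT:
        return "encrypt"
    # Body and attachment text are scanned together; BOTH lexicons must match.
    identifier, hipaa = lexicon_hits("\n".join([body, *attachments]))
    return "encrypt" if identifier and hipaa else "plaintext"


# Constructed sample messages; 000-12-3456 is SSN-shaped but not an issuable number.
REFERRAL = "patient William Phatner was referred to you for treatment of acute otitis externa"
SAMPLES = [
    ("Lab results", "SSN 000-12-3456, diagnosis: diabetes"),  # Example 1
    ("Lab results", "SSN 000-12-3456"),                       # Example 2
    ("Follow-up", "treated for hypertension"),                # Example 3
    ("Referral", REFERRAL),                                   # name + diagnosis gap
    ("Secure Referral", REFERRAL),                            # flag closes the gap
]

if __name__ == "__main__":
    for subject, body in SAMPLES:
        print(f"{subject!r:20} -> {delivery_decision(subject, body)}")
```

Running the referral sample with and without the flag shows why the sender, not the scanner, is the control for name-plus-diagnosis messages.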

 
What if PHI is in the subject line?

It is not practical to encrypt a subject line of an email. Therefore, any email messages that contain PHI in the subject line will be rejected and returned to the sender.

 

What do you do if this happens?
* Review the subject line
* Make necessary corrections
* Resend the email

 
Why are we implementing Secure Messaging?

With the adoption of HIPAA, all communications containing PHI are required to be secured. To help implement this important and practical security measure, we are using secure messaging services to protect our email and ensure all PHI remains confidential.

 
Sending a Secure Message

If lexicon policies are used exclusively, the encryption process will happen transparently without requiring any user input. Please refer to "What is Secure Messaging?" above for more details.

 

However, your organization may have also set up a special keyword encryption policy. In that case, you would just type the specific keyword (e.g. secure or confidential) anywhere in the subject of your email and the content of the email will automatically get encrypted once it is sent. Please contact DoIT's Service Desk to determine if Creighton will implement a specific keyword.

 
What if the recipient does not retrieve the message?

Some messages (those delivered to the Creighton University Secure Email Message Center) will automatically expire if they have not been read within 21 days. If the recipient does not retrieve the message before the expiration date, you will receive an expiration notification email. The original message will be deleted from the secure Web site.

 

A majority of the messages sent through Creighton's secure email solution will be delivered to the recipient's inbox and will never expire. 

 

How can I access the Message Center (Portal) later to reread or send a secure message?

Whenever you receive a new secure email message, it will ALWAYS arrive with a plaintext message in your normal inbox. The message will contain a link to the new message; you can simply click the link in the email to access your new message.

 

If you want to go back to the Message Center later to reread, reply, forward, or compose a new message you can do so by clicking the following link or typing the URL in the address box of most web browsers.

 

https://creighton-securemail.net/

 

 

HIPAA Security

At Creighton, secure email is more than a matter of HIPAA compliance; it is also a matter of trust.

Secure Email Resources:

Secure Email Job Aid

 

Instructions on how to retrieve secure email

Secure Email Features:

ZixVPM will AUTOMATICALLY scan all outgoing mail for HIPAA content. If it is found in the body or attachments, the email will be encrypted and sent to the recipient.

Sender has to do NOTHING!

Recipient simply establishes a password with ZixCorp by following the instructions in the email to open the encrypted message.

The ZixVPM is over 99% accurate at identifying and encrypting protected health information.

CU’s Zix solution will be installed during the week of Nov. 6th, with testing conducted the weeks of Nov. 13th thru Dec. 20th. Following testing, a final ‘go live’ date will be set for early 2007.

2500 California Plaza
Omaha, NE 68178
Phone - 402.280-2700
Copyright © 2008
Creighton University