HIPAA
Email Encryption
ETSU Faculty, Staff and Students may now communicate protected health information as needed via email so long as the email is encrypted using the procedure below. You no longer need to restrict the identifiers contained in the body of the email message, though you should not include identifiers that are not necessary. You no longer need to password encrypt the attachment itself; the message and the attachment will encrypt when the instructions below are followed.
For the time being, please continue to adhere to the current HIPAA Email policy for email communications with patients.
ENCRYPTED EMAIL: Typing the word "encrypt" in the subject line of the email will trigger Microsoft 365 to encrypt the email message and attachment.
I. Internal Email Communications (etsu.edu to etsu.edu)
- Simply type the word "encrypt" anywhere in the subject line to encrypt the contents of the message and the message attachments
- Do not include protected health information in the subject line as the subject line itself is not secure
- Encrypted messages sent internally will show up in the ETSU inbox and look completely normal; no actions have to be taken to decrypt/read the message
- When the recipient takes subsequent action with an encrypted email (e.g. replies or forwards it) the subsequent emails will remain encrypted so long as the trigger word "encrypt" remains in the subject line
II. External Email Communications (etsu.edu to external address)
- Simply type the word "encrypt" anywhere in the subject line to encrypt the contents of the message and the message attachments
- Do not include protected health information in the subject line as the subject line itself is not secure
- Encrypted messages sent from an etsu.edu address to an external address will show up in the recipient's mailbox and require extra steps: the recipient will have to follow instructions to access contents of the encrypted message within a secure portal session
- When the recipient takes subsequent action with an encrypted email (e.g. replies or forwards it) the subsequent emails will remain encrypted so long as all actions are taken within the secure portal session
If you have any questions or concerns about using encrypted email to communicate protected health information, please do not hesitate to contact ITS (itshelp@etsu.edu) or the HIPAA Compliance Office (HIPAA@etsu.edu). We hope you will find this new capability useful and convenient. Thank you for your continued commitment to protecting the privacy and security of ETSU patients' health information.
External Encrypted Email Explained
Suppose an etsu.edu user sends an encrypted email to an external MSHA email address by typing the word "encrypt" in the subject line. The MSHA recipient will receive an email that says: "You've received an encrypted message from username@etsu.edu." To actually read the content of the message, the MSHA recipient has to click a link and verify they are who they say they are by entering a code that Microsoft auto-generates for them. The actual message content then opens inside a secure portal session. Actions taken by the MSHA recipient inside the secure portal will remain encrypted.