Email Usage Policy
Published: March 2010
Revised: March 2018
Email is an expedient communication vehicle to send messages to the OMG community. The OMG recognizes and has established the use of email as an official means of communication. However, use of an email system at the OMG requires adequate security measures to protect the Data (as such term is defined in the OMG Information Security Charter (the “Charter”) https://www.omahamediagroup.com/isc.
Capitalized terms used herein without definition are defined in the Charter.
II. Policy History
- The effective date of this Policy is March 30, 2010.
- Reviewed and/or revised March 14, 2018.
III. Policy Text
A. Approved OMG Email Systems
All email used to conduct OMG business must be transmitted via an Approved OMG Email System. For purposes of this Policy, an “Approved OMG Email System” is Google Suite, Gmail, any email client connected securely to OMG Google Suite Email System and any other Email client that has been risk assessed and approved by the applicable Information Security Office.
B. Contingency Plans
- No User of OMG email may take any of the following actions:
- Send or forward an email through a OMG System or Network for any purpose if such email transmission violates laws, regulations or OMG policies and procedures;
- Use any Email System other than an Approved OMG Email System, to conduct OMG business or to represent oneself or one’s business on behalf of the OMG unless approved by OMG and/or are a staff member of OMG. Examples of Email Systems that are not approved include a personal email account (i.e., email@example.com).
- Send nuisance email or other online messages such as chain letters;
- Send obscene or harassing messages;
- Send unsolicited email messages to a large number of Users unless explicitly approved by the appropriate OMG authority; or
- Impersonate any other person or group by modifying email header information to deceive recipients.
C. Provisions Relating to Emails Containing Sensitive Data
Each User shall ensure that Sensitive Data is transmitted by email only if the following conditions are met:
- Except as provided in Section D below, all email communications of Sensitive Data are encrypted before being transmitted.
- Sensitive Data are not transmitted in the “Subject” line of an email.
- Before transmitting an email that contains Sensitive Data, the User double-checks the message and any attachment to verify that no unintended information is included and that the proper document is attached.
- Before transmitting an email that contains Sensitive Data, the User double-checks the identity of the recipients.
D. Provisions Relating to Email Within the OMG Clientele Healthcare Component
For purposes of this Policy, an “Approved OMG Email System” is any OMG Email System other than Google Suite, any OMG IT Email System and any other Email System used within the OMG/Healthcare Clientele Component that has been approved by the OMG Information Security Office.
The following provisions relate only to email transmitted by Users within the OMG Health Care Component:
- Unencrypted ePHI communications may be transmitted internally if sent on an Approved OMG Email System.
- No automatic forwarding, redirection or automated delivery of email outside the OMG Clientele Healthcare Component may be used.
- Email messages containing ePHI must include the following confidentiality notice: “This electronic message is intended to be for the use only of the named recipient and may contain information that is confidential or privileged. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of the contents of this message is strictly prohibited. If you have received this message in error or are not the named recipient, please notify us immediately by contacting the sender at the electronic email address noted above, and delete and destroy all copies of this message. Thank you.”
- Any User who is unsure whether an email message or attachment contains Sensitive Data must contact his/her supervisor or the Office of HIPAA Compliance before initiating the email communication.
E. Communicating Protected Health Information (PHI) to Patients via Email
- Patients have the right to request that the OMG/Healthcare Clientele Component communicate with them via email.
- Subject to Section 3, all email communications with patients must be transmitted in encrypted form on an Approved OMG/Healthcare Clientele Component Email System. The subject line of the email communication must include #encrypt and must not include any PHI.
- At the request of a patient, email communications may be sent in unencrypted form, provided that the Office of HIPAA Compliance is contacted for guidance prior to sending the first unencrypted communication to the patient.
- The OMG/Healthcare Clientele Component reserves the right to deny a patient’s request to communicate with him/her via email. For example, a patient’s request for email communications may be denied by the OMG/Healthcare Clientele Component if a provider with an existing clinical relationship with the patient believes email communications with the patient should not occur.
- Patients should be encouraged to use an electronic personal health record to communicate with their health care providers.
F. Privacy Expectations
OMG observes the Privacy Expectations described in the OMG Acceptable Usage of Information Resources Policy https://www.omahamediagroup.com/isc with respect to email.
For reasons relating to compliance, security or legal proceedings (e.g., subpoenas) or in an emergency or in exceptional circumstances, the Office of the General Counsel may authorize the reading, blocking or deletion of Data. In particular, in the context of a litigation or an investigation, it may be necessary to access Data with potentially relevant information. Any such action taken must be immediately reported to the Office of the General Counsel and the applicable Information Security Office.
OMG may record information about certain data elements of email messages in the course of monitoring or maintaining its email systems. These data include, but are not limited to: (a) the identity and address of the authenticated sender, (b) the address of the recipient, (c) the size of the message, (d) the transmission time, (e) the headers of the email, (f) the subject of the message, (g) the number of attachments and (h) certain features that are used to identify spam.
OMG uses a Data Loss Prevention (DLP) solution that filters outbound email messages and attachments to identify the presence of character patterns resembling Sensitive Data, examples of which could include social security numbers, credit card numbers, patient record numbers or certain identifiable data elements that constitute ePHI. Upon detecting a character pattern that 4 might reflect the presence of Sensitive Data, the DLP appliance blocks the email and automatically sends a message to the sender instructing him/her to re-send the contents in encrypted form or to take comparable appropriate action. The filtering consists of automatic scanning for prescribed character patterns and does not permit reading the contents of the email.
IV. Cross References to Related Policies
The Information Security Policies and certain additional documentation referred to in this Policy are listed in Appendix A hereto.
- Acceptable Usage of Information Resources Policy
- Information Security Charter