SendSafe Secure Email




By the end of the course, you will be able to:
- Recognize the importance of encrypting email
- Identify items for encryption
- Encrypt email
- Manage blocked email
- Advise recipients on retrieving encrypted email

What is SendSafe Secure Email ("SendSafe")?
- NYULMC's email encryption system to secure email sent to non-Medical Center email addresses
- Significantly reduce the risk of protected health information (PHI) and other Medical Center information being exposed to unauthorized individuals during transmission
- Proactively comply with the Health Insurance Portability and Accountability Act (HIPAA)

What is encryption? Encryption involves the use of computer software that makes electronically stored or transmitted data unusable, unreadable, or undecipherable to unauthorized individuals.

When do you encrypt email?
Always encrypt email that contains Protected Health Information (PHI) and is being sent to a non-Medical Center email address.
PHI is individually identifiable health information that is transmitted or maintained orally, electronically, or on paper.
Individually identifiable health information is any information that relates to:
- Physical or mental health of an individual
- Health care services received by an individual
- Patient billing information
To be considered individually identifiable information, the information must either:
- Identify the individual
- Be such that it is reasonable to believe it could be used to identify the individual

Patient Identifiers
- Name
- Address
- Telephone number
- Fax number
- Social security number
- Medical record number
- Health plan number
- Account number
- Dates
- Photos
- Certificate/license number
- Vehicle identifiers
- Biometric identifiers
- Device identifiers
- Email address
- Web URL
- IP address
- Other unique identifiers

When do you encrypt email?
You must encrypt emails that contain PHI and are being sent outside the Medical Center.
Consider encrypting other Medical Center information to reduce the risk of exposure to unintended individuals. Examples include but are not limited to:
- Research data
- Donor information
- Intellectual property
- Marketing ideas
- Financial information
- Student records or grades

When do you encrypt email?
Be cautious when replying to or forwarding emails that contain PHI. Replying to or forwarding an email that contains PHI to the same person or others with a non-Medical Center email address still requires encryption.
If the reply or forwarded email contains PHI:
- Delete the portion of the email that contains PHI
- Start a new email with no PHI
- Encrypt the email

What does being sent to a non-Medical Center email address mean?
Medical Center email is any email address that ends with:
- @nyumc.org
- @med.nyu.edu
Non-Medical Center email addresses include, but are not limited to:
- @gmail.com
- @yahoo.com
- Other hospitals: @nychhc.org, @mskcc.org
- Consultants or vendors: @pwc.com, @deloitte.com
- Government Agencies: @hhs.gov, @wellpoint.com
- New York University: @nyu.edu

How to send an encrypted email
Step 1: Open your Medical Center email and write a message as you normally would
Step 2: Identify that your email contains PHI
Step 3: Type [safe] in the Subject line of your email
Step 4: Proceed to send email as you normally would

Automatic Email Block
The Medical Center system will automatically block unencrypted email that appears to contain specific combinations of:
- Patient name
- Medical record number
- Date of birth, and/or
- Social security number
- Any numbers that resemble a social security number
* Automatic blocking will only occur if the email is sent to a non-Medical Center email address.
* Automatic blocking does not change your responsibility to identify and encrypt PHI.

How to Manage Blocked Email If the system detects PHI or a Social Security Number (SSN) and automatically blocks your email, you will receive an email notification of the block in your email inbox within seconds of clicking the send button.

How to Manage Blocked Email
Sample blocked-email notification:

To: John Doe
Attachments:

Dear Colleague:

Your email with the subject line "Requested patient information" appears to contain protected health information (PHI) that may include patient name, medical record number, date of birth, and social security number (SSN). Your email was automatically blocked from delivery to a non-Medical Center address.

If it is necessary for you to send an email containing PHI or SSN to a non-Medical Center address, you must encrypt the email by including the word "safe" in square brackets, [safe], anywhere in the subject line of the email.

To learn more about email encryption, visit the SendSafe Secure Email FAQs page or complete the SendSafe online tutorial available on idevelop.

Thank you for your cooperation,
NYULMC Internal Audit, Compliance & Enterprise Risk Management

*Do not respond to the email ComplianceDLP@nyumc.org, as this is not a monitored email address. If you have questions please refer to the SendSafe webpage.

How to Manage Blocked Email
When you receive the blocked-email notification:
- Review the original email in your sent mailbox or the message as an attachment in the blocked notification
- Identify items that appear to be PHI
- Remove PHI or encrypt email by typing [safe] in the Subject line
*Do not ignore a blocked email notification because your email will remain undelivered until you respond

Help, My Email Does Not Contain PHI or SSN
Automatic blocking may occur if:
- Text or characters in your email may happen to match PHI in our system
- Email contains a 9 digit number that resembles a social security number
Examples:
- Telephone numbers where a digit was left out: 212-12-1234
- Account number made up of 9 digits that resemble a SSN: 123.12.1234
- Foreign phone numbers
- Name (first or last) and a 9 digit string that resembles a SSN
What to do?
1. Confirm that neither the main body nor attachments contain actual PHI
2. If there is no PHI, remove items that resemble PHI, if possible
3. If the items that resemble PHI are necessary for your email, then encrypt the email and send
How to encrypt? Type [safe] anywhere on the Subject line of the email
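A simplified model of the gateway behaviour described above (external-only blocking, the [safe] subject tag, and the listed false positives), added here as an example; it is not NYULMC's or any vendor's actual rule set. The SSN-like pattern, the case-insensitive tag match, the function names, and the sample messages are assumptions, and only the "number that resembles a social security number" rule is modelled.

```python
import re

# Medical Center domains exactly as listed on the page; all others are external.
INTERNAL_DOMAINS = {"nyumc.org", "med.nyu.edu"}

# The page says [safe] may appear anywhere in the Subject line.
# Case-insensitive matching is an assumption of this sketch.
SAFE_TAG = re.compile(r"\[safe\]", re.IGNORECASE)

# Assumed pattern: 3-2-4 digits, optional '-', '.' or space separators, not part
# of a longer digit run. The production rule set is not given on the page.
SSN_LIKE = re.compile(r"(?<!\d)\d{3}[-. ]?\d{2}[-. ]?\d{4}(?!\d)")


def is_external(address):
    """True unless the address ends in a listed Medical Center domain."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return domain not in INTERNAL_DOMAINS  # exact match: nyu.edu stays external


def ssn_like_hits(text):
    """Return every substring that resembles a social security number."""
    return SSN_LIKE.findall(text)


def gateway_decision(subject, body, recipients):
    """Return 'deliver', 'encrypt' or 'block' for one outbound message."""
    if not any(is_external(r) for r in recipients):
        return "deliver"      # internal-only mail is never auto-blocked
    if SAFE_TAG.search(subject):
        return "encrypt"      # sender asked for encryption
    if ssn_like_hits(subject + "\n" + body):
        return "block"        # looks like an SSN and is leaving unencrypted
    return "deliver"


# Constructed sample messages (not real data).
SAMPLES = [
    ("Requested patient information", "SSN 123-45-6789", ["payor@wellpoint.com"]),
    ("[safe] Requested patient information", "SSN 123-45-6789", ["payor@wellpoint.com"]),
    ("Requested patient information", "SSN 123-45-6789", ["colleague@nyumc.org"]),
    ("Callback", "Reach me at 212-12-1234", ["friend@gmail.com"]),   # phone missing a digit
    ("Invoice", "Account 123.12.1234", ["vendor@pwc.com"]),          # 9-digit account number
    ("Help Desk", "Call 212-263-6868", ["friend@gmail.com"]),        # full phone number
]

if __name__ == "__main__":
    for subject, body, rcpts in SAMPLES:
        print(f"{gateway_decision(subject, body, rcpts):8} {subject!r} -> {rcpts}")
```

The fourth and fifth samples are blocked even though they carry no PHI, which is the false-positive case the slide describes; the complete ten-digit phone number is not flagged.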

Remote Access It is easy to encrypt email, but do not send PHI to your personal email account in order to access information remotely. If you need to access PHI remotely, you should save your work on the network drive and access PHI through atnyulmc. If you need to transport PHI and cannot access atnyulmc, contact Medical Center IT for an Iron Key, a fully encrypted USB flash drive.

Prepare email recipients
- Email Notification
- Registration: Create a Password & Select Delivery Option
- Message Retrieval
Recipient Resources: Quick Reference Guide for Email Recipients, http://compliance.med.nyu.edu/sendsafe

Recipient receives email notification

First time recipients, click on link to register

Prompt to create a password

Settings default to SendSafe Secure On-Line Email; the default option is already selected

With default settings, recipients can read their messages, access their inbox, and reply to messages securely

Available Resources
Office of Internal Audit, Compliance & Enterprise Risk Management website: http://compliance.med.nyu.edu/sendsafe
- Frequently Asked Questions
- Medical Center Training Manual
- Quick Reference Guide for Medical Center Email Senders
- Quick Reference Guide for Email Recipients Registration Process
- Quick Reference Guide for Email Recipients PDF Attachment
For technical inquiries, open a MCIT ticket or contact the Help Desk at 212-263-6868.

Let's Review

SendSafe Quiz Question 1 of 7
You are a Medical Center employee. You use your Medical Center email to send PHI to a NYULMC colleague's Medical Center email. Do you need to encrypt the email?
A. Yes
B. No

SendSafe Quiz Question 2 of 7
You are a billing staff member. An insurance payor requests additional information to process a claim. You respond to the request by using Medical Center email. Are you required to encrypt the email?
A. Yes
B. No

Always encrypt email that contains PHI and is being sent outside the Medical Center. The information should only include the minimum necessary PHI for treatment, payment, or health care operations.

SendSafe Quiz Question 3 of 7
You are a specialist provider. After rendering a consultation to a patient, you write a consultation letter to the referring physician, scan the letter into PDF format, and send the PDF as an email attachment to the referring physician at another hospital. Are you required to encrypt the email?
A. Yes
B. No

SendSafe Quiz Question 4 of 7
You will be attending an out-of-state conference for the next two days but need to work on a project that has a spreadsheet with patient names, date of birth, and diagnoses. To work remotely, you send the spreadsheet to your personal Yahoo email account. Since you can easily encrypt email, is it okay to do this?
A. Yes
B. No

SendSafe Quiz Question 5 of 7
Most of the patients who are seen at your office participate in MyChart, the Medical Center's secure online patient access to medical information in the Epic electronic health record. An established patient who does not participate in MyChart requests that your office send his lab results to his personal email. Are you required to encrypt the email?
A. Yes, but
B. No

MyChart
Encourage patients to participate in MyChart for secure online access to their medical information. If it is necessary to email PHI, always type [safe] anywhere in the Subject line to encrypt the email. For more information about MyChart, visit https://mychart.nyulmc.org/mychart.

SendSafe Quiz Question 6 of 7
A patient sends an email message that contains PHI to your Medical Center email. After reading the email, you click Reply and type "Thank you" in the body of the message. Are you required to encrypt the email?
A. Yes
B. No

Replying to an Email that contains PHI
When you click on Reply you are transmitting the entire message, including the PHI in the patient's email, outside the Medical Center. You may choose to delete the portion of the email that contains PHI, start a new email to thank the patient, or encrypt the email by typing [safe] anywhere in the Subject line.

SendSafe Quiz Question 7 of 7
Your unencrypted email that contains a patient's name and social security number was automatically blocked from delivery to a non-Medical Center email address. The information included in your email is necessary to perform your job duties, and for this reason, you must send this email with PHI. Are you required to encrypt the email?
A. Yes
B. No
[Image: Auto-blocked email]

Thank you for completing this training