Secure Email

• Background
• How Secure Email Works
• To Send a Secure Email
• What to Expect as a Sender
• What to Expect as a Recipient
• SOM, ITS, and Medical Center Exchange Customer Considerations
• Customer Support
• Pre-Notification Sample Letter

Background

UCSF Medical Center IT, ITS, and the School of Medicine Information Services Unit (ISU) have collaboratively developed a system to send secure email. The system, UCSF Secure Messenger, is hosted by UCSF Medical Center IT, and is designed to help faculty, students, and staff comply with federal HIPAA Security regulations that go into effect April 21, 2005.

According to HIPAA regulations, any electronic communication that contains Protected Health Information (PHI) must be transmitted in a way that protects the confidentiality of patient information. When you send, receive or store any electronic document that contains UCSF confidential or patient information, you are responsible for ensuring the information is processed securely. Using UCSF Secure Messenger enables Microsoft Exchange email users in the Medical Center, the School of Medicine ISU, and ITS to send and track secured outbound emails.

How Secure Email Works
The UCSF Secure Email system transmits your outbound email message to the UCSF Secure Messenger website. Secure Messenger then sends your message recipient an email notification that there is a secure email message waiting at the UCSF Secure Messenger website. This notification also includes an embedded link to the UCSF Secure Messenger site. By following this link, the message recipient can retrieve the message after logging in to the site.

To Send a Secure Email
It's easy to use the UCSF Secure Messenger service to send secure email.

• Type ePHI:, PHI: or Secure: in the Subject line of your Outlook email message. (Be sure to include the colon and the space).
• Continue typing your subject line.
• Compose and send the email as you normally would.

For example, to send secure email regarding a patient’s appointment, the Subject line could read:

• ePHI: Regarding your appointment
• PHI: Regarding Your Appointment
• Secure: Regarding Your Appointment

After being sent, your message is securely stored in an encrypted or coded format until it is retrieved by the recipient.

What to Expect as a Sender
After you send your email, UCSF Secure Messenger sends you an email confirmation that it has sent your email as a secure message. The notification contains the following details:

• Recipient Address(es)
• Subject line text without the keyword trigger word (ePHI, PHI or Secure)
• Attachments (if any)
• Date and time sent

When your recipient retrieves the email from the UCSF Secure Messenger website, Secure Messenger sends you another email notification with the date and time your recipient retrieved the message. This second notification also includes recipient address(es), subject, attachment(s), and date and time sent.

Medical Center, the School of Medicine ISU, and ITS Microsoft Exchange customers can track secure messages via an account that has been created for you on UCSF Secure Messenger.

To access your UCSF Secure Messenger account:

• Click on the URL contained in the notification:
  https://smmcb01.ucsfmedicalcenter.org/messenger .
• Log in with your Outlook email address and Windows Active Directory password.
• Select Sent Items under the MESSAGES to review status of your sent mail .

What to Expect as a Recipient

When you send a secure email via UCSF Secure Messenger, your recipient receives a plain text, UCSF-branded email containing notification that a secure message has been sent from you. The notification contains:

• Your subject line without the trigger keyword (ePHI, PHI, Secure)
• A VIEW MESSAGE link

Your recipient retrieves the email by clicking on VIEW MESSAGE to link to the UCSF Secure Messenger website, and then logging on to the site.

The first time recipients receives a secure message from you, they are required to register by providing the following:

• Recipient’s First Name
• Recipient’s Last name
• Password
• Password re-entered
• Password hint phrase (to be used if registrant forgets her password)
• Users who have already completed the registration will be required only to enter their password when signing onto UCSF Secure Messenger.

This is what the message looks like.

School of Medicine ISU, ITS, and Medical Center Exchange Customer Considerations

Messages sent between UCSF Exchange Customers are already secure and therefore are not processed by the UCSF Secure Messenger service.

Recipients’ replies to secure messages from a UCSF Exchange account are received in decrypted form in the sender’s Outlook/Exchange mailbox. Replies are also stored securely in the sender’s Secure Messenger account mailbox.

Delivery and non-Delivery messages are received in the sender’s Outlook/Exchange mailbox.

UCSF Exchange customers can manage sent emails from their UCSF Secure Messenger mailbox.

Customer Support
School of Medicine ISU Customers who have questions about, or who are experiencing difficulty sending secure email via UCSF Secure Messenger, should contact Customer Support at (415) 502-1919. Support hours are Monday – Friday, 7 a.m. to 6 p.m.

The secure email notification non-UCSF email recipients receive directs the recipient to contact the UCSF email sender for assistance.

Senders who receive help requests from their recipients should contact their appropriate UCSF support service.

Pre-Notification Sample Letter
UCSF faculty, students and staff who plan to use UCSF Secure Messenger may want to send a pre-notification letter (See sample) to potential recipients first. Be sure to send this WITHOUT a UCSF Secure Email trigger.

Note that the sample letter contains a link to a survey questionnaire about the secure email service. Please encourage your recipients to participate in the survey so that we can improve the system.