Emailing Protected Health Information (PHI) and/or Restricted/Sensitive Data

To provide for compliance, security, and efficient support services when conducting University of Florida (UF) business via electronic mail, please be sure to adhere to the following guidelines when emailing PHI and/or restricted/sensitive data:

• All UF employees must use a university-provided or approved electronic mail service when conducting University business via electronic mail.

• NEVER automatically forward UF emails to an external (non-UF) account.

• Emails sent to an external address (non-UF) containing PHI or other restricted/sensitive data (including emails transmitting information related to clinical research studies) must be manually encrypted (click here for instructions).

• Emails stating “NOT FOR DISTRIBUTION – INTERNAL RELEASE ONLY” should not be forwarded outside of UF or shared with anyone beyond the intended audience.

• When emailing information internally (username@ufl.edu), only send the minimum amount of patient information necessary, and avoid sending mass emails to large numbers of staff when restricted, sensitive or patient data is included.

• Immediately report any email containing PHI or other restricted/sensitive data that is sent unsecured to an external (non-UF) address.

• Always verify the address before sending an email.

• Emails sent internally between accounts ending in “ufl.edu” are secure and do not need encryption.

• Social Security Numbers, even in a truncated form, must be encrypted when transmitted either within or outside the ufl.edu system.