Email Policies

* This document was provided by UCI Health Sciences Compliance Office. (Revised 1-15-2008)

Note - UCI Health provides access to email via handheld devices based on the above security policy. Implementation of these security requirements will be implemented as possible. Access issues and security problems can be reported to the Service Desk. UCI Health Information Services is not liable for lost data in the event a handheld device is erased (either due to user error or by security features that are implemented). If you are not sure of the impact of these measures please contact the Service Desk.

Scope

This policy applies to all "Handheld Computing Devices" including, but not limited to: Digital Organizers, Personal Digital Assistants, Smart Phones, Wireless email Devices (Blackberry, Treo, etc.), and any other portable device used to store or access protected health information or other sensitive data. This policy does not apply to any devices, such as laptop computers, which are specifically covered under other policies. Any removable media used in conjunction with a handheld computing device should be safeguarded according to the appropriate policies on digital media. Compliance with this security policy is a requirement for all handheld computing devices storing or accessing protected health information on the University of California Irvine network.

General Guidelines

Handheld computing devices provide increasing levels of power, portability, and convenience to their users. Security measures used to safeguard protected health information should be reasonable and appropriate to the sensitivity of the information and the risk of a disclosure. Cumbersome security measures that discourage full compliance should be avoided.

Users are encouraged to secure handheld computing devices that they control using network controlled or centrally managed software that provides a client/server model for policy change and enforcement on handheld computing devices.

When possible and appropriate, any health information should be stored on handheld computing devices in a de-identified form; where names, date of birth, social security numbers or other clear identifiers as outlined in the HIPAA regulations are not included with the information stored on the device.

Handheld Requirements

The following are specific technical requirements that must be satisfied by every handheld computing device storing or accessing protected health information or other sensitive information, including those purchased with personal funds. These requirements are general enough that any appropriate handheld computing device should be capable of compliance. Handheld computing devices used to process protected health information or other sensitive information must:

• Require a power-on password. "Quick" passwords that are activated by pressing a sequence of function keys on the device are acceptable.
• Be configured to log-off or power down no longer than fifteen (15) minutes after the last user activity.
• Use encryption for all protected health information or other sensitive information that is stored on external media such as memory cards.
• Require a minimum password length of four (4) characters or keys.
• Provide a device reset (data erasure) if an incorrect password is entered more than eight (8) consecutive times, when technically feasible.

Equipment Disposal

Prior to disposal or transfer, all handheld computing devices and associated memory cards must be completely cleared of all data.

Exceptions

Exceptions to this policy will be strictly limited and are subject to approval by UCI Health Information Services.

Reporting

Loss, theft, or any unauthorized use of a handheld computing device that has been used to store or access protected health information or other sensitive information constitutes a disclosure and must be reported to the departmental HIPAA Coordinator immediately.

Sanctions

Failure to comply with this policy may result in administrative sanctions in accordance with existing University policies, up to and including separation from the University.

UCI Health provides central funding for messaging services. This funding is revisited periodically to assess the evolving needs of our users and the organization. Typically senior staff, faculty and management for the UCI Health and UC Irvine School of Medicine will decide upon levels of support, service and functionality. Policy is then put into place based on funding and staffing. This dictates our ability to provide services.

Due to these policies and funding decisions we typically do not offer granular support options such as mailbox recovery or folder recovery because of the cost of these levels of service. Users who delete their data by accident have options to recover the data for up to 14 days after it was deleted. (See Deleted Items) If you find that (after 14 day retention period) data is missing we will not recover the information due to the impact such actions can have on staffing and available resources. 

*Note-If the deletion of data impacts UCI Health business or operations you can have the department chair or senior manager request a data recovery exception by contacting the Service Desk.  The ticket must state what the impact of the data loss is and why the data wasn't recovered within the standard 14 day window.  The ticket will be processed as a 14 day recovery request.  The decision as to whether the recovery is possible will be decided upon by senior UCI Health Information Services management. 

UCI Health Information Services does not allow forwarding of emails as a standard practice. This kind of messaging service is not part of our operation and if it is needed you may need to ask the Postmaster about your needs.

UCI Health Information Services will support creation of addresses for alumni for the School of Medicine graduates as well as retirees. These two services are limited to specific circumstances and we will only support them if directed to by the appropriate groups.

MedAlum addresses will be created for graduated students based on their graduate year and username. This process is maintained by the School of Medicine Medical Education department. You can request information from them on this service.

For retirees we will coordinate getting your data off of our system and on to the appropriate email system if this is requested by UCI Health Human Resources. Separation notices must reflect this request. UC Irvine Office of Information Technology (OIT) will be able to provide more information about this service and how it works. Please contact them at 949-824-2222.

All UCI Health employees who transact business related to patients, Medical Center research, operations and business should use the HIS email system. UCI Health is required by federal and state regulations to provide a safe and secure messaging environment for our clients. We have services to encrypt information as it is transmitted as well as standard message encryption methods.

For example:

Information Encryption is done via our Voltage Identity Manager system. This system will encrypt a message so that the contents are restricted from being viewed by anyone except the users at the destination email address. You may transmit secured information to a destination and specify the address of the person who can view the message.

Message Transmission Encryption is done via Secure Socket Layer protocols. This method of encryption is done by using certified source certificates. These certificates are located on our email system and provide a end-to-end secure tunnel for your messages to be transmitted in.

If you elect to use a campus email mailbox or a department level mailbox that is located outside of the HIS system you may need to assess the legal ramifications of doing so. HIS maintains complaince with local, state and federal law enforcement discovery processes. Retention of such data must also comply with UCOP standards and policies. Not being able to provide a timely and precise discovery for investigations could lead to a default judgment against UC Irvine. UCI Health policy is to maintain all business related and patient related data in a manner consistent with these rules so we request that all mailboxes reside on our messaging system.