Published: March, 2010
Revised: March, 2023

I. Introduction

Email is an expedient communication vehicle to send messages to the MMG community. The MMG recognizes and has established the use of email as an official means of communication. However, use of an email system at the MMG requires adequate security measures to protect the Data (as such term is defined in the MMG Information Security Charter (the “Charter”), https://www.monstrousmediagroup.com/isc).

Capitalized terms used herein without definition are defined in the Charter.

II. Policy History

  • The effective date of this Policy is March 30, 2010.
  • Reviewed and/or revised March 14, 2023.

III. Policy Text

A. Approved MMG Email Systems

All email used to conduct MMG business must be transmitted via an Approved MMG Email System. For purposes of this Policy, an “Approved MMG Email System” is Google Suite, Gmail, any email client connected securely to MMG Google Suite Email System and any other Email client that has been risk assessed and approved by the applicable Information Security Office.

B. Contingency Plans

No User of MMG email may take any of the following actions:

  1. Send or forward an email through a MMG System or Network for any purpose if such email transmission violates laws, regulations or MMG policies and procedures;
  2. Use any Email System other than an Approved MMG Email System to conduct MMG business or to represent oneself or one’s business on behalf of the MMG, unless approved by MMG and/or the User is a staff member of MMG. Examples of Email Systems that are not approved include a personal email account (i.e., anything@monstrousmediagroup.com);
  3. Send nuisance email or other online messages such as chain letters;
  4. Send obscene or harassing messages;
  5. Send unsolicited email messages to a large number of Users unless explicitly approved by the appropriate MMG authority; or
  6. Impersonate any other person or group by modifying email header information to deceive recipients.

C. Provisions Relating to Emails Containing Sensitive Data

Each User shall ensure that Sensitive Data is transmitted by email only if the following conditions are met:

  1. Except as provided in Section D below, all email communications of Sensitive Data are encrypted before being transmitted.
  2. Sensitive Data are not transmitted in the “Subject” line of an email.
  3. Before transmitting an email that contains Sensitive Data, the User double-checks the message and any attachment to verify that no unintended information is included and that the proper document is attached.
  4. Before transmitting an email that contains Sensitive Data, the User double-checks the identity of the recipients.

D. Provisions Relating to Email Within the MMG Clientele Healthcare Component

For purposes of this Policy, an “Approved MMG Email System” is any MMG Email System other than Google Suite, any MMG IT Email System and any other Email System used within the MMG/Healthcare Clientele Component that has been approved by the MMG Information Security Office.

The following provisions relate only to email transmitted by Users within the MMG Health Care Component:

  1. Unencrypted ePHI communications may be transmitted internally if sent on an Approved MMG Email System.
  2. No automatic forwarding, redirection or automated delivery of email outside the MMG Clientele Healthcare Component may be used.
  3. Email messages containing ePHI must include the following confidentiality notice: “This electronic message is intended to be for the use only of the named recipient and may contain information that is confidential or privileged. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of the contents of this message is strictly prohibited. If you have received this message in error or are not the named recipient, please notify us immediately by contacting the sender at the electronic email address noted above, and delete and destroy all copies of this message. Thank you.”
  4. Any User who is unsure whether an email message or attachment contains Sensitive Data must contact his/her supervisor or the Office of HIPAA Compliance before initiating the email communication.

E. Communicating Protected Health Information (PHI) to Patients via Email
  1. Patients have the right to request that the MMG/Healthcare Clientele Component communicate with them via email.
  2. Subject to Section 3, all email communications with patients must be transmitted in encrypted form on an Approved MMG/Healthcare Clientele Component Email System. The subject line of the email communication must include #encrypt and must not include any PHI.
  3. At the request of a patient, email communications may be sent in unencrypted form, provided that the Office of HIPAA Compliance is contacted for guidance prior to sending the first unencrypted communication to the patient.
  4. The MMG/Healthcare Clientele Component reserves the right to deny a patient’s request to communicate with him/her via email. For example, a patient’s request for email communications may be denied by the MMG/Healthcare Clientele Component if a provider with an existing clinical relationship with the patient believes email communications with the patient should not occur.
  5. Patients should be encouraged to use an electronic personal health record to communicate with their health care providers.

F. Privacy Expectations

MMG observes the Privacy Expectations described in the MMG Acceptable Usage of Information Resources Policy https://www.omahamediagroup.com/isc with respect to email.


For reasons relating to compliance, security or legal proceedings (e.g., subpoenas) or in an emergency or in exceptional circumstances, the Office of the General Counsel may authorize the reading, blocking or deletion of Data. In particular, in the context of a litigation or an investigation, it may be necessary to access Data with potentially relevant information. Any such action taken must be immediately reported to the Office of the General Counsel and the applicable Information Security Office.

MMG may record information about certain data elements of email messages in the course of monitoring or maintaining its email systems. These data include, but are not limited to: (a) the identity and address of the authenticated sender, (b) the address of the recipient, (c) the size of the message, (d) the transmission time, (e) the headers of the email, (f) the subject of the message, (g) the number of attachments and (h) certain features that are used to identify spam.

MMG uses a Data Loss Prevention (DLP) solution that filters outbound email messages and attachments to identify the presence of character patterns resembling Sensitive Data, examples of which could include social security numbers, credit card numbers, patient record numbers or certain identifiable data elements that constitute ePHI. Upon detecting a character pattern that might reflect the presence of Sensitive Data, the DLP appliance blocks the email and automatically sends a message to the sender instructing him/her to re-send the contents in encrypted form or to take comparable appropriate action. The filtering consists of automatic scanning for prescribed character patterns and does not permit reading the contents of the email.
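The following is an added illustration of the kind of pattern-only outbound check the paragraph above describes, combined with the Subject-line rules of Sections C.2 and E.2; it is example code written for this page and is not MMG's DLP product or any part of its configuration. It assumes (none of which the Policy states) that the "#encrypt" Subject tag is what causes the gateway to encrypt a message, that patient record numbers look like "MRN-" followed by six digits, and that the check reports only which pattern kinds were found, never the matched values, so that the scan itself does not amount to reading the message.

```python
"""Pre-send DLP check modelled on the Policy's description (added example, not MMG code).

Assumptions not taken from the Policy:
- a "#encrypt" tag in the Subject line (Section E.2) makes the gateway encrypt the message;
- patient record numbers have the hypothetical form "MRN-" plus six digits;
- only pattern kinds are reported back, never the matched text.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

ENCRYPT_TAG = "#encrypt"

# Social Security numbers: 3-2-4 digits, excluding area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate payment card numbers: 13 to 19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Hypothetical patient record number format (an assumption for this example).
MRN_RE = re.compile(r"\bMRN-\d{6}\b")


def luhn_valid(number: str) -> bool:
    """True if the digits pass the Luhn checksum used by payment card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_patterns(text: str) -> list[str]:
    """Return the kinds of Sensitive Data patterns present in text (never the values themselves)."""
    kinds = []
    if SSN_RE.search(text):
        kinds.append("ssn")
    # The Luhn check discards most random digit runs (order numbers, tracking ids).
    if any(luhn_valid(m.group(0)) for m in CARD_RE.finditer(text)):
        kinds.append("card")
    if MRN_RE.search(text):
        kinds.append("mrn")
    return kinds


@dataclass
class Decision:
    allowed: bool
    reasons: list[str] = field(default_factory=list)
    notice_to_sender: str | None = None


def check_outbound(subject: str, body: str, attachments: dict[str, str] | None = None) -> Decision:
    """Apply the Policy's rules: no Sensitive Data in the Subject line (C.2), and Sensitive
    Data in the body or attachments only when the message will be encrypted (C.1, E.2).
    A blocked message yields the instruction to re-send in encrypted form (Section F)."""
    reasons = []
    if find_patterns(subject):
        reasons.append("subject line appears to contain Sensitive Data")
    locations = {"body": body, **(attachments or {})}
    hits = {name: find_patterns(text) for name, text in locations.items()}
    hits = {name: kinds for name, kinds in hits.items() if kinds}
    encrypted = ENCRYPT_TAG in subject.lower()
    if hits and not encrypted:
        for name, kinds in hits.items():
            reasons.append(f"{name}: pattern(s) {', '.join(kinds)} found without {ENCRYPT_TAG}")
    if reasons:
        notice = (
            "Your message was not delivered because it appears to contain Sensitive Data. "
            f"Re-send it in encrypted form (add {ENCRYPT_TAG} to the Subject line and remove "
            "any Sensitive Data from the Subject), or contact the Information Security Office."
        )
        return Decision(False, reasons, notice)
    return Decision(True)


if __name__ == "__main__":
    # Constructed sample messages; the card number is the widely used test value 4111 1111 1111 1111.
    print(check_outbound("Lab results", "Card 4111-1111-1111-1111 on file"))
    print(check_outbound("Lab results #encrypt", "Card 4111-1111-1111-1111 on file"))
    print(check_outbound("Patient 123-45-6789 #encrypt", "see attached"))
```

The Luhn step is what keeps a pattern-only filter usable: a bare 13-to-19-digit regex flags invoice and tracking numbers constantly, while requiring a valid checksum removes roughly nine in ten random digit runs. The check deliberately returns only pattern kinds and locations, which matches the paragraph's point that the scan identifies character patterns without anyone reading the message.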

IV. Cross References to Related Policies

The Information Security Policies and certain additional documentation referred to in this Policy are listed in Appendix A hereto.

Appendix A

Related Policies

Policies: https://www.monstrousmediagroup.com/isc