Due to a recent incident in which the email addresses of over 1000 patients were accidentally disclosed, we are providing the following guidance as a reminder to staff of the considerations that must be taken into account before sending an email to multiple research participants.
Even when the body of an email contains no protected health information (PHI), research participant email addresses are themselves PHI and must not be disclosed to other recipients. Depending on the circumstances, such a disclosure can constitute a HIPAA breach requiring notice to the government and the media, as well as potential exposure to fines.
When sending an email to multiple research participants, all of the following are required:
- Send from your @med.umich.edu email address only. Per policy, PHI must only be communicated from the Outlook Exchange server.
- Place all participant recipients in the blind carbon copy (BCC) field only. Addresses entered in the “To” or “CC” field are visible to every recipient of the email.
- Ensure no PHI is in the communication. If the message contains PHI in the body or in an attachment, it must NOT be sent to multiple recipients. A message that must contain PHI is required to be encrypted and may only be sent to the single intended recipient. The message is encrypted by including [SECURE] anywhere in the subject line.
If you have questions or need assistance with email communications involving multiple research participant recipients, work with your departmental leadership and the Department of Communication or the Michigan Medicine Compliance Office Privacy Team.
More information regarding this guidance and related topics can be found by visiting Michigan Medicine Corporate Compliance: Communicating PHI.