HIPAA Core Policy: Internet and eMail Use

HIPAA Core Policy: Internet and eMail Use

This policy establishes guidelines to be followed by employees, vendors, and contractors who access the Internet and/or email services using UAB/UABHS resources and information assets.
Effective Date:
Responsible Party:
None Assigned
Administrative Category:
Applies To:
Faculty, Staff, Students
Material Original Source:

1. PURPOSE: To establish guidelines to be followed by employees, vendors, and contractors who access the Internet and/or email services using UAB/UABHS resources and information assets.

2. PHILOSOPHY: Authorized individuals should be able to access the Internet and/or email services using UAB/UABHS assets for official business needs and purposes. Access to the Internet and email is a privilege and all personnel are responsible for ensuring they use these resources in an effective, ethical, and lawful manner.

3. APPLICABILTY: This standard applies to all UAB/UABHS Covered Entities: University Hospital and all its facilities, The Kirklin Clinic, Callahan Eye Hospital, UAB Health Centers, Medical West, VIVA Health, Inc., University of Alabama Health Services Foundation, Ophthalmology Services Foundation, Valley Foundation, UAB School of Medicine, UAB School of Dentistry, UAB School of Optometry, UAB School of Health Professions and UAB School of Nursing. For purposes of this standard, UAB/UABHS Covered Entities shall be referred to as "UAB", "UAB Covered Entities", or "UAB/UABHS/UAHSF".


4.1. Definitions:

4.1.1. Protected Health Information (PHI): Health information, including demographic information collected from an individual and created or received by a health provider, health plan, employer or health care clearinghouse that relates to the past, present, or future physical or mental health or condition of any individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual that identifies an individual or there is a reasonable basis to believe the information can be used to identify the individual and that is transmitted or maintained by electronic media or any other form or medium. PHI does not include individually identifiable health information in education records covered and protected by the Family Educational Right and Privacy Act and employment records held by a covered entity in its role as an employer.

4.1.2. Sensitive Information or Data: Any information that may only be accessed by authorized personnel. It includes Protected Health Information, financial information, personnel data, trade secrets and any information that is deemed confidential or that would negatively affect UAB if inappropriately handled.


5.1. Users shall not misuse their Internet privileges, i.e. spending excessive time on the Internet for non-work related business or accessing inappropriate sites.

5.2. Users shall not misuse their email privileges, i.e. sending and forwarding non-business related mass emails.

5.3.Users shall delete chain and junk email messages without forwarding or replying to them. Electronic chain letters and other forms of non-business related mass mailings are prohibited.

5.4. Personnel shall not use UAB/UABHS resources to view, record, or transmit materials which violate UAB/UABHS policies. Inappropriate messages, pictures, and/or other visual images/materials include, but are not limited to:

5.4.1. Fraudulent Messages - Messages sent under an anonymous or assumed name with the intent to obscure the origin of the message.

5.4.2. Harassment messages - Messages that harass an individual or group for any reason, including race, sex, religious beliefs, national origin, physical attributes, or sexual preference.

5.4.3. Obscene messages - Messages that contain obscene or inflammatory remarks.

5.4.4. Pornographic Materials -This includes, but is not limited to pictures, audio/video files, literature, or newsgroups.

5.4.5. Users shall not engage in spamming activities.

5.4.6. Users shall not photograph, post, or transmit patient images, electronically or otherwise, without a signed consent.

5.4.7. Users shall not share sensitive information on public web sites (i.e. Google Apps).

5.4.8. Users shall not forward email containing sensitive information to public email systems such as Hotmail.com, gmail.com, or other public email system services.
5.5. UAB/UABHS recognizes its management’s responsibility to monitor and/or retain information regarding the use of its assets.

5.6. UAB/UABHS recognizes its management’s responsibility to block access to non-business related material.

5.7. Personnel shall transmit and access Protected Health Information in an encrypted form whenever the data travels over an open network.

5.8. Users shall honor all rules of copyright and personal property.

5.9. Users shall check their email regularly and delete unneeded email.

5.10. Users shall not knowingly download non-work related executable files from the Internet.

5.11. Users shall not establish peer-to-peer connections to external parties, for file sharing, downloading music and movies, and accessing adult materials.

5.12. Users shall not knowingly enable an external/remote party to gain unauthorized access or control of any device, application, or system to the data networks.

5.13. Users shall delete, without opening, suspicious, unsolicited email messages from outside UAB/UABHS especially if they contain attachments with “exe” files.

5.14. Only individuals with administrative responsibilities (i.e. Department Managers, Directors etc.) or their designee may be granted access to the email account of their former employee or vendor. This may require written approval from requestor’s supervisor.
5.14.1. The account shall be used only for business purposes and shall not be used to impersonate the former personnel.
5.15. UAB/UABHS employees who do not follow the above standards may be subject to disciplinary action up to and including dismissal.

5.16. Vendors or contractors who do not follow the above standards may be subject to breach of contract penalties.

5.17. CONTACTS: For questions regarding the requirements, implementation, and enforcement of this standard, contact one of the following:

5.17.1. your departmental HIPAA Entity Security Coordinator (found on the HIPAA website at http://www.hipaa.uab.edu/securitycontacts.htm)

5.17.2. the HSIS Help Desk at 934-8888

5.17.3. the UAB IT AskIT Help Desk at 996-5555 or askit@uab.edu

5.17.4. UAB/UABHS HIPAA Security Office at 975-0072

5.17.5. UAB IT Data Security Office at 975-0842



7. SCOPE: This standard applies to all UAB/UABHS entities covered under HIPAA and their systems that maintain PHI.


To view other HIPAA Core Polcies and for more information, please visit http://www.hipaa.uab.edu/standards.htm.