HIPAA Core Policy: Internet and eMail Use

HIPAA Core Policy: Internet and eMail Use

This policy sets forth rules for the use of email and internet so that such activity does not negatively impact the confidentiality, availability, integrity, and reputation of UAB and UAB Health System and their assets and supports applicable federal and state laws.
Effective Date:
Responsible Party:
None Assigned
Administrative Category:
Applies To:
Faculty, Staff, Students
Material Original Source:

1. PURPOSE: To ensure that the use of email and internet activities do not negatively impact the confidentiality, availability, integrity, and reputation of UAB and UAB Health System and their assets and to ensure compliance with applicable federal and state laws.

2. PHILOSOPHY: It is UAB and UAB Health System's position that an authorized user's access to the Internet and/or email services for limited personal use is a privilege that, if not properly monitored and controlled, could result in harm to the organization or violations of certain federal and state laws.  The primary use of these services is for business and clinical purposes and thus need be appropriately protected.

3. APPLICABILTY: This standard applies to all UAB Covered Entities (School of Dentistry, School of Health Professions, School of Medicine, School of Nursing, School of Optometry, Joint Health Sciences Departments, School of Education Community Clinic, UAB Office of Benefits, and other UAB entities that may be added from time to time) and to the following UABHS Covered Entities: UAB Hospital, The Kirklin Clinic of UAB Hospital, The Kirklin Clinic of UAB Hospital  at Acton Road,  Callahan Eye Hospital, UAB Health Centers, Medical West Hospital, VIVA Health, Inc., University of Alabama Health Services Foundation owned and operated clinics, Ophthalmology Services Foundation, Valley Foundation, and other UABHS managed entities that may be added from time to time. For purposes of this policy, UAB and UABHS Covered Entities shall be collectively referred to as "UAB".


4.1. Protected Health Information (PHI): Health information, including demographic information collected from an individual and created or received by a health provider, health plan, employer or health care clearinghouse that relates to the past, present, or future physical or mental health or condition of any individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual that identifies an individual or there is a reasonable basis to believe the information can be used to identify the individual and that is transmitted or maintained by electronic media or any other form or medium. PHI does not include individually identifiable health information in education records covered and protected by the Family Educational Right and Privacy Act and employment records held by a covered entity in its role as an employer.

4.2. Sensitive Information or Data: Any information that may only be accessed by authorized personnel. It includes Protected Health Information, financial information, personnel data, trade secrets, and any information that is deemed confidential or that would negatively affect UAB if inappropriately handled.

4.3.  Email:  The electronic transmission of information through a mail protocol such as SMTP, POP, or IMAP.


5.1.  All email messages, documents, and correspondence and data obtained via internet use are considered UAB property.

5.2.  Users shall have no expectation of privacy in email and internet use.  UAB may monitor messages and internet use without prior notice.

5.3.  Users are responsible for reporting any suspected or confirmed violations of this policy to their department manager or either the UAB Information Security Office or the UABHS Office of Information Security.

5.4.  Users shall not misuse their Internet privileges, i.e., spending excessive time on the Internet for non-work related business or accessing inappropriate sites.

5.5.  Users shall not misuse their email privileges, i.e., sending and forwarding non-business related mass emails.

5.6.  Users shall delete chain and junk email messages without forwarding or replying to them. Electronic chain letters and other forms of non-business related mass mailings are prohibited.

5.7.  Personnel shall not use UAB/UABHS resources to view, record, or transmit materials which violate UAB policies. Inappropriate messages, pictures, and/or other visual images/materials include, but are not limited to:

5.7.1. Fraudulent messages - Messages sent under an anonymous or assumed name with the intent to obscure the origin of the message.

5.7.2. Harassment messages - Messages that harass an individual or group for any reason, including race, sex, religious beliefs, national origin, physical attributes, or sexual preference.

5.7.3. Obscene messages - Messages that contain obscene or inflammatory remarks.

5.7.4. Pornographic materials -This includes, but is not limited to pictures, audio/video files, literature, or newsgroups.

5.8.  Users shall not engage in spamming activities.  Electronic chain letters and other forms of non-business-related mass mailings are prohibited.

5.9.  Users shall not photograph, post, or transmit patient images, electronically or otherwise, without a signed consent.

5.10. Users shall not share sensitive information or protected health information (PHI) on public web sites (i.e., Google Apps, DropBox.com, GoogleDocs, iCloud, etc.).

5.11. Users shall not forward email containing sensitive information or protected health information (PHI) to public email systems such as Hotmail.com, gmail.com, or other public email system services.  In addition, users shall not forward sensitive information, PHI, or other UAB business information to their personal email accounts.  Personal email accounts shall not be used for official UAB business.

5.12. UAB reserves the right to block access to non-business-related material.

5.13. Email transmission of PHI when necessary shall be conducted with the highest level of security applied and only in situations where the email is necessary for the treatment of the patient, payment, and health care operations.  PHI and other sensitive information shall be encrypted during transmission over the Internet (outside UAB and UABHS networks).

5.14. Users shall honor all rules of copyright and personal property.

5.15. Users shall check their email regularly and delete unneeded email.

5.16. Users shall not knowingly download non-work-related executable files from the Internet.

5.17. Users shall not establish peer-to-peer connections to external parties for file sharing, downloading music and movies, and accessing adult materials.

5.18. Users shall not knowingly enable an external/remote party to gain unauthorized access or control of any device, application, or system to the data networks.

5.19. Users shall delete, without opening, suspicious, unsolicited email messages from outside UAB especially if they contain attachments with "exe" files.  If a user is receiving repeat emails of this nature, the activity should be reported to infosec@uabmc.edu.

5.20. The use of any software or service that hides the identity of the user or the location of the user while using the Internet is prohibited.

5.21. Only individuals with administrative responsibilities (i.e., Department Managers, Directors, etc.) or their designee may be granted access to the email account of their former employee or vendor.  This may require written approval from requestor's supervisor.

5.21.1. The account shall be used only for the retrieval of existing email and shall not be used to impersonate the former personnel or send email communications.

5.21.2. Access shall be granted for 30 days and any extension must be approved by a Chief Information Security Officer.

5.22. CONTACTS: For questions regarding the requirements, implementation, and enforcement of this standard, contact one of the following:

5.22.1. your departmental HIPAA Entity Security Coordinator (found on the HIPAA website at http://www.hipaa.uab.edu/index.php/committees/24-committees/56-entity-security-coordinators)

5.22.2. the HSIS Help Desk at 934-8888

5.22.3. the UAB IT AskIT Help Desk at 996-5555 or askit@uab.edu

5.22.4. UAB HIPAA Security Office at 996-3328

5.22.5. UAB IT Data Security Office at 975-0842

6. ENFORCEMENT: Any user found to have violated this policy may be subject to disciplinary action, up to and including termination of employment or assignment, depending on the severity of the infraction.  In addition, UAB may report the matter to civil and criminal authorities as may be required by law.



To view other HIPAA Core Policies and for more information, please visit http://www.hipaa.uab.edu/index.php/policies.