HITS has enabled outbound email encryption for messages with sensitive data or potentially identifiable patient data going out to external email addresses when using the Michigan Medicine email system. This means that if an email message is being sent "outside" the system and it contains sensitive data or potentially identifiable patient data, the Michigan Medicine sender can now ensure that the message and its attachments will be encrypted.  For instance, messages with sensitive data sent to address like @gmail.com, @icloud.com, and even @umich.edu will be encrypted.

How email encryption works

Michigan Medicine's email system, Microsoft Exchange, uses a tool with an algorithm that determines the sensitivity of a message. If it meets certain criteria, the message will be encrypted before leaving the Michigan Medicine system. Typically, this is a number which may be construed as a medical record number or a social security number. It may also be a dollar amount or have some other characters which signal sensitive data.

• Senders are encouraged to manually put [SECURE] in brackets in the subject line if they know they are sending sensitive data (e.g. MRN, patient info, SSN, etc.). This will ensure encryption of the message and any attachments.
• Please note the following:
  
  • [Secure] may be written in lower case; it is not case sensitive; however, you must include the brackets.
  • The content in the subject line is not encrypted. Therefore, you should never put sensitive information, such as a Medical Record Number (MRN) or patient name in the subject line of the mail message.
• If the sender does not realize that the message and/or attachment(s) contain sensitive data or if the sender forgets to put [SECURE] in the subject line, the content assessment tool will act as a "safety net" and encrypt the message and attachments, sending it out securely.

In either case, the recipient of an encrypted message will receive the email with a "securedoc.html" attachment. The recipient will need to follow some steps to acknowledge the encrypted email before being able to open and read it. Those steps can be found in the how-to document: Encrypted Email Recipients External to Michigan Medicine

If messages are exchanged within the Michigan Medicine email system, these steps are not necessary.|

Impact of outbound email encryption

• With the implementation of outbound email encryption, there is a limit of 25MB per message, including attachments for sending and receiving email messages.
• Messages will expire after 180 days.
• The tool does not permit "Reply All" or "Forwarding" of an encrypted message.
  
  

Remember these guidelines

• Email communication between Michigan Medicine users should stay within its email system
• Use uniqname@med.umich.edu instead of uniqname@umich.edu
• Use the Global Address List (GAL) to select a Michigan Medicine user's email address instead of relying on the 
  
  

Downloading of images in Outlook

When emails come in from external senders, the images within the email message are not automatically downloaded. This is for security reasons (malicious code, offensive material, junk mail, etc.). If you wish to view the images, right-click and select Download Pictures.

Introducing Easy Open-Easy open allows the recipient to select the URL and acknoledge to open the encrypted email. No longer will it be required to download the message.

To exchange sensitive or patient data, the following options for secure data transfer are recommended over email: 

• MiChart Patient Portal (MiChart Patient Portal) - preferred method for communication between providers and patients; limit of 5 MB per message.
• For information on MiShare reference KB0023193
• Dropbox (using your Level-1) - for file storage; can accommodate unlimited amounts of data for individuals.