All data and information resources of the SEHD are subject to University of Colorado's IT Security Program policy, APS-6005. The policy states:

If Highly Confidential information is stored on a workstation or mobile computing device or transmitted to an external network or organization, IT resource users shall encrypt or adequately protect that information from disclosure.

The most secure SEHD data are subject to the UCD Safeguards HIPPA policy. The policy discusses transmitting information via email, fax, and internet.

Email:

If PHI must be transmitted via e-mail, and the e-mail recipient is part of the internal e-mail system, i.e. UCD, UCH, CHC, or UPI, the e-mail does not need to be encrypted, given that the network is private. If the e-mail must be sent across the Internet to either a patient or another entity covered by HIPAA, encryption should be applied to the e-mail message. Personal e-mail accounts (ex. AOL, yahoo) may not be used to transmit e-mail containing PHI, due to the fact that these e-mail systems are not encrypted.

Fax:

Fax machines used for transmitting or receiving PHI must be in locations secured from the general public. Before sending out faxes, ensure that the destination phone number is correct and include appropriate cautions and disclaimers on the fax cover sheet. Faxes should always have cover sheets.

Internet:

Since the Internet is inherently insecure and there is a risk of data being intercepted, PHI shall not be transmitted over the Internet, including Internet e-mail, unless the data is encrypted. Industry-accepted methods of encrypting Internet traffic include, but are not limited to, secure sockets layer (SSL) encryption, virtual private networking (VPN), secure Citrix software, and secure shell (SSH).

Please visit OIT's email information page to learn more https://www1.ucdenver.edu/offices/office-of-information-technology/software/how-do-i-use/email-and-webmail