Effective: October, 2013
Revised: November 2014
Email is an expedient communication vehicle to send messages to the Columbia University community. The University recognizes and has established the use of email as an official means of communication. However, use of an email system at the University requires adequate security measures to protect the Data (as such term is defined in the Columbia University Information Security Charter (the “Charter”), http://policylibrary.columbia.edu/information-security-charter) that is transmitted.
Capitalized terms used herein without definition are defined in the Charter.
II. Policy History
The effective date of this Policy is November 1, 2013. This Policy and other Information Security Policies replace (A) the following University Policies:
(B) the following CUMC Policy:
III. Policy Text
A. Approved University Email Systems
All email used to conduct University business must be transmitted via an Approved University Email System. For purposes of this Policy, an “Approved University Email System” is Cubmail, Lionmail, any CUIT or CUMC IT Email System and any other Email System that has been risk assessed and approved by the applicable Information Security Office.
B. Prohibited Actions
No User of University email may take any of the following actions:
Use any Email System other than an Approved University Email System to conduct University business or to represent oneself or one’s business on behalf of the University. Examples of Email Systems that are not approved include a personal email account or a personal Columbia Alumni Association account (i.e., email@example.com).
C. Provisions Relating to Emails Containing Sensitive Data or Confidential Data
Each User shall ensure that Sensitive Data or Confidential Data is transmitted by email only if the following conditions are met:
D. Provisions Relating to Email Within the Columbia Covered Entity
For purposes of this Policy, the “Columbia Covered Entity” is CUMC and any other operation at the University that has been designated to be included in the University’s Covered Entity. An “Approved OHCA Email System” is any CUIT Email System other than Lionmail, any CUMC IT Email System and any other Email System used within the CU/Hospital OHCA that has been approved by the CUMC Information Security Office.
The following provisions relate only to email transmitted by Users within the Columbia Covered Entity:
“This electronic message is intended to be for the use only of the named recipient and may contain information that is confidential or privileged. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of the contents of this message is strictly prohibited. If you have received this message in error or are not the named recipient, please notify us immediately by contacting the sender at the electronic email address noted above, and delete and destroy all copies of this message.”
E. Communicating PHI to Patients
F. Privacy Expectations
The University observes the Privacy Expectations described in the Columbia University Acceptable Usage of Information Resources Policy http://policylibrary.columbia.edu/acceptable-usage-information-resources-policy with respect to email.
For reasons relating to compliance, security or legal proceedings (e.g., subpoenas) or in an emergency or in exceptional circumstances, the Office of the General Counsel may authorize the reading, blocking or deletion of Data. In particular, in the context of a litigation or an investigation, it may be necessary to access Data with potentially relevant information. Any such action taken must be immediately reported to the Office of the General Counsel and the applicable Information Security Office.
The University may record information about certain data elements of email messages in the course of monitoring or maintaining its email systems. These data include, but are not limited to: (a) the identity and address of the authenticated sender, (b) the address of the recipient, (c) the size of the message, (d) the transmission time, (e) the headers of the email, (f) the subject of the message, (g) the number of attachments and (h) certain features that are used to identify spam.
CUMC uses a Data Loss Prevention (DLP) solution that filters outbound email messages and attachments to identify the presence of character patterns resembling Sensitive Data, examples of which could include social security numbers, credit card numbers, patient record numbers or certain identifiable data elements that constitute EPHI. Upon detecting a character pattern that might reflect the presence of Sensitive Data, the DLP appliance blocks the email and automatically sends a message to the sender instructing him/her to re-send the contents in encrypted form or to take comparable appropriate action. The filtering consists of automatic scanning for prescribed character patterns and does not permit reading the contents of the email.
IV. Cross References to Related Policies and Other
The Information Security Policies and certain additional documentation referred to in this Policy are listed in Appendix A hereto.
Acceptable Usage of Information Resources Policy - http://policylibrary.columbia.edu/acceptable-usage-information-resources-policy
Important Information about Provider/Patient Email - http://www.cumc.columbia.edu/hipaa/docs/cumcimptinfo_provider.pdf
Information Security Charter - http://policylibrary.columbia.edu/information-security-charter
Patient Request for Email Communications - http://www.cumc.columbia.edu/hipaa/pdf/Patient_Request_for_Email_Form.pdf