it.ucsf.edu

Use of Third Party E-mail Systems at UCSF

Policy Type

Standard

The practice of using a third party email service by UCSF faculty, staff and students is not approved by UCSF due to the Campus's focus on healthcare and the potential for accidental exposure of ePHI and PII. The high level of risk associated with this practice exposes the University and you to unacceptable liability and has the potential to seriously damage the University’s reputation in the event of a security breach.

The following is a summary of some of the issues associated with the use of third party e-mail systems at UCSF. The University provides a centralized email system for faculty, staff and students, and it is highly recommended that you make it your primary email system.

  1. State and Federal Laws

    California has several laws governing the privacy of electronic information and requiring notification of unauthorized exposure of PII. Both the Centers for Medicare & Medicaid Services (CMS) and the United States Department of Health and Human Services (DHHS) also have requirements and penalties associated with accidental disclosure of electronic health information. UCSF may face fines for delays in notification of breaches of health information. Some third party email systems do not guarantee timely reporting of information breaches, potentially exposing the University to liability if it is discovered later that a breach occurred. HIPAA also requires retention of electronic Personal Health Information, and some third party email systems may not guarantee retention of electronic documents for the required period.

  2. UC Policy

    UCSF Policy 650-16 requires encryption of all email that contains restricted information, where restricted information is defined as including information that should not be publicly disclosed. The use of a third party system could preclude the encryption of this type of information and thus violate 650-16.