Use of any 3rd-party email service by UCSF faculty, staff and students is not approved by UCSF. This is due to:
- The Campus' focus on healthcare
- The potential for accidental exposure of electronic protected health information (ePHI) and personal identifying information (PII)
- The high level of risk associated with this practice, which (1) exposes the University and you to unacceptable liability and (2) has the potential to seriously damage the University’s reputation in the event of a security breach
The University provides a centralized email system for faculty, staff and students. It is highly recommended that you make it your primary email system.
Summary of issues
The following summarizes some of the issues that explain why the use of 3rd-party email systems is not approved at UCSF.
State and federal laws
California has laws governing the privacy of electronic information and requiring notification of unauthorized exposure of PII.
Both the Centers for Medicare and Medicaid Services (CMS) and the United States Department of Health and Human Services (DHHS) also have requirements and penalties associated with accidental disclosure of electronic health information. UCSF may face fines for delays in notification of breaches of health information.
Some 3rd-party email systems do not guarantee timely reporting of information breaches. This potentially exposes the University to liability if it is discovered later that a breach has occurred.
HIPAA requires retention of ePHI for a minimum of 6 years. Some 3rd-party email systems may not guarantee retention of electronic documents for this period of time.
UCSF Policy 650-16 requires encryption of all email that contains restricted information, defined as including information that should not be publicly disclosed.
Use of a 3rd-party email system by someone at UCSF could preclude encryption of this type of information and thus violate UCSF Policy 650-16.