Why and when should I encrypt email?
Use of KUMC's secure email system is intended to address the need for communicating protected health information (PHI) in a safe and secure manner and in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). However, it can also be used to secure other sensitive information including, but not limited to, personal identity information (PII), financial or student information. You are required to use secure mail whenever you send a message that contains sensitive information such as PHI or PII to a recipient on the Internet. Check with your supervisor when in doubt.
How do I get setup to use secure email?
All staff, faculty and students with a kumc.edu email account can use the secure email system. There is no pre-registration or setup required.
University of Kansas Medical Center staff who use the ProofPoint secure email system should consider sending a notification email or letter (see sample) to potential recipients before sending them their first secure email. This will alert them that you will be using secure email to communicate with them and explain how they can correspond with you in a secure manner. Please note that, if you send the pre-notification message via email, you should send it as a normal, non-secure email.
Do I need special software on my computer to send a secure email?
No special software or installation of software is required or needed.
Who will decide if my mail is encrypted?
You make the decision about whether or not an email will be encrypted. The first step is to request and receive approval for use of the secure email system. Once you have been setup to use the secure email system, the email you send will only be encrypted if you follow these steps.
How do I encrypt messages?
To send an encrypted email using the secure email system, you simply need to add "[secure]" (without quotes) to the beginning of the subject line of the email or use the "Send Securely" button within Outlook. Be sure to include the brackets but do not include the quote marks. The subject of your e-mail message might look something like this:
[secure] Here are your lab results
Putting the word [secure] anywhere other than the beginning of the subject line will not encrypt the message.
** NOTE: The subject line of the email is not encrypted; therefore, you should not include sensitive information in subject line of the email.
Can recipients reply to my messages securely?
Yes, recipients of your secure messages can reply securely. Their reply to your email will be automatically decrypted by by the secure email system and will appear in your GroupWise mailbox as a normal, readable email. The process is seamless and the only indication that the message was originally encrypted will be the "[secure]" in the subject line.
Can patients or business associates outside KUMC initiate secure messages to me?
No, third parties cannot initiate an encrypted communication using KUMC's secure email system. The first email must be sent by someone within the KUMC community and then the recipient can reply to that email in a secure, encrypted manner.
How will secure mail recipients receive encrypted messages?
Recipients of a secure email from KUMC will receive a notice in their email inbox that they have received a secure message from you. The message will contain an encrypted attachment, which contains the actual message. The first time the recipient receives a secure message, they will be asked to create a passphrase that will be used to view or reply to their secure messages. After logging in with their self-assigned passphrase, the recipient can then view the email and use the "Reply" button to reply to the message. At this time, there is no expiration time set for the keys used to open the encrypted emails.
Is there a limit to how long a secure message is available to the recipient?
No, at this time there is no expiration time set for the keys used to open the encrypted emails.
Can I send a message while I travel?
Yes, you can send secure messages using the Outlook web access page located at https://mail.kumc.edu. This website provides most of the functionality of regular e-mail on campus. Again, an email will not be encrypted unless you place "[secure]" at the beginning of the subject line.
Is the subject line of the message encrypted?
The subject of the email is not encrypted; therefore, you should not include sensitive information in the subject line.
Can I send an attachment?
Yes, attachments up to 4 megabytes may be included and are encrypted.
How can I make sure my messages are being encrypted? Can I test the system?
We encourage you to familiarize yourself with the system by sending secure messages to your home e-mail address or business associates that you would like to communicate with securely. It will be very easy to tell if the message was encrypted because recipients will have to register their email address and use a password to access the message.
What will happen if I attempt to encrypt an email to someone with a KUMC email address?
Email sent within the KUMC Exchange system is secure and it is permissible to include protected health information (PHI) in e-mail from one KUMC email address to another KUMC email address. Therefore, email sent with "[secure]" in the subject line to someone with an "@kumc.edu" address will not be encrypted using the proofpoint system and will be sent just like any other email. Only email sent to a recipient on the Internet will be encrypted.
Can anyone use the secure email system?
Yes, anyone with a kumc.edu email address can use the secure email system. However, use of the system should be limited to those individuals with a need to exchange protected health information (PHI), personal identity information (such as social security numbers, names, addresses, etc.) or other sensitive financial, legal or research information with others over the Internet. The secure email system should not be used for personal business.
Who should I contact if I have questions about secure email?
Staff with questions about secure email that are not covered by this FAQ, should contact their organization's respective HelpDesk for additional assistance.