Respecting privacy and Protected Health Information when using external e-mail

It is important to remember the following points regarding privacy and protected health information (PHI). These points are especially important to keep in mind when working with external e-mail accounts and services.

  • External e-mail accounts do not meet the privacy requirements for PHI and may not be used for patient communication. If patients contact you by external e-mail, then you should use the secure e-mail options that are provided by both the Hospitals and the School of Medicine to continue the correspondence. If you are not aware of the process for sending secure e-mail, the instructions can be found here (for UNC Hospitals) and here (for the School of Medicine).

  • UNC Health Care policy does not allow PHI to be communicated using external e-mail accounts. Our policies specifically prohibit the automatic forwarding of e-mails to external accounts to avoid inadvertent violations of our policy and federal law. 

  • Unless encrypted and password protected, any instance of PHI transmitted online is considered a breach, even if there is no evidence that the PHI was inappropriately accessed.

  • External e-mail accounts protect your account from spam. However, these accounts are subject to the secondary spread of viruses.

  • In addition to the 18 patient identifiers of personal health information identified in the HIPAA regulations, patient and employee personal identifying information is also protected by the NC Identity Theft Protection Act, the Federal Trade Commission Red Flag Rules, and other statutes.


  • This information on privacy is provided to protect our patients and our employees. In a recent court case, a judge sentenced a health care worker to one year in prison for posting PHI on Facebook. The employee received this sentence even though the federal attorney prosecuting the case only asked for a 30-day sentence.