If you have any questions, please call the Helpdesk at 516-470-7272 or E-mail ISHelpDesk@northwell.edu
What is Secure Messaging?
Secure Messaging is the automatic process of:
- Identifying outbound email messages that contain Protected Health Information (PHI), Personally Identifiable Information (PII), or other sensitive information.
- Encrypting, automatically or on request, the email messages that have been identified as containing PHI or other sensitive information.
- Sending encrypted email messages using ZixCorp's Email Encryption Services.
Please note that the above applies only to email sent to external recipients. Email sent to other Northwell Health employees does not leave the Northwell Health network and does not need to be encrypted.
Why are we implementing Secure Messaging?
With the adoption of the HIPAA guidelines, it is required that all communications containing PHI be secured. To help implement this important and practical security measure, we are using secure messaging services to protect our email communications and ensure all PHI remains confidential.
What type of messages should be encrypted?
Any messages containing PHI, PII or any information that can be considered sensitive should be encrypted.
What is PHI and PII?
Under HIPAA, Protected Health Information (PHI) is any information about health status, provision of health care, or payment for health care that can be linked to an individual. Personally Identifiable Information (PII) is information that can be used to uniquely identify, contact, or locate a single person or can be used with other sources to uniquely identify a single individual.
What if PHI is in the email message Subject Line?
It is not practical to encrypt the Subject Line of an email message. Therefore, any E-mail messages that contain PHI or SSN in the Subject Line will be rejected and returned to the sender. You will need to remove this information from the subject line and resend the message. You will receive notification if your message was rejected.
How do I send a Secure Message?
There are three options:
- Automatic encryption: All messages sent to external recipients (e.g. Gmail) are checked for PHI and automatically encrypted. You will receive a notification every time your message gets flagged as sensitive and encrypted. To avoid receiving the notification, and to avoid relying on the system to accurately identify sensitive content, please try to use one of the options outlined below.
- Subject line keyword (preferred): Please put the word "phi" or "secure" anywhere in the subject line if you would like to encrypt your message. The keywords are not case sensitive. You may also use "phirr" or "securerr" if you would like to request a read receipt. The recipient will receive a secure message notification and will need to visit our secure Email portal to read and reply to your message. The recipient will need to register with our secure message portal the very first time they receive a secure message. You can see the Email Recipients page for screenshots of the secure message notification and retrieval process.
- Outlook plug-in: This plug-in will appear in the toolbar of your Outlook client (screenshot below) and will allow you to quickly encrypt any message by clicking on the "Encrypt ZixSelect" button instead of "Send" when sending the message. The message will be encrypted regardless of keywords or content. Please be aware that this plug-in is available for the desktop version of the Outlook client only, and will not work with mobile devices or Outlook Web Access on RAP. Subject line keyword based encryption is encouraged to ensure consistent message encryption regardless of client. Also, using the subject line keyword will ensure that any replies sent to the recipient will remain encrypted. The Outlook 2007 plug-in should already be installed on your computer. If you don't see it, contact the helpdesk to have it installed or download it here.
What if the recipient does not retrieve the message?
If the recipient does not retrieve the message before the expiration date, you will receive an expiration notification message. The original message will be deleted from the secure Web site. The recipient will have 45 days to retrieve the message before it expires. Several reminders will be sent to the recipient before the message expires.
What if the message was sent to an organization that also uses Zix?
Messages sent internally, to colleagues, do not need to be encrypted. If there is a chance that your message will be forwarded to someone outside Northwell Health, please encrypt the message. Messages sent to external recipients who also happen to be using Zix will be encrypted and decrypted transparently, meaning the recipient will see the message in their Inbox and will not need to use the portal. Hundreds of organizations Northwell Health communicates with are Zix clients, and there are over 30 million users in the ZixDirectory.