8.2.1.12 Email Transmission and Use Policy

Policy Statement

This Email Transmission and Use policy establishes the rules for using email to send, receive, or store electronic mail and informs email users of their responsibilities associated with such use.

Scope

This policy applies to all staff, faculty, students, contractors, and their associated contractors, as well as temporary workers and those who are provided email services managed by or for the University. 

Definitions

  1. University Business: Work performed as part of an employee’s job responsibilities, or work performed on behalf of the University by faculty, staff, volunteers, students, other trainees, and other persons whose conduct, in the performance of work for the University, is under the direct control of the University, whether or not they are paid by the University. University business includes the use of a Portable Computing Device to access OU email, non-public University systems, networks, or data in the performance of work for the University.

University Business

All University Business that is conducted on email is to be done only through the OU-provided email system, which may include a University-approved patient portal and/or an OU-assigned email account.  University Personnel (faculty, staff, student employees, residents, trainees, volunteers) and affiliates who have OU email accounts shall not use personal email accounts or non-University email systems to conduct OU Business.

Auto-Forwarding or Auto-Redirecting Email Messages

University Personnel must not auto-forward or auto-redirect their OU email to non-University provided systems. Examples of non-University provided email systems include, but are not limited to, OMRF, VA, Gmail, Outlook/Hotmail, Yahoo, AOL, and email provided by other Internet Service Providers (ISP) such as Cox or ATT.

University Personnel may send OU email to authorized internal and external (subject to encryption requirements) recipients for authorized purposes.  For example, PHI may be sent only to authorized recipients and only for treatment, payment, or health care operations purposes.  Users may send ePHI to third parties with whom the University has a Business Associate agreement in place (contact Purchasing or the Office of Research Administration to confirm Business Associate status of a particular vendor or sponsor). 

Student records subject to FERPA may be sent only to University officials who have a legitimate educational purpose and others authorized by law.

Encrypted Transmission of Confidential or Regulated Email Outside OU

If confidential or regulated University information, such as PHI, FERPA, GLBA, PII, CUI, ITAR or confidential research data, must be transmitted over an external network (e.g., the Internet), the email communication channel and/or the email message must be encrypted.  Message encryption options include typing [secure] or [ouencrypt] in the email subject line, using the Secure Email plugin, or using a University-approved Patient Portal. (For additional policy regarding sending PHI via email, refer to HIPAA Privacy Safeguards policy. 

Third-Party Email Services

Third-party solutions that contain their own email delivery systems are outside of the University’s control; however, those that attempt to impersonate an offical University email account or address to send directly on behalf of the University must submit a request using the General Help Request form that includes: a) email address of the account, b) systems impacted, c) IP (intenal and external) addresses of the connecting services, and the service owner. 

Portable Computing Devices

To protect confidential and regulated University information that resides within the OU email system, University-owned Portable Computing Devices that connect to the OU Email environment, including webmail, are required to be encrypted and to have baseline security settings applied. See the OU Cybersecurity and End User Device security policies for these requirements.

Confidentiality Notice

Emails that contain confidential University information, such as PHI, or regulated data must include a confidentiality notice in the signature block, such as: Confidentiality Notice: The information contained in this message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure, distribution, or retention is strictly prohibited. If you are not the intended recipient or believe that you have received this message in error, please notify the sender immediately by reply email and permanently delete the original message.

Acceptable Email Use

The following activities are prohibited when using OU electronic messaging and communication services:

  • Sending unsolicited email or other electronic messages, including the sending of “junk mail” or other advertising material to individuals who did not specifically request such material.
  • Engaging in any form of harassment via email, telephone, or text messaging, whether through the content, frequency, or size of the messages.
  • Including any misrepresentations or misleading information in email header information.
  • Creating or forwarding chain letters or communications relating to Ponzi, pyramid, or other fraudulent or misleading schemes of any type.
  • Using unsolicited electronic messages, originating from within OU’s networks to advertise any service hosted by an Information Systems, unless specifically authorized in writing by the Office of Legal Counsel.
  • Posting the same or similar non-business-related messages to large numbers of Individual Users or other individuals.

Email Privacy

All OU email content and systems are owned by the University; as such, all user activity is subject to logging and review. OU email may be subject to release under the applicable law.  OU email is subject to open records requests. Refer to the OU Acceptable Use policy for additional information.

Phishing Preparedness

Phishing emails look sophisiticated and can be hard to separate from authentic messages.  Follow these best practices to be prepared to spot and prevent a phishing attack:

  • Don’t send passwords or any personal sensitive information over email, instead contact any institution requesting this informaiton directly.
  • Don’t reply to, click on links, or open attachments from senders you don’t know.
  • Don’t call the number in an unsolicted email or give sensitive information to a caller you don’t know personally.
  • Report impersonated or suspect email to OU IT Security by using the Report Phish button made available at https://portal.office.com.
  • Be cautious about opening attachments, even from trusted senders.

References

  1. National Institute of Standards and Technology Cybersecurity Framework (CSF), PR.DS-2
  2. National Institute of Standards and Technology Special Publication 800-171, Controlled Unclassified Information
  3. HIPAA Standards for Safeguarding Customer Information, 164.308 (a)(ii)(B), 164.308 (a)(4)(i), 164.308 (a)(4)(ii)(C), 164.308 (b)(1), 164.312 (e)(1), 164.312 (e)(2).
  4. Gramm-Leach-Bliley Act (‘‘G–L–B Act’’), Section 501(b)
  5. Payment Card Industry Data Security Standard (PCI DSS)
  6. Family Educational Rights and Privacy Act (FERPA): 20 U.S.C.  §1232g; 34 CFR Part 99
  7. NIST Special Publication 800-53 rev 4, SC-8 Transmission Confidentiality and Integrity
  8. NIST Special Publication 800-53 rev 4, SC-13 Cryptographic Protection
  9. NIST Special Publication 800-53 rev 4, AC-4 Information Flow Enforcement
  10. NIST Special Publication 800-53 rev 4, AC-20 Use of External Information Systems
Print Article