
To Encrypt or Not to Encrypt…That is the Question
Encryption is the process of encoding messages or information in such a way that only authorized parties can
read it.
Email security is a broad term that encompasses multiple techniques used to secure an email service.
(Vanderbilt email is secure but not encrypted.) From an individual/end-user standpoint, email security measures
include: strong passwords; password rotations; spam filters; desktop-based anti-virus/anti-spam applications.
How do I send an encrypted email?
You can send an encrypted email using the File Transfer Application (FTA). FTA is an application that allows a user
to securely transfer a file (Excel, Word, PDF, etc.) from one email user to another by using encryption. The FTA
application can be used to transfer files among Vanderbilt workforce members and between Vanderbilt
workforce members and external party users. FTA is required for transmitting all data that contains PHI, RHI
or sensitive information. (Note: the email body is not encrypted, only the attachment.)
Test your knowledge:
1. All emails at VUMC are encrypted so any protected health information or sensitive information
including social security numbers, dates-of-birth, and a patient’s clinical information may be sent by
A. True
B. False
2. Which email must be sent via encryption?
A. Patient MR# 987654312 is scheduled for a colonoscopy at 8:15 with Dr. Clean.
B. Robin Hood, Date of Birth 1/11/1985 lab results indicate positive for Hepatitis C.
C. None of the above
D. All of the above
3. A patient insists that you send clinical information to their personal email account. What should you
do? (Select all that apply)
A. Encourage the patient to use My Health at Vanderbilt (MHAV)
B. Ignore the request and do not send
C. Explain to the patient that unencrypted emails are not secure. If the patient still insists, document
your conversation and send
D. None of the above
For more information regarding File Transfer Application (FTA) visit the Information Privacy and Security Website:
IM 10-30.02:
IM 10-30.15:
"Breach Notification: Unauthorized Access, Use, or Disclosure of Individually Identifiable Patient or Other Personal Information"
"Electronic Messaging of Individually Identifiable Patient and Other Sensitive Information"
For more information go to: or e-mail the Privacy Office at
Created by the VUMC Privacy Office (936-3594)
Last Revised: 5/28/2015