Thomas Jefferson University

Information for Employees


Zix automatically detects employee emails with protected health information (PHI) and encrypts them, providing security as the emails travel across the internet and keeping Jefferson up to date with the latest regulatory guidance.

The key things for you to know about email encryption are:

  • Encryption Only Protects Email in Certain Ways: Email encryption protects emails while they move across the internet but does not protect email sent to the wrong address or saved copies in the sent folder on personal phones or PCs.  Because of this, users should only send email that contains PHI from Jefferson systems or via the JeffMail webpage.
  • Automatic Encryption: The Zix system will automatically identify employee emails that appear to have PHI and encrypt them without requiring any special action on your part.   If you want to be sure a message will be encrypted, you have the option to include the word “secure,” followed by a space, in the subject line.
  • Recipient Experience: When the Zix system encrypts an email, the recipient will receive an email notice that they have been sent a secure message.  The recipient can then read the email by following the instructions in the notice to access a secure website.  An explanatory webpage with an FAQ is available online for patients who receive Zix encrypted messages. 
  • Patient Communications and the Medical Record: Communications to patients via encrypted email are permitted by some departments; however, all emails to and from the patient must be printed and scanned into the medical record. Please see the Email Security Policy and your department's procedures for details.
  • Patient Email Disclaimer: A disclaimer will be automatically added to all outbound emails in order to help ensure patients do not use email communication for emergency or urgent communications with healthcare providers and to provide information to those who are not the intended recipient. The disclaimer will read as follows:
    “The information contained in this transmission contains privileged and confidential information. It is intended only for the use of the person named above. If you are not the intended recipient, you are hereby notified that any review, dissemination, distribution or duplication of this communication is strictly prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.
    CAUTION: Intended recipients should NOT use email communication for emergent or urgent health care matters.”
  • Transparent Encryption: Many hospitals and academic institutions have also implemented email encryption systems.  Messages sent to individuals at those institutions can often be delivered securely while still looking like a normal email when received, saving the recipient time because they will not have to log into the Zix web page to access the message.  Jefferson’s email encryption system will now preferentially use this transparent encryption method whenever possible for all users.
  • Encryption Notice: In order to make it clear that transparently encrypted messages are still being sent as safely as possible, those messages will have a short notice added to them that says “This message was sent securely using ZixCorp.”
  • Encryption Keyword Behavior: Some Jefferson users have requested a way to ensure a particular message is delivered via the Zix web page rather than via transparent encryption in order to meet recipient’s expectations and needs.  To accommodate this need, messages that are encrypted because “secure” followed by a space is included in the subject will always be delivered via the Zix web page rather than taking advantage of transparent encryption.
  • Jefferson to Jefferson Communications: Messages sent from one Jefferson email account to another are protected without requiring the sender or receiver to take any additional steps.

For more information on Jefferson email encryption, please see the FAQ section below or contact the Solutions Center at 5-7975.

Employee Frequently Asked Questions

Secure Messaging is the automatic process of:

  • Identifying outbound email messages that contain electronic Protected Health Information (ePHI)
  • Encrypting the email messages that have been identified as containing ePHI
  • Sending encrypted email messages using ZixCorp's Best Method of Delivery™

The content of all outbound messages is scanned and compared against two lexicons, or dictionaries.

  • The identifier lexicon contains criteria for identifier information
    example: Social Security numbers, patient record numbers
  • The HIPAA lexicon contains HIPAA terminology
    example: a health condition/disease

The content of the email message must meet a criterion defined in both lexicons for encryption to occur.

  • Example 1: Message will be encrypted if message or attachments contain a Social Security number and a name of a disease.
  • Example 2: Message will not be encrypted if message or attachments only include a Social Security number.
  • Example 3: Message will not be encrypted if message or attachments only include a name of a disease.

It is not practical to encrypt a subject line of an email message. Therefore, any email messages that contain PHI in the subject line will be rejected and returned to the sender.

What do you do if this happens?

  • Review the subject line
  • Make necessary updates such that ePHI is not included in the subject
  • Resend the email message

With the adoption of HIPAA, it is required that all communications containing ePHI be secured. To help implement this important security measure, we are using secure messaging services to help protect Jefferson email messages and ensure that ePHI remains confidential.

Please note that because Jefferson email (JeffMail) can be accessed from personal devices such as laptops and smartphones, Jefferson cannot ensure that emails containing ePHI sent from these devices are kept secure. Zix encryption also does not prevent an unprotected copy of your email from being stored on the device used to send it. Users must adhere to the Mobile Computing: Smartphone and Tablet Security Policy for all devices used to send university-related email. It is required that all personal devices accessing JeffMail be password protected and encrypted to prevent unauthorized access in the event your device is lost or stolen.

Generally, the encryption process will happen transparently without requiring any user input. Please refer to "What is Secure Messaging?" above for more details.

Jefferson has also created a special keyword encryption policy. This policy allows you to type the word 'secure,' followed by a space, into the email's subject line and the content of the email message will automatically get encrypted once it is sent. This way you can ensure that your email will be encrypted without relying on ZixCorp's identifier or HIPAA lexicons.
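The rules described above (both lexicons must match, PHI in the subject is rejected, and the "secure" keyword forces web-page delivery) can be read as one routing decision. The sketch below is an added illustration, not Jefferson's or ZixCorp's code; the lexicon contents, the record-number format, case-insensitive keyword matching, the order of the checks, and all names such as `route` and `Message` are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed stand-ins for the two lexicons; the real Zix dictionaries
# are not given on this page.
IDENTIFIER_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),        # Social Security number
    re.compile(r"\bMRN[:# ]*\d{6,10}\b", re.I),  # record number (hypothetical format)
]
HIPAA_TERMS = re.compile(r"\b(asthma|diabetes|hypertension)\b", re.I)
# The word "secure" followed by a space; case-insensitivity is an assumption.
KEYWORD = re.compile(r"\bsecure ", re.I)


@dataclass
class Message:
    subject: str
    body: str
    attachments: tuple = ()              # text extracted from attachments
    recipient_transparent: bool = False  # recipient site supports transparent delivery


def matches_both_lexicons(text: str) -> bool:
    """True only when the identifier AND the HIPAA lexicon both hit."""
    has_identifier = any(p.search(text) for p in IDENTIFIER_PATTERNS)
    return has_identifier and bool(HIPAA_TERMS.search(text))


def route(msg: Message) -> str:
    """Return 'reject', 'portal', 'transparent' or 'plain'."""
    # A subject line cannot be encrypted, so PHI there bounces the message.
    # Assumption: the subject is judged by the same two-lexicon rule, and
    # this check runs before the keyword check.
    if matches_both_lexicons(msg.subject):
        return "reject"
    # Keyword-triggered encryption is always delivered via the Zix web page.
    if KEYWORD.search(msg.subject):
        return "portal"
    content = "\n".join((msg.body, *msg.attachments))
    if matches_both_lexicons(content):
        return "transparent" if msg.recipient_transparent else "portal"
    return "plain"
```

The "plain" outcome for a message carrying only a Social Security number is the gap the keyword exists to close: a sender who knows the content is sensitive should not rely on the lexicon match alone.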

If the recipient does not retrieve the message within 14 days of when it was sent, they will receive an expiration notification email. The original message will be deleted from the secure Web site.

The message expiration date for this system is 14 days from the date the message is sent, and applies to all messages received and sent. This pre-set date appears in the header section of the message as well as in the Expiration Date column in the Inbox and Sent Message views. This is the maximum number of days a message will be held in the system. Once the expiration date has been reached, the message contents and attachments are securely deleted.

Attachments are supported as part of the Compose, Forward and Reply actions. Users click on the Attach Files button and select the file(s) they wish to attach to the message. There is no limit to the number of files that can be attached to a message; however, the total size of all files attached to a message cannot exceed 10MB.

Users with registered Jefferson/Zix email accounts are restricted to sending messages to Jefferson email accounts. For example, a patient can log into ZixPort and send a secure message to their Jefferson provider; however, the patient cannot send a ZixPort secure message to a non-Jefferson email address.

Users are logged out of the system after 15 minutes of inactivity.

Jefferson/Zix email accounts are never purged from ZixPort.
