Thomas Jefferson University


Information for Employees

Zixcorp

In mid to late-May, Jeff IT will be implementing email encryption using a product called Zix.  Once integrated with JeffMail, Zix will automatically detect employee emails with protected health information (PHI) and encrypt them, providing security as the emails travel across the internet and keeping Jefferson up to date with the latest regulatory guidance. 

The key things for you to know about email encryption are:

  • Encryption Only Protects Email in Certain Ways: Email encryption protects emails while they move across the internet but does not protect email sent to the wrong address or saved copies in the sent folder on personal phones or PCs.  Because of this, users should only send email that contains PHI from Jefferson systems or via the JeffMail webpage.
  • Automatic Encryption: The Zix system will automatically identify employee emails that appear to have PHI and encrypt them without requiring any special action on your part.  The Zix filters and workflow rules are consistent with TJUH’s Zix rules in order to provide a transparent experience for patients and other external email recipients.  If you want to be sure a message will be encrypted, you have the option to include the word “secure” in the subject line.
  • Recipient Experience: When the Zix system encrypts an email, the recipient will receive an email notice that they have been sent a secure message.  The recipient can then read the email by following the instructions in the notice to access a secure website.  An explanatory webpage with an FAQ is available online for patients who receive Zix encrypted messages. 
  • Patient Communications and the Medical Record: Communications to patients via encrypted email are acceptable; however, all emails to and from the patient must be printed and scanned into the medical record.
  • Jefferson to Jefferson Communications: The Hospital also uses Zix email encryption; messages sent between the University and Hospital will be securely encrypted without change in the experience for the sender or receiver. When sending to another university or hospital, Zix may provide the same experience if the other institution is also a Zix customer.
  • Patient Email Disclaimer: A disclaimer will be automatically added to all outbound emails in order to help ensure patients do not use email communication for emergency or urgent communications with healthcare providers and to provide information to those who are not the intended recipient. The disclaimer will read as follows:
    “The information contained in this transmission contains privileged and confidential information. It is intended only for the use of the person named above. If you are not the intended recipient, you are hereby notified that any review, dissemination, distribution or duplication of this communication is strictly prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.
    CAUTION: Intended recipients should NOT use email communication for emergent or urgent health care matters.”

For more information on Jefferson email encryption, please see the FAQ section below or contact the Jeff IT Service Desk at 3-7600.


Employee Frequently Asked Questions

Secure Messaging is the automatic process of:

  • Identifying outbound email messages that contain electronic Protected Health Information (ePHI)
  • Encrypting the email messages that have been identified as containing ePHI
  • Sending encrypted email messages using ZixCorp's Best Method of Delivery™

The content of all outbound messages is scanned and compared against two lexicons, or dictionaries.

  • The identifier lexicon contains criteria for identifier information
    example: Social Security numbers, patient record numbers
  • HIPAA lexicon contains HIPAA terminology
    example: a health condition/disease

The content of the email message must meet criteria defined in both lexicons for encryption to occur.

  • Example 1: Message will be encrypted if message or attachments contain a Social Security number and a name of a disease.
  • Example 2: Message will not be encrypted if message or attachments only include a Social Security number.
  • Example 3: Message will not be encrypted if message or attachments only include a name of a disease.

It is not practical to encrypt a subject line of an email message. Therefore, any email messages that contain PHI in the subject line will be rejected and returned to the sender.

What do you do if this happens?

  • Review the subject line
  • Make necessary updates such that ePHI is not included in the subject
  • Resend the email message
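
The routing rules described above (both lexicons must match, PHI in the subject is rejected, the word "secure" in the subject forces encryption) can be modelled as follows. This is an added example, not Zix or Jeff IT code: the lexicon contents, the record-number format, the case-insensitive keyword match, applying the two-lexicon test to the subject, and checking the subject before the keyword are all assumptions.

```python
import re
from enum import Enum


class Action(Enum):
    SEND_PLAIN = "send unencrypted"
    ENCRYPT = "encrypt"
    REJECT = "reject and return to sender"


# Constructed stand-ins for the two lexicons; the real dictionaries are not on this page.
IDENTIFIER_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),         # Social Security number shape
    re.compile(r"\bMRN[:# ]*\d{6,10}\b", re.I),   # hypothetical patient record number format
]
HEALTH_TERMS = {"diabetes", "asthma", "hypertension"}  # hypothetical HIPAA lexicon entries


def has_identifier(text):
    return any(p.search(text) for p in IDENTIFIER_PATTERNS)


def has_health_term(text):
    return bool(set(re.findall(r"[a-z]+", text.lower())) & HEALTH_TERMS)


def looks_like_phi(text):
    # Encryption criteria: a hit in the identifier lexicon AND in the HIPAA lexicon.
    return has_identifier(text) and has_health_term(text)


def classify(subject, body, attachments=()):
    # Assumption: the subject is tested with the same two-lexicon rule, before anything else.
    if looks_like_phi(subject):
        return Action.REJECT
    # Keyword policy: the word "secure" in the subject line forces encryption.
    if re.search(r"\bsecure\b", subject, re.I):
        return Action.ENCRYPT
    # Body and attachment text are scanned together, so a match may be split across them.
    if looks_like_phi("\n".join([body, *attachments])):
        return Action.ENCRYPT
    return Action.SEND_PLAIN


if __name__ == "__main__":
    # Constructed sample messages mirroring Examples 1 to 3 above.
    for subj, body in [("Lab results", "SSN 123-45-6789, diagnosis: diabetes"),
                       ("Records", "SSN 123-45-6789"),
                       ("Clinic", "asthma clinic hours changed")]:
        print(subj, "->", classify(subj, body).value)
```

Under this model a message carrying only a Social Security number leaves unencrypted, which is the case the "secure" subject keyword exists to cover.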

With the adoption of HIPAA, it is required that all communications containing ePHI be secured. To help implement this important security measure, we are using secure messaging services to help protect University email messages and ePHI. Please note that because Jefferson University email (JeffMail) can be accessed from personal devices such as laptops and smartphones, Jefferson University cannot ensure that emails containing ePHI sent from these devices are kept secure. Jeff IT recommends that all personal devices accessing JeffMail be password protected to prevent unauthorized access in the event your device is lost or stolen.

Please note that because Jefferson University email (JeffMail) can be accessed from personal devices such as laptops and smartphones, Jefferson University cannot ensure that emails containing ePHI sent from these devices are kept secure. Zix encryption also does not prevent an unprotected copy of your email from being stored on the device used to send it. Users must adhere to the Wireless and Portable Device Security Policy for all devices used to send university-related email. It is required that all personal devices accessing JeffMail be password protected and encrypted to prevent unauthorized access in the event your device is lost or stolen.

Generally, the encryption process will happen transparently without requiring any user input. Please refer to "What is Secure Messaging?" above for more details.

The University and Hospital have also created a special keyword encryption policy. This policy allows you to type the word secure into the email's subject line and the content of the email message will automatically get encrypted once it is sent. This way you can ensure that your email will be encrypted without relying on ZixCorp's identifier or HIPAA lexicons.

If the recipient does not retrieve the message within 14 days of when it was sent, they will receive an expiration notification email. The original message will be deleted from the secure Web site.

The message expiration date for this system is 14 days from the date the message is sent, and applies to all messages received and sent. This pre-set date appears in the header section of the message as well as in the Expiration Date column in the Inbox and Sent Message views. This is the maximum number of days a message will be held in the system. Once the expiration date has been reached, the message contents and attachments are securely deleted.

Attachments are supported as part of the Compose, Forward and Reply actions. Users click on the Attach Files button and select the file(s) they wish to attach to the message. There is no limit to the number of files that can be attached to a message; however, the total size of all files attached to a message cannot exceed 10MB.

Users with registered TJU/Zix email accounts are restricted to sending messages to @jefferson.edu and @jeffersonhospital.org email accounts. For example, a patient can log into ZixPort and send a secure message to their Jefferson provider; however, the patient cannot send a ZixPort secure message to a non-Jefferson email address.

Users are logged out of the system after 15 minutes of inactivity.

TJU/Zix email accounts are never purged from the ZixPort.
