March 30, 2023
This page provides the frequently asked questions for sending Protected Health Information (PHI) and Confidential Information securely.
What type of information must be sent securely?
State and federal regulations require that emails containing protected health information and personal information be encrypted if they are sent outside our Mass General Brigham firewall.
It is strongly recommended that emails containing other Mass General Brigham Confidential Data also be encrypted using Send Secure.
Sending confidential information via email carries risks and should only be done when necessary and in accordance with policy and security requirements.
What is Send Secure?
Send Secure is an email service designed to protect Mass General Brigham Confidential Data contained in messages sent from a Mass General Brigham email address to a non‐Mass General Brigham email address.
If you must use email to communicate Mass General Brigham Confidential Data to a non‐Mass General Brigham address, you must send the message securely.
What is Mass General Brigham Confidential Data?
Mass General Brigham confidential data includes:
- Electronic protected health information (PHI)
- Personal information
- Intellectual property
- Employee information
MGB confidential data also includes any other non‐public information that would subject Mass General Brigham, the data owner, or the data subjects, to harm if the data was lost, stolen, or accessed by unauthorized individuals.
Does Protected Health Information (PHI) need to be sent securely?
Yes. Any email containing Protected Health Information must be encrypted and sent securely.
The recommended ways to send this information are to use Patient Gateway, the LMR application, or another clinical messaging system that may be in use at your specific site.
'Send Secure' is an alternative if you do not have access to these other methods.
What do I need to do to send a secured message?
Senders need to type the words "send secure" in the subject line of the email message.
- The 'send secure' code can be placed anywhere in the subject line.
- The code identifies the message as secure and encrypts the contents.
- When the recipient(s) opens the message, the sender will receive an automated read receipt.
Is the subject line of the message encrypted?
No, the subject line of an email message is not encrypted. Please DO NOT include any patient identifier in the subject line of your message. Examples of patient identifiers include first name, last name, and medical record number.
What if I use the incorrect code to send my secure email?
You will get an automated email receipt for all email messages sent with the correct secure email code.
- Check your sent items folder to review the text of your original message and confirm that the code was typed properly as "send secure".
- If you do not receive the automated read receipt, it means your email message was not sent securely or never opened by the recipient.
- Information Systems recommends that you resend the message with the exact code and retain the automated receipt for auditing purposes.
What is the proper way to enter the secure email code?
The secure email code is "send secure". Ideally, this should be entered as two words, all lowercase with no bolding or quotations. However, the code is not case sensitive. If you type 'Send Secure', the email will be sent encrypted. Other scenarios are as follows:
- Your message will be sent securely if the two words are combined.
- Your message will be sent securely if there are multiple spaces between the two words.
- Your message will be sent securely if there is other text before or after the secure email code.
- Your message will not be sent securely if you put text in between the code words.
- For example, in the email's subject line write "send secure YourMessage" and not "send YourMessage secure".
Aren't all my emails secure?
Your mail is secure in the sense that it is private and password protected. However, it is not encrypted when you send it outside of the Mass General Brigham network to a non‐Mass General Brigham email address.
To encrypt the text of your message that contains Mass General Brigham Confidential Data, please type "send secure" anywhere in the subject line of the message.
What's the size limit?
Send Secure has a mail message size limit of 10MB and an attachment file size limit of 7.5MB.
What’s the difference between laptop encryption and email encryption?
Laptop encryption encrypts data on the actual computer. It does not encrypt individual emails being sent outside the Mass General Brigham network.
Individual emails containing protected health information and personal information must be secured by including "send secure" anywhere in the subject line of the message.
If my laptop is encrypted, does that mean my email is automatically encrypted?
No. Individual emails must still be secured by including 'send secure' in the subject line of the message.
Are there other secure alternatives to send Protected Health Information?
Yes. Some sites use Patient Gateway to electronically send Protected Health Information to patients. Each site may have other options available. Check with your Site Security Officer on alternate ways to send Protected Health Information.
Send Secure is a good option for sites that are not using another means for conveying information securely.
What other entities have secure email with Mass General Brigham?
Some sites use Patient Gateway for secure communications. In addition, there are secure communication channels in place between Atrius, Massachusetts Eye & Ear Infirmary, and other entities.
Click here to see a full listing of secure channels. In these instances, there is no need to do any additional encryption.
Should I continue to use Patient Gateway if my practice uses that application?
Yes. Patient Gateway is the preferred method for providers to communicate electronically with patients and is fully compliant with state law.
For information about Patient Gateway, please contact your Service Desk or your LMR Analyst.
Are there other solutions for Provider-to-Provider communications?
Clinical messaging can be an efficient alternative to email for provider-to-provider communications. ChartLinx is a system that allows clinical messages to be sent securely between providers using LMR and GE Centricity. Clinical messages generated in ChartLinx are transferred securely, and there is no need to do any additional encryption.
Is Send Secure different from Secure File Transfer Service?
Yes. Mass General Brigham Research Computing offers a Secure File Transfer Service to exchange large files with collaborators both inside and outside of Mass General Brigham HealthCare via a web browser rather than FTP.
The service is a secure web-based application with anti‐virus detection built in.
For more information on Secure File Transfer, please visit http://rc.Mass General Brigham.org/sFTP
Are there step‐by‐step instructions available?
Yes. Detailed instructions for both senders and recipients can be found in KB0018778.
What must the Recipient do to read the message?
When a recipient with a non‐Mass General Brigham email address opens the message, they will need to register and create a password in order to read the encrypted message.
This is a one‐time only registration process that takes a few minutes to complete. The registration process is similar to setting up an account with Amazon.com or a banking website.
How do senders get help with Send Secure?
Please first review the following article: About Cisco Secure Email Encryption Service (Send Secure)
If further assistance is required, then refer to KB0018777 for Cisco Support information.
Why is my Send Secure showing up in plain text?
There are two ways to ensure emails sent to external entities are transmitted securely. One is to use Send Secure; the other is to require that messages sent to specific domains use TLS encryption (forced TLS) for the transmission of the message. If forced TLS is required for messages sent to an external recipient, Send Secure will be ignored and the message will appear to the recipient to be sent normally. However, since the transmission of the message was encrypted, it was sent securely.
If a Send Secure email is showing as a normal email, it is likely because Forced TLS was used instead. This can be verified by checking the recipient domain at https://pweb.partners.org/mgb/emaildomain/home/index
If you want to ensure that your message is delivered securely, you may continue to use "Send Secure" in the subject field. If forced TLS is not set up for the recipient, then the email gateway will encrypt it with Send Secure.
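The subject-line matching rules and the forced-TLS precedence described in this FAQ can be modeled as a small outbox check. This is an added example, not Mass General Brigham or Cisco code; the domain names, function names and the space-only pattern are assumptions made for illustration.

```python
import re

# Constructed placeholder domains; the page does not list real ones.
INTERNAL_DOMAINS = {"mgb.example"}          # assumed internal mail domain
FORCED_TLS_DOMAINS = {"partner.example"}    # assumed forced-TLS partner

# "send" and "secure", any case, joined or separated only by spaces.
# Assumption: how the real gateway treats other separators is not documented.
TRIGGER = re.compile(r"send *secure", re.IGNORECASE)


def has_trigger(subject: str) -> bool:
    """True if the subject carries the code anywhere, per the FAQ's rules."""
    return TRIGGER.search(subject) is not None


def delivery_path(subject: str, recipient: str) -> str:
    """Model which protection applies to one outbound message."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain in INTERNAL_DOMAINS:
        return "internal"        # never leaves the network
    if domain in FORCED_TLS_DOMAINS:
        return "forced-tls"      # code is ignored; transport is encrypted
    if has_trigger(subject):
        return "send-secure"     # recipient registers to read the message
    return "unencrypted"         # external, no forced TLS, no code


def unprotected(messages):
    """Return the (subject, recipient) pairs that would leave unencrypted."""
    return [m for m in messages if delivery_path(*m) == "unencrypted"]


# Constructed sample outbox.
OUTBOX = [
    ("Send Secure: visit summary", "pat@other.example"),
    ("send visit summary secure", "pat@other.example"),   # text between words
    ("SENDSECURE referral", "dr@partner.example"),
    ("lunch?", "colleague@mgb.example"),
]

if __name__ == "__main__":
    for subject, rcpt in OUTBOX:
        print(f"{delivery_path(subject, rcpt):12} {rcpt:24} {subject}")
```

In every path the subject line itself stays readable, so the check says nothing about identifiers placed there.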
My recipients are having trouble and need assistance. How should I direct them?
There are two websites that are helpful to recipients: