Email Best Practices

Email is an important communications tool used throughout UC San Diego Health. Due to its ubiquity, it is often easy to overlook the importance of utilizing email security best practices to help protect sensitive data against outside threats. For us to successfully thwart malicious attacks and protect our organization, we want to communicate some important best-practice strategies that you can implement immediately. This page will highlight things you can do to help ensure data and resources remain secure.

Email security is a shared responsibility!

Security is a shared responsibility for ensuring the protection of institutional information and IT resources both as a sender and recipient of sensitive data (Protection Level 3 or 4) as defined in the University of California Data Classification policy:
  • Use only UC San Diego Health provided email accounts.
  • Never automatically redirect emails or use automatic forwarding.
  • Be wary of phishing scams designed to capture sensitive data such as passwords.
  • Report any suspicious emails to .
  • When communicating with patients electronically, only use MyChart.
  • Use Microsoft Teams within UC San Diego Health Office 365 to share sensitive data. Please use your email (not email) to ensure you are using the Health instance of Microsoft Teams.

What information can be sent in an email?

Do not share protected information via email unless absolutely necessary. If sharing is necessary, only add the information that is essential to communicate. When sharing protected health information is required, follow the minimum necessary standard, which is sharing the minimal or least amount of information needed.

How can I securely share protected information?

The best way to share protected information is through Microsoft Teams within UC San Diego Health Office 365. Steps to take when it is necessary to send protected information via email:
  • Be cautious when communicating sensitive information and assume that any message sent could be captured and delivered to unauthorized individuals;
  • Confirm the email address:
  • Delete unnecessary identifiers;
  • Include a privacy statement notifying the recipient when the email contains confidential information;
  • Use “Secure:” in the email subject to send an encrypted email,;
  • Encrypt attachments with passwords;
  • Use a different communication channel to provide the password to the recipient. For example, if files are emailed, transmit the password through Teams Chat or call the receiver to share.

How long should I keep email messages with protected information?

Once a file with protected information is processed and no longer needed, the file should be deleted. That applies to the source files, including messages in the Sent Items folder, and to received files in the Inbox or Downloads folder. If an archive is required, a department share, Microsoft Teams, or SharePoint site are the preferred locations. Purging files with protected information reduces the risk to UC San Diego Health in the event of unauthorized access.

Additional information and policies...