JagMail (Google/G Suite) Secure Messaging Features
General Guidance
- The University HIPAA office and the Computer Services Center have determined that
the following components of the University-contracted G Suite for Education (formerly
titled “Google Apps for Education”), when appropriately used, provide the basic technical
and contractual requirements for communication of HIPAA protected data:
  - JagMail email (@southalabama.edu)
  - Google Drive/Google Shared Drives
  - Google Documents and Sheets
- This document does not address the suitability of your business practices with regard
to confidential data nor whether you are compliant with HIPAA regulations. It is assumed
that you have reviewed your practices and procedures with the appropriate University
offices to determine whether the data in question may be shared and with whom it may
be shared.
- These G Suite services may be used in addition to USANAS, the on-campus networked
storage system. For most offices exchanging information primarily at University locations,
USANAS will be the preferred sharing/storage system. All faculty and staff offices
may request access to USANAS. Please contact helpdesk@southalabama.edu for assistance.
- Although the commercial Gmail system shares many technical characteristics with the
University G Suite (JagMail), it is not covered by University contract and does not
meet all University technical and administrative requirements for confidential data.
It is not approved for PHI or other University confidential data. Using it for such
purposes potentially exposes you to personal liability in addition to violating University
policies.
- Although the JagMail email system meets contractual and technical requirements for
transmittal of sensitive data including PHI, email is subject to the following concerns:
  - Email can easily be sent to the wrong recipients (or mistakenly forwarded by valid recipients to inappropriate recipients).
  - It is not possible to retract messages once sent.
  - Recipients with auto-forwarding may propagate the message beyond your intent.
  - Email messages persist in sent mail folders and may reside on multiple devices, including smart phones. It is difficult - if not impossible - to meet document retention and disposal requirements with email.
- The Computer Services Center recommends that whenever possible email be used to alert or notify but not to transport or convey sensitive information. (For example, you can place confidential data within a Google Drive and use email to provide access links.)
Security Features
The following security features are available to all users of JagMail (the @southalabama.edu/@jagmail.southalabama.edu G Suite system).
Dual Factor authentication
All users can activate two-factor authentication, which is recommended for everyone and essential for anyone transmitting or storing sensitive information. Please see JagMail Two Factor Authentication for details. This information can also be found on the main University web server by finding “JagMail Two Factor Authentication” in the A-Z index.
Email transmission security features
- All email between the University @health.southalabama.edu and JagMail systems travels only over encrypted channels (also known as Transport Layer Security, or TLS), as does all email between JagMail users.
#secure subject keyword
For communications outside the two University systems, any user of @southalabama.edu or @jagmail.southalabama.edu may request that email be sent only over an encrypted channel by including the keyword “#secure” in the subject line.
If the email system cannot deliver the message over a TLS channel, you will receive an error message from the system and the message will not be delivered. You may then determine whether another method - such as a Google Drive share - is an appropriate alternative.
Google Drive and Shared Drives (including Google Docs and Sheets)
- Access to these services is only over secure, encrypted channels.
- Google Drive space is "unlimited" for the University G Suite.
- Sharing options:
  - Google Drive permits flexible sharing controls, including limiting access to specific JagMail recipients or to all JagMail users.
  - You can set expiration times on your shares.
  - Files and folders can be shared "to anyone with the link", permitting sharing of data with individuals outside the JagMail system. When this option is used for sensitive data, the share should be for a limited period and the item should be unshared once the data has been transmitted.
- General usage suggestions:
  - Google Drive is tied to an individual user account, and is best suited for individual user working files and ad hoc sharing.
  - Shared Drives exist independently of individual user accounts and are best for shared projects and long-term storage.
- Health System users can be issued accounts to access Google Drive resources upon request.
- More information is available at Get Started with Google Drive and Get Started with Shared Drives, and from the Computer Services Center/Academic Computing Help Desk at helpdesk@southalabama.edu.