JagMail (Google/G Suite) Secure Messaging Features

General Guidance

  • The University HIPAA office and the Computer Services Center have determined that the following components of the University-contracted G Suite for Education (formerly titled “Google Apps for Education”), when appropriately used, provide the basic  technical and contractual requirements for communication of HIPAA protected data:
    • JagMail email (@storesoo.com)
    • Google Drive/Google Shared Drives
    • Google Documents and Sheets

  • This document does not address the suitability of your business practices with regard to confidential data nor whether you are compliant with HIPAA regulations. It is assumed that you have reviewed your practices and procedures with the appropriate University offices to determine whether the data in question may be shared and with whom it may be shared.

  • These G Suite services may be used in addition to USANAS, the on-campus networked storage system. For most offices exchanging information primarily at University locations, USANAS will be the preferred sharing/storage system.  All faculty and staff offices may request access to USANAS. Please contact helpdesk@storesoo.com for assistance.

  • Although the commercial Gmail system shares many technical characteristics with the University G Suite (JagMail), it is not covered by University contract and does not meet all University technical and administrative requirements for confidential data. It is not approved for PHI or other University confidential data. Using it for such purposes potentially exposes you to personal liability in addition to violating University policies.

  • Although the JagMail email system meets contractual and technical requirements for transmittal of sensitive data including PHI, email is subject to the following concerns:
    • Email can easily be sent to the wrong recipients (or mistakenly forwarded by valid recipients to inappropriate recipients)
    • It is not possible to retract messages once sent.
    • Recipients with auto-forwarding may propagate the message beyond your intent.
    • Email messages persist in sent mail folders and may reside on multiple devices, including smart phones.  It is difficult - if not impossible  - to meet document retention and disposal requirements with email.

  • The Computer Services Center recommends that whenever possible email be used to alert or notify but not to transport or convey sensitive information.  (For example, you can place confidential data within a Google Drive and use email to provide access links.)

 

Security Features

The following security features are available to all users of JagMail (the @storesoo.com/@jagmail.storesoo.com G Suite system.)

 

Dual Factor authentication

All users can activate 2 factor authentication, recommended for everyone, but essential for anyone transmitting or storing sensitive information. Please see  JagMail Two Factor Authentication for details. This information can also be found on the main University web server by finding “JagMail Two Factor Authentication” in the A-Z index.

 

Email transmission security features

  • All email between the University @health.storesoo.com and JagMail systems only over encrypted channels. (also known as Transport Layer Security, or TLS), as does all email between JagMail users.

  • #secure subject keyword

    For communications outside the two University systems, any user of @storesoo.com or @jagmail.storesoo.com may request that email be sent only over an encrypted channel by including the keyword “#secure” in the subject line.

    If the email system cannot deliver over TLS channels, you will receive an error message from the system and it will not be delivered. You may then determine whether another method - such as a Google Drive share - is an appropriate alternative.

Google Drive and Shared Drives  (including Google Docs and Sheets)

  • Access to these services is only over secure, encrypted channels.

  • Google Drive space is "unlimited" for the University G Suite.  

  • Sharing options: 
    • Google Drive permits flexible sharing controls, including limiting access to specific JagMail recipients or to all JagMail users.
    • You can set expiration times on your shares.
    • Files and folders can be shared "to anyone with the link", permitting sharing of data to individuals outside the JagMail system. When used for sensitive data, this should be for a limited period and unshared once transmitted. 

  • General usage suggestions:
    • Google Drive is tied to an individual user account, and is best suited for individual user working files and ad hoc sharing.
    • Shared Drives exist independently of individual user accounts and are best for shared projects and long-term storage.
    • Health System users can be issued accounts to access Google Drive resources upon request.

  • More information is available at  Get Started with Google Drive and  Get Started with Shared Drives and from the Computer Services Center/Academic Computing Help Desk at helpdesk@storesoo.com