IT0002-HSC-C Email

Responsible Office: Office of Cybersecurity

Last Review: 03/01/2025

Next Review: 03/01/2027

Contact: Chris Madeksho


Phone: 901.448.1579


Email: mmadeksh@uthsc.edu

Purpose

The University of Tennessee Health Science Center (UTHSC) email services are provided to facilitate communication in the pursuit of academic and business endeavors. The purpose of this standard is to describe the availability and permitted use of this critical service for purposes appropriate to the University’s mission.

This standard is also designed to meet compliance requirements for data regulated by federal or state law. This includes, but is not limited to, security requirements and safeguards for the Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act (HIPAA), or Gramm-Leach-Bliley Act (GLBA).

Scope

This standard applies to all members of the UTHSC community entitled to email services.

Definitions

Level 2 Data – The effect on confidentiality and integrity of the Data is significant and includes compliance requirements. This Data is governed by federal, or state compliance requirements and unwarranted exposure can lead to compliance issues and/or fines. This includes all Data that contains personally identifiable information (PII), protected health information, student education records, and cardholder Data. This categorization level also includes lower-risk items that, when combined, represent an increased risk per IT0005-HSC-A-Data & System Categorization.
Email – electronically delivered messages addressed to specific email account holders
Email Account – a NetID and password assigned to a user that allows access to email services
Sponsored NetID – a NetID not automatically generated for an active faculty, staff or student, but for someone affiliated with the University that needs access to specific systems. This type of NetID must be requested by a supervisor, business manager or department head.
UTHSC Business – any activity or communication supporting the mission of UTHSC. This includes communication between internal and external individuals while representing the interests of UTHSC for any UTHSC-related purposes.
UTHSC Information Technology (IT) Resource – a broad term for all things related to information technology from a holistic point of view and covers all University owned or managed information technology services, including cloud-based services, that users have access to.

Responsibilities

Information Technology Services (ITS) is responsible for creating and maintaining UTHSC email accounts.
ITS Leadership is responsible for setting standards for the use of the UTHSC email system.
System Custodian is responsible for configuring the appropriate controls for the UTHSC email system.
UTHSC User is responsible for adhering to this standard and the security controls set forth in it.

Standard

UTHSC Email Address and Accounts

Faculty and Staff

Faculty and staff must use UTHSC email services to conduct and communicate University business. Incidental personal use of email is allowed, with the understanding that the primary objective of this email service is UTHSC-related and that occasional personal use does not adversely impact work responsibilities or the performance of the network.

Email services are provided only while a user is employed by the University, or 30 days after separation if the user has left on good terms. Once a user’s electronic services are terminated, employees may no longer access the contents of their mailboxes, nor should they export their mailbox to a personal account before departure. Upon separation, emails contained in the account remain the property of the UTHSC. Retirees wishing to continue using a UTHSC email address must have a sponsored account. See Sponsored Accounts below.

Faculty and staff email users are advised that electronic data (and communications using the University network for transmission or storage) may be reviewed and/or accessed by authorized University officials for purposes related to University business per IT0002-HSC-B-Expectation of Privacy. UTHSC has the authority to access and inspect the contents of any equipment, files, or email on ITS resources. 

Students

Email services are available for students to support learning and for communication by and between the University and themselves. The services are provided only while a student is enrolled in the University, or up to one year after the end date of the last term the student attended UTHSC classes. Once a student’s electronic services are terminated, students may no longer access the contents of their mailboxes. Upon separation, emails contained in the account remain the property of the UTHSC.

Student email users are advised that electronic data (and communications using the University network for transmission or storage) may be reviewed and/or accessed per IT0002-HSC-B-Expectation of Privacy. UTHSC has the authority to access and inspect the contents of any equipment, files, or email on ITS resources. 

Sponsored Accounts

Individuals with special relationships with UTHSC who are neither employed nor enrolled at UTHSC, are granted limited email privileges, including an email address, commensurate with the nature of their relationship with the University with a sponsored NetID account. This type of account must be requested by a supervisor, business manager, or department head. UTHSC is free to discontinue these privileges at any time. The management of these types of accounts is described in IT0506-HSC-A.02-NetID Account Management.

Acceptable Use under University Policies

Email users have a responsibility to learn about and comply with UTSA IT Policy IT0002-Acceptable Use of Information Technology Resources and IT0002-HSC-A-Acceptable Use of IT Resources. Violation of UTHSC standards and practices (including this one) may result in disciplinary action dependent upon the nature of the violation. Examples of prohibited uses of email include, but are not limited to:

  • Intentional and unauthorized access to other people’s email
  • Sending “spam”, chain letters, or any other type of unauthorized widespread distribution of unsolicited mail
  • Use of email for commercial activities or personal gain (except as specifically authorized by University policy and in accordance with University procedures)
  • Use of email for partisan political or lobbying activities
  • Sending of messages that constitute violations of the University of Tennessee’s HR-0580-Code of Conduct
  • Creation and use of a false or alias email address to impersonate another or send fraudulent communications
  • Use of email to transmit materials in a manner that violates copyright laws. Abuses of UTHSC’s email services should be directed to the Office of Cybersecurity at abuse@uthsc.edu.

Security and Privacy of Emails

UTHSC attempts to provide secure, private, and reliable email services by following sound information technology practices. However, there are always emerging risks that allow attackers to compromise the confidentiality, integrity, and availability of our emails. Therefore, email users should exercise extreme caution in using UTHSC email to communicate sensitive matters. All data contained within an email message, or an attachment, must be secured commensurate with the criticality of the information per IT0005-HSC-A-Data & System Categorization.

Email is a business record if there exists a legitimate and ongoing business reason to preserve the information contained in the email. In that case, the email must be retained according to pertinent University of Tennessee and/or State retention requirements. Users of UTHSC email services also should be aware that the Tennessee Public Records Act & Tennessee Sunshine Law (Open Meetings Act) and other similar laws jeopardize the ability of UTHSC to guarantee complete protection of email.

Best Practices in the Use of Email

C-3 Data or Information
When sending information categorized as Level 2 data, per IT0005-HSC-A-Data & System Categorization (such as data covered by HIPAA and FERPA), the user must encrypt the message if sent via email. To encrypt an email, add the word encrypt anywhere in the subject line of an email sent from the sender’s UTHSC account. Refer to this Knowledge Base article on how to encrypt emails in Outlook. The University of Tennessee UT Vault can also be used to send encrypted messages. Students, staff, and faculty members from any UT institution can send and receive encrypted emails, including emails from non-UT entities. More information on UT Vault is found at vault.utk.edu.

Phishing
Phishing attacks use email to collect personal and financial information or infect devices with malware and viruses. UTHSC email users should be careful not to open unexpected attachments from unknown or even known senders, nor follow web links within an email message unless the user is certain that the link is legitimate. Clicking a link in an email message or opening an attachment may allow bad actors to install malicious programs on the workstation.

Identity Theft
Forms sent via email from an unknown sender should never be filled out by following a link. Theft of one’s identity can result. 

Password Protection
UTHSC requires the use of strong passwords for the protection of our NetID and email. Requirements for a UTHSC password are given in IT0506-HSC-A.01-Password Management and Complexity.

Departmental Email Boxes
Departments that provide services in response to email requests should have a shared mailbox created to help support departmental functional continuity for managing requests sent via email. These accounts should have one owner accepting responsibility for the account and must be monitored.

Forwarding Email
UTHSC email users may not forward emails to a non-UTHSC email address, except to domains that have been approved for forwarding. Staff email users on an extended absence should create an Out of Office message, which should include the contact information for another staff member who can respond while the user is away from the office.

Compromised Accounts
An email account that has been compromised, whether through password cracking, social engineering, or any other means, must be promptly remediated with the appropriate means. Such appropriate means will include a password reset, review of account settings, computer scans, and malware disinfection to prevent possible leakage of PII, spamming, potentially infecting others, and degradations of network service.  If the account is being used to harm UTHSC, the Chief Information Security Officer (CISO) or designee will direct the ITS Infrastructure Team to disable the account until remediations can occur.

Representation
Email users must not give the impression that they are representing, giving opinions, or otherwise making statements on behalf of UTHSC or any unit of UTHSC unless appropriately authorized (explicitly or implicitly) to do so. Where appropriate, an explicit disclaimer shall be included unless it is clear from the context that the author is not representing UTHSC. Refer to SC-002.01-Offical Communications Use & Protections for guidance.

Alternative Means of Communication
Users should be aware that there are alternative means of communication that may be more efficient than email. For example, the use of Microsoft Teams for individual or group conversations and meetings is an approved and appropriate alternative that allows for flexibility during collaborations.

Exceptions to this Standard

Exceptions to this Practice should be requested using the process outlined in IT0003-HSC-A.02-Security Exceptions and Exemptions to ITS Standards and Practices.

Policy History

Version #
Effective Date
1
10/31/2016
2
09/02/2021
3
01/24/2022
4
09/18/2023
5
11/02/2023
6
03/01/2025 – new naming convention

References

  1. IT0002–Acceptable Use of Information Technology Resources
  2. HR-0580-Code of Conduct
  3. IT0002-HSC-A-Acceptable Use of IT Resources
  4. IT0002-HSC-B-Expectation of Privacy
  5. IT0003-HSC-A.02-Security Exceptions and Exemptions to ITS Standards, Practices, and Controls
  6. IT0005-HSC-A-Data & System Categorization
  7. IT0506-HSC-A.02-NetID Account Management
  8. SC-002.01-Offical Communications Use & Protections