Release of Information (ROI) via email

All Queensland Health staff members have an obligation under the Hospital and Health Boards Act 2011 and Information Privacy Act 2009 to protect personal information including, but not limited to, patient information, collected, managed, stored, disseminated, and disposed of by Queensland Health.

Information classified as ‘sensitive' (including clinical and confidential information), should only be sent when there is a legitimate and approved need to do so and in compliance with the Hospital and Health Board Act 2011 and Information Privacy Act 2009.

Emails must be encrypted. Encryption means that information is converted to a code to prevent unauthorised access and so the information cannot be altered. This information can be ‘unencrypted’ by the authorised recipient.

Risks of email communication

Before providing consent to use email as a method of communication, please be aware that email has risks which include, but are not limited to, the following:

• Emails may be misaddressed or potentially received by unintended recipients.
• Email that are inadvertently not encrypted may be intercepted, forwarded or used without authorisation or detection.
• Employers (if you are using a work-based email address) and online services have a right to archive and inspect emails transmitted through their systems.

Agreement to receive correspondence via email

• Agreement to utilise email for correspondence / communication is voluntary. Please ensure you provide the correct email address and maintain its currency.
• You may ‘opt out’ of receiving email communication by notifying the clinic / service.
• Your email address will not be used for any purpose other than for which was agreed and cannot be forwarded to another person without your permission.
• Another form of contact and communication may be required or requested if it is deemed that email communication is not appropriate.
• General Practices may utilise a generic email account to request and receive ROI in an encrypted format.
• Background user settings of generic email accounts must provide owner permissions for individual users to access encrypted email.

Process to read your encrypted email

You will receive email communications from SCHHS in an encrypted format.

Using Outlook.com or Microsoft 365

• If using the Outlook.com website, the Outlook mobile app, or the Mail app in Windows 10, you can read encrypted messages the same way as with unencrypted messages.
• If using Outlook for Windows, Outlook for Mac, or a third-party email app, you will receive an email message with instructions for how to read the encrypted message and can gain access using your Microsoft account or Microsoft 365 account.

If NOT using Outlook.com or Microsoft 365

You will receive an email message with options and instructions for how to read the encrypted message. The encrypted message may be checked via a temporary passcode or by signing in into your Google account.

SCHHS email addresses for ROI

Process to encrypt emails

• Available to practitioners with a Microsoft Office 365 email account.
• Applies encryption (AES-128-bit) to the email.

All attachments are encrypted, however the subject line is not. The subject line should include the general purpose of the message. For example, ‘processed ROI’ ,‘advice’ or ‘appointment’. No confidential information should be contained on the subject line, the content of the subject line is not encrypted.

1. Open a new email
2. select the ‘Options’ tab in the ribbon
3. click ‘Encrypt’
4. select ‘Encrypt-only’ on the dropdown menu
5. the use of read receipt is also recommended.