Policy rationale

HMS email services are provided by Harvard Medical School (HMS) for the purpose of enhancing productivity and maintaining effective communications in support of the school’s mission. HMS encourages the use of email for the distribution of information to HMS email users. This policy outlines the responsibilities, service definition, security requirements, and acceptable use of the HMS email service.

Applicability

This policy applies to all users of HMS email services.

Policy statements

Responsibilities

  • Use of HMS-provided email resources and the content of email messages must be in accordance with the HMS acceptable use policy, the HMS email policy, all applicable federal and state regulations, and University policies, or in accordance with executed service agreements for outside organizations utilizing HMS email provisioning services.
  • Each HMS email user is expected to check email messages for HMS-related communications on a basis consistent with their role.
  • HMS IT manages HMS email services that are available for use by all HMS email users.
  • The thorough list of email eligibility rules will be kept current by designated HMS Email Eligibility Approvers, in a single web-based location accessible to the HMS/HSDM community and hosted by HMS IT.

HMS email services use, availability, compliance, and prohibited activity

  • HMS email is the property of Harvard University and not of the individual HMS email user.
  • No email service can be utilized or advertised as an official HMS email service, apart from the HMS email service. (A definition of HMS email service can be found in the "Definitions" section of this policy.)
  • HMS Administrative and Research units shall not deploy alternative email systems for conducting HMS business.
  • HMS/HSDM email services must not be used as permanent storage for Protected Health Information (ePHI).
  • HMS/HSDM email should not be used as a primary method of sending Protected Health Information (ePHI).
    • ePHI can be securely sent via secure file transfer methods listed in the related resources section below.
    • If HMS/HSDM email must be used to send Protected Health Information (ePHI) due to business, school, or patient needs, the following must be followed: 1) inquire with HMS Security about non-email secure options for sharing ePHI; if no such options are available or functional at the time, then 2) the email must be sent encrypted, 3) any attachments must be encrypted with a password, and 4) the password must be sent to the receiver in a separate email or text message.
      • If the steps above are not followed, HMS/HSDM email cannot be used to send Protected Health Information (ePHI).
  • HMS/HSDM email services must not be used as permanent storage for HMS research data.
  • Use of email resources and the content of email messages must comply with all applicable local, state, and federal laws and regulations and all university and HMS Policies and information security controls.
  • Users of HMS email services shall not abuse the privilege of access to HMS information resources.
  • Personal email accounts should not be used for conducting HMS business. HMS may require an employee to disclose any email messages residing in an employee’s personal email account(s) relating to HMS business to satisfy obligations regarding an audit, investigation, legal or official proceeding.
  • HMS discourages the use of HMS email for personal use or activities (e.g., online banking, shopping, personal memberships, or a child's or partner's school/work). Access to your HMS email account is terminated upon your departure or at a designated time after departure from HMS, which may result in loss of access to personal accounts and information set up through or stored in your HMS email.
  • Students will have their HMS email accounts terminated if they graduate or cease to be registered without approved leave.
    • Students who graduate from Harvard Medical School will have their email accounts terminated after an approved number of days following their graduation in the registrar system. The approved number of days shall be documented in the Approved Email Eligibility website (link is in the related resources section below).
    • All graduating students, regardless of type, will be downgraded to the lowest level of licensing immediately upon graduation (for example, from M365 A3 to M365 A1). Lower levels of licensing may have reduced storage capacity and functionality.
  • When a student, faculty, or staff member is officially on a leave of absence, the email account will remain active during the leave.
    • For eligibility details regarding student, faculty, or staff members officially on a leave of absence, refer to the Approved Email Eligibility Site (link is in the related resources section below). 
  • HMS email services based on employment status at HMS will be decommissioned upon separation from Harvard Medical School.
    • For details and exceptions regarding email continuity post-departure from HMS, refer to the Approved Email Eligibility website (link is in the related resources section below).
  • All messages in the HMS email services must be electronically scanned and filtered according to processes managed by HUIT and HMS IT. 
    • Messages that are determined to contain malicious content (i.e., viruses, malware, or phishing attempts) shall be rejected. 
    • Messages that are likely to be spam must be quarantined or discarded.  

HMS email services eligibility

  • HMS IT shall host the list of HMS Email Services eligibility rules in a web-based location accessible, as appropriate, to the HMS/HSDM community. Please see the Related Resources section for the link.
  • Certain individuals/offices are designated to determine email eligibility. A list of current email eligibility designees can be found in a web-based location accessible, as appropriate, to the HMS/HSDM community. Please see the Approved Email Eligibility website (link is in the Related Resources section below).
  • Should an HMS email user’s circumstances change such that they are no longer eligible for HMS email services, HMS reserves the right to terminate or disable the email account, with or without notice.  

Group email services

  • Departmental or other shared email: Users of shared email accounts must use the delegated access model and not share credentials for a single email account. 
  • Student groups are ineligible for HMS email services.

HMS email services for non-employees

  • HMS email services may be offered to non-HMS employees (such as, but not limited to, vendors, contractors, and contingent workers) only if the following conditions are met:
    • Must be onboarded via the Harvard Sponsored Role (HSR) process in accordance with the HMS guest account standard. 
    • The HSR role type must be one that qualifies for email. Note: HSR accounts will only be valid for a maximum period of one year and must be renewed annually. 
  • HSR accounts will lose access to HMS email services after the last day of sponsored affiliation. 

Email privacy

Email messages that are maintained by Harvard/HMS and its employees or contractors, in certain cases, may be subject to disclosure for:

  • System protection
  • Maintenance
  • System Management
  • Business continuity
  • Safety matters
  • Legal process
  • Litigation
  • Investigations of misconduct
  • Emergencies and other extraordinary cases

For more information, please refer to the Harvard University Access to Electronic Information Policy in the Related links section.

Email and records retention

All email and attached files should adhere to the HMS Archives and Record Management retention guidance, as well as the Harvard University General Record Schedule.

Failure to comply

Noncompliance with this policy may result in university, school, and departmental sanctions, including, but not limited to, loss of email or other IT services and/or individual disciplinary action, including termination in accordance with university and school disciplinary and employment policies and procedures, or civil or criminal legal actions.

Exceptions

Any exceptions to this policy (HMS Email Policy) will need to be submitted via the HMS Exception request form.

Exceptions will be considered and approved or denied on a case-by-case basis depending on risk and other factors.

Any current exceptions to this policy that result in non-compliance due to policy revisions should have an exception request submitted no later than 6 months from the last publication date.

Definitions

HMS email services: Email services (address routing and mailbox services) provided or managed by HMS IT, encompassing email, calendaring, contacts, contact management, mailing lists, and list management. An HMS email contains identifier@[optional sub domain].HMS[med].Harvard.edu, identifier@[optional sub domain].hsdm.harvard.edu, or identifier@[optional sub domain].HMS[med].edu

HMS email users: Any individual who has been provided an email address by HMS IT. HMS Email Users, including HSDM email users, can include but are not limited to:

  • HMS/HSDM staff;
  • HMS/HSDM faculty / researchers;
  • individuals with an active, close affiliation to HMS, HSDM or the University;
  • select retirees;
  • current and former students;
  • post-doctoral researchers;
  • guests and vendors.

HMS-IT: Harvard Medical School Information Technology

Email provisioning approver: Designated individual(s) at the departmental or school level who can approve email provisioning to an individual or groups of individuals under their purview. An Email Provisioning Approver list is kept by HMS IT and annually reviewed and approved by the Office of the Executive Dean for Administration.

HUIT: Harvard University Information Technology

HMS business: All activities, including administrative, research, academic, charitable, commercial, or industrial, in service to the HMS mission or conducted with HMS-owned assets, with HMS-provided funds, or involving data associated with HMS researchers, faculty, staff, and students, or otherwise determined as such by the Harvard Office of General Counsel and the Office of the Executive Dean for Administration.

Related resources

Version control

  • HMS Primary Responsible Office: CISO
  • Other Responsible Office(s): ACIO and CTO
  • Approval Body: HMS IT Governance (SPC)
  • Applicable To: All HMS and HSDM
  • Subject Area: IT
  • Key Contact(s): Joe Zurba, Caroline Pereira, Simone Biver-LeBlanc
  • Security Permissions-accessible to: All HMS / HSDM
  • Effective Date: 04/01/2024

Review period

This policy will be reviewed as needed, but no less than every two (2) years.

Revision history

  • November 10, 2023 – v0.1: Initial draft.
  • December 6, 2023 – v0.2: Reviewed by Policy Working Group.
  • February 5, 2024 – v1.0: Approved by SPC.
  • February 26, 2024 – v1.0: Reviewed and approved by CISO and CIO.