What constitutes an emailed PII incident?
An emailed PII incident occurs when any entity shares personally identifiable information (PII) from IRIS through a non-secure method, such as an unencrypted email.
What is considered PII?
PII stored in IRIS includes demographic information (e.g., name, DOB, gender), contact details (e.g., phone, email, physical address), and other information included in a referral to assess patient eligibility and support the delivery of services (e.g., health records, living conditions, household information).
Responding to Emailed PII in IRIS Help Desk
FYI: This is not a tier 1 ticket; the tier 1 support individual should escalate it in the Help Desk channel to the tier 2 support individual.
- Reply to the email with the canned response “IRIS Email PII.”
- Edit the ticket to redact the PII shared by pressing the edit button at the top of the original ticket.
- Tag the ticket as “PII.”
Note: If you cannot edit the ticket, it needs to be deleted! If IRIS Support is still helping the user, create a new ticket to work from.
- Navigate to the IRIS Email PII Log located in the IRIS Teams channel and fill it out with the relevant information:
  - The names and contact information (i.e., email) of all individuals who may have seen the PII.
  - The steps taken to prevent the information from being seen.
  - Any relevant notes related to the incident.
- If the email containing PII was sent to multiple people, treat that as one security incident but ensure that all individuals exposed to the PII delete the message and record their name/contact in the notes.
After completing the above steps, please ensure that you inform the IRIS App Management team in the IRIS App Management channel that a PII incident occurred and that you filled out the PII log.
Responding to Emailed PII
- Reply to the email with the following:
“As a data security reminder, please do not email personally identifiable information, such as names and dates of birth. We understand it is often easier to convey your question or issue with some sort of profile identifiers. IRIS is a secure, HIPAA-compliant system, so personal data may be entered there. However, email is not secure enough to transmit such data. In this instance, please make sure to delete the email completely from your end and we will do the same.”
- Delete the email from your end or edit it to remove the PII. Ensure that the user does the same on their end.
- Navigate to the IRIS Email PII Log located in the IRIS App Management Teams channel and fill it out with the relevant information, ignoring any fields that do not apply (such as ticket number):
  - The names and contact information (i.e., email) of all individuals who may have seen the PII.
  - The steps taken to prevent the information from being seen.
  - Any relevant notes related to the incident.
- If the email containing PII was sent to multiple people, treat that as one security incident but ensure that all individuals exposed to the PII delete the message and record their name/contact in the notes.
After completing the above steps, please ensure that you inform the IRIS App Management team in the IRIS App Management channel that a PII incident occurred and that you filled out the PII log.
Escalating Security Incidents
A data security incident happens when unauthorized or unintended parties gain access to sensitive data or confidential information such as PII or PHI. This usually happens due to internal mishaps or system gaps/defects.
The IRIS Data Security Policy Manual outlines the procedures for proper and consistent handling of security incidents. If you ever experience a security incident beyond an emailed PII instance, please follow the guidance outlined there.
Need help? IRIS Support | Last updated: , 2025