Secure Email (Office 365)

The Office 365 secure email service provides a solution for UT Health San Antonio personnel who must communicate securely with organizations, companies, or individuals outside of the university. This solution meets state and federal requirements that prohibit transmitting sensitive information (patient data, student records, Social Security numbers, credit card information, etc.) in an unprotected format. When used as described below, the secure email service transmits messages in a manner so that they are unable to be viewed if intercepted while in transit to the recipient.

TO SEND A SECURE MESSAGE, simply add two consecutive plus symbols ("++") to the subject line. The email system will determine the handling of the message based on the recipient (see table at the bottom of this this page.)


1. Open the message in your Inbox and click the "Open the message" button:

2. If you are signed into Office 365, the message should open in a browser window without further action or intervention. If you are not an Office 365 user, then a page like the following will open:

Users on Gmail or otherwise logged into Google will see the "Sign in with Google" option like what's shown above and can opt to log in using their Google credentials. Users of some other email providers, including Yahoo!, may also see an option to log in with those credentials. After logging in, the message should open in a browser window.

Otherwise, click on the "Sign in with a One-time passcode" button. Office 365 will then email you a one-time passcode. Check your inbox for this message, which will look like this:

3. Enter the passcode into the webpage (you may want to copy and paste it) and click continue:


4. The message should then open in a browser window:

If you wish to reply, click the "Reply all" button at the top right or left (depending on how the message was opened), or click the down arrow next to the "Reply all" to select the "Reply" or "Forward" options.

Secure mail troubleshooting
The recipient "cannot open the attachment".
This almost surely indicates that they are attempting to open the "message_v4.rpmsg" file attached to the email in their inbox. This attachment is the encrypted message itself and cannot be directly opened. Instead, the recipient must follow the instructions above to open the message.

The recipient clicked to use a one-time code but has not received the one-time code message.
First, they should check their junk/spam folder. If they can't find it there, they should contact their IT help desk to determine if it was blocked or quarantined. If they still cannot find it, or they are otherwise unable to receive it, contact the IMS email team for further assistance.

The recipient clicked to open the message and is and being prompted to log in.
There are a number of reasons this could happen and, as a result, the solution will vary depending on the specific circumstances and the recipient's email system. Therefore, the best course of action in this case is for the recipient to contact their IT help desk.

The recipient is trying to open a secure message that's in a shared mailbox.
The recipient must be a full access owner of the shared mailbox in order to have the permissions required to open the message. If they are not a full access owner, then they will not be able to open the message. If they are a full access owner and cannot open the message, they can try to open the shared mailbox in and open the message there.

Additional information
The following caveats apply to secure messages:

  • Only outbound messages are affected: It is not necessary to take extra steps to protect messages internally and therefore they are not processed by the secure mail service.
  • Attachments: The entire message, including attachments, is sent securely.
  • Automatic processing: All messages leaving our mail system that are not already flagged for secure transmission are scanned for sensitive content including PHI, social security numbers, and credit card information. If the scan determines that such information is contained in the message or any attachments, the message will be automatically be flagged for secure transmission and the sender will be notified. Note that this is considered a compliance violation since the message was not proactively flagged to be processed securely, so the compliance office will also be notified.

Secure email is handled differently depending on the recipient:

Recipient location Method
To internal UTHSCSA recipient (1)
To trusted partner (e.g. UHS, VA) (1)
To LiveMail (1)
To other external recipient (2)
To internal UTHSCSA recipient (3)
To trusted partner (e.g. UHS, VA) (2)
To LiveMail (3)
To other external (non-UTHSCSA) recipient (2)

(1) - Message is transmitted normally and can be opened directly from recipient's mailbox.  
(2) - Message will be wrapped in a secure "envelope" and transmitted to the recipient. If the recipient's mailbox is on any Office 365 tenant, then it will be handled as a (3) below. Otherwise, the recipient will have to open the "envelope" by clicking on a button to obtain a one-time code (much like 2FA) that is then entered into a web page and submitted, which then opens the message. Recipients at some mail services, such as Gmail and Yahoo!, will have the option to leverage those credentials instead of obtaining the one-time code.
(3) - Message will be wrapped in a secure "envelope" and transmitted to the recipient, but when the recipient clicks the button to open it, the message will open without further action or intervention (provided the user is logged into Office 365.) If the user is using Outlook Web Access, the message may open normally without the need to click on a button. 

* - This is the process if the person who is replying received the message via a secure envelope.  If the person who is replying received the message normally, then the reply will also be sent normally.

Print Article


Article ID: 92006
Tue 5/18/21 12:29 PM
Tue 4/12/22 2:39 PM