If you are a healthcare organization, business associate, or covered entity that uses email, you know that any form of communication containing protected health information (PHI) needs to be encrypted to be HIPAA compliant.
For some secure messaging solutions, that means sending an email portal to an end-recipient to access the encrypted message. Typically, the subject line will indicate that the contents inside include sensitive information as a reasonable safeguard.
But if your email subject line reveals PHI–which can simply be a patient’s name–is that a HIPAA compliance violation?
In summary, yes.
How to Write a HIPAA Compliant Email Subject Line
When you send a secure email using most portal-based encrypted email solution, only the message in the email portal is guaranteed to be secure.
If the recipient uses an email provider that does not support transport layer security (TLS), the email contents such as the email header information (email addresses, subject lines) and email body remain unencrypted – leaving them susceptible to HIPAA violations.
In order to comply with HIPAA regulations set by the Department of Health and Human Services (HHS), you must avoid including any patient information or ePHI in the subject line.
According to the HIPAA Privacy Rule § 164.514(b)(2), there are 18 designated PHI identifiers that you need to avoid. Some basic ones are:
- Names (including any part of the patient’s name or initials)
- County, City, or Zip Code
- Dates (all elements of dates related to an individual) including:
- Birth Date
- Age
- Admission Date
- Discharge Date
- Death Date
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
To see the full list, click here.
What if a patient sends you an email with PHI in the subject line?
If your patient sends you an email containing PHI, you are not inherently responsible for it.
As stated directly by the Office for Civil Rights (OCR), “Patients may initiate communications with a provider using email. If this situation occurs, the healthcare provider can assume (unless the patient has explicitly stated otherwise) that email communications are acceptable to the individual. If the provider feels the patient may not be aware of the possible risks of using unencrypted email or has concerns about potential liability, the provider can alert the patient of those risks, and let the patient decide whether to continue email communications.”
However, you should still take the necessary steps to protect the patient’s PHI when you reply to their email.
As a healthcare organization, you have a duty to your patients and your reputation to protect PHI to the best of your ability.
When it comes to communicating with your patients by email:
- Never include any PHI in the email subject line or file attachment name – just in case, make sure the subject line is encrypted in transit.
- If you mention PHI in the body, make sure the email is encrypted from transmission to delivery.
- Make sure the email is being sent to the correct recipient.
Be sure you are thoroughly reviewing your email encryption vendors to see if subject lines are encrypted and safe. Although most email encryption solutions use portals that may compromise the subject line, some providers like Paubox can encrypt the entire message in transit.