Paubox blog: HIPAA compliant email made easy

Do email headers need to be encrypted?

Written by Kirsten Peremore | October 06, 2023

While email headers do not need to be encrypted for routine email communication, encrypting email headers is a best practice for healthcare professionals. It is necessary to implement proper encryption measures to protect the email content when sensitive information is involved.
HIPAA and email

HIPAA sets the regulations and standards that protect the privacy and security of individuals' health information, including when it is communicated via email. HIPAA requires covered entities, such as healthcare providers, health plans, and healthcare clearinghouses, to implement safeguards that ensure the confidentiality and integrity of electronic protected health information (ePHI).

While HIPAA doesn't explicitly prohibit the use of email for transmitting ePHI, it does require that appropriate safeguards be in place so that the email is HIPAA compliant. This includes encryption and other security measures to protect the content of the email and any ePHI it may contain.

Additionally, covered entities must have policies and procedures in place to monitor and manage email communications containing ePHI and should obtain patient consent when necessary. 
What is an email header?

An email header, often referred to as the "message header" or simply "header," is an essential component of an email message. It is a block of text at the beginning of an email that contains metadata and information about the email itself. Email headers provide details about how the email was sent, routed, and received.
Does the email header need to be encrypted?

Email headers primarily contain routing and metadata information, which is not inherently sensitive. For the most part, email encryption efforts should focus on securing the email's content, especially when it includes sensitive data like personal health records or financial information.

However, in cases where information considered PHI is included in the header, encryption is necessary for additional protection. Ultimately, encrypting headers by default is the safest approach.

An email message header includes fields that contain information about the sender, recipient, and message routing.

The email header fields include:

  • From: the email address of the sender
  • To: the email address of the primary recipient
  • Subject: the subject or topic of the message

Any of these could be considered PHI. Therefore, you should encrypt email message headers as a best practice.
How to encrypt email headers

Encrypting email headers in transit can be efficiently achieved using Transport Layer Security (TLS). TLS establishes a private channel between communicating applications, providing a secure pathway for transmitting sensitive email content and PHI, including the headers.
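TLS protects a message hop by hop, so a delivered message's own Received headers are where a defender can verify that each server-to-server leg actually used it. The following Python is added here as an illustration and is not code from the original post or from Paubox; it parses the Received headers (the RFC 3848 "with ESMTPS"/"ESMTPSA" tokens, plus the version=TLS annotation some servers add) and flags any hop that ran in the clear. The sample message and its host names are constructed.

```python
import re
from email import message_from_string

# "with" protocol tokens from RFC 3848 that denote a TLS-protected SMTP hop.
TLS_WITH_TOKENS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)")
FROM_RE = re.compile(r"\bfrom\s+(\S+)")

def received_hops(raw_message):
    """Return [(from_host, with_token, tls_protected), ...] in transit order.

    Each server prepends its own Received header, so the message lists the
    newest hop first; the list is reversed to read oldest hop first.
    """
    msg = message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())          # unfold continuation lines
        m_from = FROM_RE.search(flat)
        m_with = WITH_RE.search(flat)
        token = m_with.group(1).upper() if m_with else "UNKNOWN"
        tls = token in TLS_WITH_TOKENS or "version=TLS" in flat
        hops.append((m_from.group(1) if m_from else "?", token, tls))
    return hops

def cleartext_hops(raw_message):
    """Hops on which the headers (and body) crossed the wire unencrypted."""
    return [hop for hop in received_hops(raw_message) if not hop[2]]

# Constructed sample: the first hop used plain SMTP, the second used STARTTLS.
SAMPLE = """\
Received: from mail.relay.example (mail.relay.example [192.0.2.10])
 by mx.clinic.example with ESMTPS id abc123
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);
 Fri, 6 Oct 2023 10:02:00 +0000
Received: from workstation.lan (workstation.lan [10.0.0.5])
 by mail.relay.example with ESMTP id xyz789;
 Fri, 6 Oct 2023 10:01:58 +0000
From: doctor@clinic.example
To: patient@example.net
Subject: Appointment follow-up

Body text.
"""

if __name__ == "__main__":
    for host, token, tls in received_hops(SAMPLE):
        print(f"{host:25} {token:10} {'TLS' if tls else 'CLEARTEXT'}")
```

Run against a real message, a non-empty result from cleartext_hops is the hop where a Subject or From field carrying PHI was readable on the wire.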

However, implementing and managing TLS might be beyond the technical expertise of a typical healthcare professional who needs to focus on patient care rather than IT security.

Paubox offers seamless email encryption by default, without the need for portals or passwords, making the process straightforward for both senders and recipients.

Healthcare providers can send secure, encrypted emails directly from their existing email platforms. This ensures that sensitive patient data is protected while in transit, including the email headers. This approach allows healthcare professionals to concentrate on their primary responsibilities without worrying about the technicalities of email encryption.