Does an email subject line have to be HIPAA compliant?
by Chloe Bowen, Chief of Staff
HIPAA's obligation to safeguard electronic PHI (ePHI) applies wherever that ePHI appears, including in an email subject line. Because even a patient's name or email address can be PHI when it is tied to a message coming from your practice, subject lines must be HIPAA compliant as well.
The problem with portals
With most portal-based encrypted email products, only the message stored in the portal is guaranteed to be secure. The notification email telling the patient that a message is waiting is ordinary email, and its subject line gets no such protection.
Without added safeguards, if the mail server for a patient's email address does not support TLS encryption (STARTTLS), the message is delivered unencrypted in clear text, so anyone who can observe the traffic between the two mail servers can read it, subject line included.
In fact, Google’s own data shows that 12% of emails sent with Gmail are delivered unencrypted.
What if a patient sends you an email containing PHI in the subject line?
If a patient sends you an email containing PHI, you are not responsible for how that message was protected on its way to you.
According to the Department of Health & Human Services (HHS) Office for Civil Rights (OCR), if a patient emails a healthcare provider, you can assume (unless the patient has explicitly stated otherwise) that he or she considers email an acceptable form of communication.
Also, as explained in the HIPAA Omnibus Rule, once a secure email has been delivered to the patient, your HIPAA obligations for that transmission are fulfilled, and you are no longer responsible for safeguarding the copy the patient holds.
In other words, if a patient replies to an email, any PHI the patient chooses to include in that reply was disclosed by the patient, not by you. (The reply now sits in your mailbox as PHI in your possession, so it still has to be protected at rest like any other record.)
However, if you then respond to your patient's email, the ball is back in your court: the PHI in your reply, subject line included, is yours to protect in transit.
The simplest way to avoid keeping track of these distinctions is to send HIPAA compliant email by default, every time. Enter Paubox Email Suite.
How Paubox can help
Although most email encryption providers use portals that may leave the subject line unprotected, Paubox Email Suite encrypts every email by default, the headers (including the subject line) as well as the body.
When the recipient's mail server does not support TLS encryption, Paubox software blocks the email from being delivered in plain text and instead delivers it through a secure web app. This adds only one additional click for the recipient to read the message and ensures that you stay HIPAA compliant.
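The failure mode described under "The problem with portals" and the fallback described just above come down to one pre-delivery decision: does the recipient's mail server offer STARTTLS, and does the TLS upgrade actually succeed? The following Python is an added example written for this page; it is not Paubox's code and does not show how Paubox Email Suite is implemented. The two EHLO replies are constructed, the `probe_mx` function assumes you have already resolved the MX host name (the standard library has no MX lookup), and `"secure-web-app"` is a placeholder for whatever portal fallback you use.

```python
"""Decide whether an outbound email may be handed to the recipient's mail
server over TLS or must be routed to a secure web app instead.

Added example for this page (not Paubox's code). Host names, the
"secure-web-app" route name and the EHLO replies below are assumptions.
"""
import smtplib
import ssl
from typing import Set

# Constructed EHLO replies in SMTP wire format (RFC 5321 section 4.1.1.1):
# first line is the greeting, then "250-EXT" lines, then a final "250 EXT".
EHLO_WITH_STARTTLS = """250-mx.example.net Hello sender.example.org
250-SIZE 52428800
250-8BITMIME
250-STARTTLS
250-ENHANCEDSTATUSCODES
250 SMTPUTF8"""

EHLO_WITHOUT_STARTTLS = """250-legacy-mx.example.com Hello sender.example.org
250-SIZE 10485760
250 8BITMIME"""


def parse_ehlo(reply: str) -> Set[str]:
    """Return the set of extension keywords advertised in a raw EHLO reply.

    The greeting line is skipped; every other line must be '250-KEYWORD ...'
    or '250 KEYWORD ...'. Keywords are upper-cased, since servers vary.
    """
    extensions: Set[str] = set()
    for line in reply.splitlines()[1:]:
        code, sep, rest = line[:3], line[3:4], line[4:]
        if code != "250" or sep not in ("-", " "):
            continue  # not part of a well-formed EHLO response, ignore it
        parts = rest.split()
        if parts:
            extensions.add(parts[0].upper())
    return extensions


def choose_delivery(extensions: Set[str]) -> str:
    """'smtp-tls' when the server offers STARTTLS, otherwise the portal route.

    A server that never advertises STARTTLS can only receive clear text, so
    the message must not be handed to it directly.
    """
    return "smtp-tls" if "STARTTLS" in extensions else "secure-web-app"


def probe_mx(host: str, sender_domain: str, timeout: float = 10.0) -> str:
    """Live check against one MX host (needs network; sends no message).

    Goes one step beyond the EHLO check: if STARTTLS is advertised, the
    upgrade is attempted with full certificate and hostname verification, so
    a server that offers TLS but cannot complete a verified handshake is
    also sent to the secure web app rather than trusted with clear text.
    """
    ctx = ssl.create_default_context()  # verifies chain and hostname
    with smtplib.SMTP(host, 25, timeout=timeout) as smtp:
        smtp.ehlo(sender_domain)
        if not smtp.has_extn("starttls"):
            return "secure-web-app"
        try:
            smtp.starttls(context=ctx)
        except (ssl.SSLError, smtplib.SMTPException):
            return "secure-web-app"
        return "smtp-tls"


if __name__ == "__main__":
    # Offline demonstration on the constructed replies.
    for label, reply in (("modern MX", EHLO_WITH_STARTTLS),
                         ("legacy MX", EHLO_WITHOUT_STARTTLS)):
        route = choose_delivery(parse_ehlo(reply))
        print(f"{label}: route via {route}")
```

Two caveats apply to any check of this shape. STARTTLS probed this way is opportunistic: an attacker sitting between the two mail servers can strip the STARTTLS line from the EHLO reply, and the sender would then see a "legacy" server; routing such messages to the web app rather than sending clear text is the right reaction, but enforcing TLS for a destination domain needs a published policy such as MTA-STS or DANE. And TLS only protects the hop between servers; once the message lands in the recipient's mailbox, its subject line is stored in whatever form that mailbox provider uses.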