Does an email subject line have to be HIPAA compliant?


Healthcare organizations must be careful to only send HIPAA compliant email to their patients in order to safeguard protected health information (PHI) in accordance with the HIPAA Security Rule.

This includes any electronic PHI (ePHI) in an email subject line. Since even a patient's name or email address, when coupled with the fact that the email comes from your practice, can be considered PHI, it follows that email subject lines must be HIPAA compliant as well.

The problem with portals

When you send an email to a patient using most portal-based encrypted email products, only the message in the email portal is guaranteed to be secure, not the email alerting the patient that he or she has a message waiting to be read.

Without added safeguards, if you send a message to a patient's email address whose mail server does not support TLS encryption, the message is delivered unencrypted in clear text, giving hackers the opportunity to intercept the email.

In fact, Google’s own data shows that 12% of emails sent with Gmail are delivered unencrypted.

What if a patient sends you an email containing PHI in the subject line?

If your patient sends you an email containing PHI, you are not inherently responsible for it.

According to the Department of Health & Human Services (HHS) Office for Civil Rights (OCR), if a patient emails a healthcare provider, you can assume (unless the patient has explicitly stated otherwise) that he or she considers email an acceptable form of communication.

Also, as explained in the HIPAA Omnibus Rule, once a secure email has been delivered, you have fulfilled your HIPAA obligations, and you are no longer responsible for safeguarding the information.

In other words, if a patient responds to an email, any PHI included therein is not your responsibility.

However, if you then respond back to your patient’s email, the ball is back in your court for protecting the PHI.

The easiest way to avoid all these ins and outs is to send HIPAA compliant email by default, 100% of the time. Enter Paubox Email Suite.

How Paubox can help

Although most email encryption providers use portals that may not encrypt the subject line, Paubox Email Suite encrypts all email by default, both the body and the header.

When a recipient’s email address does not support TLS encryption, Paubox software blocks the email from being delivered in plain text and instead moves the email to a secure web app. This only adds one additional click for the recipient to view the email and ensures that you stay HIPAA compliant.
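The delivery policy just described, and the cleartext-fallback risk from the section on portals, can be modelled as a small gateway decision routine. The following is an added illustration written for this article, not Paubox's own software: it assumes a per-domain STARTTLS capability table (constructed here as a static dictionary standing in for a live EHLO probe) and a hypothetical secure web-app URL, and it shows that when the recipient cannot negotiate TLS, neither the original subject line nor the body is placed on the wire; only a neutral notification is sent.

```python
"""
Outbound delivery policy that never falls back to cleartext SMTP.

Added example, not Paubox's code. If the recipient's mail server offers
STARTTLS, the message is passed through for TLS delivery. Otherwise the
original subject and body are withheld and only a neutral notice with a
PHI-free subject line is sent, pointing the recipient at a secure web app.
"""
from dataclasses import dataclass

# Constructed capability table standing in for a live STARTTLS probe of each
# recipient domain's MX host. A real gateway would read this from the SMTP
# EHLO response at delivery time, not from a static dictionary.
STARTTLS_SUPPORT = {
    "example-hospital.org": True,   # offers STARTTLS
    "legacy-isp.example": False,    # cleartext only
}

# Hypothetical web-app base URL used in the notification (assumption).
PORTAL_URL = "https://secure.example/messages/"
NEUTRAL_SUBJECT = "You have a new secure message"


@dataclass
class OutboundMessage:
    to: str
    subject: str   # may contain PHI, e.g. a patient name
    body: str      # may contain PHI


@dataclass
class DeliveryDecision:
    action: str    # "deliver_tls" or "secure_portal"
    subject: str   # subject line that actually leaves the gateway
    body: str      # body that actually leaves the gateway


def recipient_supports_tls(address: str) -> bool:
    """Look up whether the recipient's domain can negotiate STARTTLS.
    Unknown domains are treated as unsupported (fail closed)."""
    domain = address.rsplit("@", 1)[-1].lower()
    return STARTTLS_SUPPORT.get(domain, False)


def decide_delivery(msg: OutboundMessage, portal_id: str) -> DeliveryDecision:
    """Return what the gateway should put on the wire for this message.

    portal_id is a hypothetical opaque identifier for the stored message;
    it must not itself encode anything identifying the patient."""
    if recipient_supports_tls(msg.to):
        # TLS available: subject and body travel encrypted in transit.
        return DeliveryDecision("deliver_tls", msg.subject, msg.body)
    # No TLS: the original subject and body never leave the gateway in
    # cleartext. Only a neutral notification is sent.
    notice = f"A message is waiting for you at {PORTAL_URL}{portal_id}"
    return DeliveryDecision("secure_portal", NEUTRAL_SUBJECT, notice)


def leaks_original_content(msg: OutboundMessage, decision: DeliveryDecision) -> bool:
    """Audit helper: True if a non-TLS delivery would still carry the
    original subject or body (which must never happen)."""
    if decision.action != "secure_portal":
        return False
    return msg.subject in decision.subject or msg.body in decision.body


if __name__ == "__main__":
    # Constructed sample messages; no real patient data.
    for addr in ("pat@example-hospital.org", "pat@legacy-isp.example"):
        m = OutboundMessage(addr, "Lab results for Jane Doe", "Your A1C is 6.1")
        d = decide_delivery(m, "msg-0001")
        print(f"{addr}: {d.action} | subject on wire: {d.subject!r}")
```

Running the block prints `deliver_tls` for the TLS-capable domain and `secure_portal` with the neutral subject for the cleartext-only domain. The fail-closed default in `recipient_supports_tls` is deliberate: an unknown domain is treated as unable to negotiate TLS, so the gateway errs toward withholding PHI rather than sending it in the clear.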

Try Paubox Email Suite for FREE today.

About the author

Chloe Bowen

