A subject line contains Protected Health Information (PHI) under HIPAA regulations if it includes details that can identify an individual or that pertain to their health status, health care provision, or payment for health care.
Can PHI be included in an email subject line?
Including Protected Health Information (PHI) in an email subject line is generally discouraged due to the potential risks to patient privacy and security. HIPAA requires covered entities (such as healthcare providers, health plans, and healthcare clearinghouses) and their business associates to implement safeguards to protect PHI from unauthorized access, use, and disclosure.
See also: What are the 18 PHI identifiers?
When would a subject line include PHI?
PHI in an email subject line would include any individually identifiable health information that is related to a patient's medical condition, treatment, or health status and is associated with a specific individual. Here are examples of what could constitute PHI in an email subject line:
- Patient's name: Including the full name or even partial name of a patient.
- Medical condition: Describing a specific medical condition or diagnosis.
- Treatment information: Referring to a specific treatment, procedure, or medication.
- Dates: Mentioning dates related to a patient's healthcare. For example, an appointment reminder saying, "follow-up appointment on 08/15/2023."
- Medical records or account numbers: Referring to unique identifiers used by healthcare providers. An example is the subject line, "Billing Statement for Account #123456."
- Test results: Sharing specific test results, such as lab reports or imaging findings. Example: "Lab Results: Cholesterol Levels"
- Location: Identifying a healthcare facility or location. Example: "Visit to XYZ Medical Center"
- Personal identifiers: Any other information that could potentially lead to the identification of the patient. Example: "Medication Adjustment for Patient A"
How to avoid putting PHI in an email subject line?
- Use a generic subject line: Avoid including specific patient names, medical conditions, or other identifiable information in the subject line.
- Encrypt the email: Use a HIPAA compliant email service to protect the content of the email and any attachments. Encryption helps ensure that only authorized recipients can access the information and makes it possible to include PHI in subject lines.
- Obtain patient consent: Obtain explicit consent from patients before sending PHI via email. Clearly explain the risks and limitations of email communication.
- Limit PHI disclosure: Provide only the minimum necessary PHI in your email communication. Avoid including unnecessary details.
- Train staff: Ensure that all staff members who handle PHI are trained in HIPAA compliance and understand the proper procedures for secure communication.
- Maintain audit trails: Keep records of email communications involving PHI, including when emails were sent and received, to track and monitor compliance.
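The two lists above (what counts as PHI in a subject line, and how to keep it out) can be turned into a pre-send check. The script below is an added example written for this article; it is not Paubox's code or product and is not a complete PHI detector. Its regular expressions are constructed from the categories listed above (dates, account numbers, conditions and treatments, test results, facility names, "Patient X" references), the patient directory it matches names against is a hypothetical in-memory list, and the generic replacement subject and the audit record format are assumptions chosen for the example. A real deployment would replace the directory lookup with the practice's own patient index and send flagged mail over a HIPAA compliant encrypted channel.

```python
from __future__ import annotations

import re
from datetime import datetime, timezone

# Constructed heuristics, one per PHI category named in the article. They are
# deliberately broad: for an outbound check, a false positive costs one generic
# subject line, while a miss discloses PHI to every mail server on the path.
PATTERNS = {
    # "follow-up appointment on 08/15/2023"
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    # "Billing Statement for Account #123456", "MRN 0012345"
    "identifier": re.compile(
        r"\b(account|acct|mrn|record|member|claim|policy)\b\W{0,3}#?\s*\d{4,}", re.I
    ),
    # conditions, procedures, medications, visits
    "condition_or_treatment": re.compile(
        r"\b(diagnos\w*|cholesterol|diabet\w*|medication|prescription|procedure|"
        r"surgery|treatment|therapy|follow[- ]up|appointment)\b",
        re.I,
    ),
    # "Lab Results: Cholesterol Levels"
    "test_result": re.compile(
        r"\b(lab|test|imaging|x-?ray|mri|ct|biopsy)\s+(results?|report|findings)\b", re.I
    ),
    # "Visit to XYZ Medical Center"
    "location": re.compile(r"\b(medical center|hospital|clinic|urgent care)\b", re.I),
    # "Medication Adjustment for Patient A" (case-sensitive so "patient privacy" passes)
    "patient_reference": re.compile(r"\b[Pp]atient\s+[A-Z][\w.-]*"),
}

# Hypothetical patient directory (constructed). The article notes that even a
# partial name is PHI, so last names are matched on their own as well.
PATIENT_DIRECTORY = ["Jane Doe", "Mateo Alvarez"]

# Assumed generic subject used when PHI must be stripped before sending.
GENERIC_SUBJECT = "Secure message from your care team"


def _mentions_known_patient(subject: str, names: list[str]) -> bool:
    """True if the subject contains a full name or any name part (3+ letters)."""
    lowered = subject.lower()
    for full in names:
        parts = [p for p in full.lower().split() if len(p) > 2]
        if full.lower() in lowered:
            return True
        if any(re.search(rf"\b{re.escape(p)}\b", lowered) for p in parts):
            return True
    return False


def scan_subject(subject: str, patient_names: list[str] = PATIENT_DIRECTORY) -> list[str]:
    """Return the PHI categories (from PATTERNS, plus 'patient_name') a subject trips."""
    hits = [name for name, rx in PATTERNS.items() if rx.search(subject)]
    if _mentions_known_patient(subject, patient_names):
        hits.append("patient_name")
    return hits


def prepare_outbound(subject: str, channel_encrypted: bool) -> dict:
    """Apply the article's guidance to one outbound message.

    - No PHI in the subject: send unchanged.
    - PHI present and the message goes over a HIPAA compliant encrypted
      channel: send, but record the finding for the audit trail.
    - PHI present on an unencrypted channel: replace the subject with the
      generic one. The audit record stores only the categories found, never
      the original subject, so the log itself does not become a PHI store.
    """
    findings = scan_subject(subject)
    if not findings:
        action, out_subject = "send", subject
    elif channel_encrypted:
        action, out_subject = "send-encrypted", subject
    else:
        action, out_subject = "rewrite", GENERIC_SUBJECT
    return {
        "action": action,
        "subject": out_subject,
        "findings": findings,
        "encrypted": channel_encrypted,
        "checked_at": datetime.now(timezone.utc).isoformat(),
    }


if __name__ == "__main__":
    # The article's own example subject lines, plus one clean control.
    samples = [
        "follow-up appointment on 08/15/2023",
        "Billing Statement for Account #123456",
        "Lab Results: Cholesterol Levels",
        "Visit to XYZ Medical Center",
        "Medication Adjustment for Patient A",
        "Re: Jane Doe",
        GENERIC_SUBJECT,
    ]
    for s in samples:
        rec = prepare_outbound(s, channel_encrypted=False)
        print(f"{rec['action']:<15} {s!r:<45} -> {rec['findings']}")
```

Running the script prints one line per sample showing the action taken and the categories matched; every example subject from the article is rewritten to the generic subject on an unencrypted channel, and the control line passes unchanged. The `findings` list is what belongs in the audit trail the last bullet asks for: it records that a PHI-bearing message was caught and when, without copying the PHI into the log.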
See also: HIPAA compliant methods for sharing PHI with business associates