Does an Email Subject Line have to be HIPAA Compliant?

An email subject line does have to be HIPAA compliant and should not contain Protected Health Information, because the subject is a header field rather than part of the message body: the common email encryption standards (TLS in transit, S/MIME and OpenPGP for the body) leave the headers readable by every mail server that handles the message. The few standards that can protect the subject are not widely supported, may carry compliance risks, can be complex to administer, and can make searching for an email, or for the content of an email, difficult.

When you send an email from any email account (personal, business, etc.) and for any reason (leisure, work, etc.), the email is usually encrypted in transit on the first leg of its journey, from your device to your email service’s servers, using TLS. Between your email service’s servers and the servers used by the recipient’s email service, encryption is normally opportunistic: the sending server offers STARTTLS and uses it only if the receiving server supports it. Whether the message is then stored in encrypted form on the receiving server until the recipient retrieves it depends on that provider, not on anything the sender did.

Each of these TLS connections protects everything sent over it, headers and subject line included, but only between the two servers at either end of that hop. At every server along the way the message is decrypted, queued, and read by that server’s software (and by anyone with access to that server) before it is re-sent, so TLS is hop-by-hop protection of the connection, not protection of the email itself. When the recipient’s server does not offer TLS, the default behaviour is to deliver the message anyway in plaintext; it is only held or returned to the sender when TLS is enforced for that recipient, for example by an MTA-STS or DANE policy published by the recipient’s domain or by a mandatory-TLS rule on the sender’s own mail gateway.
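The delivery behaviour described above, as an added example that is not part of the original article: a sending server's decision when the receiving MX does not offer TLS, with and without an MTA-STS policy (RFC 8461) published by the recipient's domain. The policy text, the hostnames and the MX capabilities are constructed for the example.

```python
"""Added example: delivery outcome when a receiving mail server does not offer TLS.

Opportunistic TLS (the default) falls back to plaintext; only an enforced policy,
here an MTA-STS policy published by the recipient's domain (RFC 8461), makes the
sender hold the message instead. Policy text, hostnames and MX capabilities below
are constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed policy in the format served at https://mta-sts.<domain>/.well-known/mta-sts.txt
ENFORCING_POLICY = """version: STSv1
mode: enforce
mx: mail.clinic.example
mx: *.backup.clinic.example
max_age: 604800
"""

# Same policy in testing mode: failures are reported, but delivery is not blocked.
TESTING_POLICY = ENFORCING_POLICY.replace("mode: enforce", "mode: testing")


@dataclass
class MxCapabilities:
    """What the sending server learned by connecting to one receiving MX host."""
    hostname: str
    offers_starttls: bool      # STARTTLS advertised in the EHLO response
    certificate_valid: bool    # certificate matches the hostname and chains to a trusted CA


def parse_mta_sts(policy_text: str) -> dict:
    """Parse 'key: value' policy lines; 'mx' may repeat, so it becomes a list."""
    policy = {"mx": []}
    for raw in policy_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value
    if policy.get("version") != "STSv1" or policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("not a valid STSv1 policy")
    return policy


def mx_matches(hostname: str, pattern: str) -> bool:
    """An mx entry is an exact hostname or '*.' plus a domain, where '*' covers one label only."""
    hostname, pattern = hostname.lower(), pattern.lower()
    if pattern.startswith("*."):
        return hostname.endswith(pattern[1:]) and hostname.count(".") == pattern.count(".")
    return hostname == pattern


def delivery_decision(policy_text: Optional[str], mx: MxCapabilities) -> str:
    """Return 'deliver-tls', 'deliver-plaintext' or 'defer-or-bounce'."""
    opportunistic = "deliver-tls" if mx.offers_starttls else "deliver-plaintext"
    if policy_text is None:
        # No policy: use TLS if offered (the certificate is not even checked),
        # otherwise plaintext. The message is never returned for lack of TLS.
        return opportunistic
    policy = parse_mta_sts(policy_text)
    mx_allowed = any(mx_matches(mx.hostname, p) for p in policy["mx"])
    channel_ok = mx.offers_starttls and mx.certificate_valid and mx_allowed
    if policy["mode"] == "enforce" and not channel_ok:
        # Enforced: no plaintext fallback. The sender queues the message and,
        # if no compliant MX becomes available, bounces it back to the sender.
        return "defer-or-bounce"
    # 'testing' and 'none' behave like opportunistic TLS (testing additionally reports failures).
    return opportunistic
```

The point for a HIPAA programme is the no-policy branch: without an enforced TLS policy on one side or the other, a message whose recipient does not offer TLS is sent in the clear, not returned, and its subject line goes with it.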

What is Email Metadata?

Simply put, email metadata is the envelope and header information mail servers use to identify the sender and recipient of an email, determine its route, and establish a return path for non-deliveries and replies. It also includes the Received timestamps added by each server that handles the message (which show when an email was sent compared to when it was delivered), the Message-ID, whether the email has an attachment, and whether the body is written in plain text or HTML.

In the context of answering the question does an email subject line have to be HIPAA compliant, the subject line is one of these header fields (RFC 5322 defines it alongside From, To and Date), not part of the body. Because S/MIME and OpenPGP encrypt the body only, the subject stays readable whatever encryption the body uses, so that it can be shown in mailbox listings, indexed for search, and inspected by spam filters. For this reason, an email subject line should never include sensitive information – including Protected Health Information.

Is There a Way to Encrypt Metadata?

Some email encryption standards can encapsulate the whole email (content + headers) inside the encrypted part: S/MIME (RFC 8551) allows the entire message to be wrapped as a message/rfc822 object inside the protected layer, and OpenPGP clients that implement “protected headers” place the real subject inside the encrypted body and leave only a placeholder such as “...” as the outer subject. End-to-end encryption of this kind is regarded by some security experts as the best way to protect emails from interception because – although TLS protects the content on each hop – the headers are still exposed at every server in between, and intercepted metadata can be used to identify communication patterns and relationships.

However, end-to-end encryption is not ideal in all scenarios. There may be compliance risks with regards to the accountability of encryption keys (e.g., PGP), administration challenges with endpoint security (S/MIME), and compatibility issues with some email clients that make it difficult to search for an email or the content of an email. In addition, if the recipient’s email service does not support end-to-end encryption, the sender has to fall back to something the recipient can read, typically TLS-only delivery or a link to a web portal; and a recipient whose client can decrypt the body but does not understand protected headers will see only the placeholder outer subject rather than the real one.

Note: End-to-end encryption does not hide the headers. The envelope (sender and recipient addresses) and the outer headers, including any subject line that was not moved inside the encrypted part, are read in plaintext by every relay and spam filter on the path, because that is what they route and filter on. Gateway-based “secure email” products that decrypt mail at an organization’s boundary and re-encrypt it for onward delivery expose the content at that point as well. Consequently, email metadata is not encrypted at all stages of an email’s journey and may still be exposed at key points.

Best Practices for Subject Line Security

Even when an organization is a healthcare provider, not all personally identifying information it handles is Protected Health Information under HIPAA. Nonetheless, it is advisable to prohibit any personal identifier (name, date of birth, medical record or account number, phone number, and so on) in the subject line of an email and to limit any other information to the minimum needed to describe the subject of the email – avoiding words such as health, treatment, and payment as much as possible.

For example, rather than using the subject line “Reminder for Healthcare Appointment”, just use “Appointment Reminder”; delete “Hospital” from the subject line “Follow-Up to Your Hospital Visit”; and avoid specifics when emailing test results to a patient – e.g., “Results of Your Test” rather than “Results of Your Blood Test”. Finally, be sure to include the best practices for subject line security in HIPAA security awareness training.
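One way to enforce these practices before a message leaves the organization, as an added example that is not part of the original article: a pre-send check that flags identifiers, patient names and health/treatment/payment words in a subject line, and a helper that strips them to the minimal form the examples above recommend. The identifier patterns (in particular the two-letter-plus-six-digit record number format), the word list and the patient roster are all assumptions constructed for the example and would be replaced by the organization's own.

```python
"""Added example: a subject-line check for the PHI the best practices say to keep out.

Patterns, word list and the patient roster are constructed for illustration; the
record-number format (two letters + six digits) is an assumption, not a standard.
"""
import re
from dataclasses import dataclass, field

# Identifier formats that should never appear in a subject line.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "date": re.compile(r"\b(?:\d{1,2}[/-]\d{1,2}[/-]\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "phone": re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),
    "mrn": re.compile(r"\b[A-Z]{2}\d{6}\b"),          # assumed record-number format
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
}

# Words that reveal a health, treatment or payment context on their own (constructed list).
SENSITIVE_WORDS = {
    "hiv", "cancer", "diagnosis", "prescription", "blood", "biopsy", "mri",
    "hospital", "healthcare", "treatment", "therapy", "psychiatric",
    "claim", "payment", "invoice", "insurance", "copay",
}

# Constructed roster standing in for a lookup against the organization's directory.
KNOWN_PATIENT_NAMES = {"jane doe", "john smith"}


@dataclass
class SubjectFinding:
    subject: str
    identifiers: dict = field(default_factory=dict)   # pattern name -> matched text
    sensitive_words: list = field(default_factory=list)
    names: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        """True when nothing in the subject needs to be removed."""
        return not (self.identifiers or self.sensitive_words or self.names)


def check_subject(subject: str) -> SubjectFinding:
    """Report every identifier, sensitive word and known patient name in a subject line."""
    finding = SubjectFinding(subject=subject)
    for name, pattern in IDENTIFIER_PATTERNS.items():
        match = pattern.search(subject)
        if match:
            finding.identifiers[name] = match.group(0)
    words = re.findall(r"[a-z0-9]+", subject.lower())
    finding.sensitive_words = [w for w in words if w in SENSITIVE_WORDS]
    lowered = subject.lower()
    finding.names = [n for n in KNOWN_PATIENT_NAMES if n in lowered]
    return finding


def safe_subject(subject: str) -> str:
    """Reduce a subject to its minimal form by dropping (not masking) identifiers,
    known names and sensitive words, so the result still reads naturally."""
    cleaned = subject
    for pattern in IDENTIFIER_PATTERNS.values():
        cleaned = pattern.sub("", cleaned)
    for name in KNOWN_PATIENT_NAMES:
        cleaned = re.sub(re.escape(name), "", cleaned, flags=re.IGNORECASE)
    kept = [w for w in cleaned.split() if w.strip(".,:;-").lower() not in SENSITIVE_WORDS]
    # Fall back to a neutral subject rather than sending an empty one.
    return " ".join(kept) or "Message from your care team"
```

Running `check_subject` on outbound mail (for example from a submission-time hook or a DLP rule) gives a reviewable list of what was wrong with a subject, while `safe_subject` produces the kind of rewrite shown above: “Results of Your Blood Test” becomes “Results of Your Test” and “Follow-Up to Your Hospital Visit” becomes “Follow-Up to Your Visit”.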

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]