
PHI in the subject line of e-mail

A question has been raised at my place of employment about subject lines of e-mails. Are we required to omit employee names as well as patient names from the subject lines of e-mails? There has been much speculation about this issue and I would like to have any confusion cleared up.

Given that names are considered protected health information (PHI), these could fall under the Security Rule requirements. You didn't mention whether or not employee names are considered PHI at your organization. If so, what I mention below will apply to both patient names and employee names. This issue would most likely fall under the "Transmission Security" standard in the final Security Rule which must be "addressed." What this basically means is that you'll have to perform a risk assessment to determine whether or not this PHI is at risk to any known information security threats or vulnerabilities.

If you're sending your e-mails in clear text you can bet it's at risk, both during transmission and once it arrives at its destination. So, given all of this, there is no rule that states you have to omit names from e-mails. However, you do need to make sure that any PHI (names, addresses, phone numbers, etc.) is not at risk when e-mailing it. If your risk assessment shows you need to protect e-mails, you'll need to either eliminate the PHI from the e-mails or somehow encrypt the e-mails so that the information is not interceptable or readable by a third party.
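The practical wrinkle behind the answer above is that the usual e-mail encryption options (S/MIME, OpenPGP) encrypt the message body only; the Subject header travels outside the encrypted envelope and stays in cleartext on every relay, in server logs, and in the recipient's inbox listing. The following is an added example, not code from the original answer or from SearchSecurity: a pre-send check that scans the Subject for PHI against a constructed list of patient names and a medical record number pattern, and, when it finds any, replaces the Subject with a generic one and moves the original subject text into the body, which is the part a downstream encryption step would cover. The patient names, the MRN format, the addresses, and the generic subject text are all assumptions made for the example.

```python
import re
from email import policy
from email.message import EmailMessage

# Constructed sample data for the example. In a real gateway the name list
# would come from the patient index or directory, not from a literal list,
# and the MRN format would match the organization's own numbering scheme.
PHI_NAMES = ["Jane Doe", "Robert Roe"]
MRN_PATTERN = re.compile(r"\bMRN[-\s]?\d{6,}\b", re.IGNORECASE)

# Replacement subject that carries no PHI (assumed wording).
GENERIC_SUBJECT = "Secure message: see encrypted body"


def find_phi(text):
    """Return the PHI tokens found in text: listed names (case-insensitive)
    followed by anything that looks like a medical record number."""
    hits = [n for n in PHI_NAMES if re.search(re.escape(n), text, re.IGNORECASE)]
    hits += MRN_PATTERN.findall(text)
    return hits


def build_message(subject, body):
    """Build a constructed outbound message (sample data, not real mail)."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "clinic@example.org"
    msg["To"] = "billing@example.org"
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def protect_subject(msg):
    """Enforce the 'no PHI in the Subject' rule on a single-part text message.

    Body encryption (S/MIME or OpenPGP, not performed here) leaves RFC 5322
    headers such as Subject in cleartext. If the Subject contains PHI, this
    returns a copy whose Subject is generic and whose body now carries the
    original subject line, so the encryption step covers it. Returns a pair
    (message, phi_hits); phi_hits is empty when nothing had to change.
    """
    subject = str(msg["Subject"] or "")
    hits = find_phi(subject)
    if not hits:
        return msg, []

    out = EmailMessage(policy=policy.default)
    # Copy envelope headers, but not Subject (rewritten below) and not the
    # Content-*/MIME-Version headers, which set_content regenerates.
    for name, value in msg.items():
        lname = name.lower()
        if lname == "subject" or lname == "mime-version" or lname.startswith("content-"):
            continue
        out[name] = str(value)
    out["Subject"] = GENERIC_SUBJECT
    out.set_content(f"Original subject: {subject}\n\n{msg.get_content()}")
    return out, hits


if __name__ == "__main__":
    sample = build_message("Re: Jane Doe MRN-0012345 lab results", "Results attached.")
    fixed, found = protect_subject(sample)
    print("PHI found in Subject:", found)
    print(fixed.as_string())
```

The same check should run over the To/Cc display names and any other header the organization's mail flow adds, since every header is as exposed as the Subject; the body is the only place the message-level encryption protects.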

For more information on this topic, visit these other SearchSecurity.com resources:
  • Ask the Expert: Protecting in-house e-mail containing PHI
  • Ask the Expert: Encrypting e-mail and what is considered confidential under HIPAA
  • Featured Topic: HIPAA update

This was last published in March 2003
