Am I responsible for incoming email compliance?

Healthcare organizations are partially responsible for incoming email compliance, particularly regarding protected health information (PHI) under HIPAA. Upon receipt, as a healthcare provider, you are responsible for securing, safeguarding, and ensuring the integrity of the data, which requires proactive measures aligned with HIPAA regulations to protect patient information.

Understanding incoming email compliance under HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) was designed to “safeguard patient privacy and secure health information,” writes Peter F. Edemekong, et al. in the article Health Insurance Portability and Accountability Act (HIPAA) Compliance. “HIPAA sets strict standards for managing, transmitting, and storing protected health information.” Although the law does not explicitly distinguish “incoming” from “outgoing” email, its Security Rule applies to all electronic PHI (ePHI) that a covered entity or business associate creates, receives, maintains, or transmits. HIPAA’s Privacy Rule also states that “Patients may initiate communications with a provider using e-mail.” So HIPAA permits email use, and when a patient initiates the communication you have no control over which email platform the patient uses or whether it is HIPAA compliant. Once the email is received, however, the responsibility shifts. From that moment forward, you are accountable for:

Clarifying responsibility for incoming emails

Responsibility for incoming email compliance is not all-or-nothing; it depends on what HIPAA actually requires of the receiving organization. Healthcare organizations do not control how an incoming email is protected during transit, but once they receive a communication containing PHI they are responsible for it. That responsibility means ensuring that adequate safeguards are in place to protect the confidentiality and security of the patient data.

What you are not responsible for

Healthcare organizations generally do not control:

  • Whether the sender used encryption
  • The security of the sender’s email provider
  • The security of the sender’s device
  • The sender’s internal HIPAA policies (if they are not a business associate)

For example, if a patient emails their medical history from a personal Gmail account without encryption, the healthcare provider is not in violation of HIPAA simply for receiving that email.

What providers are responsible for

Once the message reaches your inbox, you are responsible for:

  • Securing the message within your email system
  • Ensuring only authorized staff can access it
  • Preventing further unauthorized disclosure
  • Storing or disposing of the message appropriately
  • Responding to it in a HIPAA compliant manner

HIPAA is clear that covered entities must implement reasonable and appropriate safeguards to protect ePHI they receive, regardless of how it was transmitted.

Why incoming emails are a major risk area 

According to Paubox, email remains the single largest vector for cyberattacks in the healthcare sector and is consistently cited as the weakest security link. Paubox also reported that 180 healthcare organizations fell victim to email-related breaches in 2024, and 107 email-related breaches were reported in the first half of 2025. 

Phishing, malware, ransomware, and business email compromise (BEC) attacks often arrive through inbound messages. Simultaneously, legitimate emails may contain PHI, sometimes unexpectedly.

Common examples include:

  • Patients sending medical questions or updates 
  • Referral partners emailing test results
  • Vendors attaching documents with PHI
  • Insurers requesting or responding with claims data

Without proper controls, these emails can be:

  • Accessed by unauthorized staff
  • Forwarded improperly
  • Stored insecurely
  • Exploited during a cyberattack

This makes ensuring HIPAA compliance a necessity to safeguard PHI once in your possession.

Proactive measures for incoming email compliance

Identifying emails that contain PHI

Identifying PHI in emails requires attention to detail, as PHI can come in many forms. An email is considered to contain PHI when health-related information is linked to an identifiable individual. The 18 PHI identifiers are:

  1. Names (full names or last names and initials)
  2. Geographic data (address, city, county, ZIP code, etc.)
  3. Dates (birth date, admission date, discharge date, etc.)
  4. Phone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health insurance beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers (e.g., license plates)
  13. Device identifiers and serial numbers
  14. Web URLs
  15. IP addresses
  16. Biometric identifiers (fingerprints, voiceprints)
  17. Full-face photographs and any comparable images
  18. Any other unique identifying number, characteristic, or code
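As an added example, not code from Paubox or from the article, here is a small Python scanner that applies the definition above: it parses an inbound message, looks for the identifiers that have a recognisable shape (Social Security number, phone number, email address, date, medical record number, IP address), and flags the message as containing PHI only when an identifier co-occurs with health-related content. The regex patterns, the health-term list and the two sample messages are constructed for illustration; the names, addresses and numbers in them are made up, and the remaining identifiers (names, photographs, biometrics and so on) are left to other tooling.

```python
import re
from email import message_from_string
from email.message import Message

# Patterns for the identifiers that have a recognisable shape (a subset of the 18).
# Constructed for illustration; a production detector would use a broader, tuned set.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-.])\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "date": re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
    "mrn": re.compile(r"\b(?:MRN|medical record (?:number|no\.?))\b\D{0,6}?(\d{6,})\b", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

# Words that indicate health information is present. An identifier on its own (for
# example a vendor's email address) is not PHI; it becomes PHI when linked to health data.
HEALTH_TERMS = re.compile(
    r"\b(?:diagnos\w*|prescri\w*|lab results?|test results?|treatment|medication|"
    r"appointment|symptom\w*|patient|doctor)\b", re.I)


def message_text(msg: Message) -> str:
    """Collect the From and Subject headers and every text/plain part into one string."""
    chunks = [msg.get("From", ""), msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def scan_for_phi(raw_message: str) -> dict:
    """Return identifiers found, whether health context exists, and a handling decision."""
    text = message_text(message_from_string(raw_message))
    findings = {}
    for name, pattern in PHI_PATTERNS.items():
        hits = sorted(set(pattern.findall(text)))
        if hits:
            findings[name] = hits
    health_context = HEALTH_TERMS.search(text) is not None
    contains_phi = health_context and bool(findings)
    return {
        "findings": findings,
        "health_context": health_context,
        "contains_phi": contains_phi,
        "action": "route-to-secure-handling" if contains_phi else "standard-handling",
    }


# Constructed sample: a patient writing in from a personal account (all values made up).
SAMPLE_INBOUND = """\
From: Jane Doe <jane.doe@example.com>
To: frontdesk@clinic.example
Subject: Question about my lab results
Content-Type: text/plain; charset="utf-8"

Hi, I saw my lab results in the portal. My MRN is 4471902 and my DOB is
03/14/1985. Can the doctor call me at (555) 867-5309 about the medication
change? Thanks, Jane
"""

# Constructed sample: identifiers present (an address, a date) but no health content.
SAMPLE_NEWSLETTER = """\
From: Vendor News <news@vendor.example>
To: frontdesk@clinic.example
Subject: What's new this month
Content-Type: text/plain; charset="utf-8"

Join our webinar on 05/20/2025 to see the new release.
"""

if __name__ == "__main__":
    for raw in (SAMPLE_INBOUND, SAMPLE_NEWSLETTER):
        print(scan_for_phi(raw))
```

The newsletter case is the important one: it carries two identifiers yet is not PHI, which is why the decision keys on the combination of identifier and health context rather than on identifiers alone. A real deployment would run this at the gateway and route flagged messages to the secure storage and access controls described later on this page.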

Go deeper: Identifying PHI in emails

Using HIPAA compliant email gateways

HIPAA compliant email gateways provide an essential layer of protection for inbound messages. These solutions typically offer:

  • Automatic encryption for emails at rest
  • Secure message storage
  • Threat detection for phishing and malware
  • Policy-based access controls
  • Logging and reporting for compliance audits

Even if the incoming message was not encrypted during transit, encrypting it upon receipt protects the stored copy against unauthorized access and demonstrates compliance.

See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)

Responsibilities upon receipt of PHI containing emails

Healthcare entities must take comprehensive steps to ensure compliance and data protection upon receiving emails containing PHI.

  • Extend encryption beyond transmission to the email servers and storage systems that hold the message, and restrict access to authorized personnel only.
  • Establish access controls to prevent unauthorized access, including multi-factor authentication (MFA) and role-based permissions.
  • Maintain detailed audit logs that track access attempts and modifications, so that breaches can be detected and responded to promptly.
  • Train staff continuously on HIPAA regulations and secure email practices to keep the organization aligned with compliance standards.
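The access-control and audit-logging steps above, worked as an added Python example that is not from Paubox or the article: an in-memory store for received messages that lets a message flagged as containing PHI be opened only by an authorized role after a verified MFA step, records every allowed and denied attempt, and reports users whose denied attempts reach a threshold so the log can feed detection. The role names, the threshold and the sample message are constructed assumptions; encryption at rest belongs to the storage layer and is not simulated here.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Roles permitted to open a message flagged as containing PHI (constructed policy).
PHI_READ_ROLES = {"clinician", "records-clerk"}


@dataclass
class AuditEntry:
    when: str          # ISO-8601 UTC timestamp
    user: str
    role: str
    message_id: str
    outcome: str       # "allowed" or "denied:<reason>"


@dataclass
class SecureMailStore:
    """Received messages plus an append-only audit trail of every access attempt."""
    messages: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def store(self, message_id: str, body: str, contains_phi: bool) -> None:
        # The backing storage would be encrypted at rest; that layer is out of scope here.
        self.messages[message_id] = {"body": body, "contains_phi": contains_phi}

    def _record(self, user: str, role: str, message_id: str, outcome: str) -> None:
        self.audit_log.append(AuditEntry(
            datetime.now(timezone.utc).isoformat(), user, role, message_id, outcome))

    def read(self, message_id: str, user: str, role: str, mfa_verified: bool) -> Optional[str]:
        """Return the body if policy allows, otherwise None. Every attempt is logged."""
        msg = self.messages.get(message_id)
        if msg is None:
            self._record(user, role, message_id, "denied:unknown-message")
            return None
        if msg["contains_phi"]:
            if not mfa_verified:
                self._record(user, role, message_id, "denied:mfa-required")
                return None
            if role not in PHI_READ_ROLES:
                self._record(user, role, message_id, "denied:role-not-authorized")
                return None
        self._record(user, role, message_id, "allowed")
        return msg["body"]

    def denied_attempts(self, user: str) -> list:
        """All denied attempts by one user, in order."""
        return [e for e in self.audit_log
                if e.user == user and e.outcome.startswith("denied:")]

    def users_with_repeated_denials(self, threshold: int = 3) -> set:
        """Users whose denied attempts reach the threshold; a candidate alert for review."""
        counts = {}
        for e in self.audit_log:
            if e.outcome.startswith("denied:"):
                counts[e.user] = counts.get(e.user, 0) + 1
        return {u for u, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    store = SecureMailStore()
    # Constructed sample message; the MRN value is made up.
    store.store("msg-1", "Lab results for MRN 4471902", contains_phi=True)
    print(store.read("msg-1", "dr.lee", "clinician", mfa_verified=True))
    print(store.read("msg-1", "temp.user", "marketing", mfa_verified=True))
    for entry in store.audit_log:
        print(entry)
```

Denials are logged with a reason rather than silently dropped, because a run of "denied:role-not-authorized" events from one account is exactly the signal the audit-log bullet is meant to surface.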

The role of staff training in incoming email compliance

According to the study Human Factors in Electronic Health Records Cybersecurity Breach: An Exploratory Analysis, unintentional human errors, such as misdirected emails, phishing attacks, or carelessness, account for 73.1% of data breaches and compromised 141 million records between 2015 and 2020. This indicates the need for training staff on HIPAA compliance best practices.

Furthermore, staff training is a HIPAA requirement under the Privacy Rule. 45 CFR § 164.530(b)(1) requires that regulated entities:

  • Provide training to all workforce members: Staff should receive training tailored to their specific roles and responsibilities, so that everyone understands how to handle PHI properly.
  • Train new employees: New staff should receive training shortly after joining the organization, so they understand their responsibilities and the organization's HIPAA policies from the beginning.
  • Provide updates and refresher training: When privacy policies or procedures change because of regulatory updates, covered entities are required to provide additional training covering those changes. Periodic refresher courses are also advised to reinforce important concepts and recent updates.

HIPAA’s Security Rule also requires staff training under 45 CFR § 164.308(a)(5). This requirement mandates that regulated entities: 

  • Provide security reminders: Ongoing updates and reminders about security policies and procedures keep security at the forefront of employees' minds.
  • Protect against malicious software: Training should cover strategies for preventing, identifying, and reporting malicious software, including how to recognize phishing attempts and other cyber threats.
  • Monitor log-ins: Employees should be trained to track login attempts and report any irregularities, which helps identify and respond to unauthorized access attempts.
  • Manage passwords: Training should include best practices for creating, changing, and protecting passwords.

Healthcare organizations must also provide ongoing staff training that covers:

  • How to recognize emails containing PHI
  • How to handle suspicious or phishing emails
  • When and how to use secure email tools
  • What not to forward or download
  • How to report potential incidents

Read also: Is staff training a HIPAA requirement?

Additional considerations for compliance

Because third-party service providers are involved in email transmission and storage, healthcare organizations must establish business associate agreements (BAAs) to ensure these entities comply with HIPAA regulations, which extends the responsibility for compliance to those associates.

An essential part of compliance readiness is a comprehensive incident response plan. The plan outlines clear steps for containment, investigation, notification, and remediation in case of a potential breach, so that the organization can respond swiftly and mitigate the risk.

FAQs

Should all emails be treated as PHI by default?

Not all emails contain PHI, but healthcare organizations should assume any incoming email could contain PHI until reviewed. Implementing automated detection and secure handling reduces the risk of accidental exposure.

Is deleting an email enough to remove PHI?

Not always. Deleted emails may still exist in archives, backups, or recovery systems. Secure deletion and proper retention management policies are essential to ensure PHI is fully protected.

Can auto-replies or out-of-office messages accidentally disclose PHI?

Yes. Auto-replies can unintentionally confirm a patient relationship or reference care details. Organizations should ensure automated messages are generic and do not include patient-specific information.