

Are all emails HIPAA compliant?


Not all emails are HIPAA compliant. Whether an email is compliant depends on its content and on the security measures the sender and recipient have in place to protect protected health information (PHI).


The role of email in healthcare communication

In healthcare, emails may contain a wide range of information. They can be used for appointment scheduling, sharing lab results, consulting with specialists, and addressing patient queries and concerns. However, when emails contain PHI, the stakes are significantly raised.


What makes an email HIPAA compliant?

Specific measures must be implemented to ensure HIPAA compliant email communication. These measures include:

  • Encryption: Emails containing PHI must be encrypted during transmission and at rest. In transit, encryption scrambles the content so that it can only be deciphered by authorized users. Encryption at rest means that data is protected on the email server, guarding against unauthorized access in storage.
  • Access controls: These controls are designed to limit access to emails with PHI. Only authorized personnel with a legitimate reason to access the information should be able to do so. Access controls ensure the confidentiality of patient data.
  • User authentication: Authentication mechanisms, which include unique usernames and strong passwords, help ensure that only authorized individuals have access to the email system. This layer of security can prevent unauthorized access to PHI.
  • Audit trails: Maintaining detailed logs of email activities, including who accessed, sent, or received emails with PHI and when these activities occurred, is a HIPAA requirement. These logs provide a historical record of the email system's usage, aiding compliance and identifying potential security incidents.
  • Business associate agreements (BAAs): When using third-party email service providers, BAAs help ensure that these service providers also comply with HIPAA regulations and take responsibility for safeguarding PHI.
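The two measures above that are most often checked mechanically are access controls with an audit trail, and encryption in transit. The following is an added example (not Paubox's code, and not part of the original post) that demonstrates both on constructed sample data: a `Mailbox` that only lets assumed roles (`physician`, `nurse`, `billing`) open messages flagged as containing PHI and records every attempt, allowed or denied, in an append-only audit trail; and `hops_without_tls()`, which parses a delivered message's `Received:` headers and reports any hop whose transport keyword is plain `ESMTP`/`SMTP` rather than `ESMTPS`/`ESMTPSA`/`SMTPS` (the keyword mail servers use to indicate the hop was protected by TLS). The role mapping, users and header lines are assumptions constructed for the example.

```python
"""Added example (not Paubox's code): two checks that map onto the measures
above. Mailbox enforces an access control on messages that carry PHI and
records every attempt in an audit trail; hops_without_tls() inspects a
delivered message's Received: headers for hops that were not protected by
TLS. Roles, users and headers below are constructed sample data."""
import email
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical role-to-permission mapping: only these roles may open PHI mail.
PHI_ROLES = {"physician", "nurse", "billing"}


@dataclass
class AuditEvent:
    when: str          # UTC timestamp of the attempt
    user: str
    action: str
    message_id: str
    allowed: bool


@dataclass
class Mailbox:
    """Messages plus an append-only audit trail of every access attempt."""
    messages: dict = field(default_factory=dict)  # message_id -> (contains_phi, body)
    audit: list = field(default_factory=list)

    def store(self, message_id, body, contains_phi):
        self.messages[message_id] = (contains_phi, body)

    def read(self, user, role, message_id):
        contains_phi, body = self.messages[message_id]
        allowed = (not contains_phi) or role in PHI_ROLES
        # Log the attempt before enforcing, so denied reads appear in the trail too.
        self.audit.append(AuditEvent(
            when=datetime.now(timezone.utc).isoformat(),
            user=user, action="read", message_id=message_id, allowed=allowed))
        if not allowed:
            raise PermissionError(f"{user} ({role}) may not read PHI message {message_id}")
        return body

    def denied_attempts(self):
        return [e for e in self.audit if not e.allowed]


# In a Received: header, "with ESMTPS" / "ESMTPSA" / "SMTPS" means that hop
# used TLS; plain "ESMTP" / "SMTP" means the message crossed that hop in clear.
TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "SMTPS"}
WITH_PROTOCOL = re.compile(r"\bwith\s+([A-Za-z0-9]+)", re.IGNORECASE)


def hops_without_tls(raw_headers):
    """Return the Received: header values whose transport keyword is not TLS."""
    msg = email.message_from_string(raw_headers)   # stdlib parser unfolds headers
    cleartext = []
    for value in msg.get_all("Received", []):
        m = WITH_PROTOCOL.search(value)
        keyword = m.group(1).upper() if m else ""
        if keyword not in TLS_KEYWORDS:
            cleartext.append(" ".join(value.split()))   # collapse folding whitespace
    return cleartext


# Constructed sample headers: the first hop used TLS, the second did not.
SAMPLE_HEADERS = """\
Received: from mail.clinic.example (mail.clinic.example [192.0.2.10])
        by mx.lab.example with ESMTPS id abc123
        for <dr@lab.example>; Mon, 01 Jan 2024 10:00:00 +0000
Received: from workstation.clinic.example ([10.0.0.5])
        by mail.clinic.example with ESMTP id def456;
        Mon, 01 Jan 2024 09:59:58 +0000
Subject: lab results

"""


def demo():
    """Run both checks on the constructed data and return what an auditor would look at."""
    mb = Mailbox()
    mb.store("m1", "Lab result for patient 12345: ...", contains_phi=True)
    mb.read("nurse_a", "nurse", "m1")              # allowed, logged
    try:
        mb.read("intern_b", "marketing", "m1")     # denied, still logged
    except PermissionError:
        pass
    return {
        "audit_entries": len(mb.audit),
        "denied_users": [e.user for e in mb.denied_attempts()],
        "cleartext_hops": hops_without_tls(SAMPLE_HEADERS),
    }


if __name__ == "__main__":
    print(demo())
```

Running the module prints two audit entries (one denied, for `intern_b`) and one cleartext hop, the internal `ESMTP` leg. The `Received:` check is a heuristic: it tells you what each relay claims about the hop it received on, which is useful when reviewing how a message actually travelled, but it is not a substitute for configuring the servers themselves to require TLS.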


When are emails not HIPAA compliant?

Noncompliance with HIPAA regulations can result from various scenarios and practices, including:

  • Lack of encryption
  • Inadequate access controls
  • The absence of audit trails
  • Use of unsecured email platforms
  • Failure to sign BAAs
  • Untrained staff
  • Sending emails without patient consent
  • Improper data retention and disposal
  • Failure to conduct risk assessments
  • Absence of an incident response plan

Sending emails containing PHI requires the patient's consent, and patients must be informed about the risks. Patients have the right to know how their PHI will be transmitted and must agree to electronic communication methods.


The responsibility to ensure HIPAA compliant email

Ultimately, ensuring HIPAA compliance for email communication falls on the shoulders of covered entities and their business associates. Neglecting these responsibilities can have severe legal and reputational consequences. Thus, organizations must make a dedicated effort to achieve and maintain HIPAA compliance when communicating via email.



Do you need inbound security to be HIPAA compliant?

HIPAA compliance doesn't require specific inbound email security measures; HIPAA's emphasis is on safeguarding PHI during outbound email transmission, primarily through encryption. While inbound security isn't mandatory for compliance, it is a wise addition to protect against cyber threats.
