Better email security starts with easier access

Better email security starts with easier access because people use secure tools when those tools fit naturally into their day, especially in healthcare where messages often involve refills, appointments, test results, and personal questions. A Veterans Affairs secure messaging study published in JMIR shows why ease matters: veterans described secure messaging as a practical way to avoid phone delays, manage care on their own time, and keep communication moving without extra effort.

One participant explained, “It’s 24/7 you know, and the next thing I know I got it [prescription] within a week…It doesn’t tie up personnel at the VA. It just makes life easier.” The lesson for HIPAA compliant email is obvious. The security should be protecting the message not forcing the recipient to jump through hoops. In an environment where access is easy, people tend to stay within the sanctioned channel.

Why the recipient experience belongs in the security conversation

An early study of 311 patients who already emailed their physicians in the American Journal of Managed Care found that 95% said email was more efficient than the telephone, describing the advantage as avoiding “telephone tag” and also valuing the ability to save messages and revisit instructions later. In the VA JMIR mixed-methods study, 82% of veterans reported satisfaction with secure messaging at baseline and 97% at follow-up, using it for medication refills and health questions.

A second, larger survey (n=819) in the JMIR VA journal found that 75.6% of respondents found secure messaging a useful way to communicate with clinicians, 69.8% said they were satisfied with it, and 66.7% found it helpful for medication refills. It is an indictment of the conditions for patients to actually get, trust and use a protected channel.

A more recent incident came in May 2025, when Kaiser Permanente disclosed network disruptions that affected messaging, e-visits and access to medical records, showing how quickly communication friction becomes a patient-service problem.

Why security fails when the recipient's journey is too hard

A secure email tool may have encryption, access controls, audit logs and authentication, but it will still fail in practice if recipients cannot easily get the job done. A study of secure messaging for clinical document sharing in Applied Clinical Informatics found that only 11 of 19 providers were able to attach and send a clinical document independently. Researchers identified 36 different use errors, but patient and provider satisfaction remained high (median scores of 6.0 and 5.8 on a 0 to 7 scale, respectively).

For healthcare organizations, recipients who cannot open a message, retrieve an attachment, reset a password, understand a portal prompt, or respond without help may look for another route. They may have to ask staff to resend information via normal email, print and scan documents, call the office, or postpone the exchange altogether. Every workaround compromises the purpose of secure communication. The problem is rarely resistance to privacy per se. Usually, the approved path is too slow or too confusing, or it is too far from the normal ways of communication.

A JMIR systematic review of patient portals for chronic disease management found patient-provider communication was the most common positive feature (present in 10 of 27 articles). However, the most common negative perceptions were security concerns and ease of use, appearing in 11 of 27 articles. People do not want to avoid digital communication with healthcare teams, but they do want to feel the tools are safe and they can use them without friction.

Why recipient experience is a security control

A qualitative study in JMIR Medical Informatics found secure messaging works better when patients and providers understand the rules of use. The study included 42 interviews with experienced patient portal users, 29 patients and 13 primary care physicians, and found patients were unsure when secure messaging was appropriate, were concerned they were taking up physicians’ time and needed more guidance on how to use the tool.

According to the study, the issue is that “patients worry about whether their use is appropriate.” Secure messaging means more than just encryption, authentication, and logging. People need to know when to use the secure channel, what type of information to put in the message, what the response time will be, what to do when a question is urgent. Users hesitate, stall or find easier workarounds when the rules are vague.

What healthcare organizations should look for in an email security option

Paubox found 170 healthcare email-related breaches in 2025, exposing PHI for 2.5 million individuals. The report also found 60% of healthcare IT leaders rated their email security as inadequate, 72% said their infrastructure needed a major overhaul, and only 23% felt confident their email security was fully effective. Those numbers show why buyer teams should look beyond encryption alone. HIPAA compliant email has to be secure, practical, and easy enough for real people to use in normal healthcare workflows.

Paubox’s report also found that 57% of healthcare organizations do email security training once a year, while employees report only 5% of known phishing attacks and 4% of known HIPAA email violations. The gaps are compounded by a complicated recipient journey, because confusion creates delay, support tickets and workarounds. The safest path should look like the easiest path.

FAQs

Is a secure portal always the safest option?

A portal can be secure, yet it can also create friction.

How can patient portals create health disparities?

Patient portals can widen disparities when they favor people with reliable internet, smartphones, digital literacy, English fluency, and time to troubleshoot access problems.

How do portal problems affect healthcare staff?

Portal problems often come back to staff as extra calls, repeated instructions, manual follow-ups, duplicate messages, and administrative work.