
Default encryption in healthcare. Why 46% still leave it to the sender.

46% of healthcare organizations rely on manual encryption triggers, partial department coverage, or no encryption at all. In those organizations, whether PHI leaves encrypted comes down to a sender remembering to flip a toggle.

The number comes from the Healthcare Email Security Maturity Index 2026, Paubox's benchmark of 170 U.S. healthcare IT leaders. Encryption and recipient experience scored 2.39 out of 4 across the benchmark, the lowest of any dimension.

Where's the gap coming from?

54% of healthcare organizations encrypt every outbound email containing protected health information by default. With default encryption, the sender does not have to take any action to encrypt the email. Encryption applies to every outbound message that contains PHI, automatically, before the message leaves the organization.

The other 46% rely on one of three weaker models:

  • Manual triggers: the sender chooses encryption per message, usually by typing a keyword into the subject line, clicking a button in the email client, or moving the message into a separate workflow
  • Partial department coverage: the IT team has enabled encryption for some departments (often billing or compliance) but not others, so protection depends on who happens to hit send
  • No encryption at all: a small share of respondents, but they exist

None of the three guarantees that PHI is encrypted before it leaves the organization. In the first two, the outcome depends on the individual sender: whether they remember the trigger, or whether they sit in a covered department.

Why manual encryption fails

Asking busy clinicians to make a security decision in real time, for every outbound message, fails at scale.

Healthcare professionals describe the same pattern. From a county government healthcare unit: "Staff move too quickly and forget to encrypt emails to outside providers and vendors." From a healthcare services provider: "Staff awareness and training on risks of email use in relation to PHI is the core challenge."

The post-breach data agrees

The Maturity Index also asked breached organizations what changed first after the breach. 47% of breached respondents named strengthening encryption policies as their top action, ahead of added phishing simulation training, increased budget, and changing email providers.

Regulators have been signaling the same direction. In December 2023, the Office for Civil Rights announced its first-ever HIPAA penalty for a phishing attack, settling with Lafourche Medical Group over a breach that exposed records of 34,862 individuals. "Phishing is the most common way that hackers gain access to health care systems," former OCR Director Melanie Fontes Rainer said at the time.

The proposed update to the HIPAA Security Rule, published in January 2025, would shift PHI encryption from "addressable" to "required."

TLS isn't a substitute

Transport Layer Security (TLS) encrypts email in transit between mail servers, and most modern healthcare email environments enable it. On its own, though, TLS does not guarantee that PHI leaves the organization encrypted. Standard SMTP TLS is opportunistic: it protects a hop only when the receiving server advertises STARTTLS and the negotiation succeeds. When it does not (or when an on-path attacker strips the STARTTLS offer, which enforcement mechanisms such as MTA-STS and DANE exist to prevent), the sending server falls back to whatever its policy says, and that fallback policy is where PHI leaks.

The Maturity Index documented the TLS fallback distribution. 26% of healthcare organizations block outbound email when TLS cannot be established with the recipient. 5% send the message anyway, in the clear. 68% redirect to a portal.

For the 68% that redirect to a portal, the fallback itself is sound; the cost is recipient friction. A secure message center that requires no account creation or password handles the same fallback with less of it.
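The two decisions described above, who triggers encryption (the sender under a manual model, the gateway under default encryption) and what happens when TLS to the recipient cannot be negotiated (block, send in the clear, or redirect to a portal), can be modelled in a few dozen lines. The following is an added illustration written for this article, not Paubox code; the PHI heuristic, the `[secure]` subject tag, the sample messages and the function names are all constructed for the example and are not taken from the Maturity Index or from any product.

```python
"""Toy model of an outbound email gateway (constructed illustration, not Paubox code).
It contrasts the manual-trigger model, where the sender must tag the subject, with
the default model, where the gateway encrypts every message that looks like PHI, and
applies one of the three TLS fallback policies from the survey when secure delivery
to the recipient's server is impossible."""
import re
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    MANUAL = "manual"    # sender must put a tag such as [secure] in the subject
    DEFAULT = "default"  # gateway encrypts whenever it detects PHI, no sender action


class Fallback(Enum):
    BLOCK = "block"          # refuse delivery when TLS cannot be negotiated (the 26%)
    CLEARTEXT = "cleartext"  # deliver anyway, unencrypted (the 5%)
    PORTAL = "portal"        # replace the body with a link to a secure message center (the 68%)


@dataclass(frozen=True)
class Message:
    sender: str
    recipient: str
    subject: str
    body: str


# Hypothetical PHI heuristic: MRN-style identifiers, SSN-shaped numbers, or a few
# clinical keywords. A production DLP engine uses far richer classifiers than this.
PHI_PATTERNS = (
    re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.IGNORECASE),
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    re.compile(r"\b(diagnos(is|ed)|lab results?|prescription)\b", re.IGNORECASE),
)
# Hypothetical manual trigger: a keyword the sender must type into the subject line.
MANUAL_TAG = re.compile(r"\[(secure|encrypt)\]", re.IGNORECASE)


def contains_phi(msg: Message) -> bool:
    text = f"{msg.subject}\n{msg.body}"
    return any(p.search(text) for p in PHI_PATTERNS)


def deliver(msg: Message, mode: Mode, recipient_tls: bool, fallback: Fallback) -> str:
    """Return the delivery outcome: 'encrypted', 'portal', 'blocked', or 'cleartext'."""
    if mode is Mode.MANUAL:
        wants_encryption = MANUAL_TAG.search(msg.subject) is not None
    else:
        wants_encryption = contains_phi(msg)
    if not wants_encryption:
        return "cleartext"          # ordinary mail; nothing asked for protection
    if recipient_tls:
        return "encrypted"          # delivered directly over a negotiated TLS session
    # Secure delivery impossible: the organization's fallback policy decides.
    if fallback is Fallback.BLOCK:
        return "blocked"
    if fallback is Fallback.PORTAL:
        return "portal"
    return "cleartext"              # PHI goes out in the clear


def phi_leaks(messages, mode: Mode, recipient_tls: bool, fallback: Fallback) -> list:
    """Subjects of messages that contained PHI yet left the gateway unencrypted."""
    return [m.subject for m in messages
            if contains_phi(m) and deliver(m, mode, recipient_tls, fallback) == "cleartext"]


# Constructed sample traffic: one sender remembered the tag, one forgot, one sent no PHI.
SAMPLE = [
    Message("nurse@clinic.example", "dr@partner.example",
            "[secure] Referral for MRN 00482913", "Lab results attached for review."),
    Message("billing@clinic.example", "vendor@claims.example",
            "Claim follow-up", "Patient SSN 123-45-6789, diagnosis code pending."),
    Message("hr@clinic.example", "all@clinic.example",
            "Parking lot closure Friday", "The north lot is closed for repaving."),
]

if __name__ == "__main__":
    for mode in Mode:
        print(mode.value, "mode, TLS available, leaks:", phi_leaks(SAMPLE, mode, True, Fallback.PORTAL))
    print("default mode, no TLS, cleartext fallback, leaks:",
          phi_leaks(SAMPLE, Mode.DEFAULT, False, Fallback.CLEARTEXT))
    print("default mode, no TLS, block fallback, leaks:",
          phi_leaks(SAMPLE, Mode.DEFAULT, False, Fallback.BLOCK))
```

Run as written, the manual mode leaks the billing message whose sender forgot the tag, while the default mode leaks nothing as long as TLS is available; switch the fallback to `CLEARTEXT` with TLS unavailable and even the default mode leaks both PHI messages, which is the 5% case from the survey. The point of the model is that under default encryption the only remaining leak path is the fallback policy, a single gateway setting, rather than a per-message decision by every sender.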

What default encryption looks like

Default encryption in practice has two properties:

  • Platform-native: the encryption happens at the email gateway, not in the sender's client. There's no toggle in the user experience and no internal training to maintain.
  • Delivery-direct: the encrypted message lands in the recipient's inbox without portals, passwords, or account creation. The recipient reads the message in whatever email client they already use.

Paubox Email Suite provides default encryption for HIPAA compliant email across Google Workspace and Microsoft 365. More than 8,000 healthcare organizations use Paubox.

What the roadmap says

The Maturity Index closes with a six-step roadmap. Step one is making encryption the default for outbound PHI. Step two is replacing legacy portals with a secure message center.

The full Healthcare Email Security Maturity Index 2026, including the encryption section data and the six-step roadmap, is available now.
