Paubox blog: HIPAA compliant email - easy setup, no portals or passcodes

Do you need HIPAA compliant email when communicating with vendors?

Written by Tshedimoso Makhene | February 26, 2025

Although not mandatory, it is best practice to use HIPAA compliant email to communicate with vendors, especially those who may handle sensitive information or operate within the healthcare ecosystem. Doing so reduces the risk of accidental disclosures and cyberattacks and also ensures consistent data protection standards across all communications, helping healthcare organizations build a culture of compliance and trust.

 

When is HIPAA compliant email required?

According to the U.S. Department of Health and Human Services (HHS), HIPAA does not prohibit the use of email to communicate health information. In fact, the HHS states: “The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so.” Those safeguards are only mandatory when the communication contains protected health information (PHI). If an email contains PHI, HIPAA requires appropriate safeguards: access controls, audit controls, transmission security, and secure storage. Note that encryption is an “addressable” specification under the Security Rule, which means you either implement it or document why an equivalent alternative is reasonable; in practice, encrypting PHI in transit and at rest is the expected baseline.

 

Key questions to consider

When assessing whether you need HIPAA compliant email for vendor communication, ask yourself the following:

Does the email contain PHI?

  • If yes, a HIPAA compliant email service should be used. This includes details like:
    • Patient names
    • Medical record numbers
    • Billing information
    • Lab results
    • Insurance details
  • If no, standard email can be used. Security best practices, such as multi-factor authentication (MFA), transport encryption, and phishing filters, remain advisable.

Is the vendor a business associate?

Under HIPAA, a business associate is any third party that creates, receives, maintains, or transmits PHI on behalf of a covered entity. Examples include:

  • Medical billing companies
  • IT service providers managing healthcare systems
  • Cloud storage providers
  • Email marketing firms handling patient lists

If the vendor qualifies as a business associate, they must sign a business associate agreement (BAA) before any PHI is shared. The BAA contractually binds the vendor to HIPAA's safeguard and breach-notification requirements and documents each party's responsibilities if a breach occurs; it does not remove the covered entity's own obligations.

If the vendor is not handling PHI, such as office supply vendors or marketing consultants discussing generic strategies, a BAA may not be required; however, cybersecurity precautions should still be taken.

 

Does the email service meet HIPAA security standards?

Popular email platforms like Gmail, Outlook, or Yahoo are not HIPAA compliant by default. Their consumer versions may offer encryption in transit, but HIPAA compliance is only possible if the provider will sign a BAA and the service is configured with the required safeguards (enforced encryption, access controls, and audit logging).

Some providers offer enterprise versions that can be made compliant (Google Workspace or Microsoft 365 with a signed BAA and compliance configurations), but setup is complex and easy to get wrong. A better approach may be using a platform specifically built for healthcare compliance. HIPAA compliant email providers go further by integrating these safeguards by default and ensuring that both senders and recipients handle information securely.

 

When can you use regular email?

You don’t need to use a HIPAA compliant email service if the communication doesn’t involve PHI. For example, if you’re discussing routine business matters with a vendor, such as contracts, orders, or pricing information, HIPAA compliance may not be required. However, it’s always a best practice to err on the side of caution and ensure that any sensitive information is transmitted securely.

Practical precautions include:

  • Training staff to avoid sharing PHI unintentionally
  • Avoiding autofill errors that send messages to the wrong recipient
  • Setting strong passwords and implementing MFA

 

Why using HIPAA compliant email is best practice, even if not required

Even when PHI is not explicitly shared, adopting HIPAA compliant email platforms can safeguard against human error, phishing attacks, and data leaks.

 

Supporting research

According to an IBM study, quoted by The Hacker News, over 95% of healthcare data breaches were caused by human error. This includes misdirected emails, weak passwords, and phishing attacks. These findings underscore the importance of secure communication protocols, even for routine or non-clinical emails.

Another study, Healthcare Data Breaches: Insights and Implications, states: “The Internet of Medical Things, Smart Devices, Information Systems, and Cloud Services have led to a digital transformation of the healthcare industry. Digital healthcare services have paved the way for easier and more accessible treatment, thus making our lives far more comfortable. However, the present day healthcare industry has also become the main victim of external as well as internal attacks… The study found that hacking/IT incidents are the most prevalent forms of attack behind healthcare data breaches, followed by unauthorized internal disclosures. The frequency of healthcare data breaches, magnitude of exposed records, and financial losses due to breached records are increasing rapidly.”

These findings support the case for healthcare entities adopting enterprise-level, HIPAA compliant messaging platforms to minimize variability between systems and reduce exposure.

In yet another study, Cybersecurity in healthcare: A systematic review of modern threats and trends, researchers stressed that vendors in the healthcare ecosystem were frequently targeted as soft-entry points into healthcare networks. These vendors often lacked the same level of security oversight as covered entities, making them a prime attack vector.

These studies reinforce a key message: compliance and security are ongoing processes, not one-time decisions.

 

What should a HIPAA compliant email provider offer?

To meet HIPAA requirements and protect your organization, an email platform must offer:

  • Automatic encryption: Ensures emails are secure in transit and at rest.
  • Access control: Limits access to authorized users.
  • Audit logs: Tracks email access and activity for compliance monitoring.
  • Spam/phishing filters: Protects against malicious threats.
  • Business associate agreement (BAA): Ensures the email provider is accountable under HIPAA.

Many vendors promote "secure email," but without a BAA or full encryption, they do not meet HIPAA standards. 

 

Using Paubox for vendor communication

Paubox is a HIPAA compliant email provider that stands out for its simplicity, security, and transparency. Here's how it helps you maintain secure vendor communication:

Seamless encryption

Paubox offers always-on, automatic encryption without requiring recipients to log into portals or retrieve messages via external links. Emails land directly in the recipient’s inbox, encrypted and readable just like any other email. This improves vendor responsiveness and reduces friction.

 

Business associate agreement (BAA)

If your vendor qualifies as a business associate, Paubox provides a BAA that outlines the obligations of all parties under HIPAA. This eliminates ambiguity and ensures that your vendor communications remain within compliance boundaries.

 

Advanced features

  • Email DLP (Data Loss Prevention): Automatically scans outgoing messages for PHI to prevent unauthorized disclosure.
  • Phishing protection: Identifies and blocks malicious messages before they reach inboxes.
  • Real-time monitoring: Tracks sent messages, access times, and delivery status, which provides the audit trail HIPAA expects.
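The DLP bullet above, the "Does the email contain PHI?" question earlier, and the FAQ about vendors who refuse a BAA all describe the same outbound gate: detect PHI indicators in a message, then decide whether it may go out to that recipient at all. The example below is added here to show that logic in working code; it is not Paubox's implementation. The identifier formats (an MRN written as "MRN 12345678", a US SSN, a labelled date of birth, a labelled insurance member ID), the keyword list, the `baa_domains` allow-list and the sample messages are all assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# Identifier formats are ASSUMPTIONS for this example. Tune them to the
# formats your own systems actually emit.
PHI_PATTERNS = {
    "mrn": re.compile(r"\bMRN[:#\s-]*\d{6,10}\b", re.IGNORECASE),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]*\d{1,2}/\d{1,2}/\d{2,4}\b", re.IGNORECASE),
    "insurance_id": re.compile(
        r"\b(?:member|policy|subscriber)\s*(?:id|number|#)[:\s]*[A-Z0-9-]{6,}\b", re.IGNORECASE),
}
# Clinical vocabulary is weaker evidence than an identifier, but a
# conservative outbound policy treats a hit as PHI anyway.
PHI_KEYWORDS = re.compile(
    r"\b(?:diagnosis|lab results?|treatment plan|prescription)\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str   # which detector fired
    text: str   # the matched text; never write this to a log unredacted


def scan_for_phi(body: str) -> list[Finding]:
    """Return every PHI indicator found in an outgoing message body."""
    findings = [Finding(kind, m.group(0))
                for kind, pat in PHI_PATTERNS.items()
                for m in pat.finditer(body)]
    findings += [Finding("keyword", m.group(0).lower())
                 for m in PHI_KEYWORDS.finditer(body)]
    return findings


def redact(body: str) -> str:
    """Replace identifier matches so audit logs and review queues do not
    themselves become a PHI store. Keywords are left in place."""
    for kind, pat in PHI_PATTERNS.items():
        body = pat.sub(f"[{kind.upper()}]", body)
    return body


def outbound_decision(body: str, recipient: str, baa_domains: frozenset[str]) -> str:
    """Gate an outgoing message:
       'allow'   - no PHI indicators: ordinary vendor traffic
       'encrypt' - PHI to a domain with a signed BAA on file: deliver only
                   over the encrypted channel and record an audit entry
       'block'   - PHI to a recipient with no BAA on file: do not share
    """
    if not scan_for_phi(body):
        return "allow"
    domain = recipient.rsplit("@", 1)[-1].lower()
    return "encrypt" if domain in baa_domains else "block"


def audit_entry(body: str, recipient: str, baa_domains: frozenset[str]) -> dict:
    """Audit-log record: the decision, which detectors fired, and a
    redacted preview. No raw identifiers reach the log."""
    return {
        "recipient": recipient,
        "decision": outbound_decision(body, recipient, baa_domains),
        "indicators": sorted({f.kind for f in scan_for_phi(body)}),
        "preview": redact(body)[:120],
    }


# Constructed sample traffic (not real messages or real vendors).
BAA_DOMAINS = frozenset({"claims-vendor.example"})
MSG_SUPPLIES = "Hi, please confirm pricing on the toner order (PO 4471). Thanks."
MSG_CLAIM = "Patient John Doe, MRN 00482913, DOB 04/12/1979. Lab results attached."

if __name__ == "__main__":
    for msg, rcpt in [(MSG_SUPPLIES, "rep@office-supplies.example"),
                      (MSG_CLAIM, "billing@claims-vendor.example"),
                      (MSG_CLAIM, "rep@office-supplies.example")]:
        print(audit_entry(msg, rcpt, BAA_DOMAINS))
```

Two points worth noticing when running it. The claim message is encrypted to the billing vendor with a BAA but blocked to the office-supply vendor, which is exactly the FAQ's rule that PHI is never sent to a business associate who has not signed. And the patient's name survives redaction untouched: pattern matching catches structured identifiers, not free-text names, which is why staff training and a conservative policy still matter alongside the tooling.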

 

Paubox marketing

If you're sending marketing emails to patients or vendors and want to include PHI (e.g., appointment reminders, treatment plans, or lab results), Paubox also offers HIPAA compliant email marketing solutions. Unlike traditional platforms like Mailchimp or Constant Contact, Paubox Marketing is designed specifically for healthcare.

 

 

FAQs

What are the risks of using non-HIPAA compliant email with vendors?

Using non-HIPAA compliant email for PHI can lead to data breaches, HIPAA violations, and hefty fines. It can also compromise patient privacy and damage your organization's reputation.

 

What should I do if a vendor refuses to sign a BAA?

If a vendor qualifies as a business associate and refuses to sign a BAA, you should not share PHI with them. Look for alternative vendors who are willing to comply with HIPAA regulations.