
Establishing internal email policies for HIPAA compliance

In the late 1990s, electronic communication began transforming healthcare. According to the study "We Got Mail": Electronic Communication Between Physicians and Patients, by 1997, approximately 17.5 million adults in the U.S. were already using the internet to seek medical information. At the same time, physicians began using email for professional tasks such as consulting with colleagues, reviewing lab results, tracking patient outcomes, and corresponding with patients.

The healthcare sector has since adopted email as its primary mode of communication. As noted in Email in Healthcare: Pros, Cons and Efficient Use, “It is the assumption of many healthcare organizations that staff will regularly check and act on their email messages.” This widespread reliance on email makes it essential for healthcare organizations to implement robust internal email governance policies, particularly ones that align with the Health Insurance Portability and Accountability Act (HIPAA).

These policies help ensure sensitive patient data is protected, communication practices meet regulatory standards, and operations are secure and efficient.

 

Why email governance matters for HIPAA compliance

HIPAA requires specific safeguards for protected health information (PHI), including any electronic PHI (ePHI) stored or transmitted via email. Under the HIPAA Security Rule, covered entities and business associates must implement administrative, physical, and technical safeguards that preserve the confidentiality, integrity, and availability of ePHI.

As the U.S. Department of Health and Human Services (HHS) explains, “A major goal of the Security Rule is to protect the security of individuals’ ePHI while allowing regulated entities to adopt new technologies that improve the quality and efficiency of health care.” The Rule is designed to be flexible and scalable, allowing organizations to tailor their safeguards to their size, structure, and risk profile.

Without formal email policies, healthcare organizations face risks of:

  • Sending PHI via unencrypted channels
  • Falling victim to phishing or spoofing attacks
  • Using unauthorized devices or accounts for email access
  • Retaining sensitive emails longer than necessary
  • Failing to log or audit email activity properly

Many data breaches originate from simple mistakes or user negligence. As Sarah Varnell, manager of attest services at BARR Advisory, states, “My recommendations for healthcare organizations do not differ significantly from what is considered best practice in other industries. In most cases, the attacks targeting healthcare organizations are not very technical attacks. They rely on tricking users, exploiting weak or reused passwords, or taking advantage of gaps in basic security hygiene. Once attackers have access, they can exfiltrate PHI and either ransom it back to the organization or sell it on the dark web.”

 

Components of internal email governance policies

To develop an effective internal email governance strategy, organizations should include the following components:

Acceptable Use Policy (AUP) for email

An Acceptable Use Policy outlines what staff can and cannot do when using organizational email systems. To comply with HIPAA, the AUP should clarify:

  • What types of data can be transmitted via email.
  • Which email platforms or applications are authorized.
  • That PHI may only be emailed using encrypted and approved channels.
  • Restrictions on auto-forwarding to personal email addresses.
  • Prohibitions on sharing passwords or using unsecured networks.

As Varnell notes, policies on acceptable use and clean desks are foundational practices that reinforce organizational security culture.

 

Email encryption standards

In December 2024, the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) released a Notice of Proposed Rulemaking (NPRM), published in the Federal Register in January 2025. The proposal would amend the Security Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to strengthen cybersecurity requirements for electronic protected health information (ePHI).

Under the current Security Rule, encryption of ePHI is an “addressable” implementation specification: an organization must implement it where reasonable and appropriate, or document why it is not and what equivalent measure it uses instead. Under the proposed updates, encryption of ePHI in transit and at rest would become a required specification, with only limited exceptions.

Whatever the final rule says, internal policy should treat encryption as mandatory when:

  • Sending PHI externally (e.g., to patients, payers, or other providers).
  • Transmitting sensitive information across insecure networks.
  • Storing PHI in email archives.

Internal policies should mandate encryption in transit and at rest, and specify how and when each must be used. In transit means TLS on every hop that carries mail; because SMTP’s STARTTLS is opportunistic by default and can be silently downgraded, policy should require that TLS be enforced with the gateways of known partners, and that messages to recipients whose servers cannot be trusted to negotiate TLS go through an approved secure-message service instead. At rest covers mailboxes, archives, and any exported copies.

 

Email retention and archiving

The HIPAA Privacy Rule requires that “a covered entity must retain the documentation required by [the Rule] for six years from the date of its creation or the date when it last was in effect, whichever is later.” That six-year period applies to the documentation the Rule itself requires (policies and procedures, authorizations, accountings of disclosures, and similar records); HIPAA does not set a retention period for medical records themselves, which is governed by state law and other regulations. Email that contains protected health information (PHI) can fall into either category: a message documenting a policy decision or a patient authorization is Privacy Rule documentation, and a message that forms part of a patient’s designated record set must be kept as long as the rest of that record. Healthcare organizations must therefore implement email retention and archiving policies that map each class of message to the correct retention schedule.

Internal email governance policies should clearly define:

  • Retention timelines for emails that include PHI or pertain to treatment, payment, or healthcare operations.
  • Automated archiving systems that securely store emails and ensure they are accessible for audits, legal requests, or patient inquiries.
  • Procedures for securely disposing of emails that are no longer required, once retention periods have been met.
  • Differentiation between routine communications and those that must be preserved as part of the medical or administrative record.

 

Access controls and least privilege

Email access must be tightly controlled. HIPAA requires that access to ePHI be limited to those who need it to perform their job functions (the Privacy Rule’s minimum necessary standard and the Security Rule’s access control safeguards). This is in line with the principle of least privilege, which Sarah Varnell also recommends, stating, “Enforcing least privilege access controls to ensure that a compromised account can’t freely move throughout the network is also a critical step in a defense plan.”

Governance policies should define:

  • Role-based access to email accounts.
  • Email permissions (e.g., who can send encrypted messages).
  • Termination procedures for former employees.

 

Multi-factor authentication (MFA) and login security

Person or entity authentication is a required technical safeguard under HIPAA’s Security Rule. The current rule does not name MFA specifically, but the proposed updates would require it, and it is the baseline any assessor now expects. Governance policies should require:

  • MFA for every email account, with phishing-resistant methods (FIDO2 security keys or passkeys) for administrators and anyone who handles PHI.
  • Strong password policies: length over complexity, screening against known-breached passwords, and rotation on evidence of compromise rather than on a fixed schedule, in line with NIST SP 800-63B.
  • Restrictions on password reuse across systems.
  • Session timeouts and automatic logout settings, including for mobile clients.

As Varnell suggests, “Additional technical controls to implement include timely patch management, endpoint detection and response, and strong multifactor authentication, potentially in the form of hardware security keys where appropriate.”

 

Security awareness and phishing training

A study by IBM, as quoted by The Hacker News, found that human error is “a major contributing cause in 95% of all breaches.” Internal email governance should mandate regular security awareness training, including simulated phishing exercises.

Sarah Varnell emphasizes that “Information security awareness training that covers how to identify and prevent phishing and other social engineering attacks is critical for ensuring employees are equipped with the appropriate knowledge to protect themselves and the organization.”

Training should be:

  • Ongoing (quarterly or biannually).
  • Tailored to real-world email threats.
  • Mandatory for all employees with email access.
  • Tracked and documented for compliance purposes.

Policies should also encourage employees to report suspicious emails without fear of punishment.

 

Incident response and reporting protocols

HIPAA requires covered entities to have policies in place for identifying, reporting, and responding to security incidents. Internal email governance must include:

  • Clear definitions of email-related incidents (e.g., misdirected emails, phishing attacks, credential theft).
  • A step-by-step response protocol.
  • Who to notify internally and externally.
  • How to document and investigate incidents.
  • Legal and regulatory notification procedures (e.g., the HIPAA Breach Notification Rule: affected individuals notified without unreasonable delay and no later than 60 days after the breach is discovered).

 

Device management and mobile email access

With more healthcare professionals using mobile devices, laptops, and tablets to check email, mobile governance is essential. Policies should address:

  • Which devices are authorized to access email.
  • Mobile Device Management (MDM) requirements.
  • Remote wipe capabilities for lost or stolen devices.
  • Encryption requirements for mobile email.
  • Restrictions on downloading attachments to personal devices.

 

Vendor and business associate communication

Emails to and from business associates must also be governed. Varnell cautions that “It is important to ensure that vendors and partners, especially those that handle PHI, understand what constitutes a breach and have a clear incident response plan of their own. Many healthcare breaches originate in the supply chain, so conducting due diligence as part of a strong vendor management program is also key.”

Internal policies should:

  • Require business associate agreements (BAAs) for vendors handling PHI.
  • Specify the use of secure email channels for external communication.
  • Detail expectations for vendor email security, training, and incident response.

 

Monitoring, logging, and auditing

To demonstrate HIPAA compliance, organizations must log and monitor email activity. Governance policies should require:

  • Logging of inbound and outbound message metadata (sender, recipient, timestamp, size, TLS status, and authentication results), plus mailbox events such as sign-ins, rule changes, and exports.
  • Alerting on anomalous behavior (e.g., bulk downloads, sign-ins from unexpected locations, new auto-forwarding rules that point at external domains).
  • Regular audits of email access and transmission.
  • Documentation of policy violations or incidents.

These practices can help detect early indicators of compromise.
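The following script is an added example, not code from the original article or from Paubox, of what the alerting the list above describes (and the auto-forwarding restriction from the Acceptable Use Policy section) looks like when written down. It runs a few detections over a constructed JSON-lines audit log: sign-in from a country outside an expected set, two countries inside a short travel window, an auto-forward rule whose target is outside the organisation’s domains, and a per-user download volume that exceeds a threshold within a sliding window. The log format, the domain `clinic.example`, the expected-country set, and the thresholds are all assumptions for illustration; real mail platforms export different field names, and the thresholds must be tuned to your own baseline.

```python
"""Added example: flag risky mailbox activity in a constructed audit log."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

ORG_DOMAINS = {"clinic.example"}          # assumed organisational mail domains
EXPECTED_COUNTRIES = {"US"}               # assumed countries staff normally sign in from
TRAVEL_WINDOW = timedelta(hours=1)        # two countries inside this window is suspicious
DOWNLOAD_WINDOW = timedelta(hours=1)      # sliding window for per-user download volume
DOWNLOAD_LIMIT_BYTES = 25 * 1024 * 1024   # 25 MiB per user per window; tune to your baseline

# Constructed sample log (JSON lines, assumed schema). nurse.kim is benign,
# dr.patel shows a full account-takeover pattern, admin.lee downloads a lot but
# spread out over more than one window.
SAMPLE_LOG = """
{"ts": "2025-03-03T08:01:00Z", "user": "nurse.kim@clinic.example", "event": "login", "country": "US"}
{"ts": "2025-03-03T08:03:00Z", "user": "nurse.kim@clinic.example", "event": "download", "bytes": 120000}
{"ts": "2025-03-03T09:15:00Z", "user": "dr.patel@clinic.example", "event": "login", "country": "US"}
{"ts": "2025-03-03T09:16:00Z", "user": "dr.patel@clinic.example", "event": "login", "country": "RO"}
{"ts": "2025-03-03T09:17:00Z", "user": "dr.patel@clinic.example", "event": "forward_rule_created", "target": "drp.personal@gmail.example"}
{"ts": "2025-03-03T09:18:00Z", "user": "dr.patel@clinic.example", "event": "download", "bytes": 50000000}
{"ts": "2025-03-03T10:00:00Z", "user": "admin.lee@clinic.example", "event": "download", "bytes": 20000000}
{"ts": "2025-03-03T12:00:00Z", "user": "admin.lee@clinic.example", "event": "download", "bytes": 20000000}
"""


def parse_events(log_text):
    """Parse JSON lines into dicts with a timezone-aware datetime, sorted by time."""
    events = []
    for line in log_text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def detect(events):
    """Return a list of findings; each is {'rule', 'user', 'detail'}."""
    findings = []
    last_login = {}                 # user -> (ts, country) of most recent sign-in
    downloads = defaultdict(list)   # user -> [(ts, bytes)] inside the sliding window
    bulk_flagged = set()            # alert once per user, not on every later download

    for ev in events:
        user = ev["user"]
        kind = ev["event"]

        if kind == "login":
            country = ev["country"]
            if country not in EXPECTED_COUNTRIES:
                findings.append({"rule": "unexpected_country_login", "user": user, "detail": country})
            prev = last_login.get(user)
            # Same account, two countries, inside the travel window: classic takeover signal.
            if prev and prev[1] != country and ev["ts"] - prev[0] <= TRAVEL_WINDOW:
                findings.append({"rule": "impossible_travel", "user": user,
                                 "detail": f"{prev[1]}->{country}"})
            last_login[user] = (ev["ts"], country)

        elif kind == "forward_rule_created":
            # Auto-forward to any domain we do not own violates the AUP and is a common
            # persistence step after credential theft.
            domain = ev["target"].rsplit("@", 1)[-1].lower()
            if domain not in ORG_DOMAINS:
                findings.append({"rule": "external_auto_forward", "user": user, "detail": ev["target"]})

        elif kind == "download":
            cutoff = ev["ts"] - DOWNLOAD_WINDOW
            window = [(t, b) for t, b in downloads[user] if t >= cutoff]
            window.append((ev["ts"], ev["bytes"]))
            downloads[user] = window
            total = sum(b for _, b in window)
            if total > DOWNLOAD_LIMIT_BYTES and user not in bulk_flagged:
                bulk_flagged.add(user)
                findings.append({"rule": "bulk_download", "user": user, "detail": f"{total} bytes in window"})

    return findings


def run_sample():
    """Run the detections over the constructed log."""
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['rule']:26} {f['user']:28} {f['detail']}")
```

On the sample log only dr.patel produces findings, in the order the events occurred: the sign-in from RO, the US-to-RO change one minute later, the forward rule to `gmail.example`, and the 50 MB download. admin.lee’s two 20 MB downloads are two hours apart, so neither window exceeds the limit, which is the point of the sliding window rather than a daily sum. In production the same four rules would feed a ticket or an automatic session revocation; the forward-rule check in particular is cheap and catches a step attackers take very early.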

 

Bridging policy and technology

A well-written policy only works when supported by the right tools. Healthcare organizations should integrate their governance framework with the technical controls that enforce it.

As Varnell notes, “From a technical perspective, organizations should build robust vulnerability management programs and conduct regular penetration testing to identify and address security issues before attackers do. Additional technical controls to implement include timely patch management, endpoint detection and response, and strong multifactor authentication, potentially in the form of hardware security keys where appropriate.”

 

FAQs

What is considered protected health information (PHI) in emails?

PHI includes any individually identifiable health information sent via email, such as medical records, insurance details, lab results, or appointment data, when it can be linked to a specific patient.

 

Do third-party vendors need to follow the same email policies?

Yes. Any vendor that handles PHI must sign a business associate agreement (BAA) and adhere to the same security requirements, including secure email communication practices.

 

How often should email policies be reviewed or updated?

At minimum, policies should be reviewed annually or whenever there is a change in regulations, technology, or organizational structure. Regular updates ensure continued relevance, legal alignment, and operational effectiveness.