
Healthcare's encryption portal is producing the very workarounds it was meant to prevent


48% of healthcare organizations always require encrypted email recipients to log in to a portal. Among those, more than 1 in 3 report clinical staff bypassing the workflow entirely.

Those numbers come from the Healthcare Email Security Maturity Index 2026, Paubox's benchmark of 170 U.S. healthcare IT leaders. The survey scored each organization across eight dimensions of email security. Encryption and recipient experience scored 2.39 out of 4, the lowest of any dimension in the benchmark.

Five outcomes of portal friction

The Maturity Index asked respondents what happens when their encrypted-email workflow creates friction:

  • 45% report delayed communication with patients or external providers
  • 43% report recipients failing to create accounts or log in
  • 40% report recipients reverting to unsecure channels
  • 34% report clinical staff bypassing encryption to avoid the workflow
  • 31% report increased IT support tickets related to encrypted email

The 40% reverting to unsecure channels often follows from the 43% who never log in. When the recipient doesn't open the encrypted message, the sender resends through regular email, voicemail, or paper. The original message was protected; the PHI ends up in regular email anyway.

Why clinicians bypass the portal

Clinicians communicate with patients, primary care physicians, specialists, labs, and insurers throughout the day. When the encryption portal adds steps to that work, they find another path. The 34% bypass rate is what that pattern looks like in the aggregate.

Healthcare professionals describe the same friction in their own words. From a behavioral health council: "We use a [SECURE] tag in the subject line to encrypt, but we're unsure if that method is actually sufficient."

From a municipal government healthcare operation: "Encrypting emails requires the receiver to log on and get a one-time password. People find it cumbersome."

From a county government healthcare unit: "Staff move too quickly and forget to encrypt emails to outside providers and vendors."

"When more than a third of clinical staff are working around the encryption control, the control is not working," said Hoala Greevy, founder and CEO of Paubox. "Recipient experience is not secondary to security."

The compliance score doesn't catch this

Compliance posture scored highest in the Maturity Index at 3.35 out of 4. Most healthcare organizations passed their audits, have documented encryption policies, and can produce evidence of encrypted-email infrastructure.

The portal-friction findings sit inside that high compliance score because audits check whether encryption exists, not whether staff use it, how many recipients gave up on the portal, or how much breach risk builds between point-in-time audits.

The OCR view

The Office for Civil Rights has been signaling for years that email is the attack surface regulators care about most. In December 2023, OCR announced its first-ever HIPAA penalty for a phishing attack, settling with Lafourche Medical Group over a breach that exposed records of 34,862 individuals.

"Phishing is the most common way that hackers gain access to health care systems to steal sensitive data and health information," former OCR Director Melanie Fontes Rainer said at the time. The Lafourche investigation found the organization had no documented risk analyses or breach response plans for phishing.

The OCR direction is clear: email is the entry point regulators look at first, and the controls that govern recipient experience are increasingly part of the audit conversation. A portal-based model that produces 34% staff bypass and 40% revert-to-unsecure-channels has audit exposure on top of breach risk.

What to deploy instead

The Maturity Index roadmap calls for replacing legacy portals with a secure message center. When TLS fails or recipients can't receive encrypted email, delivery routes through a branded secure message center with no account creation, no password resets, and no bypassable workflow. The recipient gets a notification with a one-click access link, and the message opens in a branded view.

For most outbound encrypted email, the simpler approach is to skip portals entirely. Paubox Email Suite delivers HIPAA-compliant email directly to the recipient's inbox by default, without portals, passwords, or account creation. The recipient reads the message in whatever email client they already use.
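The routing rule described above (deliver directly when TLS delivery works, otherwise fall back to a notification carrying a one-click link with no account or password) can be sketched in code. This is an added illustration, not Paubox's implementation; the message-center host, the seven-day link lifetime, the HMAC-signed token format and the precomputed `tls_delivery_ok` flag are all assumptions.

```python
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Assumption: the message center holds a per-deployment secret (a real deployment would load it from a KMS).
SERVER_SECRET = secrets.token_bytes(32)
LINK_TTL_SECONDS = 7 * 24 * 3600                  # assumption: access links expire after seven days
CENTER_URL = "https://secure.example.invalid/m/"  # placeholder host, not a real service


@dataclass
class Recipient:
    address: str
    tls_delivery_ok: bool  # constructed: outcome of an earlier STARTTLS/MTA-STS probe, not computed here


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")
def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
def _mac(payload: bytes) -> str:
    return _b64(hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest())


def issue_access_link(message_id: str, address: str, now: int) -> str:
    """Mint a one-click link binding message id, recipient and expiry with an HMAC; no account or password."""
    payload = f"{message_id}|{address}|{now + LINK_TTL_SECONDS}".encode()
    return CENTER_URL + _b64(payload) + "." + _mac(payload)


def verify_access_link(link: str, now: int):
    """Return (message_id, address) if the link is untampered and unexpired, otherwise None."""
    try:
        body, tag = link[len(CENTER_URL):].split(".", 1)
        payload = _unb64(body)
    except Exception:  # malformed token
        return None
    if not hmac.compare_digest(tag, _mac(payload)):  # constant-time signature check
        return None
    message_id, address, expires = payload.decode().split("|")
    if now > int(expires):
        return None
    return message_id, address


def route(message_id: str, rcpt: Recipient, now: int):
    """TLS-capable recipients get the message in their inbox; everyone else gets a notification with a link."""
    if rcpt.tls_delivery_ok:
        return "direct", None
    return "message_center", issue_access_link(message_id, rcpt.address, now)
```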

The bottom line

The encryption portal is the second-most-deployed control in healthcare email security, behind only spam filtering. The Maturity Index documented five distinct failure modes across 30-50% of organizations.

The full Healthcare Email Security Maturity Index 2026, including the portal-friction outcomes data and the six-step roadmap, is available now.
