by Rick Kuwahara COO of Paubox

HIPAA email encryption requirements: What you need to know


HIPAA email encryption requirements can be confusing because the rules lack clear instruction and are left open to interpretation. As a result, some question whether email encryption is truly a HIPAA requirement.

For example, the encryption requirements around Protected Health Information (PHI) are called “addressable” in the security rule. And the HIPAA encryption requirements for transmission state that covered entities should encrypt PHI “whenever deemed appropriate”.

How HIPAA email encryption is defined  

HIPAA encryption requirements are specified by two main terms — “required” and “addressable”. 

Those labeled “required” must be put in place or it’s considered a failure to comply with HIPAA. Those that are called “addressable” only have to be implemented after a risk assessment has determined that encryption is needed for managing risks to PHI. 

If your organization determines that encryption is not appropriate, then you must document your reasoning behind that decision and implement an equivalent solution to safeguard PHI. 

Because there is no appropriate alternative to encryption for protecting PHI, encryption is effectively required. Not using encryption is risky for your patients’ information and your organization.

Why encryption requirements are unclear

HIPAA requirements are vague because, when the security rule was enacted, the Department of Health and Human Services (HHS) wanted to allow organizations to select the best solution for their individual needs.

HHS realized they couldn’t demand that covered entities use specific security technologies that could be out of date in a short time. 

This doesn’t mean that encryption can be overlooked, only that an organization has to document a reason why action hasn’t been taken. Plus, an alternative method must be used and its details made available to the Office for Civil Rights (OCR) in the case of an audit. 


HIPAA encryption requirements apply to every part of an organization’s IT system, including cloud servers and smartphones. 

The increased use of mobile devices in the work environment can make it more complicated to comply with the encryption requirements, including safeguarding PHI both at rest and in transit. 

Third-party providers like Paubox can provide end-to-end encryption to ensure that your emails are protected even in transit. 

