As noted in Security and Privacy of Technologies in Health Information Systems: A Systematic Literature Review, healthcare organizations handle a lot of sensitive patient data, including personal information and medical records. For healthcare organizations, every email containing protected health information (PHI) represents both an opportunity for efficient care delivery and a potential compliance risk.
Understanding HIPAA's email requirements
What HIPAA actually says about email
The HIPAA Privacy Rule and Security Rule don't explicitly prohibit or mandate specific email technologies. Instead, they provide standards for protecting PHI in electronic form, which includes email communications. According to the official HHS Summary of the HIPAA Security Rule, healthcare organizations must implement appropriate administrative, physical, and technical safeguards when using email to transmit PHI.
As outlined in the HIPAA Basics for Providers: Privacy, Security, & Breach Notification Rules fact sheet published by CMS in May 2025, the Security Rule requires covered entities to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) they create, receive, maintain, or transmit. Additionally, organizations must protect against reasonably anticipated threats to the security or integrity of protected information and ensure compliance by their workforce.
These requirements apply to all covered entities which include health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically, as well as their business associates. The fact sheet also states that covered entities and their business associates must follow HIPAA rules, and the Security Rule was designed to be flexible, scalable, and technology neutral to accommodate organizations of all sizes, from small practices to large health organizations.
Read also: HIPAA Compliant Email: The Definitive Guide (2025 Update)
The reality of risk
Standard email is relayed store-and-forward through multiple servers and networks, and unless every hop negotiates TLS the message crosses part of that path in plain text that can be read by anyone with access to the wire or the relay. As Akilnath Bodipudi notes in Enhancing Email Security and Email Encryption with Data Loss Prevention in Healthcare, "unsecured emails can be intercepted, leading to data breaches and unauthorized access."
Also, according to Health Insurance Portability and Accountability Act (HIPAA) Compliance, PHI breaches have affected over 176 million patients in the United States, with most resulting from employee negligence and noncompliance rather than external hacking.
The three pillars of HIPAA compliant email
Encryption and transmission security
Encryption makes PHI unreadable to unauthorized parties even if intercepted. Research by Bodipudi confirms that "encryption ensures that only authorized recipients can access and read the email content.” However, not all encryption approaches are created equal for healthcare use.
Encryption in transit protects messages as they travel between mail servers, usually with TLS (Transport Layer Security) negotiated over STARTTLS. Two caveats matter in practice. First, server-to-server TLS is hop-by-hop and, by default, opportunistic: each relay decides whether to offer or accept TLS, so a single legacy relay in the path can drop that hop to plaintext, and most relays do not verify the peer's certificate. Second, TLS ends at each server, so the message is stored and handled in readable form at every relay and in the recipient's inbox.
Encryption at rest protects stored messages on email servers, archives and devices. This safeguards PHI if a server is compromised or a laptop or phone is lost or stolen, but it does nothing for the message while it is in transit, and it does not stop a compromised but authorized account from reading mail.
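The hop-by-hop point above is something you can check on a received message, because each relay prepends a Received: trace line recording whether it accepted the message over TLS. The script below is an added example (not code from the page or from any vendor product) that walks a constructed message's Received: chain in delivery order and reports hops with no evidence of TLS. It relies on the trace conventions most relays follow (the "with ESMTPS"/"ESMTPSA" keyword and Postfix/Exim-style "version=TLS…" or "using TLSv…" annotations); an MTA that omits them will look unprotected, so treat a miss as unproven and confirm in that relay's own logs.

```python
"""Audit a message's Received: trace for hops that were not protected by TLS.

Added example, not code from the page or from any vendor product. The message is
constructed. Detection relies on conventions most relays follow in their trace
fields: the 'with ESMTPS' / 'ESMTPSA' keyword for a TLS-protected session and the
Postfix/Exim style '(version=TLS1_3 ...)' or '(using TLSv1.2 ...)' annotation.
"""
import re
from email import policy
from email.parser import Parser

# Constructed sample. In delivery order the hops are workstation -> legacy-smtp
# (TLS, authenticated), legacy-smtp -> relay (plain ESMTP), relay -> mx (TLS, but
# 'verify=NO' means the sending relay did not validate the receiver's certificate).
SAMPLE_MESSAGE = """\
Received: from relay.clinic.example (relay.clinic.example [203.0.113.10])
\tby mx.hospital.example (Postfix) with ESMTPS id 4ABC123
\t(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NO);
\tMon, 2 Jun 2025 09:15:02 -0500
Received: from legacy-smtp.clinic.example (legacy-smtp.clinic.example [198.51.100.7])
\tby relay.clinic.example (Postfix) with ESMTP id 9DEF456;
\tMon, 2 Jun 2025 09:15:01 -0500
Received: from workstation-12.clinic.example (workstation-12.clinic.example [10.0.5.12])
\tby legacy-smtp.clinic.example (Postfix) with ESMTPSA id 7GHI789
\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits));
\tMon, 2 Jun 2025 09:15:00 -0500
From: Dr. Example <doctor@clinic.example>
To: records@hospital.example
Subject: Patient follow-up
Content-Type: text/plain; charset=us-ascii

Please see the attached labs.
"""

HOP_RE = re.compile(r'\bfrom\s+(?P<src>\S+).*?\bby\s+(?P<dst>\S+)', re.I | re.S)
TLS_RE = re.compile(
    r'\bwith\s+(?:ESMTPSA?|LMTPS|UTF8SMTPSA?)\b'   # RFC 3848 'with' keywords for TLS
    r'|version=TLS'                                # Postfix annotation
    r'|\busing\s+TLSv',                            # Exim / older Postfix annotation
    re.I,
)


def audit_hops(raw_message: str) -> list[dict]:
    """Return one record per hop, in delivery order (oldest hop first)."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    hops = []
    # Each relay prepends its own Received: line, so header order is newest first;
    # reverse it to walk the path the message actually took.
    for value in reversed(msg.get_all('Received', [])):
        text = ' '.join(str(value).split())   # unfold and normalise whitespace
        m = HOP_RE.search(text)
        low = text.lower()
        hops.append({
            'src': m.group('src') if m else '?',
            'dst': m.group('dst') if m else '?',
            'tls': bool(TLS_RE.search(text)),
            # Postfix-specific: None when the relay recorded no verification result.
            'verified': ('verify=ok' in low) if 'verify=' in low else None,
        })
    return hops


def unprotected_hops(raw_message: str) -> list[str]:
    """Hops with no evidence of TLS: where PHI could have crossed the wire in clear."""
    return [f"{h['src']} -> {h['dst']}" for h in audit_hops(raw_message) if not h['tls']]


if __name__ == '__main__':
    for hop in audit_hops(SAMPLE_MESSAGE):
        print(hop)
    print('unprotected:', unprotected_hops(SAMPLE_MESSAGE))
```

Two things to keep in mind when reading the output. Received: lines are written by the receiving server, so only the hops operated by you or your partners are trustworthy; an external sender can forge earlier lines. And "verify=NO" on an otherwise TLS-protected hop is the normal signature of opportunistic TLS: the channel was encrypted, but the sending relay did not check who it was talking to.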
The most practical approach for healthcare combines encryption that is transparent to both sender and recipient (no portals, passwords or plug-ins) with authentication of the sending and receiving systems. This is where HIPAA compliant email solutions like Paubox come in. Unlike consumer email services with add-on encryption, Paubox encrypts by default, requires no additional steps from users, works with any email recipient, and maintains audit trails for compliance documentation.
Learn more: Why should ePHI be encrypted at rest and in transit?
Access controls and authentication
The fact sheet outlines that organizations must implement policies and procedures to ensure workforce members have appropriate authorization and access to ePHI based on their roles.
Role-based access controls allow staff members to only access the PHI necessary for their job functions. The Security Rule requires that access to ePHI be authorized only when such access is appropriate for the user or recipient's role, consistent with the Privacy Rule's minimum necessary standard. Not every employee needs access to all patient communications.
Session management and automatic logouts prevent unauthorized access when users step away from workstations. In healthcare environments, staff move between examination rooms, nursing stations and other locations throughout a shift, often leaving a signed-in workstation behind.
Account monitoring and anomaly detection help identify potential security incidents before they escalate. Unusual sign-in times, access from unexpected locations or networks, a burst of failed logins followed by a success, or sudden changes in email behavior (new forwarding rules, unusual send volume) can indicate a compromised account.
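To make the anomaly-detection point concrete, here is an added example (not code from the page or from any vendor product) that runs three of those rules over a constructed sign-in log: impossible travel between two countries within a short window, a first-ever login from a new country, and a burst of failures from one source followed by a success. The log format (timestamp, user, source IP, country, outcome) is an assumption for illustration; map your own mail platform's sign-in audit export to these fields.

```python
"""Flag suspicious mailbox sign-ins in a constructed audit log.

Added example, not code from the page or from any vendor product. The log format
(timestamp, user, source IP, country, outcome) is an assumption for illustration.
Rules:
  impossible_travel    successful logins for one user from two countries within
                       TRAVEL_WINDOW of each other
  new_country          a success from a country the user has not used before
                       (baseline here is the log itself; in production seed it
                       from prior history)
  brute_force_success  FAIL_THRESHOLD or more failures from one source followed
                       by a success from that source within FAIL_WINDOW
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

TRAVEL_WINDOW = timedelta(hours=2)
FAIL_WINDOW = timedelta(minutes=15)
FAIL_THRESHOLD = 5

# Constructed sample events, one per line.
SAMPLE_LOG = """\
2025-06-02T08:01:10Z nurse.jones 10.0.5.21 US success
2025-06-02T08:03:44Z nurse.jones 10.0.5.21 US success
2025-06-02T08:30:02Z dr.patel 203.0.113.55 US success
2025-06-02T09:12:51Z dr.patel 198.51.100.9 DE success
2025-06-02T10:00:01Z billing.kim 192.0.2.40 US failure
2025-06-02T10:00:05Z billing.kim 192.0.2.40 US failure
2025-06-02T10:00:09Z billing.kim 192.0.2.40 US failure
2025-06-02T10:00:14Z billing.kim 192.0.2.40 US failure
2025-06-02T10:00:20Z billing.kim 192.0.2.40 US failure
2025-06-02T10:00:31Z billing.kim 192.0.2.40 US success
2025-06-03T08:05:00Z nurse.jones 10.0.5.21 US success
"""


def parse_log(text: str) -> list[dict]:
    """Parse the sample format into events sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, outcome = line.split()
        events.append({
            'ts': datetime.fromisoformat(ts.replace('Z', '+00:00')),
            'user': user, 'ip': ip, 'country': country,
            'ok': outcome == 'success',
        })
    return sorted(events, key=lambda e: e['ts'])


def _prune(window: deque, now: datetime) -> None:
    """Drop failure timestamps older than FAIL_WINDOW."""
    while window and now - window[0] > FAIL_WINDOW:
        window.popleft()


def detect_anomalies(events: list[dict]) -> list[tuple]:
    """Run the three rules over time-ordered events; returns (rule, user, detail)."""
    alerts = []
    last_success = {}                      # user -> most recent successful event
    countries_seen = defaultdict(set)      # user -> countries with a prior success
    failures = defaultdict(deque)          # (user, ip) -> recent failure timestamps

    for e in events:
        key = (e['user'], e['ip'])
        _prune(failures[key], e['ts'])
        if not e['ok']:
            failures[key].append(e['ts'])
            continue

        # A success right after a run of failures from the same source.
        if len(failures[key]) >= FAIL_THRESHOLD:
            alerts.append(('brute_force_success', e['user'], e['ip']))
        failures[key].clear()

        prev = last_success.get(e['user'])
        if (prev and prev['country'] != e['country']
                and e['ts'] - prev['ts'] <= TRAVEL_WINDOW):
            alerts.append(('impossible_travel', e['user'],
                           f"{prev['country']}->{e['country']}"))

        seen = countries_seen[e['user']]
        if seen and e['country'] not in seen:
            alerts.append(('new_country', e['user'], e['country']))
        seen.add(e['country'])
        last_success[e['user']] = e
    return alerts


if __name__ == '__main__':
    for alert in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample, nurse.jones produces no alerts, dr.patel trips both the travel and new-country rules, and billing.kim trips the brute-force rule. In production the thresholds and windows need tuning per organization, and the country baseline should come from months of history rather than the batch being analysed, otherwise the first login in every batch silently becomes the norm.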
Policies and training
Written policies provide procedures for email use. The fact sheet notes that regulated entities must adopt reasonable and appropriate policies and procedures, maintain documentation for at least six years, and make these policies available to those responsible for implementation. Your policies should address:
- When email communication is appropriate for PHI
- How to verify recipient identities before sending PHI
- What information should never be transmitted via email (even encrypted)
- How to handle suspected security incidents
- Procedures for mobile device use and bring-your-own-device scenarios
Regular, role-specific training helps staff understand both the "what" and the "why" of HIPAA compliant email practices. As noted in the Health Insurance Portability and Accountability Act (HIPAA) Compliance, annual HIPAA training is mandatory for all employees, with training levels corresponding to employee responsibilities. The fact sheet states that organizations should train all workforce members on security policies and procedures, and apply appropriate sanctions against those who violate them. As Bodipudi notes, "comprehensive training programs are essential to help users understand the importance of security measures."
Effective programs include:
- Ongoing education
- Simulated phishing exercises that test awareness
- Case studies of real breaches and their consequences
- Practical scenarios relevant to staff roles
Read also: Maintaining staff training policies in healthcare
Common misconceptions about HIPAA email
HIPAA does not apply to email communication
This is false. The Privacy Rule covers PHI in any form, spoken, paper or electronic, so phone calls, text messages and email are all subject to it. The fact sheet confirms that the Security Rule specifically protects electronic protected health information (ePHI), and an email containing PHI is ePHI both while it is in transit and while it sits in a mailbox or archive. All covered entities and business associates must comply with HIPAA requirements when using email to transmit protected information.
HIPAA requires all emails containing PHI to be encrypted
While encryption is strongly recommended and represents best practice for secure email communication, HIPAA does not explicitly mandate encryption for every email containing PHI. In the Security Rule, encrypting ePHI in transit is an "addressable" implementation specification: a covered entity must implement it where reasonable and appropriate, or document why it is not and put an equivalent alternative measure in place. The fact sheet states that organizations must implement technical security measures to guard against unauthorized access to ePHI that is being transmitted over an electronic network.
Considering the risks of unencrypted email, encryption has become the standard for healthcare email security.
HIPAA is only for healthcare providers
HIPAA does not just cover doctors and hospitals. The fact sheet confirms that the Security Rule applies to all covered entities, that is health plans, healthcare clearinghouses and providers that transmit health information electronically, and to their business associates. Any vendor, consultant, IT or cloud service provider, billing company or other entity that creates, receives, maintains or transmits PHI on behalf of a covered entity is a business associate and must comply with HIPAA, including signing a Business Associate Agreement.
Consumer email services are HIPAA compliant if you enable security features
Many organizations mistakenly believe standard consumer email services like personal Gmail or Outlook.com accounts (as opposed to enterprise Google Workspace or Microsoft 365 tenants operated under a signed BAA) become HIPAA compliant if they enable available security features. This is incorrect. Consumer email services:
- Are not designed for healthcare compliance
- Don't provide necessary administrative controls required by HIPAA
- Typically won't sign Business Associate Agreements
- Lack specialized features like healthcare-focused DLP and proper audit trails
Email portals provide adequate patient communication
Some organizations use patient portals for all electronic communication, believing this satisfies HIPAA requirements while avoiding email risks. A portal is a compliant channel, but requiring patients to log into it for every message creates friction that reduces engagement. Modern HIPAA compliant email solutions deliver encrypted messages directly to the patient's normal inbox, improving accessibility while maintaining security.
Understanding HIPAA enforcement and common violations
The HHS Office for Civil Rights (OCR) enforces the HIPAA Privacy, Security, and Breach Notification Rules. According to the fact sheet, violations may result in civil monetary penalties, and in some cases, U.S. Department of Justice-enforced criminal penalties may apply.
The fact sheet identifies common violations that organizations should note:
- Unpermitted PHI use and disclosure
- Use or disclosure of more than the minimum necessary PHI
- Lack of PHI safeguards
- Lack of administrative, technical, or physical ePHI safeguards
- Not giving patients access to their PHI
Learn more: The complete guide to HIPAA violations
The breach notification rule and email security
The fact sheet outlines requirements under the Breach Notification Rule that directly impact email security practices. Organizations must notify affected patients, HHS, and in some cases the media when a breach involves PHI. A breach occurs when PHI is used or shared in ways not permitted under the HIPAA Privacy Rule, putting the privacy or security of the information at risk.
Any unauthorized use or disclosure of PHI is considered a breach unless there's a low probability the PHI has been compromised, based on a risk assessment considering:
- The type of PHI involved, including identifiers and the likelihood someone could identify the patient
- Who used the PHI or obtained it without permission
- Whether anyone viewed or retained the PHI
- What steps were taken to reduce risk after the incident
Organizations must notify affected individuals without unreasonable delay and no later than 60 days after discovering the breach. The fact sheet notes that smaller breaches affecting fewer than 500 patients must be reported to HHS annually (within 60 days of the end of the calendar year in which they were discovered), while larger breaches must be reported to HHS at the same time as individual notice. Additionally, business associates must notify the covered entity of breaches at or by the business associate.
Learn more: Navigating HIPAA’s Breach Notification Rule
Implementation
Getting started
Before implementing or upgrading email security solutions, assess your current state. The fact sheet states that when deciding which security measures to use, organizations must consider their size, complexity and capabilities, their technical infrastructure, the cost of security measures, and the probability and criticality of potential risks to ePHI.
Map all email communication flows involving PHI:
- Patient communications
- Provider-to-provider consultations
- Insurance and billing communications
- Third-party business associate interactions
Identify gaps in current security measures:
- Encryption coverage
- Inbound threat detection
- Outbound content monitoring
- Archiving and retention
Understand your organization's unique risks:
- Your size and complexity
- Patient population and communication needs
- Existing security incidents and near-misses
- Regulatory environment beyond HIPAA
Not all healthcare organizations need the same email security approach. A small primary care practice has different needs than a large healthcare system, an academic medical center, or a specialty practice handling sensitive conditions.
Choosing the right solution
When evaluating HIPAA compliant email solutions, look beyond feature checklists to understand how solutions actually work in practice.
Core capabilities should include:
- Default encryption that requires no user action or recipient setup
- Inbound security including AI-powered threat detection
- Content-aware DLP that understands PHI in context
- Tamper-proof archiving with powerful search and legal hold
- Integration with existing email infrastructure (Microsoft 365, Google Workspace, etc.)
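"Content-aware DLP that understands PHI in context" is easy to list and harder to build. The added example below (not the page's or any vendor's DLP engine) shows the shape of such a rule over a constructed outbound message: an SSN-shaped number counts only when "SSN" or "social security" appears nearby, a structurally invalid SSN is rejected, a bare nine-digit invoice number is left alone, and the resulting policy decision depends on whether the recipient domain is a BAA partner. The "MRN <digits>" format is an assumption; medical record numbers are site-specific, so that pattern should be adapted to your own system.

```python
"""Content-aware DLP check for PHI in an outbound message body.

Added example, not the page's or any vendor's DLP engine. Context decides: an
SSN-shaped number counts only with 'SSN'/'social security' nearby, a structurally
invalid SSN (area 000, 666 or 9xx, group 00, serial 0000) is rejected, and a bare
9-digit number such as an invoice reference is left alone. The 'MRN <digits>'
format is an assumption about the local record system.
"""
import re

SSN_RE = re.compile(r'\b(?!000|666|9\d\d)\d{3}[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}\b')
SSN_CONTEXT_RE = re.compile(r'\b(?:ssn|social\s+security)\b', re.I)
MRN_RE = re.compile(r'\bMRN[:#\s]*([A-Z]?\d{6,10})\b', re.I)   # assumed local format
DOB_RE = re.compile(r'\b(?:dob|date\s+of\s+birth|born)\b[:\s]*(\d{1,2}/\d{1,2}/\d{2,4})', re.I)
CONTEXT_CHARS = 40   # how far around a candidate to look for a qualifying keyword

# Constructed outbound message body.
SAMPLE_BODY = """\
Hi Dana,

Following up on the referral for patient J. Rivera, DOB 04/17/1982, MRN 4471902.
Her SSN is 219-09-9999 for the insurance form. Please ignore invoice 123456789,
which is a billing reference, not an identifier. Test record SSN 000-12-3456 is
a placeholder. Call me at 555-123-4567.
"""


def find_phi(text: str) -> list[tuple[str, str]]:
    """Return (kind, value) for each identifier found, with context checks applied."""
    findings = []
    for m in SSN_RE.finditer(text):
        # Only count an SSN-shaped number if a qualifying keyword sits near it.
        window = text[max(0, m.start() - CONTEXT_CHARS): m.end() + CONTEXT_CHARS]
        if SSN_CONTEXT_RE.search(window):
            findings.append(('ssn', m.group()))
    for m in MRN_RE.finditer(text):
        findings.append(('mrn', m.group(1)))
    for m in DOB_RE.finditer(text):
        findings.append(('dob', m.group(1)))
    return findings


def decide(text: str, recipient: str, baa_domains: set[str]) -> str:
    """Policy decision: 'send' (no PHI found), 'encrypt' (PHI going to a BAA
    partner domain), or 'hold' (PHI going to an unknown domain; queue for review)."""
    if not find_phi(text):
        return 'send'
    domain = recipient.rsplit('@', 1)[-1].lower()
    return 'encrypt' if domain in baa_domains else 'hold'


if __name__ == '__main__':
    print(find_phi(SAMPLE_BODY))
    print(decide(SAMPLE_BODY, 'dana@partnerclinic.example', {'partnerclinic.example'}))
    print(decide(SAMPLE_BODY, 'dana@mail.example', {'partnerclinic.example'}))
```

On the sample body this finds exactly three identifiers (the valid SSN, the MRN and the date of birth), ignores the invoice number, the placeholder SSN and the phone number, and returns "encrypt" for the partner domain but "hold" for an unknown one. Real deployments add many more detectors (names joined with dates, diagnosis and medication vocabularies, attachment scanning) and tune the context window and thresholds against their own false-positive rate.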
Equally important are operational considerations:
- Ease of deployment and configuration
- Administrative burden and ongoing management requirements
- User experience that doesn't disturb clinical workflows
- Reporting and analytics for compliance documentation
- Vendor stability and long-term viability
For healthcare organizations specifically, look for:
- Purpose-built healthcare focus with HIPAA compliance in architecture
- Willingness to sign Business Associate Agreements
- Understanding of healthcare workflows and requirements
- Proven track record with healthcare customers
- Responsive support that understands healthcare urgency
Secure Email Gateway (SEG) deployments, which process mail before it reaches your mail platform, give the strongest protection against inbound threats because malicious content is stopped before it enters your environment. This architecture has clear advantages over Integrated Cloud Email Security (ICES) approaches that rely on API access to scan messages after they have already been delivered to the inbox. SEGs:
- Stop threats before any user can be exposed to them
- Inspect the full message stream, attachments included, without depending on the mail platform's API coverage or rate limits
- Keep your organization in control of security policy, independent of the mail platform's own feature set
- Shorten the exposure window for new campaigns and zero-day attachments, since nothing is delivered and then retroactively pulled back
One caveat for a gateway deployment: the protection only holds if all inbound mail actually passes through it. Point your MX records at the gateway and configure the mail platform to accept inbound mail only from the gateway's addresses; otherwise an attacker can deliver straight to the tenant and bypass the SEG entirely.
Implementation best practices
Phase implementation thoughtfully.
- Pilot with a limited group to identify issues and gather feedback
- Expand gradually to additional departments while refining approaches
- Provide adequate training and support before and during rollout
Customize configurations to your organization. Take time to:
- Define DLP policies reflecting your communication needs and risk tolerance
- Configure inbound security to minimize false positives for legitimate partners
- Establish archiving retention periods based on regulatory and legal requirements
- Tune encryption settings to balance security with user experience
Plan for ongoing management. The fact sheet notes that organizations must regularly review and modify security measures and periodically evaluate their effectiveness to ensure continued protection. Establish:
- Regular review cycles for security policies and configurations
- Monitoring of reports and analytics to identify trends and issues
- Updated training based on incident patterns and emerging threats
- Periodic risk assessments to ensure controls remain effective
Integrate with broader security programs. Email security should complement your organization's overall security:
- Incident response procedures and escalation paths
- Identity and access management policies
- Mobile device management for accessing email remotely
- Security awareness training and phishing simulations
Read also: Inbound Email Security
FAQs
Can patients request unencrypted email communication under HIPAA?
Yes. A patient may ask to receive PHI by unencrypted email, but the provider must warn the patient of the security risks, document both the warning and the patient's choice, and the request does not relieve the provider of its other Security Rule obligations.
Does HIPAA apply differently to internal emails versus external emails?
HIPAA applies to both internal and external emails if they contain PHI, although risk mitigation strategies may differ.
How does HIPAA compliant email apply to telehealth communications?
Emails used to support telehealth services must meet the same HIPAA security standards as other electronic PHI transmissions.
Are text messages and emails treated the same under HIPAA?
Yes, both are electronic communications involving ePHI and must meet HIPAA Security Rule safeguards.
What happens if PHI is accidentally sent to the wrong recipient but not opened?
Organizations must still perform a risk assessment to determine whether the incident qualifies as a reportable breach.