As noted in Security and Privacy of Technologies in Health Information Systems: A Systematic Literature Review, healthcare organizations handle large volumes of sensitive patient data, including personal information and medical records. For healthcare organizations, every email containing protected health information (PHI) represents both an opportunity for efficient care delivery and a potential compliance risk.
The HIPAA Privacy Rule and Security Rule don't explicitly prohibit or mandate specific email technologies. Instead, they provide standards for protecting PHI in electronic form, which includes email communications. According to the official HHS Summary of the HIPAA Security Rule, healthcare organizations must implement appropriate administrative, physical, and technical safeguards when using email to transmit PHI.
As outlined in the HIPAA Basics for Providers: Privacy, Security, & Breach Notification Rules fact sheet published by CMS in May 2025, the Security Rule requires covered entities to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) they create, receive, maintain, or transmit. Additionally, organizations must protect against reasonably anticipated threats to the security or integrity of protected information and ensure compliance by their workforce.
These requirements apply to all covered entities, which include health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically, as well as to their business associates. The fact sheet also states that covered entities and their business associates must follow HIPAA rules, and that the Security Rule was designed to be flexible, scalable, and technology neutral to accommodate organizations of all sizes, from small practices to large health organizations.
Standard emails go through multiple servers and networks, often in plain text that can be read by unauthorized parties. As Akilnath Bodipudi notes in Enhancing Email Security and Email Encryption with Data Loss Prevention in Healthcare, "unsecured emails can be intercepted, leading to data breaches and unauthorized access."
Also, according to Health Insurance Portability and Accountability Act (HIPAA) Compliance, PHI breaches have affected over 176 million patients in the United States, with most resulting from employee negligence and noncompliance rather than external hacking.
Encryption makes PHI unreadable to unauthorized parties even if intercepted. Research by Bodipudi confirms that "encryption ensures that only authorized recipients can access and read the email content." However, not all encryption approaches are created equal for healthcare use.
Encryption in transit protects messages as they travel across networks using protocols like TLS (Transport Layer Security). This prevents interception during transmission, but messages remain readable once they reach the recipient's inbox.
Encryption at rest protects stored messages on email servers and devices. This safeguards PHI if servers are compromised or devices are lost or stolen. However, it doesn't protect the message during transmission.
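A practitioner can check the in-transit half of this on a delivered message by reading its Received headers, which each relay prepends, and flagging any hop that was not accepted over TLS. This is an added example, not code from the original article or from Paubox; the sample message, host names and queue IDs are constructed, and because a sender can forge Received headers, only the hops recorded by servers you operate are trustworthy.

```python
import re
from email import message_from_string

# Constructed sample message: the first hop (workstation -> relay) was plain ESMTP,
# the second (relay -> MX) was ESMTPS with TLS 1.3. Layout follows common Postfix output.
SAMPLE_MESSAGE = """\
Received: from relay.clinic.example (relay.clinic.example [203.0.113.10])
\tby mx.clinic.example (Postfix) with ESMTPS id 4F2A1
\t(version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384);
\tMon, 02 Jun 2025 09:14:02 -0400
Received: from workstation-12.clinic.example (unknown [10.0.4.12])
\tby relay.clinic.example (Postfix) with ESMTP id 8C3D7;
\tMon, 02 Jun 2025 09:14:01 -0400
From: billing@clinic.example
To: patient@example.net
Subject: Appointment follow-up

Body omitted.
"""

# SMTP protocol keywords that imply the hop was accepted over TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "SMTPS", "UTF8SMTPS", "UTF8SMTPSA"}


def parse_hops(raw_message: str) -> list[dict]:
    """Return one dict per Received header, oldest hop first."""
    msg = message_from_string(raw_message)
    hops = []
    # Each relay prepends its own Received header, so the topmost one is the newest hop.
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())  # unfold continuation lines
        m_from = re.search(r"\bfrom\s+(\S+)", value)
        m_by = re.search(r"\bby\s+(\S+)", value)
        m_with = re.search(r"\bwith\s+([A-Za-z0-9]+)", value)
        m_tls = re.search(r"version=([^\s)]+)", value)
        protocol = m_with.group(1).upper() if m_with else ""
        hops.append({
            "from": m_from.group(1) if m_from else "?",
            "by": m_by.group(1) if m_by else "?",
            "protocol": protocol,
            "tls_version": m_tls.group(1) if m_tls else None,
            "encrypted": protocol in TLS_PROTOCOLS or m_tls is not None,
        })
    return hops


def unencrypted_hops(raw_message: str) -> list[str]:
    """List 'sender -> receiver' for every hop that was not protected by TLS."""
    return [f"{h['from']} -> {h['by']}" for h in parse_hops(raw_message) if not h["encrypted"]]
```

Even when every hop reports TLS, the message is stored in the clear at both ends unless encryption at rest is also in place, which is the gap the next paragraph describes.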
The most practical approach for healthcare is transparent encryption that requires no action from the recipient, combined with authentication that verifies the identities of sender and recipient. This is where HIPAA compliant email solutions like Paubox come in. Unlike consumer email services with add-on encryption, Paubox encrypts by default, requires no additional steps from users, works with any email recipient, and maintains audit trails for compliance documentation.
The fact sheet outlines that organizations must implement policies and procedures to ensure workforce members have appropriate authorization and access to ePHI based on their roles.
Role-based access controls allow staff members to only access the PHI necessary for their job functions. The Security Rule requires that access to ePHI be authorized only when such access is appropriate for the user or recipient's role, consistent with the Privacy Rule's minimum necessary standard. Not every employee needs access to all patient communications.
Session management and automatic logouts prevent unauthorized access when users step away from workstations. In healthcare environments, employees routinely move between examination rooms, nursing stations, and other locations, so unattended sessions are common.
Account monitoring and anomaly detection help identify potential security incidents before they get worse. Unusual login patterns, access from unexpected locations, or sudden changes in email behavior can indicate compromised accounts.
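One way to turn those signals into alerts is a small rule set run over mailbox audit events. This is an added example, not code from the original article or from Paubox; the event lines, user names and the per-user baseline of usual sign-in countries are constructed. It flags off-hours sign-ins, sign-ins from a country outside the user's baseline, an outbound message count far above the user's previous high, and a new forwarding rule pointing outside the organization.

```python
from datetime import datetime

# Constructed sample mailbox audit events: "<timestamp> <user> <event> key=value ...".
SAMPLE_EVENTS = """\
2025-06-02T08:05:00 jlee login country=US ip=198.51.100.7
2025-06-02T08:07:00 jlee send count=4
2025-06-02T12:40:00 jlee login country=US ip=198.51.100.7
2025-06-02T12:41:00 jlee send count=6
2025-06-03T03:12:00 jlee login country=RO ip=203.0.113.44
2025-06-03T03:14:00 jlee forward_rule target=external
2025-06-03T03:15:00 jlee send count=120
2025-06-03T09:00:00 mpatel login country=US ip=198.51.100.9
2025-06-03T09:02:00 mpatel send count=3
""".splitlines()

# Hypothetical per-user baseline: countries each user normally signs in from.
BASELINE_COUNTRIES = {"jlee": {"US"}, "mpatel": {"US"}}


def parse_event(line: str) -> dict:
    """Split one audit line into timestamp, user, event name and key=value fields."""
    ts, user, event, *rest = line.split()
    fields = dict(kv.split("=", 1) for kv in rest if "=" in kv)
    return {"ts": datetime.fromisoformat(ts), "user": user, "event": event, **fields}


def detect_anomalies(lines, baseline, business_hours=(7, 19), spike_factor=5):
    """Return (timestamp, user, alert) tuples for events that break a user's normal pattern."""
    alerts = []
    max_sent = {}  # rolling per-user high-water mark of messages sent in one batch
    for ev in map(parse_event, lines):
        user, stamp = ev["user"], ev["ts"].isoformat()
        if ev["event"] == "login":
            if not business_hours[0] <= ev["ts"].hour < business_hours[1]:
                alerts.append((stamp, user, "off_hours_login"))
            if ev["country"] not in baseline.get(user, set()):
                alerts.append((stamp, user, f"new_country:{ev['country']}"))
        elif ev["event"] == "send":
            count = int(ev["count"])
            # Only compare against history; the first batch just seeds the baseline.
            if user in max_sent and count > spike_factor * max_sent[user]:
                alerts.append((stamp, user, f"send_spike:{count}"))
            max_sent[user] = max(max_sent.get(user, 0), count)
        elif ev["event"] == "forward_rule" and ev.get("target") == "external":
            alerts.append((stamp, user, "external_forwarding_rule"))
    return alerts
```

In the constructed data, jlee's account produces four alerts in three minutes while mpatel's produces none, which is the pattern a reviewer would escalate rather than treat as a single false positive.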
Written policies provide procedures for email use. The fact sheet notes that regulated entities must adopt reasonable and appropriate policies and procedures, maintain documentation for at least six years, and make these policies available to those responsible for implementation. Your policies should address:
Regular, role-specific training helps staff understand both the "what" and the "why" of HIPAA compliant email practices. As noted in Health Insurance Portability and Accountability Act (HIPAA) Compliance, annual HIPAA training is mandatory for all employees, with training levels corresponding to employee responsibilities. The fact sheet states that organizations should train all workforce members on security policies and procedures, and apply appropriate sanctions against those who violate them. As Bodipudi notes, "comprehensive training programs are essential to help users understand the importance of security measures."
Effective programs include:
This is false. HIPAA regulations apply to all forms of communication that involve the transmission of PHI, whether through email, phone calls, text messages, or any other medium. The fact sheet confirms that the Security Rule specifically protects electronic protected health information (ePHI), which includes email communications containing PHI. All covered entities and business associates must comply with HIPAA requirements when using email to transmit protected information.
While encryption is highly recommended and represents best practice for secure email communication, HIPAA doesn't explicitly mandate encryption for all emails containing PHI. However, the Security Rule does require covered entities to implement security measures to protect PHI during transmission. The fact sheet states that organizations must implement technical security measures to guard against unauthorized access to ePHI that is being transmitted over an electronic network.
Considering the risks of unencrypted email, encryption has become the standard for healthcare email security.
HIPAA does not just cover doctors and hospitals. The fact sheet confirms that the Security Rule applies to all covered entities. Any organization or entity that handles PHI in the United States must comply with HIPAA regulations, which includes vendors, consultants, IT service providers, and others who have access to PHI.
Many organizations mistakenly believe standard consumer email services like personal Gmail or Outlook.com accounts become HIPAA compliant if they enable available security features. This is incorrect. Consumer email services:
Some organizations use patient portals for all electronic communication, believing this satisfies HIPAA requirements while avoiding email risks. While portals can work, requiring patients to log into a portal for every communication creates barriers that reduce engagement. Modern HIPAA compliant email solutions enable direct, encrypted email communication that arrives in patient inboxes normally, improving accessibility while maintaining security.
The HHS Office for Civil Rights (OCR) enforces the HIPAA Privacy, Security, and Breach Notification Rules. According to the fact sheet, violations may result in civil monetary penalties, and in some cases, U.S. Department of Justice-enforced criminal penalties may apply.
The fact sheet identifies common violations that organizations should note:
The fact sheet outlines requirements under the Breach Notification Rule that directly impact email security practices. Organizations must notify affected patients, HHS, and in some cases the media when a breach involves PHI. A breach occurs when PHI is used or shared in ways not permitted under the HIPAA Privacy Rule, putting the privacy or security of the information at risk.
Any unauthorized use or disclosure of PHI is considered a breach unless there's a low probability the PHI has been compromised, based on a risk assessment considering:
Organizations must notify authorities of most breaches without unreasonable delay and no later than 60 days after discovering the breach. The fact sheet notes that smaller breaches affecting fewer than 500 patients must be submitted to HHS annually. Additionally, business associates must notify covered entities of breaches at or by the business associate.
Before implementing or upgrading email security solutions, conduct an assessment of your current state. The fact sheet states that when selecting security measures, organizations must consider their size, complexity, capabilities, technical infrastructure, the cost of security measures, and the likelihood and potential impact of risks to ePHI.
Map all email communication flows involving PHI:
Identify gaps in current security measures:
Understand your organization's unique risks:
Not all healthcare organizations need the same email security approach. A small primary care practice has different needs than a large healthcare system, an academic medical center, or a specialty practice handling sensitive conditions.
When evaluating HIPAA compliant email solutions, look beyond feature checklists to understand how solutions actually work in practice.
Core capabilities should include:
Equally important are operational considerations:
For healthcare organizations specifically, look for:
Secure Email Gateway (SEG) approaches that process email before it reaches your system provide the strongest protection against inbound threats, preventing malicious content from entering your environment. This architecture offers clear advantages over Integrated Cloud Email Security (ICES) approaches that rely on API access to scan emails after delivery to your inbox. SEGs:
Phase implementation thoughtfully.
Customize configurations to your organization. Take time to:
Plan for ongoing management. The fact sheet notes that organizations must regularly review and modify security measures and periodically evaluate their effectiveness to ensure continued protection. Establish:
Integrate with broader security programs. Email security should complement your organization's overall security:
Yes, patients may request unencrypted email, but providers must document the request and inform the patient of the associated security risks.
HIPAA applies to both internal and external emails if they contain PHI, although risk mitigation strategies may differ.
Emails used to support telehealth services must meet the same HIPAA security standards as other electronic PHI transmissions.
Yes, both are electronic communications involving ePHI and must meet HIPAA Security Rule safeguards.
Organizations must still perform a risk assessment to determine whether the incident qualifies as a reportable breach.