While the Health Insurance Portability and Accountability Act (HIPAA) establishes the federal baseline for protecting protected health information (PHI) transmitted via email, it is not the only law that governs healthcare communications. Healthcare organizations that use email to communicate with patients, providers, insurers, or business associates must also comply with applicable state privacy and security laws. In many cases, these laws impose requirements that are more stringent than HIPAA, creating additional compliance obligations for organizations that rely on email to exchange sensitive information.

As a result, healthcare providers cannot assume that HIPAA compliance alone is sufficient. Organizations must understand and adhere to both federal and state requirements to ensure that electronic communications remain secure, compliant, and protective of patient privacy.

HIPAA vs state laws in email communication

Over the years, email has become one of the most widely used communication tools in modern healthcare. According to Stephen Ginn, in the article Email in healthcare: pros, cons and efficient use, “Email is a tool for communication that facilitates delivery of messages and information between individuals and organisations. Email's origins can be traced back to the 1960s. Since then, sequential technological advances, such as the advent of webmail and smartphones, have facilitated its increasing use.”

As email adoption has grown, lawmakers and regulators have introduced legal frameworks to govern its use, particularly in industries that handle sensitive personal information. In healthcare, where patient confidentiality and data security are paramount, these regulations help protect electronic protected health information (ePHI).

HIPAA remains the primary federal law governing healthcare communications and establishes standards for safeguarding PHI during transmission. However, healthcare organizations must also comply with state privacy and security laws that may impose additional requirements. Depending on the state, these laws can affect how providers obtain patient consent for electronic communications, transmit PHI via email, implement encryption and other security safeguards, retain records, and respond to data breaches.

Since state requirements can exceed HIPAA standards, healthcare organizations should regularly review the laws of every state in which they operate or serve patients. A comprehensive compliance strategy should address both federal and state obligations to reduce legal risk and strengthen the protection of patient information.

Laws governing communication in healthcare

The following laws play a significant role in regulating communication within the healthcare industry:

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA is the primary federal law governing healthcare communications involving protected health information. The law permits healthcare providers to communicate PHI for treatment, payment, and healthcare operations while requiring safeguards to protect patient privacy.

According to the US Department of Health and Human Services (HHS), “The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so.” This means that healthcare organizations must implement reasonable safeguards when sending emails that contain PHI and must ensure that communications are limited to authorized recipients. HIPAA also grants patients the right to request communications through alternative means or at alternative locations, such as receiving information via email instead of postal mail.

See also: HIPAA Compliant Email: The Definitive Guide (2026 Update)

Health Information Technology for Economic and Clinical Health (HITECH) Act

The HITECH Act builds upon and strengthens key provisions of HIPAA, particularly those relating to the privacy and security of ePHI, in response to the increasing reliance on digital systems for the storage and transmission of health data.

The HITECH Act expanded the use of electronic health records and encouraged the electronic exchange of health information. As healthcare organizations increasingly relied on digital communication tools, the Act strengthened requirements for protecting ePHI.

Read also: How the HITECH Act changed secure email communication in healthcare

CAN-SPAM Act

The CAN-SPAM Act regulates commercial email communications, including marketing emails sent by healthcare organizations. While transactional emails, such as appointment reminders and billing notifications, are generally exempt, promotional emails must comply with the Act's requirements. According to the Federal Trade Commission (FTC), the CAN-SPAM Act "establishes requirements for commercial messages, gives recipients the right to have you stop emailing them, and spells out tough penalties for violations." To comply, organizations must use accurate sender information, avoid misleading subject lines, include a valid physical address, provide a clear opt-out mechanism, and promptly honor unsubscribe requests.

See also: What is the CAN-SPAM Act and how does it impact healthcare email?

42 CFR Part 2

42 CFR Part 2 regulates communications involving records related to substance use disorder treatment. Compared to HIPAA, this regulation places stricter limitations on when patient information may be disclosed. Healthcare organizations subject to Part 2 must exercise additional caution when communicating information via email or other channels, often requiring patient consent before sharing treatment-related information with third parties.

California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) grants California residents greater control over their personal information. Although most PHI maintained by HIPAA-covered entities is exempt from the CCPA, the law applies to certain communications involving consumer health data that falls outside HIPAA's scope. Healthcare organizations subject to the CCPA must provide clear privacy notices, respond to consumer requests regarding their personal information, and ensure that communications about data collection and use are transparent.

California Confidentiality of Medical Information Act (CMIA)

The California Confidentiality of Medical Information Act (CMIA) complements HIPAA by imposing strict requirements on the disclosure of medical information. The law regulates when healthcare providers and other covered entities may communicate a patient's medical information and generally requires patient authorization before disclosures that are not otherwise permitted by law. Organizations communicating with California patients via email must ensure that medical information is disclosed only to authorized recipients.

Washington My Health My Data Act

The Washington My Health My Data Act regulates the collection, sharing, and disclosure of consumer health data, including information that is not protected by HIPAA. The law requires regulated entities to obtain consumer consent before sharing certain health data and to provide clear privacy disclosures. Healthcare organizations communicating with Washington residents must ensure that electronic communications involving consumer health data comply with these consent and disclosure requirements.

How federal and state laws work together to secure healthcare email communications

Although HIPAA, the HITECH Act, the CAN-SPAM Act, and various state privacy laws each serve different purposes, they collectively create a legal framework that enables healthcare organizations to communicate electronically while protecting patient information. Rather than viewing these laws as separate compliance requirements, organizations should treat them as complementary regulations that support secure, transparent, and patient-centered communication.

FAQs

Why is understanding multiple healthcare communication laws important?

No single law governs all aspects of healthcare communication. Understanding how HIPAA, the HITECH Act, the CAN-SPAM Act, and state privacy laws work together helps healthcare organizations protect patient information, maintain compliance, and communicate more effectively with patients and other stakeholders.

What happens if federal and state laws conflict?

In general, healthcare organizations must comply with the law that provides greater privacy protection or gives patients additional rights. This often means following state law when it is more stringent than HIPAA.