How school-based healthcare providers can use HIPAA compliant email
Tshedimoso Makhene
May 24, 2025

School-based healthcare providers, such as nurses, counselors, and therapists, often handle sensitive student health information that falls under the Health Insurance Portability and Accountability Act (HIPAA) or FERPA (Family Educational Rights and Privacy Act), depending on the institution's structure. When HIPAA applies, it's essential that any email communication containing protected health information (PHI) is HIPAA compliant.
HIPAA in the school setting
The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal law enacted in 1996 to protect the privacy and security of individuals’ health information. While HIPAA applies broadly to healthcare settings, its role in schools is more limited and often confused with the Family Educational Rights and Privacy Act (FERPA), which governs student education records.
When does HIPAA apply in schools?
HIPAA generally does not apply to schools because most student health records are considered education records under FERPA, not protected health information (PHI) under HIPAA. However, there are exceptions.
“The U.S. Department of Education and the Office for Civil Rights at the U.S. Department of Health and Human Services released updated joint guidance in December 2019 addressing the application of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to records maintained on students,” writes the U.S. Department of Health and Human Services (HHS). Under that guidance, HIPAA applies to schools if:
- The school is not subject to FERPA (e.g., private schools that don’t receive federal funding).
- The school operates a healthcare component that conducts standard electronic transactions, such as billing Medicaid.
- Health services are provided by outside healthcare providers (e.g., school-based health clinics run by hospitals or health departments) who are HIPAA-covered entities.
Examples:
- School nurse documenting a student's visit: FERPA applies if the nurse is employed by the school and the records are maintained by the school.
- Community clinic on campus treating students: HIPAA applies if the clinic is not part of the school and is a covered entity.
- Billing Medicaid for special education services: If a school bills Medicaid electronically, HIPAA may apply to those transactions.
See also: How FERPA and HIPAA work together to protect student data
Why email security matters
Healthcare email breaches are common, and the consequences can be severe. According to Managed Healthcare Executive, in 2024, 180 healthcare organizations reported email-related breaches to the U.S. Department of Health and Human Services. Notably, Microsoft 365 was the most frequently compromised platform, accounting for 43.3% of these breaches. The financial impact of healthcare data breaches is substantial: according to IBM's Cost of a Data Breach Report, the average cost of a healthcare data breach is $9.77 million, the highest across all industries. Beyond financial costs, breaches can disrupt patient care. A Vanderbilt University study, Data breach remediation efforts and their implications for hospital quality, found that as many as 2,100 patients die each year because of security breaches, as patient care is disrupted by compromised systems.
Unauthorized access to emails containing PHI can lead to:
- Financial penalties (ranging from thousands to millions of dollars)
- Damage to a school’s reputation
- Loss of trust among parents and students
- Legal action and investigation
This shows that using HIPAA compliant email is not only a best practice but often a requirement.
Using HIPAA compliant email as a school-based healthcare provider
Use a HIPAA compliant email service provider
The first step is selecting an email service provider that offers built-in HIPAA compliance features, like Paubox. Around that choice, a compliant email practice requires the healthcare provider to:
- Sign a business associate agreement (BAA): A legal contract required by HIPAA between the healthcare provider and the email vendor.
- Encrypt all emails containing PHI: Encryption ensures that even if an email is intercepted, its contents remain unreadable to unauthorized users. Use platforms that offer automatic encryption for messages both in transit and at rest.
- Train staff on email best practices: Educate all personnel on identifying PHI, avoiding unsecured personal accounts, verifying recipients, using neutral subject lines, and recognizing phishing attempts. Training should be regular and documented.
- Obtain proper consent from parents or guardians: Before using email to share PHI, inform parents or guardians of potential risks and obtain written consent. This is especially critical when sending messages without encryption.
- Limit the information shared: Follow the minimum necessary standard by only including essential details in emails. Avoid full names or sensitive identifiers in subject lines, and use student ID numbers or initials when appropriate.
Read more: Top 12 HIPAA compliant email services
Encrypt all emails containing PHI
Encryption ensures that even if an email is intercepted, its contents cannot be read by unauthorized users.
There are two common types of encryption:
- Symmetric encryption
  - Definition: Uses the same key for both encryption and decryption.
  - Examples: Advanced Encryption Standard (AES), Data Encryption Standard (DES; now withdrawn and not suitable for new systems).
  - Use cases: Encrypting files, secure data storage, and fast data transmission within trusted systems.
  - Pros: Fast and efficient.
  - Cons: Key distribution can be challenging; both sender and receiver must securely share the same key.
- Asymmetric encryption
  - Definition: Uses a pair of keys: a public key for encryption and a private key for decryption.
  - Examples: RSA, ECC (Elliptic Curve Cryptography).
  - Use cases: Secure communication over untrusted networks (e.g., SSL/TLS, digital signatures, email encryption).
  - Pros: Secure key distribution; no need to share the private key.
  - Cons: Slower and more computationally intensive than symmetric encryption.
Platforms like Paubox automatically encrypt emails without requiring the recipient to use a special portal or password. This makes it easier for parents and students to access communications while still protecting their data.
Train staff on email best practices
Even with the right tools, human error remains a top cause of HIPAA violations. In fact, according to InfoSec, “74% of incidents include some human element, such as clicking on a phishing link.”
Regular training can ensure that all staff members understand how to:
- Identify PHI and when it’s appropriate to send via email
- Avoid sending PHI through personal or non-secure email accounts
- Double-check email addresses before sending messages
- Use clear, professional language without over-disclosing personal information
- Report potential breaches or mistakes immediately
Training should be documented and repeated annually or when significant system changes occur.
Obtain proper consent from parents or guardians
Under HIPAA, healthcare providers are permitted to communicate with patients via unencrypted email, provided certain conditions are met. Specifically, the U.S. Department of Health and Human Services (HHS) states: "The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so."
This means that if a patient (or their personal representative, such as a parent for a minor) requests unencrypted email communication and is informed of the potential risks, such as unauthorized access, they can consent to receive their health information in this manner. Healthcare providers should document the patient's consent and the discussion of risks to ensure compliance with HIPAA regulations. It’s best practice for schools to:
- Explain the risks of email communication (especially if encryption is not used)
- Offer alternative communication options
- Have parents or guardians sign a communication consent form
This is especially important when discussing diagnoses, treatment plans, or sensitive information that could affect a student’s privacy or mental health.
Limit the information you send
Even when emails are encrypted, providers should follow the minimum necessary standard under HIPAA. This means only sharing the information required to achieve the intended purpose.
Tips for limiting PHI in email communication:
- Avoid full names and identifiers in subject lines
- Refer to students using initials, ID numbers, or case codes when possible
- Don’t attach documents unless necessary—and ensure they are password protected or encrypted
- Summarize only what’s needed and direct parents to call or visit for detailed discussions
Example:
- Don’t: Subject: John Smith’s ADHD medication refill
- Do: Subject: Medication refill request – Student ID 12345
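The subject-line rule can be checked automatically before a message leaves the system. The Go program below is an added example written for this article (not from the original or any Paubox product): it flags subjects that appear to carry a full name, a date of birth, or a diagnosis term, using constructed, illustrative patterns that a school would tune to its own vocabulary.

```go
package main

import (
	"fmt"
	"regexp"
)

// Finding is one reason a subject line should be reviewed before sending.
type Finding struct{ Rule, Match string }

// Constructed, illustrative patterns; a real deployment would keep its own tuned lists.
var (
	// Two Title-Case words, optionally possessive ("John Smith's"): heuristic for a full name.
	fullName = regexp.MustCompile(`\b[A-Z][a-z]+ [A-Z][a-z]+(?:['’]s)?\b`)
	// Calendar dates such as 03/14/2012 or 2012-03-14, and explicit "DOB" mentions.
	dateOrDOB = regexp.MustCompile(`(?i)\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2}|DOB)\b`)
	// Condition words that disclose a diagnosis on their own.
	diagnosis = regexp.MustCompile(`(?i)\b(?:ADHD|asthma|diabetes|anxiety|depression|epilepsy|autism)\b`)
)

// CheckSubject applies the minimum-necessary rule to a subject line and returns
// every match; an empty result means nothing in the subject needs review.
func CheckSubject(subject string) []Finding {
	var out []Finding
	for _, m := range fullName.FindAllString(subject, -1) {
		out = append(out, Finding{"possible full name", m})
	}
	for _, m := range dateOrDOB.FindAllString(subject, -1) {
		out = append(out, Finding{"date of birth or calendar date", m})
	}
	for _, m := range diagnosis.FindAllString(subject, -1) {
		out = append(out, Finding{"diagnosis disclosed", m})
	}
	return out
}

func main() {
	for _, s := range []string{
		"John Smith's ADHD medication refill",          // the article's "Don't" subject
		"Medication refill request - Student ID 12345", // the article's "Do" subject
	} {
		findings := CheckSubject(s)
		fmt.Printf("%q -> %d finding(s)\n", s, len(findings))
		for _, f := range findings {
			fmt.Printf("  %s: %q\n", f.Rule, f.Match)
		}
	}
}
```

The name heuristic will also flag harmless Title-Case pairs, so the findings are meant to prompt a review or a rewrite, not to block mail outright.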
Read also: Writing a HIPAA compliant subject line
Maintain and monitor email activity
Under the HIPAA Security Rule’s Technical Safeguards, “A regulated entity must implement hardware, software, and/or procedural mechanisms to record and examine activity in information systems that contain or use ePHI.”
Your email system should be able to:
- Track when and by whom messages were sent and opened
- Detect unauthorized access or login attempts
- Retain logs for compliance audits
- Send alerts for suspicious activity
These records must be securely stored and readily available during audits or investigations.
Regularly review and update policies
Your school’s HIPAA compliance plan should include:
- Email usage policies
- Staff training documentation
- Communication consent forms
- Breach notification protocols
- Data backup and recovery plans
Review these policies annually or whenever your email system or communication procedures change.
See also: Why HIPAA compliant email should be used for student health services
FAQs
What’s the difference between HIPAA and FERPA?
- HIPAA governs medical records and communication by healthcare providers.
- FERPA protects student education records, including health records kept by schools for educational purposes.
If a school employs healthcare staff who bill insurance or provide clinical services, HIPAA may apply to those records and communications.
What should I avoid including in an email?
Avoid including:
- Full names and dates of birth in subject lines
- Medical diagnoses or treatment plans without encryption
- Sensitive attachments unless securely encrypted or password-protected
- PHI unless it is absolutely necessary