School-based healthcare providers, such as nurses, counselors, and therapists, often handle sensitive student health information that falls under the Health Insurance Portability and Accountability Act (HIPAA) or FERPA (Family Educational Rights and Privacy Act), depending on the institution's structure. When HIPAA applies, it's essential that any email communication containing protected health information (PHI) is HIPAA compliant.
The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal law enacted in 1996 to protect the privacy and security of individuals’ health information. While HIPAA applies broadly to healthcare settings, its role in schools is more limited and often confused with the Family Educational Rights and Privacy Act (FERPA), which governs student education records.
HIPAA generally does not apply to schools because most student health records are considered education records under FERPA, not protected health information (PHI) under HIPAA. However, there are exceptions.
“The U.S. Department of Education and the Office for Civil Rights at the U.S. Department of Health and Human Services released updated joint guidance in December 2019 addressing the application of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to records maintained on students,” writes the U.S. Department of Health and Human Services (HHS). Under the new guidance, HIPAA applies to schools if:
See also: How FERPA and HIPAA work together to protect student data
Healthcare email breaches are common, and the consequences can be severe. According to Managed Healthcare Executive, in 2024, 180 healthcare organizations reported email-related breaches to the U.S. Department of Health and Human Services. Notably, Microsoft 365 was the most frequently compromised platform, accounting for 43.3% of these breaches. The financial impact of healthcare data breaches is substantial. According to IBM's Cost of a Data Breach Report, the average cost of a healthcare data breach is $9.77 million, the highest across all industries. Beyond financial costs, breaches can disrupt patient care. A study by Vanderbilt University, titled Data breach remediation efforts and their implications for hospital quality, found that as many as 2,100 patients die each year because of security breaches, as patient care is disrupted by compromised systems.
Unauthorized access to emails containing PHI can lead to:
This demonstrates that using HIPAA compliant email is not only best practice, it’s often required.
The first step is selecting an email service provider that offers built-in HIPAA compliance features, like Paubox. These platforms should:
Read more: Top 12 HIPAA compliant email services
Encryption ensures that even if an email is intercepted, its contents cannot be read by unauthorized users.
There are two common types of encryption:
Platforms like Paubox automatically encrypt emails without requiring the recipient to use a special portal or password. This makes it easier for parents and students to access communications while still protecting their data.
Even with the right tools, human error remains a top cause of HIPAA violations. In fact, according to InfoSec, “74% of incidents include some human element, such as clicking on a phishing link.”
Regular training can ensure that all staff members understand how to:
Training should be documented and repeated annually or when significant system changes occur.
Under the Health Insurance Portability and Accountability Act (HIPAA), healthcare providers are permitted to communicate with patients via unencrypted email, provided certain conditions are met. Specifically, the U.S. Department of Health and Human Services (HHS) states: "The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so."
This means that if a patient (or their personal representative, such as a parent for a minor) requests unencrypted email communication and is informed of the potential risks, like unauthorized access, they can consent to receive their health information in this manner. Healthcare providers should document the patient's consent and the discussion of risks to ensure compliance with HIPAA regulations. It’s best practice for schools to:
This is especially important when discussing diagnoses, treatment plans, or sensitive information that could affect a student’s privacy or mental health.
Even when emails are encrypted, providers should follow the minimum necessary standard under HIPAA. This means only sharing the information required to achieve the intended purpose.
Tips for limiting PHI in email communication:
Read also: Writing a HIPAA compliant subject line
Under the HIPAA Security Rule’s Technical Safeguards, “A regulated entity must implement hardware, software, and/or procedural mechanisms to record and examine activity in information systems that contain or use ePHI.”
Your email system should be able to:
These records must be securely stored and readily available during audits or investigations.
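To show what "record and examine activity" looks like in practice, here is an added example (not Paubox's code, not from the article) that reviews mail-gateway audit records. The pipe-separated log format, the `phi` tag, the `school.example` domain and every sample line are constructed assumptions; a real gateway would use its own export format, but the two questions answered here are the ones an auditor or incident responder asks: which messages carrying PHI left the system without transport encryption or went to an outside domain, and who read a given PHI message.

```python
"""Review constructed email audit records for ePHI handling.

Added example; the log format below is an assumption, not any vendor's format.
Fields: timestamp | event | actor | recipient | tls | phi_tag | message_id
"""

INTERNAL_DOMAIN = "school.example"  # assumed school mail domain

# Constructed sample audit lines (not real data).
SAMPLE_LOG = """\
2025-03-03T08:15:02Z|send|nurse@school.example|parent@mail.example|tls1.3|phi|m-1001
2025-03-03T08:16:40Z|send|counselor@school.example|vendor@other.example|none|phi|m-1002
2025-03-03T08:20:11Z|read|nurse@school.example|-|tls1.3|phi|m-1001
2025-03-03T08:22:09Z|send|admin@school.example|staff@school.example|tls1.2|nophi|m-1003
2025-03-03T09:01:33Z|read|intern@school.example|-|tls1.3|phi|m-1001
"""


def parse_log(text):
    """Turn the pipe-separated audit text into a list of dicts, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, actor, recipient, tls, phi_tag, msg_id = line.split("|")
        records.append({
            "ts": ts, "event": event, "actor": actor, "recipient": recipient,
            "tls": tls, "phi": phi_tag == "phi", "msg_id": msg_id,
        })
    return records


def review_sends(records):
    """Flag PHI-tagged sends that need follow-up.

    Returns a sorted list of (finding, message_id) tuples:
      unencrypted_phi_send  - no TLS on the hop, so the content was exposed in transit
      external_phi_recipient - PHI left the school domain; check that consent/BAA exists
    """
    findings = set()
    for r in records:
        if not (r["phi"] and r["event"] == "send"):
            continue
        if r["tls"] == "none":
            findings.add(("unencrypted_phi_send", r["msg_id"]))
        if not r["recipient"].endswith("@" + INTERNAL_DOMAIN):
            findings.add(("external_phi_recipient", r["msg_id"]))
    return sorted(findings)


def access_report(records):
    """Map each PHI message id to the ordered list of accounts that read it.

    This is the record an investigator needs when asked who accessed a student's PHI.
    """
    readers = {}
    for r in records:
        if r["phi"] and r["event"] == "read":
            readers.setdefault(r["msg_id"], []).append(r["actor"])
    return readers


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for finding, msg_id in review_sends(recs):
        print(f"{finding}: {msg_id}")
    for msg_id, who in access_report(recs).items():
        print(f"{msg_id} read by: {', '.join(who)}")
```

The TLS field is the key check: a platform that encrypts every message in transit, as the article describes, should never produce an `unencrypted_phi_send` finding, while an `external_phi_recipient` entry is not itself a violation but the point where documented parent consent or a business associate agreement should exist. Keep the source records themselves, not only this summary, since the audit requirement is on the records.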
Your school’s HIPAA compliance plan should include:
Review these policies annually or whenever your email system or communication procedures change.
See also: Why HIPAA compliant email should be used for student health services
If a school employs healthcare staff who bill insurance or provide clinical services, HIPAA may apply to those records and communications.
Avoid including: