How small clinics can achieve email security compliance despite expenses
Kirsten Peremore
September 10, 2025
Generic email platforms, like basic versions of Google Workspace or Microsoft 365, do not fully address the encryption requirements mandated by the latest HIPAA Security Rule updates. A 2025 Paubox report reveals that nearly all small practices (98%) believe their platform “encrypts emails by default”, most relying on tools like Microsoft 365 or Google Workspace, but “these tools often fall short on enforcement and visibility.” In practice, “such encryptions may drop if the recipient’s server doesn’t support modern protocols, without any alert to the sender.”
The combination of HIPAA compliant email software, along with the support of Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs), provides a practical and effective pathway for small clinics to meet these requirements. The report states: “Confidence without clarity is what gets organizations breached. We don’t just need encryption, we need evidence.”
The recent regulatory changes
The U.S. Department of Health and Human Services (HHS) decided that sweeping updates to the HIPAA Security Rule were overdue, the first major overhaul since 2013. The HHS fact sheet explaining the changes, published on December 27, 2024, notes that HHS “issued a Notice of Proposed Rulemaking (NPRM) to modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule to strengthen cybersecurity protections for electronic protected health information (ePHI).”
One of the biggest shifts is transforming what were once addressable or flexible security measures into mandatory requirements. The fact sheet states that the NPRM would “remove the distinction between ‘required’ and ‘addressable’ implementation specifications and make all implementation specifications required with specific, limited exceptions.” This means healthcare providers and their business associates no longer have the option to pick and choose which safeguards to implement.
For example, encryption, which was previously recommended as a flexible safeguard, is now becoming non-negotiable. The NPRM proposes to “require encryption of ePHI at rest and in transit, with limited exceptions,” using standards such as AES-256 for stored data and TLS 1.2 or higher for data moving across networks. This move aims squarely at closing the gaps where attackers previously found easy targets, such as unencrypted emails or files exposed during transfer.
Risk management is no longer about ticking boxes once a year; it’s becoming a continuous, ongoing process. The NPRM would require a “technology asset inventory and a network map that illustrates the movement of ePHI … on an ongoing basis, but at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI.” This approach helps identify emerging vulnerabilities and ensure that remediation efforts keep pace with changing threats.
Building on prevention, healthcare providers must also have mature incident response plans in place. These plans aren’t simply paper exercises; they must be regularly tested and capable of rapid deployment to limit exposure and downtime during an attack. New guidance encourages frameworks that aim to restore affected systems within 72 hours.
The changes to email standards
The backdrop to these regulatory changes is the vulnerability of healthcare data exchanges, particularly over email. Data breaches in healthcare have been driven by a combination of human error, technical misconfigurations, and increasingly sophisticated cyber-attacks such as phishing and ransomware.
A Healthcare Journal study analyzing breaches between 2015 and 2020 found that approximately 73% of affected records resulted from inadvertent actions, such as carelessness or negligence, while about 27% involved malicious attacks, including phishing scams and cyber intrusions. The updated rule introduces:
- All emails containing PHI must be encrypted both in transit and at rest.
- Encryption must follow recognized standards such as TLS 1.2+ and AES-256 to safeguard email content.
- Healthcare organizations must perform regular risk assessments focused specifically on their email systems and workflows.
- Detailed audit trails and logging of email activities are mandatory to support breach investigations and compliance audits.
- Incident response plans must include procedures for email-related security events, with timely breach notifications in line with HIPAA rules.
- Workforce training programs are required to educate staff on secure email usage and phishing threat recognition.
- Business associate agreements (BAAs) must be in place with any third-party email service providers handling PHI on behalf of the clinic.
- Email archiving for compliance visibility and retention is encouraged to support data access requests and investigations.
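The silent fallback the report describes (encryption that “may drop if the recipient’s server doesn’t support modern protocols, without any alert to the sender”), the TLS 1.2 floor, and the audit-trail requirement above can be turned into one enforceable policy on the sending side. The script below is an added example written for this article; it is not Paubox's, Google's, Microsoft's or any MSP's code. It decides, from the recipient server's EHLO capabilities and the TLS version actually negotiated, whether a message may leave the clinic, writes an audit line either way, and shows the same policy applied to a live smtplib session. The domain names, EHLO keyword sets and TLS versions in the demo are constructed, and the live delivery path assumes an SMTP host and port supplied by the caller.

```python
"""Enforced STARTTLS policy for outbound clinic email (added example).

Illustrative code written for this article, not any vendor's product code.
It models the failure mode the article describes: a platform that negotiates
TLS opportunistically delivers in cleartext, or over an outdated TLS version,
when the recipient's server lacks modern protocol support.  The policy here is
"TLS 1.2 or higher, or do not send", and every decision yields an audit line.
"""
import smtplib
import ssl
from dataclasses import dataclass
from datetime import datetime, timezone

MIN_TLS = ssl.TLSVersion.TLSv1_2

# Rank of protocol names as returned by ssl.SSLSocket.version().
_TLS_RANK = {"TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}


def strict_tls_context() -> ssl.SSLContext:
    """Context that verifies the recipient's certificate and refuses < TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname checking
    ctx.minimum_version = MIN_TLS
    return ctx


@dataclass(frozen=True)
class DeliveryDecision:
    recipient_domain: str
    send: bool
    reason: str


def evaluate_delivery(recipient_domain: str, ehlo_extensions, negotiated_version) -> DeliveryDecision:
    """Decide whether a message may leave the clinic.

    ehlo_extensions:    keywords from the recipient's EHLO reply, e.g. {"STARTTLS", "8BITMIME"}
    negotiated_version: string from ssl.SSLSocket.version() after STARTTLS, or None
                        when no TLS session was established.
    """
    caps = {ext.upper() for ext in ehlo_extensions}
    if "STARTTLS" not in caps:
        return DeliveryDecision(recipient_domain, False,
                                "recipient does not advertise STARTTLS; refusing cleartext delivery")
    if negotiated_version is None:
        return DeliveryDecision(recipient_domain, False,
                                "STARTTLS advertised but TLS handshake did not complete")
    if _TLS_RANK.get(negotiated_version, 0) < _TLS_RANK["TLSv1.2"]:
        return DeliveryDecision(recipient_domain, False,
                                f"negotiated {negotiated_version} is below the TLS 1.2 floor")
    return DeliveryDecision(recipient_domain, True, f"negotiated {negotiated_version}")


def audit_line(decision: DeliveryDecision, when=None) -> str:
    """One log line per delivery decision, sent or refused, for the audit trail."""
    ts = (when or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    outcome = "sent" if decision.send else "refused"
    return (f"{ts} outbound_email_tls recipient_domain={decision.recipient_domain} "
            f'outcome={outcome} reason="{decision.reason}"')


def send_with_enforced_tls(host: str, port: int, message: str, sender: str, recipient: str) -> DeliveryDecision:
    """Live delivery path (not exercised offline): the same policy applied with smtplib.

    Unlike opportunistic STARTTLS, this never falls back to cleartext, and the
    strict context makes the handshake fail for versions below MIN_TLS.
    """
    domain = recipient.rsplit("@", 1)[-1]
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return evaluate_delivery(domain, set(smtp.esmtp_features), None)
        smtp.starttls(context=strict_tls_context())  # raises ssl.SSLError below MIN_TLS
        smtp.ehlo()  # re-identify after the TLS upgrade, as RFC 3207 requires
        version = smtp.sock.version()  # sock is now an SSLSocket
        decision = evaluate_delivery(domain, set(smtp.esmtp_features) | {"STARTTLS"}, version)
        if decision.send:
            smtp.sendmail(sender, recipient, message)
        return decision


if __name__ == "__main__":
    # Constructed EHLO replies and TLS versions; not captured from real servers.
    samples = [
        ("modern-hospital.example", {"STARTTLS", "8BITMIME", "SIZE"}, "TLSv1.3"),
        ("legacy-lab.example", {"STARTTLS", "8BITMIME"}, "TLSv1"),
        ("no-tls-pharmacy.example", {"8BITMIME", "SIZE"}, None),
    ]
    for domain, caps, version in samples:
        print(audit_line(evaluate_delivery(domain, caps, version)))
```

The point of the design is that the refusal cases (no STARTTLS advertised, handshake failed, version below the floor) are reported to the sender and logged, rather than degraded silently. The audit lines give an MSP or MSSP something concrete to monitor: a rising count of `outcome=refused` for one partner domain is the evidence the report asks for, and the cue to move that exchange to a HIPAA compliant email channel instead of plain SMTP.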
Why small clinics face challenges in meeting the cost
The financial burden associated with achieving and maintaining compliance with updated standards is often disproportionate to the resources available to these clinics. One major factor is the initial capital investment required for adopting purpose-built, HIPAA compliant email technologies. An economic analysis published in BMC Health Services Research on email-based telemedicine services revealed fixed costs alone could reach $30,000 upfront, along with recurring annual hosting fees of around $5,000. These expenses can be a steep barrier for smaller practices operating on tight budgets.
Beyond hardware and software acquisition, ongoing staffing costs represent a substantial and continuous financial commitment. Clinical, supervisory, and administrative labor needed to manage secure email communications effectively contributes heavily to annual operating expenses. Administrative roles, in particular, may require additional time allocated to managing email workflows, security protocols, and compliance documentation, which can lead to increased payroll costs in already resource-strapped clinics.
The solutions
HIPAA compliant email
Besides lowering upfront costs, HIPAA compliant email software simplifies compliance by automating security controls such as encryption, access management, secure authentication, and audit logging. Clinics avoid the need for extensive internal technical expertise, which is often scarce in smaller settings, by relying on providers who ensure the software stays updated with evolving standards and safeguards against emerging threats.
MSSPs and MSPs
MSPs and MSSPs offer specialized, ongoing expertise in managing secure email environments, which small clinics can rarely afford in-house. MSPs handle areas such as system setup, patch management, user access controls, and monitoring email workflows to ensure continuous compliance. MSSPs enhance security posture by providing real-time threat detection, incident response capabilities, and vulnerability assessments tailored to healthcare’s specific risks.
FAQs
What is the HIPAA Security Rule NPRM 2025?
It is a proposed update by the HHS to strengthen cybersecurity protections for ePHI and modernize requirements to address current and emerging cyber threats.
Why is the HIPAA Security Rule being updated?
The update addresses the increasing frequency and sophistication of cyberattacks on healthcare organizations, aiming to improve data security, safeguard patient information, and align HIPAA with modern cybersecurity standards.
What is the purpose of the required incident response and disaster recovery plans?
These plans aim to ensure healthcare organizations can detect, report, respond to, and recover from cybersecurity incidents efficiently, minimizing harm to patient data and ensuring continuity of care.