Skip to the main content.
Talk to sales Start for free
Talk to sales Start for free

4 min read

How to make email HIPAA compliant

How to make email HIPAA compliant

Many healthcare providers would love to include email communication into their regular workflows, but are concerned about securing patient information to comply with HIPAA requirements. One breach can mean huge fines that result in a loss of reputation or even the end of operations.

The good news for providers is sending HIPAA compliant email can be . It just requires planning and utilizing the right tools and processes.

Understanding how HIPAA compliance applies to email

The  HIPAA Privacy Rule created, for the first time, a set of national standards for the safeguard of certain health information. HIPAA allows Covered Entities to disclose PHI to a Business Associate if they receive assurances that the Business Associate use the information only in the scope of which it was engaged by the Covered Entity. The  HIPAA Security Rule was added to set out what safeguards must be in place to protect electronic protected health information ( ePHI), which is health information that is held or transferred in electronic form. In regards to email, this means that  covered entities are required to take reasonable steps to protect PHI from their computer and as it’s transmitted electronically, all the way to the recipient’s inbox. Once the email reaches the recipient,  the obligation of the sender ends and it becomes the recipient’s job to secure any PHI they have in their inbox. So the bottom line becomes you must protect emails with PHI on your server and while it's in transit to the recipient.


Making your email HIPAA compliant

In order to make sure your healthcare organization has HIPAA compliant email, processes and workflows need to be in place.  Keeping your staff properly trained on HIPAA compliance is key as well. This also includes establishing written policies and training on items such as:
  • Who can have access to PHI
  • Making sure there are proper access controls in place
  • When is it ok to send PHI and to who
  • Is there consent from the patient to receive PHI via email


But you also need the right technology to be sure those procedures can be made as efficient as possible. This is especially important to overcome human error, such as forgetting to press a button or type a password to encrypt an email. Human error accounts for the vast majority of email related HIPAA breaches and violations. Along with policies, there are a couple technical factors to consider in making sure your email is HIPAA compliant. The first factor is your email server.


Securing your emails "at-rest"

Any emails sitting on your server (like your inbox) is considered "at-rest" and must be secured. If you are using a third-party email server, like Google Workspace, Microsoft 365 or Microsoft Exchange, then be sure to also get a business associate agreement (BAA) with them. It's important to note here that popular consumer email services are NOT compliant:
  • Gmail. By far, one of the most popular email providers in the world, Gmail is not HIPAA compliant. But as we went through in a previous post, you can make Gmail HIPAA compliant with a few extra steps.
  • Yahoo. Another popular email provider, Yahoo is not compliant.
  • GoDaddy. A lot of people use GoDaddy’s hosting service and subsequently use GoDaddy’s Microsoft 365 product, but not all Microsoft 365 email is created equal.
  • Host Gator. Another popular web hosting provider that offers email hosting and is not HIPAA compliant.
  • Microsoft Outlook. Just like Gmail, people often confuse a consumer Outlook email account with a business one.

This is because consumer email platforms do not sign BAA and there is no guarantee that data stored on those consumer email servers are secure, even from the vendors themselves. Once you have a commercial email provider, if you only send email with PHI internally within your organization and it doesn't go beyond your server, then it is likely you're good to go and don't need anything further. This is provided your email server is behind a secure firewall. But what happens when email goes out.


Encryption to secure emails in transit

As email moves from one server to another it is considered "in transit." It must be secured every step of the way until it reaches the recipient's inbox. This process is typically handled with email encryption. But normal email is not always secure. This is because normal email was created with the priority on delivering messages, not email security. Even if your email provider does secure email with TLS encryption, that doesn’t mean your message will be delivered securely. That’s because if the recipient’s email provider doesn’t support TLS, your message is downgraded and delivered unencrypted in clear text. Google’s own data shows that only 87% of email sent with Gmail is encrypted. For HIPAA, 87% isn’t good enough. Only 100% encryption is acceptable. That's where having a third-party secure your email in transit becomes helpful.


How Paubox can help make email HIPAA compliant

Paubox helps insure that 100% of the emails you send are secure in transit all the way to your recipient's inbox. It's a seamless and stress-free experience. Unlike other providers, Paubox makes HIPAA compliant email behave like regular email for both senders and recipients. Paubox’s Encrypted Email allows users to write and send emails as normal from a laptop, desktop and mobile devices. Your recipients will be able to view messages and attachments without needing to enter extra passwords, download an app, or login to a portal. This greatly reduces the risk of accidentally sending PHI over email. It is a giant burden to have staff make a decision on whether to encrypt an email. It can be easy to forget to press an encrypt button or type a keyword before sending an email. Sometimes a use may not realize certain information is PHI as well.


Easy HIPAA related email communications means greater client satisfaction

For recipients, it can be a hassle to have to login to a portal or go through extra steps just to view a message. Especially when trying to view messages on a mobile device. Paubox also integrates with Google Workspace, Microsoft 365 and other commercial email providers, so you don’t have to change your email address. This ease of use doesn't come at the expense of security. Paubox has taken security and compliance to the next level by achieving  HITRUST CSF Certification for our products:
Our solutions meet the highest key regulatory requirements and industry-defined requirements and is appropriately managing risk. Our HITRUST CSF Certified status backs that up and we have a 4.9/5 rati o This achievement places Paubox in an elite group of organizations worldwide that have earned this certification. By including federal and state regulations, standards and frameworks, and incorporating a risk-based approach, the HITRUST CSF helps organizations address these challenges through a comprehensive and flexible framework of prescriptive and scalable security controls.
At this time we believe Paubox is the only HIPAA compliant email provider to have their solution achieve HITRUST CSF Certified status.

Subscribe to Paubox Weekly

Every Friday we'll bring you the most important news from Paubox. Our aim is to make you smarter, faster.