According to the HHS HIPAA Basics for Providers, "HIPAA establishes standards to protect people's medical records and other protected health information (PHI). These standards apply to the following covered entities and their business associates: health plans, health care clearinghouses, and health care providers that conduct certain health care transactions electronically."
Under HIPAA's Security Rule, organizations must protect the confidentiality, integrity, and availability of all electronic protected health information (ePHI). Email is a weak point in the transmission of ePHI because standard email platforms are not HIPAA compliant out of the box; they need additional safeguards, and a signed business associate agreement with the provider, to meet regulatory requirements.
According to Paubox's 2025 report What Small Healthcare Practices Get Wrong About HIPAA and Email Security, most small practices believe they're compliant when they're not. The Paubox report found that more than 80% of small practices expressed confidence in their current compliance posture, yet gaps exist in their actual security implementations.
Furthermore, the Paubox report reveals that 83% of small healthcare organizations believe that patient consent removes the need for encryption; this is a misunderstanding of HIPAA requirements. Additionally, 64% believe a patient portal is required for HIPAA compliance, when in fact HHS guidance confirms that HIPAA permits secure, direct email as a reasonable alternative.
Perhaps most concerning, the Paubox report found that 20% of small and midsize healthcare organizations don't utilize any form of email archiving or audit trail. This means one in five practices are unable to investigate incidents after they happen or demonstrate compliance during regulatory reviews.
According to a 2024 study by Herath, Gelman, Hastings, and Wang published in their paper Safeguarding Virtual Healthcare: A Novel Attacker-Centric Model for Data Security and Privacy, there was an increase in cyber-attacks during the 2019-2021 period, which the researchers attribute to the COVID-19 pandemic and increased use of digital infrastructure that made healthcare systems more vulnerable to breaches.
The research further reveals a gap in how healthcare organizations approach security. The study found that a portion of organizational responses focuses on informing individuals after a breach occurs, rather than implementing safeguards to prevent such breaches in the first place.
This reactive approach also extends to regulations. As the Dakota State University researchers note, most regulations have been instituted reactively in response to past failures or incidents rather than proactively anticipating potential future issues. This makes it critical for new practices to adopt proactive security measures from day one.
The Paubox report indicates that over 70% of healthcare data breaches originated from phishing attacks, and that 43% of small and midsize healthcare organizations experienced a phishing or spoofing incident in the past year. Attackers do not spare small organizations; in fact, small practices are attractive targets precisely because they often lack formal training programs, technical defenses, and dedicated security staff.
Additionally, the research identifies that blended attacks, which combine physical and cyber-attack strategies, represent emerging threats to healthcare systems. Ultimately, email security cannot exist in isolation but must be part of a broader security strategy.
In 2024, Watson Clinic faced a cyberattack. Hackers infiltrated the clinic's network on January 26, 2024, remaining undetected for 11 days before unusual network activity triggered an investigation. By the time the breach was discovered, attackers had accessed files containing sensitive patient information, including medical records and medically necessary pre- and post-operative images belonging to more than 280,000 patients. Some of this information was later leaked to the dark web.
In November 2025, Watson Clinic agreed to a $10 million settlement to resolve a resulting class action lawsuit, with affected patients receiving automatic cash payments of up to $75,000 if their sensitive medical images were found on the dark web. The settlement amount aligns closely with IBM's 2025 report showing that the average cost of a healthcare data breach has reached $11 million, the highest of any industry for the 14th consecutive year, as noted in the Paubox report.
According to the Paubox report, healthcare breaches in 2025 took an average of 224 days to detect and another 84 days to contain, more than 10 months in total. The longer a breach goes unnoticed, the more it costs, and many small organizations lack the monitoring and audit logging needed to detect one.
As Melanie Fontes Rainer, Director of the HHS Office for Civil Rights, stated in the Paubox report: "Every organization, no matter the size, is required to comply with the HIPAA Security Rule. Risk assessments are not optional—they're foundational."
It's important to understand that HIPAA does permit email communication with patients. According to HHS FAQ guidance on email use, the Privacy Rule allows covered health care providers to communicate electronically, such as through email, with their patients, provided they apply reasonable safeguards when doing so. With proper precautions, email can be a valuable communication tool in your practice.
The HIPAA Basics for Providers document states that, "The Privacy Rule protects PHI that you hold or transmit in any form, including electronic, paper, or verbal. PHI includes information about personal identifiers, like name, address, birth date, and SSN; past, present, or future physical or mental health condition; health care you provide to the patient; and payment for health care."
The Paubox report found that nearly all small practices (98%) say their platform "encrypts emails by default," yet many are using common platforms without additional safeguards. What those platforms typically provide is opportunistic transport encryption (TLS), which silently falls back to unencrypted delivery when the recipient's mail server does not support it or the negotiation fails. A provider may therefore believe every email is encrypted when some messages actually leave in plaintext. In those cases, HIPAA-required safeguards aren't applied, and there's no audit trail to prove compliance.
Healthcare organizations should prioritize email solutions specifically designed for the healthcare industry. A critical feature to evaluate is automatic encryption. Automatic encryption eliminates manual steps and human error from the security process. Staff members don't need to remember special procedures, checkboxes, or subject line conventions; encryption is applied to every message by default.
Learn more: HIPAA compliant email
Before implementing any third-party email platform, organizations must establish a signed business associate agreement (BAA). This is a non-negotiable compliance requirement.
A BAA is a legally binding contract that specifies how email providers will handle and protect PHI. It defines permissible uses, establishes accountability, and outlines data security obligations. Without a BAA, email cannot be considered HIPAA compliant, regardless of underlying technology security.
The Paubox report identified that 44% of small practices cite missing Business Associate Agreements as a reason why they fail HIPAA email compliance audits.
When evaluating providers, organizations should confirm BAA availability and conduct a thorough review of terms. Many healthcare email providers, such as Paubox, include BAAs as standard and provide them publicly for review prior to enrollment. This transparency indicates a trustworthy vendor relationship.
Read also: Paubox Business Associate Agreement (BAA)
Phishing attacks, malware, and ransomware primarily infiltrate healthcare organizations through inbound email. Cybercriminals specifically target healthcare providers because patient data commands premium prices in illicit markets.
As Hoala Greevy, CEO of Paubox, notes in the Paubox report: "Phishing attacks have evolved—they're faster, smarter, and relentless. It's not about one-off scams anymore; it's deception at scale."
Yet the Paubox report reveals that about 50% of small and midsize healthcare organizations lack phishing or spoofing protection beyond default platform settings. This leaves practices vulnerable to attacks that can bypass basic spam filters.
Email solutions should include inbound security capabilities, particularly AI-powered threat detection that identifies phishing attempts, spoofed emails, and malicious links. Additional protections include domain age verification (newly registered sender domains are a common phishing signal), display name spoofing detection, and business email compromise (BEC) detection; BEC is an attack in which criminals impersonate executives or known contacts to trick staff into acting on fraudulent requests.
Effective inbound protection intercepts threats before reaching the inbox, reducing the likelihood of accidental staff interaction with malicious content and safeguarding patient data.
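The following is an added example, not Paubox's product code or anything from the original article, showing the kind of inbound checks described above in plain Python: display name spoofing (a known staff name paired with an outside address), lookalike sender domains, a Reply-To that diverts replies elsewhere, mail claiming the practice's own domain without SPF or DKIM passing, and BEC-style urgency language. The practice domain `example-clinic.com`, the staff directory, and the sample headers are all assumptions constructed for the example.

```python
"""Constructed inbound-mail heuristics of the kind described above:
display-name spoofing, lookalike sender domains, Reply-To diversion,
unauthenticated mail claiming our own domain, and BEC-style urgency.
Example code, not Paubox's product. The practice domain, staff directory
and sample headers are assumptions."""
import re
from email.utils import parseaddr

OUR_DOMAIN = "example-clinic.com"  # assumed practice domain

# Assumed directory of people an attacker would impersonate (display name -> real address).
DIRECTORY = {
    "dr. alice rivera": "arivera@example-clinic.com",
    "billing office": "billing@example-clinic.com",
}
URGENCY = re.compile(r"\b(urgent|wire|gift cards?|immediately|asap)\b", re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typosquatted sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(headers: dict, body: str = "") -> list:
    """Return (rule, detail) findings for one message; an empty list means clean."""
    findings = []
    name, addr = parseaddr(headers.get("From", ""))
    from_dom = domain_of(addr)

    # 1. Display-name spoofing: a known staff name with a From address that is not theirs.
    expected = DIRECTORY.get(re.sub(r"\s+", " ", name.strip().lower()))
    if expected and addr.lower() != expected:
        findings.append(("display_name_spoof", f"'{name}' expected {expected}, got {addr}"))

    # 2. Lookalike domain: within two edits of our own domain but not equal to it.
    if from_dom and from_dom != OUR_DOMAIN and levenshtein(from_dom, OUR_DOMAIN) <= 2:
        findings.append(("lookalike_domain", from_dom))

    # 3. Reply-To pointing at a different domain than From (replies get diverted).
    _, reply = parseaddr(headers.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        findings.append(("reply_to_mismatch", f"{from_dom} -> {domain_of(reply)}"))

    # 4. Mail claiming our own domain must carry an SPF or DKIM pass from our MX.
    auth = headers.get("Authentication-Results", "").lower()
    if from_dom == OUR_DOMAIN and not re.search(r"\b(spf|dkim)=pass\b", auth):
        findings.append(("internal_from_unauthenticated", auth or "no Authentication-Results"))

    # 5. Urgency/payment language is only reported together with another signal,
    #    so a genuine "urgent" message from a verified colleague is not flagged.
    if findings:
        m = URGENCY.search(body)
        if m:
            findings.append(("bec_urgency", m.group(0)))
    return findings


def verdict(findings: list) -> str:
    return "quarantine" if findings else "deliver"


# Constructed sample messages: (headers, body).
SAMPLES = {
    "legit": ({"From": "Dr. Alice Rivera <arivera@example-clinic.com>",
               "Authentication-Results": "mx.example-clinic.com; spf=pass; dkim=pass"},
              "Please see the attached referral."),
    "spoof": ({"From": "Dr. Alice Rivera <alice.rivera@gmail.com>",
               "Reply-To": "ceo-office@mailbox-relay.net"},
              "Urgent: buy gift cards for patient appreciation, ASAP"),
    "lookalike": ({"From": "Billing Office <billing@example-c1inic.com>"},
                  "Updated wire instructions attached"),
}

if __name__ == "__main__":
    for label, (hdrs, body) in SAMPLES.items():
        print(label, verdict(analyze(hdrs, body)), analyze(hdrs, body))
```

The urgency rule is deliberately a secondary signal: on its own it would quarantine legitimate clinical traffic, so it only adds weight once a structural mismatch (name, domain, Reply-To, or authentication) has already been found. In production, rule 4 should read the Authentication-Results header written by your own gateway, not one an external sender can forge.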
Learn more: Inbound Email Security
According to the HIPAA Basics for Providers, "The Security Rule includes security requirements to protect patients' electronic PHI (ePHI) confidentiality, integrity, and availability. The Security Rule requires you to develop reasonable and appropriate security policies and ensure the confidentiality, integrity, and availability of all ePHI you create, receive, maintain, or transmit."
HIPAA's Security Rule requires organizations to maintain retrievable exact copies of ePHI (a data backup plan) and to implement audit controls that record and allow examination of activity in systems holding ePHI. For email, archiving with access logging helps satisfy both requirements.
The Paubox report's finding that one in five small and midsize healthcare organizations has no email archiving or audit trail at all means those practices cannot reconstruct what happened after an incident or demonstrate compliance during a regulatory review. Archiving solutions should encrypt archived messages, enforce access controls, and generate audit logs documenting all access activity.
Data Loss Prevention (DLP) tools add additional safeguards by scanning outgoing messages for sensitive information patterns and preventing unintended disclosure. DLP systems can detect patient names, medical record numbers, insurance identifiers, and other protected data elements.
For newly established practices, DLP catches mistakes before a message leaves the organization. Staff members may include patient information in messages to the wrong recipient or copy PHI to unauthorized parties. DLP policies flag these situations or block transmission, depending on how the organization configures them.
According to the Paubox report, the average small and midsize healthcare employee has access to more than 5,500 sensitive files, including PHI, billing data, and internal documents. This access makes every inbox a high-risk asset, showing the need for DLP controls to prevent accidental disclosure.
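The following is an added example, not Paubox's DLP engine or code from the original article, showing the outbound scan described above: pattern detection for common PHI identifiers, a flag-or-block decision that depends on whether any recipient is outside the practice, and a redacted hit list so the audit log does not itself become a store of PHI. The practice domain, the identifier formats (SSN, MRN, date of birth, insurance ID), the policy table, and the sample messages are assumptions constructed for the example; a real deployment would tune the patterns to its own EHR and billing formats.

```python
"""Constructed outbound DLP scan of the kind described above: detect common
PHI identifiers in a message, decide flag/block by destination, and produce a
redacted record for the audit trail. Example code, not Paubox's DLP engine.
The practice domain, identifier formats, policy table and sample messages
are assumptions."""
import re

OUR_DOMAIN = "example-clinic.com"  # assumed practice domain

# Assumed identifier formats; a real deployment tunes these to its EHR and billing systems.
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.I),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]*\d{1,2}/\d{1,2}/\d{2,4}\b", re.I),
    "insurance_id": re.compile(
        r"\b(?:member|policy|subscriber)\s*(?:id|#|no\.?)[:\s]*[A-Z0-9]{8,15}\b", re.I),
}
# Assumed policy: PHI leaving the practice is blocked (forcing the secure channel);
# PHI staying inside is flagged for review but delivered.
POLICY = {"external": "block", "internal": "flag"}


def classify_recipients(recipients):
    """'external' if any recipient is outside our domain, else 'internal'."""
    outside = any(r.rsplit("@", 1)[-1].lower() != OUR_DOMAIN for r in recipients)
    return "external" if outside else "internal"


def find_phi(text):
    """Map of identifier type -> list of raw matches found in the text."""
    return {label: [m.group(0) for m in rx.finditer(text)]
            for label, rx in PATTERNS.items() if rx.search(text)}


def redact(value):
    """Mask every digit that has at least four digits after it, so the audit
    log keeps only a last-4 suffix and does not itself leak PHI."""
    return re.sub(r"\d(?=(?:\D*\d){4})", "*", value)


def scan_message(msg):
    """msg: {'to': [...], 'subject': str, 'body': str}. Returns the DLP decision
    plus a redacted hit list suitable for the audit trail."""
    hits = find_phi(msg["subject"] + "\n" + msg["body"])
    scope = classify_recipients(msg["to"])
    action = POLICY[scope] if hits else "allow"
    return {"action": action, "scope": scope,
            "hits": {k: [redact(v) for v in vals] for k, vals in hits.items()}}


# Constructed sample messages.
SAMPLES = [
    # Referral with identifiers to an outside specialist: blocked.
    {"to": ["ortho@outside-specialists.org"], "subject": "Referral",
     "body": "Patient Jane Doe, DOB: 04/12/1979, MRN: 00123456, SSN 123-45-6789 needs eval."},
    # Same kind of content staying inside the practice: flagged, not blocked.
    {"to": ["nurse@example-clinic.com"], "subject": "Chart note",
     "body": "Update MRN #00123456 with today's vitals."},
    # No identifiers: allowed.
    {"to": ["vendor@supplies.example"], "subject": "Order",
     "body": "Please ship 10 boxes of gloves."},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["to"], scan_message(m))
```

Two design points matter more than the regexes. First, the decision is recipient-aware: the same chart note is a policy violation when it goes to an outside address and only a review item when it stays internal, which is how a "block or flag based on organizational configuration" policy is expressed. Second, the scanner never writes the raw match to its own log; a DLP audit trail full of unmasked SSNs and MRNs would be a second breach waiting to happen.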
Technology investments require staff education. As noted in the HIPAA Basics for Providers, "You can use email, phone, or fax machines to communicate with other health care professionals and with patients, as long as you use safeguards."
According to HHS FAQ guidance, certain precautions may need to be taken when using email to avoid unintentional disclosures, such as checking the email address for accuracy before sending, or sending an email alert to the patient for address confirmation prior to sending the message. These practical safeguards should be incorporated into your staff training program.
The Paubox report reveals training gaps in small practices. One third of organizations report not having enough time for compliance tasks, and the same number have no clear policies or procedures in place. Additionally, 47% cite lack of employee training as a reason why practices fail HIPAA email compliance audits.
HIPAA training programs should cover email security best practices, including:
Written policies formalize email practices and provide staff guidance. Yet the Paubox report found that 47% of practices cite lack of clear policies or procedures as a top challenge in managing email security and HIPAA compliance, and 47% identify lack of incident response plans as a reason for failing compliance audits.
Email policies should address:
According to HHS FAQ guidance, an individual has the right under the Privacy Rule to request and have a covered health care provider communicate with him or her by alternative means or at alternative locations, if reasonable.
For example, a health care provider should accommodate an individual's request to receive appointment reminders via email, rather than on a postcard, if email is a reasonable alternative means for that provider to communicate with the patient. Conversely, if the use of unencrypted email is unacceptable to a patient who requests confidential communications, other means of communicating with the patient should be offered and accommodated.
This directly contradicts the misconception identified in the Paubox report, where 64% of small practices believe portals are required for HIPAA compliance. The regulations are clear: a portal is one option, but HIPAA permits secure, direct email and other reasonable alternatives when the appropriate safeguards are in place.
HHS FAQ guidance also clarifies that when patients initiate communications with a provider using email, the health care provider can assume that email communications are acceptable to the individual unless the patient has explicitly stated otherwise. However, if the provider feels the patient may not be aware of the possible risks of using unencrypted email, or has concerns about potential liability, the provider can alert the patient of those risks and let the patient decide whether to continue email communications.
Yes, insurance covers financial and legal exposure that technical compliance alone cannot prevent.
A practice should perform a full HIPAA risk assessment annually or whenever major systems change.
Yes, internal emails can still contain ePHI and must be encrypted the same as external messages.
Yes, but only if the platform meets HIPAA safeguards and your vendor signs a BAA.