
Is email HIPAA compliant?


HIPAA email compliance is a major issue for modern healthcare. There are so many questions around the topic and the risk of making errors comes with a painful cost and exorbitant price tag. Commonly asked questions we hear from providers are, "What are the HIPAA email rules? What do I need to do for HIPAA compliant email? How do I secure HIPAA email?"

Read on to find out the answers to your HIPAA email questions.

The Health Insurance Portability and Accountability Act (HIPAA) requires a number of steps before email communications are considered HIPAA compliant.


5 parts of compliance for HIPAA email


HIPAA email rules require that covered entities implement access controls, audit controls, integrity controls, ID authentication, and transmission security in order to:

  1. Restrict access to PHI
  2. Monitor how PHI is communicated
  3. Ensure the integrity of PHI at rest
  4. Ensure 100% message accountability, and
  5. Protect PHI from unauthorized access during transit


What are the HIPAA email rules to email patients?


HIPAA and email can work well together as long as you have the appropriate safeguards in place to protect PHI. The HIPAA Security Rule lays out what safeguards need to be in place to protect patient data. Read our quick guide and learn how to keep HIPAA related email well within regulations.

Essentially, covered entities are required to take reasonable steps to keep PHI secure while it's in their servers and while the email is in-transit. However, the HHS understands you have no control over which email clients your patients use.

“We clarify that covered entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email… covered entities are not responsible for unauthorized access of protected health information while in transmission to the individual based on the individual’s request. Further, covered entities are not responsible for safeguarding information once delivered to the individual.” (US Department of Health and Human Services, Omnibus Final Rule, 2013)

Read our complete HIPAA email guide for busy professionals for more in-depth coverage.


Encryption alone does not make HIPAA compliant email


Some HIPAA covered entities argue that encryption is sufficient to ensure HIPAA compliance for email. However, HIPAA email rules do not just cover encryption. Although emails can be HIPAA compliant, significant IT resources are at times required for a continuing monitoring process to ensure that authorized users are communicating PHI in adherence with policies for HIPAA compliance for email. It is best practice to limit PHI access to only the staff who need to work with the data.

There are HIPAA email providers who can ensure all the email sent from your organization is secure, but it is up to your staff to make sure that an email with PHI is not sent to the wrong person. Read our Healthcare's Guide to HIPAA Compliant Email Marketing for additional information on this topic and how to reduce mistakes.


How do I know if my encrypted email is HIPAA compliant?


Most popular email providers support email encryption, but it's often not good enough to meet HIPAA standards. Take Gmail, for example: 87% of sent emails are encrypted, but HIPAA requires 100% email encryption. The 13% of emails that go out unencrypted is unacceptable. It is too big of an opening for hackers to get access to HIPAA emails while in transit.

If you are using Google or Microsoft, make sure to use an additional encryption program that ensures 100% of your HIPAA emails remain private and secured. The safest and least cumbersome option is for covered entities to consider working with a third-party email security provider to ensure that all HIPAA emails have end-to-end encryption.

End-to-end encryption ensures only the sender and recipient read the HIPAA email, keeping the PHI private as it travels between inboxes.

Read more: HIPAA email encryption requirements: What you need to know


What are HIPAA email encryption requirements?


HIPAA email rules require messages that contain PHI to be secured in transit outside of the internal email network and firewall. As previously mentioned, encryption is only one element of HIPAA compliance for email, but it will ensure that in the event of a message being intercepted, the contents of that message cannot be read, thus preventing an impermissible disclosure of ePHI.


What is an addressable standard in HIPAA?


An addressable standard in the HIPAA Security Rule for data at rest and HIPAA compliance for email means encryption is not ‘required.’ However, covered entities must consider encryption and implement an alternative, equivalent safeguard if the decision is taken not to use encryption. That applies to data at rest and data in transit.

However, when a patient's privacy or a data breach is on the line, it is always best to play it safe and keep your emails encrypted. Data breaches are averaging over $10m in costs today. In order to determine whether ePHI sent via email is at risk of loss of confidentiality, integrity, and availability, your organization will need to conduct an analysis of the risks.

In order to reduce the level of risk to an appropriate and acceptable level, a risk management plan must be developed along with encryption or an alternative measure. Documentation must also accompany the decision. As part of its review, OCR will ask for information about whether encryption was considered, the reasons for not using it, and whether the alternative safeguard provides an equivalent level of protection.


Where can I get government help on HIPAA email?


HIPAA-covered entities can obtain up-to-date guidance on encryption from the National Institute of Standards and Technology (NIST), which at the time of writing recommends the use of Advanced Encryption Standard (AES) 128, 192 or 256-bit encryption. That could naturally change, so it is important to check NIST's latest guidance before implementing encryption for email. NIST has also published SP 800-45 Version 2, which will help organizations secure their email communications.


What are the penalties for HIPAA email violations?


Penalties for HIPAA Email Violations (penalties are per violation, per year)

Violation tier                                          From        To
Could not have avoided with reasonable care             $100        $50,000
HIPAA email violation despite reasonable care           $1,000      $50,000
Willful Neglect – Corrected within reasonable time      $10,000     $50,000
Willful Neglect – Not corrected                         $50,000     $1,500,000


Does secure messaging resolve issues with HIPAA compliance for email?


In spite of the fact that secure messaging meets all the requirements of the HIPAA Security Rule, users do not adopt it. To ensure audit trails, authorized users must log into the apps using a unique username and PIN number. Furthermore, all PHI-containing messages are encrypted, and security mechanisms ensure that PHI cannot be sent outside of an organization's network of authorized individuals.

Many covered entities think a patient portal is the answer to HIPAA compliant email. Portals require a patient to log into a separate website, app, or create a new login and password to access it. In theory, portals provide a secure location for patients and healthcare professionals to communicate safely. But patients don't like it, nor do they use it.

By 2019, 62% of covered entities reported less than a quarter of their patients were registered for portals. Unfortunately, portals only serve to decrease patient engagement.

The biggest problem with a patient portal is that it's not easy to use. There are too many steps for patients to communicate with their doctors, so they don't do it at all. 


How do I send secure HIPAA compliant email?


Microsoft 365 and Google Workspace require no change in email behavior once they are configured with Paubox Email Suite and set up for modern encryption to keep your email HIPAA compliant. That means your office staff or IT department has an implementation that takes minutes, and there is no end user training required.


How do I secure HIPAA email?


Paubox Email Suite is a better option because it allows healthcare professionals and patients to directly communicate in their inboxes. Paubox Email Suite has also achieved HITRUST CSF certification —a distinction that demonstrates our product has met key regulatory requirements to appropriately manage risk.

We're committed to ensuring that healthcare providers have access to secure email, which is why a BAA is included in all of our plans, and two-factor authentication (2FA) is required to access the customer admin panel. 


Will all email be HIPAA compliant?


While email encryption provides privacy, there are some older email providers that don't support encryption. Without encryption, your HIPAA related email is at serious risk of security issues. So how can covered entities protect PHI when email clients or patients are using older email accounts that don't support encryption?

Paubox Email Suite has the capability to recognize when an email cannot be delivered encrypted and provide an alternative solution. Recipients whose email does not support encryption will get an email alerting them to click on a link. The link leads them to a secure HTTPS URL where they can read the message. Whatever third party solution you choose, make sure it covers older email platforms to keep your HIPAA related email within regulations.
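As an added example (not Paubox code and not from the original article), the Python sketch below models the transport-policy decision an outbound gateway has to make for each message, covering both the "100% encrypted in transit" point made earlier and the secure-link fallback described just above. When the recipient's mail server advertises STARTTLS in its EHLO reply, the message goes out over TLS. When it does not, an enforce-TLS policy withholds the PHI and instead sends a PHI-free notice carrying an HTTPS pickup link; an opportunistic policy would send in the clear, which is the gap behind the 87% figure. The EHLO replies, hostnames, sender address and pickup URL are all constructed for the example, and the HTTPS pickup portal is hypothetical.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from email.message import EmailMessage
import hashlib
import secrets

# Constructed EHLO replies (hostnames and SIZE values are made up for the example).
EHLO_WITH_STARTTLS = (
    "250-mx.example.net Hello\n"
    "250-SIZE 35882577\n"
    "250-STARTTLS\n"
    "250 SMTPUTF8\n"
)
EHLO_WITHOUT_STARTTLS = (
    "250-mail.legacy.example Hello\n"
    "250-SIZE 10240000\n"
    "250 HELP\n"
)


@dataclass
class Decision:
    recipient: str
    action: str                 # deliver_tls | notify_secure_link | deliver_cleartext
    reason: str
    audit: dict = field(default_factory=dict)   # what gets written to the audit log
    pickup_token: str = ""      # one-time token; only its hash is logged


def parse_ehlo_capabilities(ehlo_reply: str) -> set[str]:
    """Extract capability keywords from a multi-line EHLO reply.

    Continuation lines look like '250-STARTTLS'; the final line uses a space,
    e.g. '250 SMTPUTF8'. The first line is the greeting, not a capability.
    """
    caps: set[str] = set()
    for line in ehlo_reply.splitlines()[1:]:
        line = line.strip()
        if len(line) > 4 and line.startswith("250"):
            caps.add(line[4:].split()[0].upper())
    return caps


def choose_delivery(recipient: str, ehlo_reply: str, enforce_tls: bool = True) -> Decision:
    """Decide how a PHI-bearing message may leave the gateway.

    enforce_tls=True is the setting the article calls for (every PHI message
    encrypted in transit). enforce_tls=False is opportunistic TLS, the weak
    setting that lets a share of messages leave unencrypted.
    """
    caps = parse_ehlo_capabilities(ehlo_reply)
    if "STARTTLS" in caps:
        return Decision(recipient, "deliver_tls",
                        "recipient server advertises STARTTLS",
                        {"transport": "smtp+starttls"})
    if enforce_tls:
        # Never send the PHI in clear. Mint a one-time pickup token for the
        # HTTPS link; the audit record keeps only its SHA-256 hash.
        token = secrets.token_urlsafe(32)
        return Decision(recipient, "notify_secure_link",
                        "no STARTTLS offered; PHI withheld, secure-link notice sent",
                        {"transport": "https_pickup",
                         "token_sha256": hashlib.sha256(token.encode()).hexdigest()},
                        pickup_token=token)
    return Decision(recipient, "deliver_cleartext",
                    "no STARTTLS offered; opportunistic policy sends anyway",
                    {"transport": "smtp_plain"})


def build_notification(recipient: str, pickup_base_url: str, token: str) -> EmailMessage:
    """Build the PHI-free notice used when the recipient cannot receive TLS mail.

    The notice carries nothing about the patient, only the pickup link served
    by a hypothetical HTTPS portal at pickup_base_url.
    """
    msg = EmailMessage()
    msg["To"] = recipient
    msg["From"] = "no-reply@clinic.example"        # constructed sender address
    msg["Subject"] = "You have a secure message"
    msg.set_content(
        "A secure message is waiting for you.\n"
        f"Open it at: {pickup_base_url}/{token}\n"
        "This link is for you only; please do not forward it.\n"
    )
    return msg


def notification_is_phi_free(msg: EmailMessage, phi_fragments: list[str]) -> bool:
    """Last check before sending: none of the message's PHI leaked into the notice."""
    text = (msg["Subject"] or "") + "\n" + msg.get_content()
    return not any(frag.lower() in text.lower() for frag in phi_fragments)


if __name__ == "__main__":
    for reply in (EHLO_WITH_STARTTLS, EHLO_WITHOUT_STARTTLS):
        d = choose_delivery("patient@example.net", reply)
        print(d.action, "-", d.reason, "-", d.audit)
```

The two policy modes sit side by side in `choose_delivery` on purpose: the only difference between "some PHI leaves in clear" and "no PHI leaves in clear" is whether the gateway is allowed to take the `deliver_cleartext` branch. The `notification_is_phi_free` check is the kind of guard worth wiring into the fallback path, since a notice that quotes the original subject line can itself become an impermissible disclosure.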

Read more: What happens when a Paubox email recipient doesn't support encryption?


How can you secure different types of HIPAA email?


There are other emails besides doctor-to-patient that may need encryption or to follow other HIPAA guidelines. You'll also want to ensure that these types of emails are encrypted as well:


  • In-office emails if using remote access
  • Emails sent to a different healthcare professional outside your network
  • Healthcare professionals using their home computers or personal email


It's highly recommended that healthcare companies invest in a professional email address instead of using a personal or free email domain. It will make you look more professional and enables you to partner with HIPAA compliant email providers such as Paubox. Another consideration is email marketing.

Many marketing email services won't sign a business associate agreement (BAA), which means they aren't HIPAA compliant email vendors.


What is encrypted email archiving for PHI?


In order to comply with HIPAA regulations, covered entities must retain past communications containing PHI for at least six years. It is important to note that the retention of PHI can pose a storage challenge for many organizations depending on their size and the volume of emails sent and received during this time period.

This issue can be resolved by archiving encrypted emails. Businesses that provide email archiving services are considered Business Associates and must comply with the HIPAA Security Rule. To ensure the integrity of PHI, their service must have access controls, audit controls, integrity controls, and ID authentication.

A service provider's secure storage facility will store all emails encrypted at source in order to comply with HIPAA email rules on transmission security.


What are the benefits of archiving email with PHI?


Due to the encryption of emails and attachments, encrypted email archiving for PHI has the advantage that each email's content can be indexed. As a result, covered entities can readily access emails in response to audit requests or for discovery purposes.

The encrypted email archive can also be used as part of a disaster recovery plan when releasing storage space on the covered entity's servers. Protected health information (PHI) and patient names must be kept safe and private when they are sent via email by healthcare providers.

There is good news, though. It's easy to send HIPAA-compliant emails. Email is a game changer for patients and staff since it allows them to communicate easily.


What happens if a patient replies with PHI in their email?


A common question that covered entities have about HIPAA compliant email is when their obligation to secure PHI ends. Covered entities should always ensure they are sending encrypted emails to their patients, but that's where the obligation ends.

According to the HIPAA Omnibus Rule, “Further, covered entities are not responsible for safeguarding information once delivered to the individual.” Once a person has received an email, it becomes their responsibility to secure any PHI in their inbox. It is their choice whether they respond with additional unencrypted PHI or not.


HIPAA email and your healthcare practice


The bottom line is that there is a lot to HIPAA compliance and the stakes are high if an error is made. On the other hand, good communication with patients is vital to your practice and to your patients' well-being. Fortunately, Paubox does offer solutions designed specifically for healthcare, and they are incredibly easy to use. As a matter of fact, you could be up and running with HIPAA compliant email in the next hour. Over 4000 healthcare customers trust Paubox to secure 70,000,000 emails each month.

Try Paubox Email Suite for FREE today.

Start a 14-day free trial of Paubox Email Suite today