
Secure email practices to protect patient privacy


Email offers a quick and convenient way for healthcare professionals to communicate with patients. However, it can also lead to concerns around keeping private information secure.

Keep reading to learn more about how to protect patient privacy through secure email practices. Plus, find out why a HIPAA compliant email provider is key to covering all your bases.


What does HIPAA say about emailing patients?


The HIPAA Security Rule does not explicitly prohibit covered entities from sending emails that contain protected health information (PHI), meaning any data that identifies an individual in the course of their care.

However, healthcare providers are required to put certain safeguards in place based on HIPAA standards for access control, integrity, and transmission security.

These measures must “restrict access to PHI, monitor how PHI is communicated, ensure the integrity of PHI at rest, ensure 100% message accountability, and protect PHI from unauthorized access during transit.” 

Therefore, emailing patients is allowed in the healthcare industry as long as proper precautions are taken. 


Set policies for transmitting PHI 


The HIPAA Privacy Rule requires employee PHI access to be restricted to the “minimum necessary” that enables the individual to fulfill their job functions. 

This means healthcare organizations must implement access control policies that indicate which employees need to access patient data as part of their role. There should also be clear guidelines around the type of situations that warrant sending patient information over email.

Consent is another key piece of protecting patient privacy. Ensure that all employees understand the importance of obtaining written permission from patients to receive PHI over email. This helps verify that you have the right contact information and reduces the risk of lawsuits.


Train your staff on HIPAA compliance


Under the HIPAA Privacy Rule, healthcare organizations must provide employees with HIPAA compliance training on “privacy policies and procedures, as necessary and appropriate for them to carry out their functions.”

Human error is responsible for the majority of email-related HIPAA breaches. That’s why it’s crucial to provide education on phishing emails and other deceitful social engineering tactics.

Teach your staff how to recognize the warning signs of a malicious email and make sure to reinforce best practices. These could include double-checking sender names and addresses for inconsistencies and refraining from clicking unexpected links or opening unexpected attachments.

Thorough email security training helps prevent employees from unknowingly providing cybercriminals with access to PHI. 
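The warning signs listed above can also be checked mechanically before a message reaches an inbox. The following is an added example, not Paubox code: it parses raw message headers with Python's standard `email` package and flags the inconsistencies the training section describes (a display name that carries a different address, a Reply-To that diverts replies to another domain, a sender domain that is a lookalike of the organisation's own, and a risky attachment). The trusted domain `example-clinic.org` and both sample messages are constructed for the example.

```python
"""Flag common phishing warning signs in email headers.

Added example (not Paubox code). The trusted domain and the two sample
messages are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the organisation's own sending domain(s).
TRUSTED_DOMAINS = {"example-clinic.org"}

# File extensions a clinic would not expect to receive unannounced.
RISKY_EXTENSIONS = (".exe", ".js", ".scr", ".vbs", ".hta")


def _domain(addr):
    """Return the lower-cased domain part of an address, or '' if absent."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _normalize(domain):
    """Fold characters often substituted to build lookalike domains."""
    d = domain.lower()
    for lookalike, real in (("rn", "m"), ("vv", "w"), ("0", "o"),
                            ("1", "l"), ("3", "e"), ("5", "s")):
        d = d.replace(lookalike, real)
    return d


def sender_warnings(raw_message, trusted_domains=TRUSTED_DOMAINS):
    """Return a list of warning strings for the given RFC 5322 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    warnings = []

    # 1. Display name contains an address that differs from the real sender.
    embedded = re.findall(r"[\w.+-]+@[\w.-]+", name)
    if embedded and embedded[0].lower() != addr.lower():
        warnings.append("display-name address mismatch")

    # 2. Reply-To sends replies to a different domain than the sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != from_domain:
        warnings.append("reply-to domain differs from sender domain")

    # 3. Sender domain looks like a trusted domain but is not one.
    for trusted in sorted(trusted_domains):
        if from_domain != trusted and _normalize(from_domain) == _normalize(trusted):
            warnings.append(f"lookalike of trusted domain {trusted}")

    # 4. Attachment with an extension that should never arrive unexpectedly.
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(RISKY_EXTENSIONS):
            warnings.append(f"risky attachment {filename}")

    return warnings


# Constructed sample messages.
PHISH = """From: "Records Dept billing@example-clinic.org" <alerts@examp1e-clinic.org>
Reply-To: collect@mailbox-relay.example.net
Subject: Action required: patient file
Content-Type: text/plain

Please open the attached file."""

LEGIT = """From: "Dr. A. Patel" <a.patel@example-clinic.org>
Subject: Appointment follow-up
Content-Type: text/plain

See you Tuesday."""

if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(label, sender_warnings(raw) or ["no warnings"])
```

The checks are deliberately simple heuristics; they complement, rather than replace, SPF/DKIM/DMARC validation at the mail gateway, and the lookalike folding should be extended with whatever substitutions your own domain name is exposed to.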


Use HIPAA secure email software 


HIPAA email rules require PHI to be secured at rest and in transit. The smartest way to do this is by using a HIPAA compliant email provider that supports encryption.

Encryption ensures that only the intended recipient is able to view the PHI included in an email. Even if a threat actor intercepts the message or obtains a copy of it, they will be unable to read the data it contains without the decryption key.

However, keep in mind that there is a difference between a HIPAA compliant email platform and a HIPAA capable one. 

Many popular email providers state that they offer email encryption, but they are often not HIPAA compliant until you configure additional features and sign a business associate agreement (BAA) with the company.

Even then, their encryption services are not always enough to meet HIPAA standards. 

For instance, Gmail only encrypts 87% of sent emails. The remaining 13% is still an opening for cybercriminals to intercept patients’ sensitive information.

The best way to securely email patients is by using a HIPAA compliant email service that guarantees encryption on 100% of the emails you send.
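Encryption between mail servers is normally opportunistic: the sending server offers TLS, and if the receiving server does not support it the message is silently delivered in cleartext, which is how a percentage short of 100% arises. One mechanism a sending system can use to refuse that downgrade is MTA-STS (RFC 8461), where the recipient domain publishes a policy naming its MX hosts and whether TLS is required. The code below is an added example, not Paubox code and not tied to any named provider: it parses a policy and decides whether a message may be delivered. The policy text, MX hostnames and TLS outcomes are constructed, and the TLS negotiation itself is assumed to have happened elsewhere and is passed in as booleans.

```python
"""Evaluate a recipient domain's MTA-STS policy (RFC 8461) before delivery.

Added example (not Paubox code). The policy text and hostnames below are
constructed; the actual TLS handshake is assumed to be done by the MTA and
its outcome is passed in as booleans.
"""
from dataclasses import dataclass, field


@dataclass
class StsPolicy:
    mode: str                           # "enforce", "testing" or "none"
    mx_patterns: list = field(default_factory=list)  # e.g. "mail.example.org", "*.example.net"
    max_age: int = 0                    # seconds the policy may be cached


def parse_policy(text):
    """Parse the key: value policy file served at https://mta-sts.<domain>/.well-known/mta-sts.txt."""
    fields = {"mx": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            fields["mx"].append(value.lower())
        else:
            fields[key] = value
    if fields.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    mode = fields.get("mode", "none")
    if mode not in ("enforce", "testing", "none"):
        raise ValueError(f"invalid mode {mode!r}")
    return StsPolicy(mode, fields["mx"], int(fields.get("max_age", 0)))


def mx_matches(pattern, host):
    """A '*.' pattern matches exactly one leftmost label (RFC 8461 section 4.1)."""
    host = host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern


def delivery_decision(policy, mx_host, tls_negotiated, cert_matches_host):
    """Return 'deliver', 'deliver+report' or 'refuse'.

    Delivery is secure only when TLS was negotiated, the certificate is valid
    for the MX host, and that host is one the policy permits.
    """
    permitted = any(mx_matches(p, mx_host) for p in policy.mx_patterns)
    secure = tls_negotiated and cert_matches_host and permitted
    if secure or policy.mode == "none":
        return "deliver"
    if policy.mode == "testing":
        return "deliver+report"   # mail still flows; failure is reported (TLSRPT)
    return "refuse"               # enforce: never fall back to cleartext


# Constructed policy for a fictitious clinic domain.
POLICY_TEXT = """version: STSv1
mode: enforce
mx: mail.example-clinic.org
mx: *.backup-mx.example.net
max_age: 604800
"""

if __name__ == "__main__":
    policy = parse_policy(POLICY_TEXT)
    print(delivery_decision(policy, "mail.example-clinic.org", True, True))   # deliver
    print(delivery_decision(policy, "mail.example-clinic.org", False, False)) # refuse
    print(delivery_decision(policy, "rogue.example.com", True, True))         # refuse
```

In `enforce` mode the sender queues or bounces the message rather than downgrading, which is the behaviour that turns an opportunistic percentage into a guarantee; `testing` mode lets a domain roll the policy out while collecting failure reports first.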



In conclusion, HIPAA does not restrict covered entities from using email to communicate with patients. However, certain measures are necessary to protect patient privacy. These include:

  • Creating access control policies for PHI
  • Educating employees on how to recognize malicious emails
  • Investing in a HIPAA compliant email service


By keeping these practices top-of-mind, healthcare providers can securely email patients without putting their sensitive information at risk.
