Email is one of the most widely used communication tools in healthcare, with Paubox noting that “17,755,870 emails [were] sent by 128 healthcare organizations over Q4 2023 and Q1 2024.” Whether it’s a physician sharing lab results, a patient reaching out with questions, or an administrator sending billing information, email plays a central role in daily operations.
The terms "inbound email" and "outbound email" may sound simple, but in the context of healthcare, they represent two distinct compliance challenges. Inbound email requires strong protection against external threats such as phishing and malware. Outbound email demands rigorous safeguards to prevent the accidental or unauthorized disclosure of PHI.
Under HIPAA, both types of email must be secured with encryption, access controls, and proper staff training. By taking a proactive approach to inbound and outbound email security, healthcare organizations can reduce the risk of breaches, avoid costly fines, and most importantly, protect patient trust.
What is inbound email?
Inbound email refers to all emails that an organization receives. These messages enter your email system from external senders, such as patients, vendors, or third parties.
Examples of inbound email in healthcare:
- A patient emailing their doctor to request a prescription refill.
- A lab sending test results to a clinic.
- An insurance company submitting an authorization document.
Because inbound emails come from outside sources, they present security risks. Unlike internal communications, which typically move through protected channels, inbound emails are beyond the direct control of the healthcare organization until they arrive in its system. This makes them a prime target for cybercriminals, who often use phishing or malware-infected attachments to gain access to healthcare networks. A notable example involved Children’s Hospital Colorado, which paid a $548,265 settlement after a phishing attack compromised multiple staff email accounts. The breach exposed the ePHI of more than 10,000 individuals, and OCR’s investigation revealed failures in workforce training, inadequate risk analysis, and disabled multi-factor authentication.
This case demonstrates why inbound emails cannot be treated casually. Even a single employee falling victim to a phishing scam can put thousands of patients’ information at risk.
Go deeper: Children's Hospital Colorado Notice of Proposed Determination
HIPAA requirements for inbound email
Under the HIPAA Security Rule, covered entities must implement technical safeguards to protect electronic protected health information (ePHI). The U.S. Department of Health and Human Services notes, “Technical safeguards are becoming increasingly more important due to technology advancements in the health care industry. As technology improves, new security challenges emerge. Healthcare organizations are faced with the challenge of protecting electronic protected health information (EPHI), such as electronic health records, from various internal and external risks.” This applies directly to inbound email:
- Access controls: “Access controls provide users with rights and/or privileges to access and perform functions using information systems, applications, programs, or files.” This means that only authorized personnel should be able to access patient emails.
- Audit controls: Systems must track and record who accessed inbound emails containing ePHI. This helps with “recording and examining information system activity, especially when determining if a security violation occurred.”
- Integrity controls: Measures must ensure that ePHI is not improperly altered.
- Encryption: If an inbound message includes ePHI, it must be encrypted during transfer.
In practice, healthcare organizations need secure mail gateways, spam filters, and decryption tools to safely process inbound emails. Staff should also be trained to recognize phishing attempts that might slip through filters.
What is outbound email?
Outbound email refers to messages that your organization sends externally. In healthcare, these often contain highly sensitive data, making outbound email a compliance challenge.
Examples of outbound email in healthcare:
- A nurse emailing lab results to a patient.
- A billing department sending invoices to insurers.
- A hospital administrator sharing records with a specialist.
Outbound email risks are often less obvious than inbound ones. While inbound risks come from malicious outsiders, outbound risks usually come from the organization itself: data leakage, sensitive information sent to the wrong person, messages sent without encryption, or other violations of HIPAA rules.
This example shows how outbound communication, especially when not properly encrypted, can create massive exposure for healthcare entities.
HIPAA requirements for outbound email
HIPAA sets clear expectations for protecting PHI in outbound messages. Key provisions include:
- Encryption: Outbound email containing PHI must be encrypted in transit unless patients have been informed of risks and consented to unencrypted communication.
- Minimum necessary rule: Only the minimum required PHI should be sent via email.
- Authentication: Systems should verify that recipients are who they claim to be.
- Data loss prevention (DLP): Many healthcare organizations use DLP tools to prevent staff from accidentally emailing PHI to unauthorized recipients.
The Office for Civil Rights (OCR), which enforces HIPAA, has issued fines for violations where PHI was emailed without proper safeguards. One notable case involved PIH Health, which in 2025 settled with OCR for $600,000 after a phishing attack compromised 45 employee email accounts. The breach exposed the unsecured PHI of 189,763 individuals, and OCR found that the organization had failed to implement adequate safeguards, including proper risk analysis, encryption, and timely notification.
Go deeper: HHS Office for Civil Rights Settles Phishing Attack Breach with Health Care Network for $600,000
Why the inbound vs. outbound distinction matters
Both inbound and outbound email involve risks, but the nature of those risks differs.
- Inbound: The main threats are phishing, spam, and malware. These can lead to unauthorized access to PHI if employees are tricked into clicking malicious links.
- Outbound: The main risks are unintentional disclosure, misdirected emails, or sending PHI without encryption.
Treating inbound and outbound email separately in your HIPAA compliance strategy allows you to implement tailored controls that address both threat categories.
Best practices for HIPAA compliant email
To ensure HIPAA compliance, healthcare organizations should implement safeguards that cover both inbound and outbound communications:
- Encrypt all PHI in transit and at rest: Use secure email platforms, like Paubox, that automatically encrypt messages containing PHI.
- Deploy advanced spam and phishing filters: Protect inbound email with tools that detect malicious attachments and suspicious links.
- Use Data Loss Prevention (DLP) policies: Prevent outbound emails from being sent if they contain unencrypted PHI or sensitive keywords.
- Implement strong authentication methods: Require multi-factor authentication (MFA) for accessing emails with PHI.
- Train employees regularly: Staff should be able to spot phishing attempts and understand the risks of sending PHI via email.
- Establish clear email policies: Document and enforce policies for handling both inbound and outbound PHI-related emails.
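The DLP and misdirected-email controls above can be reduced to a small outbound policy check. The following is an added example, not Paubox's product code or any vendor's API: it scans a constructed outbound message for a few PHI indicators (SSN, MRN and date-of-birth patterns, plus sensitive phrases), then decides whether to allow the message, require encrypted delivery, or block it for review. The domains `clinic.example` and `labpartner.example`, the regular expressions, and the sample messages are all assumptions chosen for the demo.

```python
import re
from dataclasses import dataclass

# Constructed patterns for a few common PHI identifiers. They are assumptions for
# illustration only; a production DLP policy needs a much fuller identifier set.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{6,}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]+\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE),
}
# Sensitive phrases that, on their own, mark a message for a closer look.
SENSITIVE_KEYWORDS = ("lab results", "test results", "diagnosis", "prescription")

# Hypothetical domains for the demo: the organization itself and one vetted partner.
INTERNAL_DOMAINS = {"clinic.example"}
APPROVED_DOMAINS = {"labpartner.example"}


@dataclass
class OutboundMessage:
    sender: str
    recipients: list
    subject: str
    body: str


@dataclass
class Decision:
    action: str      # "allow", "encrypt" or "block"
    findings: list   # which indicators triggered the decision
    reason: str


def scan_for_phi(text):
    """Return the names of every PHI indicator or sensitive keyword found in text."""
    findings = [name for name, pattern in PHI_PATTERNS.items() if pattern.search(text)]
    lowered = text.lower()
    findings += [f"keyword:{kw}" for kw in SENSITIVE_KEYWORDS if kw in lowered]
    return findings


def recipient_domain(address):
    """Domain part of an address, lower-cased for comparison."""
    return address.rsplit("@", 1)[-1].lower()


def evaluate(msg, internal_domains=INTERNAL_DOMAINS, approved_domains=APPROVED_DOMAINS):
    """Outbound policy: PHI may leave only to approved domains, and only encrypted."""
    findings = scan_for_phi(msg.subject + "\n" + msg.body)
    if not findings:
        return Decision("allow", findings, "no PHI indicators found")
    external = [r for r in msg.recipients if recipient_domain(r) not in internal_domains]
    if not external:
        return Decision("allow", findings, "PHI stays inside the organization")
    unapproved = [r for r in external if recipient_domain(r) not in approved_domains]
    if unapproved:
        # Likely misdirected or unauthorized disclosure: hold for human review.
        return Decision("block", findings,
                        "PHI addressed to unapproved recipient(s): " + ", ".join(unapproved))
    return Decision("encrypt", findings,
                    "PHI to approved external domain; enforce encrypted delivery")


# Constructed sample messages (no real patient data).
SAMPLE_MESSAGES = [
    OutboundMessage("nurse@clinic.example", ["someone@gmail.com"], "Results",
                    "Hi, attached are the lab results for MRN 00123456."),
    OutboundMessage("nurse@clinic.example", ["dr.lee@clinic.example"], "Results",
                    "Hi, attached are the lab results for MRN 00123456."),
    OutboundMessage("intake@clinic.example", ["referrals@labpartner.example"], "Referral",
                    "Please process the test results for DOB 04/12/1980."),
    OutboundMessage("admin@clinic.example", ["vendor@supplier.example"], "Invoice",
                    "Invoice #4471 for October supplies is attached."),
]


def run_demo():
    """Evaluate every sample message and return the list of actions taken."""
    actions = []
    for msg in SAMPLE_MESSAGES:
        decision = evaluate(msg)
        print(f"{msg.recipients[0]:<32} {decision.action:<8} {decision.findings} ({decision.reason})")
        actions.append(decision.action)
    return actions


if __name__ == "__main__":
    run_demo()
```

Running the script shows the four outcomes the policy list calls for: the PHI message to a consumer mailbox is blocked for review (a likely misdirected email), the same message to a colleague inside the organization is allowed, the referral to the vetted lab partner is allowed only with enforced encryption, and the invoice with no PHI indicators passes untouched. The block decision, rather than a silent drop, is deliberate: a held message gives the sender a chance to correct the recipient and gives compliance staff an audit record of the attempt.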
Related: HIPAA Compliant Email: The Definitive Guide (2025 Update)
FAQs
Does HIPAA require all emails with PHI to be encrypted?
Yes, HIPAA requires encryption for PHI transmitted over email, unless the patient has been informed of the risks and has consented to receive unencrypted messages.
Is using Gmail or Outlook enough to meet HIPAA compliance?
Not by default. Gmail and Outlook can only be HIPAA compliant if used with proper encryption, a signed business associate agreement (BAA), and configured safeguards such as access controls and logging.
Can healthcare staff use personal email accounts for work?
No. Personal email accounts such as Gmail, Yahoo, or Hotmail are not HIPAA compliant and should never be used to send or receive PHI. Staff should only use approved, secure email platforms.