HIPAA email security 101: Your HIPAA email questions answered

As part of the Paubox webinar series, we hosted HIPAA email security 101: PHI, encryption, and what's required. It was our best-attended webinar to date, and we appreciate the turnout, the enthusiasm, and the many questions asked. Unfortunately, we ran out of time before we could answer everyone's questions.

This blog post answers the questions we didn’t get time to answer about HIPAA compliant email, covering encryption, attachments, shared mailboxes, AI features, breach reporting, and more.

Related: HIPAA Compliant Email: The Definitive Guide (2026 Update)

Recipient experience

Can recipients open encrypted email?

Yes. With a HIPAA compliant email solution like Paubox, the encrypted message is delivered straight to the recipient's inbox like any other email. There is no password to enter and no portal to log into, so it opens and reads like a normal message.

Do recipients need to click anything to decrypt the email?

No. With Paubox's seamless encryption, the recipient takes no extra steps; the message arrives already readable.

Does the recipient also need to use Paubox?

No. Recipients do not need a Paubox account or any additional software to read encrypted emails.

Can recipients reply to encrypted emails easily?

Yes. Recipients simply hit "reply" as they would on any email. The reply is encrypted in transit automatically whenever the recipient's mail server can negotiate a TLS connection with Paubox (see the reply thread section below).

Do recipients see any difference between encrypted and regular emails?

In most cases, no. The experience is intentionally designed to feel identical to a standard email, which reduces confusion and improves engagement. The only visible difference is a footer confirming that the email is secured by Paubox.

What about assistive tech (screen readers, etc.)?

Encrypted emails delivered directly to inboxes remain compatible with assistive technologies like screen readers because they do not rely on external portals.

Go deeper: Combining HIPAA compliant email and assistive technology

What if the recipient's email system can't accept an encrypted email?

In the rare fallback case where the recipient's mail server can't negotiate TLS at the required level, Paubox automatically delivers the message through its Secure Message Center instead, which keeps the message readable for the recipient and HIPAA compliant.

Are links in encrypted emails safe to click?

Transport encryption protects the message on its way to the inbox; it says nothing about where a link inside the message leads. Recipients should still apply standard phishing checks to links in encrypted email, exactly as they would in any other email: inspect the destination before clicking and be wary of unexpected requests for credentials or payment.

Read also: HIPAA compliant use of hyperlinks in email

Manual trigger vs. Automatic encryption

What does “manual trigger” mean?

Manual trigger encryption requires the sender to take action to encrypt the email, such as adding a keyword like "secure" in the subject line. In most email platforms, this triggers a multi-step portal experience for the recipient. While HIPAA compliant, it's an error-prone experience for the sender, and a hassle for the recipient.

Which approach is more HIPAA compliant?

Both can be compliant if implemented correctly, but automatic encryption, as in Paubox Email Suite, removes the step a sender can forget and so reduces the risk of human error.

Why not just auto-encrypt everything?

That is exactly what we recommend. Here at Paubox, we believe auto-encrypting everything is the safest approach. Automatic encryption eliminates human error, ensures that all PHI is consistently protected, and simplifies workflows by removing the need for user intervention.

In contrast, manual encryption increases the risk of accidental non-compliance, because it relies on users to remember to apply encryption correctly every time.

What are subject line keywords in email encryption?

Subject line keywords are predefined words or phrases, such as “secure” or “[encrypt],” that trigger encryption when included in the subject line of an email. There’s no universally accepted standard, and it depends on the email encryption service you use. With Paubox, every email is encrypted by default, so there’s no need for any keywords in the subject line to trigger that encryption.

Read more: How to trigger the Paubox Secure Message Center using a subject line keyword

Are subject lines themselves encrypted?

Yes. Paubox encrypts subject lines: transport encryption covers the whole SMTP session, headers included, not just the message body.

In-transit vs. At-rest encryption

Does Paubox encrypt at rest?

Paubox encrypts email in transit using TLS 1.2 or higher. Protection of email at rest, that is, messages sitting in mailboxes and folders, comes from your email provider, Google Workspace or Microsoft 365. Make sure you have a business associate agreement (BAA) in place with that provider to stay HIPAA compliant.

What counts as PHI?

PHI includes any identifiable health information, such as, but not limited to:

  • A patient’s name, address, or contact details
  • Dates related to an individual (e.g., date of birth, admission date, discharge date)
  • Medical records, diagnoses, and treatment information
  • Health insurance details and policy numbers
  • Billing and payment information linked to healthcare services
  • Laboratory results, imaging, and clinical notes
  • Prescription information and medication history
  • Any unique identifiers (e.g., medical record numbers, device identifiers)
  • Biometric identifiers such as fingerprints or voiceprints
  • Photographs or images that can identify a patient

Go deeper: Examples of protected health information (PHI) in healthcare

Is the sent folder considered secure under HIPAA?

Yes, if appropriate safeguards are in place, such as a business associate agreement, access controls, encryption at rest, and audit logging, as required by the HIPAA Security Rule.

Do deleted emails (trash folder) remain protected?

Yes. Deleted emails remain covered by the email provider's storage protections until they are permanently purged, which depends on the provider's retention settings.

How Paubox works with existing email

Is Paubox a replacement for Outlook or Google?

No. Paubox integrates with existing platforms such as Microsoft 365 and Google Workspace and works behind the scenes to keep your email HIPAA compliant.

How does Paubox integrate with existing email systems?

Paubox works as an email gateway that sits between your email provider and the internet, automatically encrypting outgoing emails without requiring changes to user workflows.

Go deeper: Integrating Paubox Email Suite with popular email providers

Will recipients notice any difference?

In most cases, no. Emails arrive in their inbox just like regular messages, without requiring portals or additional steps.

Reply thread encryption

If someone replies to an encrypted email, is it still encrypted?

Yes. When a TLS connection can be established between Paubox and the recipient's mail server, the reply comes back encrypted in transit automatically. In the rare case where that connection isn't possible, the original message is delivered through our Secure Message Center instead, and replies sent from there are encrypted too.
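The fallback behaviour described here, in the Secure Message Center answer above, and in the "TLS 1.2 or higher" answer is easier to reason about as code. The following is an added example, not Paubox code: it models a gateway policy that delivers over SMTP only when STARTTLS negotiates TLS 1.2 or higher and otherwise hands the message to a portal-style fallback. The host names, the policy constants and the `secure_message_center_fallback` hook are assumptions for illustration.

```python
"""Outbound "TLS 1.2+ or fall back" delivery policy.

Added example, not Paubox code. Models a gateway in front of a mail provider
that delivers over SMTP only when STARTTLS negotiates TLS 1.2 or higher and
otherwise hands the message to a web-based secure message center. Host names,
policy constants and the fallback hook are assumptions for illustration.
"""
from __future__ import annotations

import smtplib
import ssl
from email.message import EmailMessage

# Policy: anything below TLS 1.2 counts as "no acceptable encryption".
MIN_TLS = ssl.TLSVersion.TLSv1_2
ACCEPTED_VERSIONS = ("TLSv1.2", "TLSv1.3")


def build_tls_context() -> ssl.SSLContext:
    """Client context that verifies the server certificate and refuses
    anything older than TLS 1.2: the handshake fails instead of downgrading."""
    ctx = ssl.create_default_context()   # CA verification and hostname check on
    ctx.minimum_version = MIN_TLS
    return ctx


def tls_version_acceptable(version: str | None) -> bool:
    """Decide from the negotiated protocol string (what SSLSocket.version()
    returns, e.g. 'TLSv1.3') whether direct delivery is allowed."""
    return version in ACCEPTED_VERSIONS


def secure_message_center_fallback(msg: EmailMessage) -> str:
    """Stand-in for the portal path (assumed hook, not a real API): the PHI
    stays on the sender's side and the recipient gets a retrieval notice."""
    return "fallback"


def deliver(msg: EmailMessage, mx_host: str, timeout: float = 10.0) -> str:
    """Return 'direct' if the message went out under TLS 1.2+, else 'fallback'.

    This is the network path. A plain MTA doing opportunistic TLS would send
    in clear text whenever STARTTLS is missing; this policy never does.
    """
    ctx = build_tls_context()
    try:
        with smtplib.SMTP(mx_host, 25, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                # No STARTTLS offered (or stripped on the wire): portal instead.
                return secure_message_center_fallback(msg)
            smtp.starttls(context=ctx)   # raises ssl.SSLError on TLS < 1.2 or bad cert
            smtp.ehlo()
            negotiated = smtp.sock.version()   # e.g. 'TLSv1.3'
            if not tls_version_acceptable(negotiated):
                return secure_message_center_fallback(msg)
            smtp.send_message(msg)
            return "direct"
    except (smtplib.SMTPException, ssl.SSLError, OSError):
        # Handshake refused, certificate mismatch, timeout: all end in the
        # portal path, never in a plaintext retry.
        return secure_message_center_fallback(msg)


if __name__ == "__main__":
    # Constructed sample message; the recipient domain is a placeholder.
    sample = EmailMessage()
    sample["From"] = "frontdesk@clinic.example"
    sample["To"] = "patient@example.invalid"
    sample["Subject"] = "Your appointment"
    sample.set_content("Reminder: your visit is Tuesday at 9:00.")
    print(deliver(sample, "mx.example.invalid"))
```

The point of the example is the branch structure: every failure mode (no STARTTLS advertised, a server that only speaks TLS 1.0/1.1, a certificate that doesn't verify, a timeout) lands in the fallback, and nothing ever retries in clear text. That is the difference between "opportunistic TLS" and a policy you can put in front of PHI. Run against your own MX host to see which branch your recipients take.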

 

Are all messages in the thread protected?

Yes, as long as all messages in the thread were sent through Paubox. Each message is encrypted as it's sent, so the whole conversation stays protected.

Shared mailboxes

Can teams use shared inboxes (e.g., front desk)?

Yes, if safeguards are in place:

  • Access controls
  • Unique user authentication
  • Audit logs

In other words, don't share usernames and passwords. If each person signs in with their own credentials, so that every action on the shared inbox can be attributed to an individual in the audit log, shared inboxes are fine.

Can multiple staff members reply to the same email securely?

Yes. As long as the shared mailbox is set up under your Paubox-connected domain, replies from that address are encrypted automatically just like any other email sent through Paubox.

See also: How to mitigate the risk of shared email inboxes

AI features and privacy

Does AI scan email content?

It depends on the provider. Some AI features analyze message metadata or content for security purposes (for example, phishing detection); others, such as inbox summarization, process the message content itself. Check what each feature reads before enabling it on mailboxes that hold PHI.

Does Paubox scan outbound email content using AI?

Not currently. However, Paubox Email Suite Premium includes data loss prevention (DLP), which scans outbound emails for specific keywords and can block sensitive messages that shouldn't be sent. Paubox does use AI for inbound email security (available with Paubox Email Suite Plus and Premium), detecting threats like phishing and spoofing before they reach your inbox.
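To make the DLP description concrete, here is an added example of what a keyword-and-pattern outbound rule actually does. It is not Paubox's DLP engine: the keyword list, the identifier patterns, the allow/flag/block thresholds and the sample messages are all constructed for illustration, and it goes slightly beyond "specific keywords" by adding identifier patterns, which is the usual next step once a keyword list alone proves too easy to miss.

```python
"""Keyword and pattern based outbound DLP check.

Added example, not Paubox's DLP engine. Looks for a small set of PHI
keywords plus a few identifier patterns in the subject, body and extracted
attachment text, then returns allow, flag or block. Keyword list, patterns,
thresholds and sample messages are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed keyword list; a real policy is tuned per organisation.
PHI_KEYWORDS = ("diagnosis", "medical record", "lab results", "prescription")

# Constructed identifier patterns; the MRN and DOB formats are assumptions.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN\s*[:#]?\s*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(
        r"\b(?:DOB|date of birth)\s*[:#]?\s*\d{1,2}/\d{1,2}/\d{2,4}\b",
        re.IGNORECASE,
    ),
}


@dataclass
class Verdict:
    action: str                      # "allow", "flag" or "block"
    hits: list[str] = field(default_factory=list)


def scan_outbound(subject: str, body: str,
                  attachment_text: tuple[str, ...] = ()) -> Verdict:
    """Apply the rule to one message.

    Attachments are scanned as extracted text, so an image-only attachment
    (a photographed form, for instance) would slip past a rule like this.
    """
    text = "\n".join((subject, body, *attachment_text))
    lowered = text.lower()
    hits = [f"keyword:{kw}" for kw in PHI_KEYWORDS if kw in lowered]
    hits += [f"pattern:{name}" for name, pat in PHI_PATTERNS.items()
             if pat.search(text)]

    if any(h.startswith("pattern:") for h in hits):
        return Verdict("block", hits)     # a direct identifier is the strongest signal
    if len(hits) >= 2:
        return Verdict("flag", hits)      # several keywords: hold for review
    return Verdict("allow", hits)


# Constructed sample messages: (subject, body, attachment_text).
SAMPLES = {
    "appointment": ("Appointment reminder", "See you Tuesday at 9:00.", ()),
    "referral": ("Referral", "Attaching lab results and diagnosis for review.", ()),
    "records": ("Records", "Copy attached.",
                ("Patient John Doe, MRN: 00481516, DOB 04/02/1971",)),
    # Clinical shorthand: real PHI, but nothing on the keyword list matches.
    "shorthand": ("Re: visit", "Pt has a dx of T2DM, started metformin.", ()),
}


def scan_samples() -> dict[str, str]:
    """Run the rule over every sample and return name -> action."""
    return {name: scan_outbound(*parts).action for name, parts in SAMPLES.items()}


if __name__ == "__main__":
    for name, action in scan_samples().items():
        print(f"{name}: {action}")
```

The "shorthand" sample is the caveat worth remembering: it is plainly PHI, yet a keyword list never sees it, because clinicians write "Pt", "dx" and drug names rather than "patient" and "diagnosis". That is why keyword DLP is a backstop for messages that should not leave at all, and why the page's default of encrypting every message, rather than only the ones a rule catches, is the part that actually carries the compliance weight.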

 

Can you opt out?

Within Paubox, no. AI is used only in Paubox Email Suite Plus and Premium, where it is core to how inbound threats are detected and blocked, so it can't be switched off on those tiers; if you're on Email Suite Standard, AI isn't part of the product at all. Whether you can opt out of AI features in your email platform itself (for example, Gmail's AI summaries) depends on that provider's settings.

Learn more: I want to turn off ONLY the AI Summary in Gmail.

Do clients/patients need to be informed?

Yes. If AI tools process PHI, that processing should be described in your Notice of Privacy Practices, and any vendor whose AI handles PHI on your behalf should be covered by a business associate agreement.

Read also: What is a Notice of Privacy Practices?

Attachments

Are attachments encrypted?

Yes, when using Paubox Email Suite, attachments, including PDFs and images, are encrypted along with the email.

Read also: What types of encryption methods encrypt email attachments?

Do recipients need special software to open attachments?

No. For any email sent through Paubox, recipients open encrypted attachments in their standard email client or app, just like a normal attachment.

HIPAA Security Rule changes

Are there upcoming encryption requirements?

Last year, we reported that the Office for Civil Rights (OCR) released a Notice of Proposed Rulemaking titled HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information. Among the proposed modifications is making the Security Rule's "addressable" (i.e., flexible) implementation specifications "required." If adopted, that would very likely mean all emails containing protected health information must be encrypted. The proposal was published in January 2025; OCR has since been working through thousands of comments, and we expect to hear updates in May 2026.

In the meantime, regulators are pushing toward more explicit, measurable cybersecurity requirements, especially around protecting ePHI in transit, including email. So even before the rule is finalized, healthcare organizations should treat the proposal as a roadmap and tighten safeguards now.

Go deeper: HIPAA Security Rule Notice of Proposed Rulemaking to Strengthen Cybersecurity for Electronic Protected Health Information

Patient right of access

What if a patient insists on using unencrypted email?

You can send unencrypted emails if:

  • The patient requests it
  • They are informed of the risks
  • Consent is documented

HHS states that “the Privacy Rule does not prohibit the use of unencrypted e-mail for treatment-related communications between health care providers and patients.”

Read more: What are patient rights under HIPAA?

Breach reporting

When do you have to report a breach?

According to the HHS, "The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information." It further states that "notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach."

What is considered a reportable breach?

Any impermissible use or disclosure of unsecured PHI, for example an email containing PHI sent to the wrong address or read by someone not authorized to see it, is presumed to be a breach unless a documented risk assessment demonstrates a low probability that the PHI has been compromised.

That risk assessment must consider at least the following factors:

  • “The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
  • The unauthorized person who used the protected health information or to whom the disclosure was made;
  • Whether the protected health information was actually acquired or viewed; and
  • The extent to which the risk to the protected health information has been mitigated.”

Read more: Navigating HIPAA's Breach Notification Rule
