Is encrypted email HIPAA compliant?


It’s common for healthcare providers to have questions and concerns about sending emails to patients securely. A common question is, is encrypted email HIPAA compliant?

According to the U.S. Department of Health and Human Services (HHS), the HIPAA Security Rule does not prohibit using email to send protected health information (PHI) as long as certain protections, like encryption, are in place. 

Email encryption is a confidentiality control: it transforms a message so that only someone holding the right key can read it, which blocks unauthorized individuals from reading the contents. But is encrypted email always HIPAA compliant? 

Keep reading to learn more about HIPAA email encryption rules. Plus, find out how a HIPAA compliant email provider can help. 

What are the HIPAA requirements for email encryption? 

Under the Security Rule, implementation specifications for covered entities are classified as either “required” or “addressable.”

Those labeled “required” must be implemented. Failing to do so is a failure to comply with HIPAA. 

On the other hand, “addressable” specifications only need to be implemented if a risk assessment determines that they are a reasonable and appropriate measure for protecting the confidentiality, integrity and availability of electronic protected health information (ePHI).

If the entity finds a specification not reasonable and appropriate, it must document that decision and implement an equivalent alternative measure. 

Email encryption falls under the “addressable” category. In practice there is no equivalent alternative for protecting PHI sent by email, so a risk assessment will almost always conclude that encryption is reasonable and appropriate. That makes it effectively required. 

Not encrypting emails puts both your patients’ privacy and your organization at risk. 

Secure your emails at rest 

The Security Rule covers ePHI “at rest,” meaning data stored on a server, such as messages sitting in mailboxes. If a third party hosts your mail, for example Google Workspace, Microsoft 365 or hosted Microsoft Exchange, you must sign a business associate agreement (BAA) with that provider.

Keep in mind that many popular consumer email services, including free Gmail and Yahoo Mail accounts, are not suitable. Those providers do not sign a BAA for consumer accounts, so there is no contractual assurance that data stored on their servers is protected. 

If PHI is only sent internally, between mailboxes on the same BAA-covered server, the messages never cross the public internet and the provider’s storage and network controls, including its firewall, do most of the work. Your risk assessment still has to cover who can access those mailboxes. 

However, what about when your emails are sent out?

Secure email data in transit 

HIPAA also requires ePHI to be secured in transit. There are two layers to this. Transport encryption (TLS) protects each hop between mail servers. End-to-end encryption protects the message itself, so that only the sender and the intended recipient can read it no matter how many servers it passes through. 

Standard email is not secure end-to-end by default. SMTP was designed to deliver messages, not to keep them confidential. Your email provider may use TLS, but between servers TLS is usually opportunistic: the sending server offers it and uses it only if the receiving server offers it too.

If the recipient’s mail server does not advertise STARTTLS, the sending server falls back to delivering the message in clear text, and it arrives unencrypted.
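One way to see whether that fallback happened on a delivered message, added here as an illustrative example in Python rather than code from this article or from Paubox: most mail servers record whether each hop used TLS in the Received: header they prepend (RFC 3848 registers the ESMTPS/ESMTPSA “with” keywords for TLS sessions; Postfix also writes “using TLSv1.x with cipher …”, and Exchange Online and Gmail write “version=TLS1_x”). The function below walks that chain for a constructed message whose hostnames, queue IDs and timestamps are invented, and flags the hop that fell back to cleartext.

```python
"""Audit the Received: header chain of a delivered email for TLS on every hop.

Added example, not code from the article or from Paubox. The sample message
is constructed: hostnames, queue IDs and timestamps are made up.
"""
import re
from email import message_from_string

# Markers that common MTAs leave in Received: headers for a TLS-protected hop:
#  - RFC 3848 "with" keywords SMTPS / ESMTPS / ESMTPSA (Postfix, Sendmail, Gmail)
#  - "(version=TLS1_2 ...)" written by Exchange Online and Gmail
#  - "using TLSv1.3 with cipher ..." written by Postfix
_TLS_MARKERS = [
    re.compile(r"\bwith\s+(?:UTF8)?E?SMTPSA?\b", re.I),  # does not match plain ESMTP/ESMTPA
    re.compile(r"\(version=TLS", re.I),
    re.compile(r"\busing\s+TLSv1\.\d", re.I),
]
_FROM_RE = re.compile(r"^\s*from\s+(\S+)", re.I)
_BY_RE = re.compile(r"\bby\s+(\S+)", re.I)


def parse_hops(raw_message: str) -> list[dict]:
    """Return one dict per relay hop, oldest hop first.

    Each MTA prepends its own Received: header, so the header list is
    newest-first; it is reversed here to read the path in delivery order.
    """
    msg = message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())  # unfold continuation lines
        m_from = _FROM_RE.match(value)
        m_by = _BY_RE.search(value)
        hops.append({
            "from": m_from.group(1) if m_from else None,
            "by": m_by.group(1) if m_by else None,
            "tls": any(p.search(value) for p in _TLS_MARKERS),
        })
    return hops


def all_hops_encrypted(raw_message: str) -> bool:
    """True only if the message records at least one hop and every hop shows TLS."""
    hops = parse_hops(raw_message)
    return bool(hops) and all(h["tls"] for h in hops)


# Constructed sample. Hop 1 (clinic workstation -> clinic MTA) used TLS with
# authentication (ESMTPSA). Hop 2 (clinic MTA -> patient's inbound MX) fell back
# to cleartext ("with ESMTP", no cipher recorded) because the receiving server
# did not offer STARTTLS. Hop 3 (the provider's internal relay) used TLS again.
SAMPLE_MESSAGE = """\
Received: from mx1.patientmail.example (mx1.patientmail.example [198.51.100.20])
\tby mailbox.patientmail.example (Postfix) with ESMTPS id 1A2B3C
\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
\tfor <patient@patientmail.example>; Mon, 1 Jan 2024 10:00:02 +0000
Received: from mail.clinic.example (mail.clinic.example [203.0.113.5])
\tby mx1.patientmail.example (Postfix) with ESMTP id 4D5E6F
\tfor <patient@patientmail.example>; Mon, 1 Jan 2024 10:00:01 +0000
Received: from workstation.clinic.example (workstation.clinic.example [10.0.0.7])
\tby mail.clinic.example (Postfix) with ESMTPSA id 7G8H9I
\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
\tfor <patient@patientmail.example>; Mon, 1 Jan 2024 10:00:00 +0000
From: clinic@clinic.example
To: patient@patientmail.example
Subject: Appointment reminder

Your appointment is confirmed.
"""


if __name__ == "__main__":
    for i, hop in enumerate(parse_hops(SAMPLE_MESSAGE), 1):
        status = "TLS" if hop["tls"] else "CLEARTEXT"
        print(f"hop {i}: {hop['from']} -> {hop['by']}: {status}")
    print("all hops encrypted:", all_hops_encrypted(SAMPLE_MESSAGE))
```

Received: headers are written by each relay and are self-reported, so an upstream server can omit or forge them; this is an after-the-fact audit of a message you already received, not a guarantee. The fix for the fallback itself sits on the sending side: configure the outbound server to require TLS for the destination, or use a provider that guarantees encryption, rather than hoping the receiver offers STARTTLS.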

Therefore, the safest way for covered entities to strengthen their email security strategy is to work with a third-party HIPAA compliant email provider that can secure emails every step of the way.

Send secured email with Paubox 

Paubox’s HIPAA compliant email service encrypts 100% of emails that go out—even if the recipient’s provider doesn’t support encryption. 

Paubox Email Suite enables HIPAA compliant email by default and automatically encrypts every outbound message. This means you don’t have to spend time deciding which emails to encrypt, and your patients receive your messages right in their inbox—no additional passwords or portals necessary. 

Healthcare email cybersecurity

In addition to enabling healthcare email encryption for compliance with HIPAA email rules, Paubox Email Suite’s Plus and Premium plan levels include robust inbound email security tools that block malicious cyberattacks from reaching the inbox in the first place. 

Our patent-pending Zero Trust Email feature uses email AI to confirm that an email is legitimate. Additionally, our patented ExecProtect feature quickly intercepts display name spoofing attempts.

Start Paubox Email Suite free today

Paubox lets you focus on taking care of your patients instead of your inbox


About the author

Sara Uzer

