Staying on the right side of HIPAA with your email communication

If you leverage the right business partners for your email, you can both mitigate risk and provide seamless communication to your patients.

For most industries, email is a no-brainer for communicating with customers and colleagues. Healthcare providers, however, must implement safeguards to maintain HIPAA compliance and avoid costly fines and potential litigation.

This is not a reason to shy away from email in healthcare. With the right business partners and controls in place, you can mitigate the risk and still communicate seamlessly with your patients.

HIPAA and email encryption

Under the HIPAA Security Rule (45 CFR 164.306(a)), covered entities and their business associates must ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI); protect against reasonably anticipated threats and impermissible uses or disclosures; and ensure workforce compliance. The Rule does not name specific technologies, so its email encryption requirements are easy to misread: the obligations are stated in terms of outcomes and risk, which leaves the implementation open to interpretation.

Implementation specifications in the Security Rule are either “required” or “addressable.” A required specification must be implemented as written. An addressable specification must be implemented if a risk analysis shows it is reasonable and appropriate; if it is not, the entity must document why and put an equivalent alternative measure in place where one is reasonable and appropriate. “Addressable” does not mean “optional.”

Encryption of ePHI is an addressable specification in the Security Rule, both for data at rest (164.312(a)(2)(iv)) and for transmission (164.312(e)(2)(ii)). For email there is no reasonable alternative that gives the same protection, so encryption is effectively required whenever ePHI leaves your network.

To meet the transmission-security standard, you must protect ePHI while it travels to the recipient’s mailbox, and relying on your email provider’s defaults is not enough. Most major providers use opportunistic Transport Layer Security (TLS) between mail servers, but “opportunistic” means the sending server encrypts the connection only if the receiving server advertises STARTTLS. If the recipient’s mail server does not support it, the message is delivered in cleartext, silently, with no warning on the sender’s side; that is an unprotected transmission of ePHI and can amount to an impermissible disclosure. Two further caveats: TLS protects only the connection between servers, not the message once it sits in the recipient’s mailbox, and opportunistic TLS can be downgraded by an attacker on the path unless the receiving domain enforces it with a policy such as MTA-STS.
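The cleartext fallback described above can be detected after the fact from a delivered message’s Received: headers, and prevented before sending by asking the recipient’s mail exchanger whether it advertises STARTTLS. The following is an added example written for this edit, not code from the original article or from any vendor it mentions. It uses only the Python 3 standard library; the sample message, hostnames and addresses in it are constructed, and `release_decision` is a hypothetical gate standing in for whatever your outbound filter or encryption gateway actually does.

```python
"""Added example (not from the article): detecting the cleartext fallback.

Two checks a mail administrator can run with the Python 3 standard library:

  1. audit_received_headers(): given a delivered message, report which
     server-to-server hops were not protected by STARTTLS, based on the
     RFC 3848 "with" protocol names in its Received: headers.
  2. mx_offers_starttls(): before releasing a message that contains ePHI,
     connect to the recipient's mail exchanger and check whether its EHLO
     response advertises STARTTLS, failing closed on any error.

The sample message below is constructed for this example.
"""
import email
import re
import smtplib
import sys
from typing import List

# RFC 3848 "with" protocol names that mean the hop used STARTTLS
# (the UTF8SMTP variants come from RFC 6531).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

# "with <protocol>" inside a Received: header; the header may be folded,
# so the whitespace between the two words can include a line break.
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)")

# Constructed sample: the clinic's relay accepted the message over TLS
# (ESMTPSA), but the patient's provider only offered cleartext (ESMTP).
SAMPLE_MESSAGE = """\
Received: from mail-relay.clinic.example (mail-relay.clinic.example [192.0.2.10])
        by mx.patientmail.example with ESMTP id abc123;
        Mon, 1 Mar 2021 09:00:00 +0000
Received: from workstation.clinic.example ([198.51.100.7])
        by mail-relay.clinic.example with ESMTPSA id xyz789
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);
        Mon, 1 Mar 2021 08:59:58 +0000
From: frontdesk@clinic.example
To: patient@patientmail.example
Subject: Your appointment

Your lab results are attached.
"""


def hop_protocols(raw_message: str) -> List[str]:
    """Return the 'with' protocol of each Received: header, newest hop first."""
    msg = email.message_from_string(raw_message)
    protocols = []
    for received in msg.get_all("Received", []):
        match = WITH_RE.search(received)
        protocols.append(match.group(1).upper() if match else "UNKNOWN")
    return protocols


def audit_received_headers(raw_message: str) -> List[str]:
    """Hops that did not use STARTTLS.

    Anything not in TLS_PROTOCOLS is reported, including UNKNOWN, so a
    missing 'with' clause is never silently treated as protected.
    """
    return [p for p in hop_protocols(raw_message) if p not in TLS_PROTOCOLS]


def mx_offers_starttls(host: str, port: int = 25, timeout: float = 10.0) -> bool:
    """Connect to a mail exchanger and check whether EHLO advertises STARTTLS.

    Any connection or protocol error returns False, so a caller that gates
    on this result fails closed instead of sending ePHI in cleartext.
    """
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            return smtp.has_extn("starttls")
    except (OSError, smtplib.SMTPException):
        return False


def release_decision(contains_ephi: bool, starttls_available: bool) -> str:
    """Hypothetical outbound gate: ePHI goes out directly only when the
    receiving server can negotiate TLS; otherwise the message is held for
    the encryption gateway (portal pickup) instead."""
    if not contains_ephi:
        return "send"
    return "send" if starttls_available else "hold-for-encryption-gateway"


if __name__ == "__main__":
    print("cleartext hops in sample message:", audit_received_headers(SAMPLE_MESSAGE))
    if len(sys.argv) > 1:  # live probe: python starttls_check.py mx.example.net
        offered = mx_offers_starttls(sys.argv[1])
        print(sys.argv[1], "advertises STARTTLS:", offered)
        print("decision for a message containing ePHI:", release_decision(True, offered))
```

Run it with no arguments to audit the embedded sample, or pass an MX hostname (look it up with `dig MX patientmail.example`) to probe a live server. A hop recorded as ESMTP rather than ESMTPS or ESMTPSA was delivered in cleartext. The probe only tells you that STARTTLS is offered; it does not show that the certificate was validated or that a downgrade could not occur, which is why an encryption layer that does not depend on the recipient’s server is the dependable option.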

If you use a business email provider such as Google Workspace or Microsoft 365, you can close this gap by adding a layer of HIPAA compliant email encryption on top of it, so that messages containing ePHI are protected regardless of what the recipient’s mail server supports.

Look for an encryption service that is easy to use for both employees and administrators, with no extra steps or manual processes to send or receive a message, and don’t forget to sign a business associate agreement (BAA) with every vendor that handles ePHI on your behalf, including your email provider and the encryption service.

When HIPAA obligation ends

Under the HIPAA Omnibus Rule, a covered entity’s responsibility for ePHI sent by email ends once the message has been delivered to the individual; what the patient does with it afterwards is outside the entity’s control. HHS has also clarified that a patient may ask to receive communications by unencrypted email: the entity should warn them of the risk, and if they still prefer it, the entity may honor the request.

So, as long as ePHI is encrypted at rest on your systems and in transit to the patient, and the message goes to the correct address, you have met your transmission obligation for that message. Misaddressed email is the part to watch: sending ePHI to the wrong recipient is an impermissible disclosure and potentially a reportable breach, however well encrypted the transport was.

The importance of inbound email security

Ransomware attacks surged during the coronavirus pandemic. The U.S. experiences seven ransomware attacks an hour, and emboldened attackers are starting to go after critical infrastructure.

Healthcare has long been a target for ransomware because of how critical its services are (downtime pressures victims to pay) and the resale value of PHI, which often includes financial details and Social Security numbers.

Phishing email has become the leading entry point for ransomware. These messages impersonate a legitimate sender and try to trick the recipient into handing over credentials or opening a malicious link or attachment. A successful compromise can lead to stolen PHI and encrypted systems, often followed by a significant HIPAA penalty and patient litigation.

Healthcare providers should implement robust inbound email security alongside outbound encryption. The best solutions block malicious messages before they reach the inbox at all.

No matter how well your employees are trained to spot phishing, human error is unavoidable. For attackers it is a numbers game: land the lure in enough inboxes and someone will open it. One click can be enough to give an attacker a foothold from which to spread across the network.

It is up to each organization to understand and correctly implement the requirements of the HIPAA Privacy and Security Rules. The first step toward compliance is reading and understanding HIPAA and its amendments.

Encryption is effectively required if you want to email patients directly rather than through a portal. Once the message is delivered, your HIPAA responsibility for it ends; it is the patient’s prerogative to forward the message or use it as they wish.

Although HIPAA does not technically require inbound email security, strong inbound filtering is best practice as well, since ransomware and other email-borne threats are arriving at an ever faster rate.