How to Make Your Email HIPAA Compliant?

Emails have become the preferred way for business communication, especially in busy environments like healthcare organizations. But is sending email secure? Will it support compliance with HIPAA and other regulations? If not, what can you do to make your emails HIPAA-compliant?

Read on to get answers to these questions.

What is HIPAA?

HIPAA, which stands for the Health Insurance Portability and Accountability Act, is a U.S. law enacted in 1996 to safeguard individuals’ medical information privacy and ensure the security of electronic health records. It establishes standards for the handling and protection of sensitive health data, which is often called Protected Health Information (PHI).

HIPAA applies to organizations that handle PHI and its electronic format called ePHI. Patients’ PHI is sensitive because it contains information related to their health conditions, treatment, and care. In general, any information that can identify a specific patient comes under PHI. Due to the sensitive nature of this data, HIPAA explicitly prohibits organizations from sharing it with unauthorized users. Moreover, organizations must ensure that this data is not accessed by unauthorized people.

Broadly speaking, these provisions of HIPAA apply to healthcare providers, health plans, health insurance providers, and other entities handling health information. They must have policies and processes that protect the security and integrity of PHI when it’s stored, accessed, or communicated.

HIPAA’s Email Rules

HIPAA does not explicitly state that PHI information must not be sent through emails. However, organizations must implement strong security policies to protect PHI and its integrity. In other words, you can send PHI by email, but securely.

Unfortunately, the design and working of email make it a less secure option for sending PHI. This is because an email passes through multiple locations: from the sender’s device to the server of the sender’s Internet Service Provider (ISP), from there to the destination ISP’s server, and eventually to the end user’s device. Moreover, much of this communication happens over the Internet, where many malicious actors are lurking to gain access to such sensitive data.

Also, a copy of the email is stored on every device that it traverses. Imagine you’re using Microsoft Outlook for sending and receiving. This means four copies are stored, and it requires little technical experience to access them.

Other reasons why emails are not the safest choice for sending PHI are:

  • Emails can be accessed by unauthorized individuals who have access to the patient’s device.
  • Possibility for man-in-the-middle and intrusion attacks, where data is stolen or accessed during transmission from the source to the destination device.
  • Social engineering attacks like phishing can put PHI data at risk.
  • PHI information can be forwarded or printed without the patient’s explicit permission.
  • Third-party companies like email service providers have visibility into the PHI data.
  • Emails could be sent to the wrong person due to manual errors.

While the above aspects make email an insecure option, the good news is that you can take measures to improve its security.

Before we go into the security measures, let’s see what types of email communications require security.

Types of Email Communication

Below are some types of email communication that require stringent protection.

Remote Access Emails

The general rule is that you don’t have to secure the emails that are transmitted within your organization, like communication between doctors and nurses. But these emails have to go through your server and must not leave your network. If you plan to allow practitioners to access their emails remotely, some security mechanisms must be in place.

The same rules apply to communications among doctors. If both doctors are within your organization and if the emails are routed through your email server, they can be unencrypted and no specific rules apply. Otherwise, they must be secured.

Personal Emails

Now comes an important question. Can a doctor access a patient’s files outside of the organization? Can they work from home and send the records from their personal email to their official email?

A simple answer is that it depends on the contents of the email. If the doctor is accessing PHI or emailing any information that falls under the PHI categories or anything that can be related to a specific patient, the email has to be secured to avoid HIPAA violation. On the other hand, if this is general information about the treatment that cannot be related to a patient, then it will not violate HIPAA’s rules.

Broadcast Emails

Broadcast emails must be avoided. However, if you want to send a broadcast email to all the patients about an event or changes to your operational rules, you must use a secure email provider that complies with HIPAA regulations.

Now, some might argue that using the BCC field can provide patient security. Unfortunately, the BCC information is visible to hackers who can intercept an email. This is why you should choose a HIPAA-compliant email service when sending broadcast emails.

Emails from Recipients

What happens when the recipient sends an email to you or replies to a secure email you sent earlier? You are not impacted, because it is the recipient’s choice. HIPAA clearly states that the responsibility of choosing a secure email provider is on the sender and not the receiver. If you’re not sending emails, it does not matter from the standpoint of HIPAA guidelines.

Thus, these are the types of email communications likely to happen between a healthcare provider and patients. The rule of thumb is that the sender is responsible for sending secure emails that do not fall into the hands of the wrong person, resulting in a breach of the patient’s privacy and confidentiality.

How to Make Emails HIPAA-Compliant?

You can take additional steps to improve the security and privacy of emails. Some aspects to consider are:

Use Multi-Factor Authentication (MFA)

You can enforce MFA to reduce unauthorized access to PHI as only users with the right credentials can view their emails. However, this does not prevent hacking during email transmission.

Use Encryption

You can encrypt emails and transmit them. The advantage of this method is that even if hackers intercept your email during transmission or at rest on the servers and local devices, no one can read the sensitive information. The downside is that with tools like AI and the increasing sophistication of hackers, decrypting these emails is not difficult.

Moreover, HIPAA requires the PHI to remain secure during transit and at rest. Encryption can achieve this for you. However, make sure you choose a hard-to-break encryption algorithm like AES-256 to encrypt your emails. At the receiver’s end, you can require the user to enter a password to open and access their PHI.

If you’re opting for third-party email providers, make sure they have a “Zero-step” or automatic encryption process. Some providers ask you to click a button to encrypt your emails before sending them. This is a potential problem because if the sender forgets to click on the button or doesn’t know this functionality, the email can go through unsecured channels.
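The paragraphs above describe the goal, PHI that stays unreadable in transit and at rest and is opened by the recipient with a password, without showing the mechanics. The Go program below is an added example, not code from the article or from any provider it names: it seals an email body with AES-256-GCM under a key derived from a recipient password with PBKDF2-HMAC-SHA256, and shows that a wrong password or a single altered byte is rejected rather than silently producing garbage. The function names, the 100,000-round KDF, the blob layout (salt || nonce || ciphertext) and the sample body are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	saltLen   = 16      // per-message salt for the password KDF
	nonceLen  = 12      // standard GCM nonce size
	keyLen    = 32      // a 32-byte key selects AES-256
	kdfRounds = 100_000 // PBKDF2 iterations (value chosen for this example)
)

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018) written out so that the
// example needs nothing outside the standard library.
func pbkdf2SHA256(password, salt []byte, rounds, n int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	idx := make([]byte, 4)
	for block := 1; len(out) < n; block++ {
		binary.BigEndian.PutUint32(idx, uint32(block))
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx)
		u := prf.Sum(nil)
		t := append([]byte{}, u...)
		for i := 1; i < rounds; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:n]
}

// aeadFor derives the AES-256 key for one message from the recipient's
// password and that message's salt, and wraps it in GCM.
func aeadFor(password string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(password), salt, kdfRounds, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealBody encrypts an email body. Output layout: salt || nonce || ciphertext+tag,
// with salt and nonce also authenticated as associated data.
func SealBody(password, body string) ([]byte, error) {
	hdr := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	aead, err := aeadFor(password, hdr[:saltLen])
	if err != nil {
		return nil, err
	}
	return append(hdr, aead.Seal(nil, hdr[saltLen:], []byte(body), hdr)...), nil
}

// OpenBody reverses SealBody. A wrong password or any altered byte fails the
// GCM tag check, so confidentiality and integrity are verified together.
func OpenBody(password string, blob []byte) (string, error) {
	if len(blob) < saltLen+nonceLen {
		return "", errors.New("encrypted body too short")
	}
	hdr := blob[:saltLen+nonceLen]
	aead, err := aeadFor(password, hdr[:saltLen])
	if err != nil {
		return "", err
	}
	pt, err := aead.Open(nil, hdr[saltLen:], blob[saltLen+nonceLen:], hdr)
	if err != nil {
		return "", fmt.Errorf("cannot open body (wrong password or tampered message): %w", err)
	}
	return string(pt), nil
}

func main() {
	// Constructed sample body; not real patient data.
	blob, err := SealBody("recipient-passphrase", "Appointment confirmed for 2024-05-01.")
	if err != nil {
		panic(err)
	}
	_, err = OpenBody("wrong-passphrase", blob)
	fmt.Println("wrong password:", err)
	blob[len(blob)-1] ^= 1 // one bit flipped in transit
	_, err = OpenBody("recipient-passphrase", blob)
	fmt.Println("tampered:", err)
}
```

The design point worth noting is the authenticated mode: GCM produces a tag, so the receiver learns about modification, not just eavesdropping, which matches the article's requirement that PHI integrity be protected as well as its confidentiality. A fresh salt per message also means two recipients with the same password still get different keys.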

Enter into Business Associate Agreement

Make sure to sign a Business Associate Agreement (BAA) with the email service provider before using their services. To clarify, HIPAA rules are for covered entities like healthcare providers, insurance plans, and healthcare clearinghouses. Any company or entity that handles PHI data on behalf of these covered entities is a business associate, and it signs a BAA with the covered entity.

The BAA lays down the guidelines for sending and receiving emails, shared responsibility, liability in case of data breaches, and other clauses that can protect you from HIPAA non-compliance. It also establishes the security, administrative, and technical safeguards that will protect the PHI during transmission. Understanding these protection mechanisms can help you identify the right email service provider who will meet your specific needs while ensuring HIPAA compliance.

Email Configurations

Check your email configurations, even if you have signed a BAA, and use encryption to protect the email contents. Typically, the wrong email configuration can cause HIPAA violations. For example, HIPAA rules require you to blind copy (BCC) the recipients when sending bulk healthcare content. This requirement is in addition to using a secure and HIPAA-compliant email service for communication.

A general rule of thumb is that no one should associate any data with a specific individual without their explicit permission. As long as you follow this rule of thumb in all email communication, you can ensure compliance with HIPAA’s guidelines.

Continuous Training

An often overlooked aspect of HIPAA email compliance is training. You must educate your employees and train them on how to send emails that conform to HIPAA’s guidelines. You can even make it more extensive to cover all of HIPAA’s guidelines to help your employees understand the big picture.

Some aspects to cover in the training include double-checking the recipient’s name and email address to ensure that the email doesn’t go to the wrong individual. Also, your employees must check if the recipient has given explicit consent to receive PHI and other data through emails, as sending emails without consent is a violation of HIPAA rules. Moreover, the email must not contain passwords and other unique identifiers. It must only contain information that’s essential to achieve the purpose of communication.

Providing regular training on the above aspects can enable employees to follow the rules. Also, it can enhance their commitment and understanding of patient privacy and can even reduce accidental mistakes, taking you closer to 100% HIPAA compliance.
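The BCC rule from the Email Configurations section and the pre-send checks listed in this training section (right recipient, documented consent, no passwords or unique identifiers in the body) can also be enforced by a gateway before a message leaves the organization, so training is not the only safeguard. The Go program below is an added example, not code from the article or from any product it names: it parses a message with the standard net/mail package at submission time, before the mail server strips the Bcc field, and reports three kinds of findings. The two sample messages, the consent list, the field names and the regular expressions are constructed for this example.

```go
package main

import (
	"fmt"
	"io"
	"net/mail"
	"regexp"
	"strings"
)

// Body patterns that should never travel in a patient email (constructed for
// this example): credential strings and bare SSN-style identifiers.
var (
	credentialRe = regexp.MustCompile(`(?i)\bpassword\s*[:=]`)
	ssnRe        = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)
)

// addresses returns the parsed addresses of one header field, treating an
// absent field as an empty list rather than an error.
func addresses(h mail.Header, field string) ([]*mail.Address, error) {
	list, err := h.AddressList(field)
	if err == mail.ErrHeaderNotPresent {
		return nil, nil
	}
	return list, err
}

// CheckOutgoing inspects a message at submission time and returns one finding
// per policy violation. An empty result means the message may be sent.
func CheckOutgoing(raw string, consented map[string]bool) ([]string, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	from, err := msg.Header.AddressList("From")
	if err != nil {
		return nil, fmt.Errorf("From: %w", err)
	}
	sender := strings.ToLower(from[0].Address)

	var visible, hidden []*mail.Address
	for _, field := range []string{"To", "Cc"} {
		list, err := addresses(msg.Header, field)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", field, err)
		}
		visible = append(visible, list...)
	}
	if hidden, err = addresses(msg.Header, "Bcc"); err != nil {
		return nil, fmt.Errorf("Bcc: %w", err)
	}

	var findings []string
	// Rule 1: a bulk message must not reveal the recipient list.
	if len(visible) > 1 {
		findings = append(findings, fmt.Sprintf(
			"%d recipients exposed in To/Cc; bulk mail must carry them in Bcc", len(visible)))
	}
	// Rule 2: every recipient other than the sender must have consented to
	// receive PHI by email.
	for _, a := range append(append([]*mail.Address{}, visible...), hidden...) {
		addr := strings.ToLower(a.Address)
		if addr != sender && !consented[addr] {
			findings = append(findings, "no documented email consent for "+addr)
		}
	}
	// Rule 3: the body must not carry passwords or bare identifiers.
	body, err := io.ReadAll(msg.Body)
	if err != nil {
		return nil, err
	}
	if credentialRe.Match(body) {
		findings = append(findings, "body appears to contain a password")
	}
	if ssnRe.Match(body) {
		findings = append(findings, "body appears to contain an SSN-style identifier")
	}
	return findings, nil
}

// Two constructed sample messages: one that breaks the rules, one that follows them.
const bulkNotice = `From: Clinic Front Desk <frontdesk@clinic.example>
To: alice@example.com, bob@example.com
Subject: Flu clinic hours

Our flu clinic opens Saturday. Portal password: Winter2024
`

const compliantNotice = `From: Clinic Front Desk <frontdesk@clinic.example>
To: Clinic Front Desk <frontdesk@clinic.example>
Bcc: alice@example.com, carol@example.com
Subject: Flu clinic hours

Our flu clinic opens Saturday. Log in to the portal for details.
`

func main() {
	consent := map[string]bool{"alice@example.com": true, "carol@example.com": true}
	for _, raw := range []string{bulkNotice, compliantNotice} {
		findings, err := CheckOutgoing(raw, consent)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%d finding(s): %q\n", len(findings), findings)
	}
}
```

The first message trips all three rules (two visible recipients, one without consent, and a password in the body); the second addresses the sender in To, hides the patients in Bcc, and carries no sensitive strings, so it passes. In practice the consent map would come from the patient record system rather than a literal.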

Established Purpose

Since HIPAA doesn’t lay down explicit rules related to emails, it’s best to stick to sending electronic communication only when needed. Moreover, note that a patient’s full name is protected under HIPAA at all times and can be used only for permissible purposes. Since the health records contain the patient’s name, this HIPAA rule extends to PHI and other patient data by default. Due to this restriction, send emails only when needed.

HIPAA-Compliant Servers

You can make sure that emails reside in a HIPAA-compliant server that takes the necessary precautions to safeguard the PHI data. Again, this does not protect the email during transmission.

Note that none of the above measures addresses every issue on its own; you may have to combine all of them to make your emails more secure. Instead of doing this manually and tracking each measure, many organizations prefer to use email services that comply with HIPAA guidelines.

HIPAA-Compliant Email Service Providers

As a general rule, avoid using Internet-based webmail services like Gmail and Hotmail because they are not secure. Healthcare providers who use these services have paid high fines and penalties for non-compliance. Note that signing a BAA with the email service provider is not enough to meet HIPAA’s rules.

Despite the BAA agreement, the covered entities continue to be responsible for PHI data because the responsibility is shared. Moreover, the onus is on covered entities to ensure they have done their best to prevent a breach.

Due to this liability, many covered entities prefer to use secure email providers that have all the required data protection technologies and processes in place to protect PHI during email transmission. When covered entities use these HIPAA-compliant email services, they are considered to have taken the best possible efforts to protect the PHI.

Note that HIPAA does not explicitly prevent using Internet-based email services. It clearly states that covered entities can send unencrypted emails to recipients, provided recipients are aware of the risks involved and choose to continue to use these services. Also, if covered entities use a secure email service, then they are no longer responsible for what happens on the receiver’s end. Due to these provisions, many healthcare providers prefer to use HIPAA-compliant email services.

Below are some examples of HIPAA-compliant email services.

  1. Virtru – A secure email and file-sharing service that uses encryption and other advanced controls to protect your email communication. It even integrates with Google and Microsoft’s email services to make your communication HIPAA-compliant.
  2. Paubox – An email service designed exclusively for HIPAA compliance, Paubox comes with many features like easy setup, no passcodes, encryption, and more. With these features, it keeps all email communication secure from end to end.
  3. HIPAA Vault – Another email service with comprehensive security, HIPAA Vault works well with Google and Microsoft 365 to provide the protection mandated by HIPAA. Moreover, it also offers a Business Associate Agreement to reduce your liability in case of a data breach.
  4. MailHippo – This service secures all emails by extracting the contents and encrypting them before sending the email. As a result, hackers cannot access the contents even if they intercept the email, making it a 100% HIPAA-compliant email service provider.
  5. Hushmail – With this service, the entire connection between your device and Hushmail’s server is secured and this means, no one can eavesdrop or access the contents you send to the server.

Overall, these are some examples of secure and HIPAA-compliant email services that you can leverage to send your PHI and other confidential data through emails.

Alternative to Emails

Besides HIPAA-compliant emails, another option is to communicate sensitive data through a patient portal because these platforms offer encryption, Identity and Access Management (IAM), audit logging, and other security features that ensure data transmission safety. These portals come in handy if you’re looking for a service that goes beyond communication, as they offer services like patient reminders, billing, appointment scheduling, and more.

Some popular patient portals to choose from are:

  1. Sprinto: Sprinto offers a wide range of features like role-based access to allow only authorized users to access data. Also, its risk monitoring continuously checks usage in real time to identify and mitigate threats.
  2. OhMD: OhMD is another HIPAA-compliant solution that facilitates seamless communication between the patient and the healthcare provider. It delivers encrypted messages visible only to authorized patients and their caregivers.
  3. LuxSci: LuxSci specializes in protecting sensitive patient data. It provides advanced encryption options and isolates sensitive data on the server to reduce the likelihood of data breaches.
  4. Updox: Updox is another well-known HIPAA-compliant platform that enables authorized individuals to securely view patient information through the unified dashboard. It also supports audit trails to support collaboration and visibility into communication processes.
  5. PrognoCIS: This patient portal empowers patients and healthcare providers to securely connect from any Internet-enabled device to communicate with each other. It also supports the secure transmission of PHI that complies with HIPAA laws.

You can choose to communicate using a comprehensive patient portal or a HIPAA-compliant email service. Regardless of your choice, make sure to verify the security policies of the third party providing the service to ensure that you remain compliant with HIPAA rules.

Final Thoughts

To conclude, email is a key mode of communication between healthcare providers and patients. However, given the sensitive nature of patient information and the HIPAA rules surrounding the use of PHI, healthcare providers like you must ensure that the emails you send are secure. You can either communicate through patient portals that have security mechanisms in place to ensure the confidentiality and integrity of your communications, or use HIPAA-compliant email service providers that keep your email communication within HIPAA guidelines.

Lavanya Rathnam

Lavanya Rathnam is an experienced technology, finance, and compliance writer. She combines her keen understanding of regulatory frameworks and industry best practices with exemplary writing skills to communicate complex concepts of Governance, Risk, and Compliance (GRC) in clear and accessible language. Lavanya specializes in creating informative and engaging content that educates and empowers readers to make informed decisions. She also works with different companies in the Web 3.0, blockchain, fintech, and EV industries to assess their products’ compliance with evolving regulations and standards.
