HIPAA Compliant Email: How to Ensure Your Inbox is Secure

Do you handle protected health information (PHI) at work? If so, every way you communicate, store, or transmit PHI, including email, must comply with the Health Insurance Portability and Accountability Act (HIPAA).

Every day, more than 205 billion emails are sent (1), and a significant portion of those carry information subject to HIPAA. The number of HIPAA breaches reported to the U.S. Department of Health & Human Services (HHS) rose from 418 in 2019 to 505 in 2020, and email was by far the most common breach channel, accounting for 37% of all reported HIPAA breaches in 2020 (2).

The good news is that the measures that prevent email HIPAA violations, and the fines and penalties that follow them, are well understood. This post outlines the steps you can take to make your email HIPAA compliant.

What is a HIPAA Compliant Email?

Email is still the most widely used form of business communication (3), which is why most healthcare organizations use it to create, transmit, and store PHI. Electronic PHI (ePHI), meaning health information that is stored or transferred in electronic form, must be safeguarded under the HIPAA Security Rule (4).

For email, this means covered entities (and their business associates) must protect ePHI from the moment a message is composed until it reaches the recipient's inbox.

A HIPAA-compliant email, at its core, is one in which the PHI it contains reaches the recipient's inbox without being exposed along the way. In practice you will probably need a third-party email provider that offers HIPAA-compliant service. Typical consumer and business email services, such as Yahoo! Mail or Gmail, are not HIPAA compliant in their default configuration; they require specific settings and, as discussed below, a signed agreement with the provider.

There are four points between you and the intended recipient at which an email can be exposed:

  • The mail client or program you use to compose and send it
  • The transmission of the email across the network
  • Receipt of the email by the recipient's mail server
  • The recipient's storage of it in their mailbox

The sender's responsibility for a message ends once it reaches the recipient; from then on it is up to the recipient to protect any PHI they keep in their inbox. The sender does remain responsible for choosing a secure channel in the first place and for the copies retained in its own sent folders, archives, and backups.

Keep in mind that no certification makes an email provider HIPAA compliant; HHS does not certify products or vendors. To send HIPAA-secure email, follow the requirements of the HIPAA Privacy and Security Rules and put strong technical safeguards in place so that ePHI is protected at each of the four points above (4).

How to Send a HIPAA-Compliant Email

Protect your patients' data when sending email by applying the following measures.

  1. HIPAA Email Encryption

Email containing ePHI must be encrypted in transit, and ideally end to end. The HIPAA Security Rule lists encryption of ePHI as an "addressable" specification: you must either implement it or document why an equivalent safeguard is reasonable and appropriate, and for email, encryption is the expected answer. Be clear about which kind of encryption you have. Transport encryption (TLS between mail servers) protects each hop on the wire but leaves the message readable on every server it passes through and at rest in both mailboxes; end-to-end encryption (S/MIME, PGP, or a secure-message portal) keeps the content unreadable to every intermediary. If your provider does not encrypt automatically, each user has to remember to encrypt every message by hand. Email services and storage that encrypt all data by default save time and remove that source of human error.
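The distinction above between transport encryption and end-to-end encryption can be checked on a received message: the `Received:` headers record whether each SMTP hop used TLS, and the top-level `Content-Type` reveals whether the body was S/MIME or PGP/MIME encrypted. The following audit script is an added example, not code from the original post or from any email vendor; the three sample messages are constructed for the example (reserved example domains and documentation addresses), and the TLS markers it looks for are the RFC 3848 `with ESMTPS`/`ESMTPSA` keywords plus the `using TLSv1.x` and `version=TLS1_x` annotations written by Postfix and Microsoft Exchange respectively.

```python
"""Audit a received email for two HIPAA-relevant properties.

1. Was the body end-to-end encrypted (S/MIME or PGP/MIME), so that no mail
   server on the path could read it?
2. If not, did every SMTP hop recorded in the Received: headers use TLS?

Transport TLS is negotiated hop by hop, so one cleartext hop (for example a
workstation relaying to the clinic's own MTA without STARTTLS) exposes the
ePHI in transit even when the final hop was encrypted.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from typing import Dict, List, Optional

# Markers that common MTAs put in Received: headers when the hop used TLS.
# "with ESMTPS"/"ESMTPSA" are RFC 3848 keywords; Postfix adds
# "(using TLSv1.3 with cipher ...)"; Exchange writes "(version=TLS1_2, ...)".
TLS_HOP = re.compile(r"using TLSv1\.[0-3]|with E?SMTPSA?\b|version=TLS1_[0-3]",
                     re.IGNORECASE)


def end_to_end_scheme(msg: EmailMessage) -> Optional[str]:
    """Return the end-to-end encryption scheme of the body, or None if cleartext."""
    ctype = msg.get_content_type()
    if ctype == "application/pkcs7-mime" and msg.get_param("smime-type") == "enveloped-data":
        return "S/MIME"
    if ctype == "multipart/encrypted" and msg.get_param("protocol") == "application/pgp-encrypted":
        return "PGP/MIME"
    return None


def hop_report(msg: EmailMessage) -> List[Dict[str, object]]:
    """One entry per Received: header, newest first, with the receiving host and a TLS flag."""
    report = []
    for received in msg.get_all("Received", []):
        text = " ".join(str(received).split())  # unfold and normalise whitespace
        by = re.search(r"\bby (\S+)", text)
        report.append({"by": by.group(1) if by else "?", "tls": bool(TLS_HOP.search(text))})
    return report


def audit(raw_message: str) -> Dict[str, object]:
    """Classify a raw RFC 5322 message as end-to-end, transport-only or exposed."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    scheme = end_to_end_scheme(msg)
    hops = hop_report(msg)
    if scheme:
        verdict = "end-to-end"      # body unreadable to every relay and mailbox store
    elif hops and all(h["tls"] for h in hops):
        verdict = "transport-only"  # encrypted on the wire, readable at rest on each relay
    else:
        verdict = "exposed"         # at least one hop carried the ePHI in cleartext
    return {"verdict": verdict, "scheme": scheme, "hops": hops}


# Constructed sample messages for this example (not real traffic).
_TLS_HOP_TO_RECIPIENT = (
    "Received: from mail.clinic.example (mail.clinic.example [192.0.2.10])\n"
    "\tby mx.example.net (Postfix) with ESMTPS id 4ABC123\n"
    "\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits));\n"
    "\tMon, 3 Oct 2022 09:15:02 -0400\n"
)
_HEADERS = "From: nurse@clinic.example\nTo: patient@example.net\nSubject: Lab results\n"

# Internal hop from a workstation to the clinic MTA without STARTTLS.
EXPOSED_MSG = (
    _TLS_HOP_TO_RECIPIENT
    + "Received: from ws-12.clinic.example (unknown [10.1.2.33])\n"
    "\tby mail.clinic.example (Postfix) with ESMTP id 9DEF456;\n"
    "\tMon, 3 Oct 2022 09:15:01 -0400\n"
    + _HEADERS + "Content-Type: text/plain; charset=us-ascii\n\n"
    "Your HbA1c result is attached.\n"
)
_TLS_INTERNAL_HOP = (
    "Received: from ws-12.clinic.example (unknown [10.1.2.33])\n"
    "\tby mail.clinic.example (Postfix) with ESMTPSA id 9DEF456\n"
    "\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits));\n"
    "\tMon, 3 Oct 2022 09:15:01 -0400\n"
)
# Every hop used TLS, but the body is still plain text on both servers.
TLS_ONLY_MSG = (_TLS_HOP_TO_RECIPIENT + _TLS_INTERNAL_HOP + _HEADERS
                + "Content-Type: text/plain; charset=us-ascii\n\nYour HbA1c result is attached.\n")
# Same path, but the body is an S/MIME envelope (placeholder base64, not real CMS data).
SMIME_MSG = (_TLS_HOP_TO_RECIPIENT + _TLS_INTERNAL_HOP + _HEADERS
             + 'Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"\n'
             "Content-Transfer-Encoding: base64\n\nMIIBconstructedPlaceholderNotRealCmsData==\n")

if __name__ == "__main__":
    for name, raw in (("exposed", EXPOSED_MSG), ("tls-only", TLS_ONLY_MSG), ("smime", SMIME_MSG)):
        print(name, audit(raw))
```

Run against a mailbox export, the script flags any message whose verdict is `exposed` for investigation, and treats `transport-only` as a reminder that the copies in both mailboxes still need at-rest protection and access controls. Note that `Received:` headers are written by each relay and can be forged by an attacker who controls one, so the report is evidence of what your own servers logged, not proof of what happened on servers you do not control.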

  2. Specify Who Can Access Patient Information

Anyone who emails patients needs access to PHI. Identify which roles genuinely need that access to communicate with patients, grant it only to them, and review the list regularly so that access is removed when a role changes or an employee leaves.

  3. Back Up Email Communications

You must be able to produce a patient's history and communications when someone entitled to them asks for them, so implement secure storage that both retains and protects this data. Besides the patient, lawyers, insurance companies, government auditors, and other clinicians may legitimately request this information.

Document every step you take to store PHI securely, including email communications; that documentation is what an auditor will ask to see.

  4. Receive Patient Consent

Patients who agree to receive emails from you that may include their medical information should sign a written authorization form. They should also be told that their own email provider, such as Google, Microsoft Outlook, or Yahoo, may not protect the message once it reaches their inbox.

A patient may decline to authorize email, in which case you must offer an alternative secure method of communication. The standard alternative is a secure online portal with its own account and password, where the patient retrieves messages over an encrypted connection rather than receiving them by email.

  5. Sign a Business Associate Agreement with Your Email Provider

Before sending ePHI through a third-party email service, put a HIPAA-compliant Business Associate Agreement (BAA) in place with the provider. A BAA obligates the service provider to implement administrative, physical, and technical safeguards that protect the confidentiality, integrity, and availability of the ePHI it handles on your behalf.

If an email service provider or compliant-email vendor will not sign a BAA, choose a different provider.

  6. Safeguard Devices with Access to PHI

A common HIPAA violation is the theft or loss of an employee device holding PHI. Secure laptops, phones, and USB drives with full-disk encryption, strong passcodes, and the ability to wipe them remotely. The penalty is not for the theft itself but for failing to protect the data on the stolen device; a device encrypted in line with HHS guidance, whose key was not also compromised, does not expose readable PHI and generally does not trigger a reportable breach.

  7. Provide Staff Training

HIPAA requires that every member of the workforce be trained on your privacy and security policies, with refresher training whenever those policies change; annual training for everyone is the common practice. The training should cover how to safeguard devices, who has access to which information, and what can and cannot be included in emails to patients, insurers, and other parties.

Because staff are expected to follow your HIPAA email policies in practice, include a module on recognizing and avoiding email phishing, which is how many email-based breaches begin.

  8. Seek Legal Advice from a Healthcare Attorney

If you are unsure of your HIPAA obligations, consult a healthcare attorney who specializes in HIPAA. They can explain your responsibilities and what HIPAA-secure email requires in your specific situation.

For more information on HIPAA compliant emails, go to the U.S. Department of Health & Human Services website or stay on the right side of the law with the comprehensive courses offered through HIPAA Exams.


  1. The Radicati Group, Inc. (2021). Email Statistics Report, 2021-2025: Executive Summary. Retrieved October 23, 2022, from https://www.radicati.com/wp/wp-content/uploads/2021/Email_Statistics_Report,_2021-2025_Executive_Summary.pdf
  2. Greevy, H. (2022, September 14). 2019 HIPAA Breach Report: A Year in Review. Paubox. Retrieved October 23, 2022, from https://www.paubox.com/resources/2019-hipaa-breach-report-a-year-in-review/
  3. Alton, L. (2022, June 17). Email Remains the Top Communication Tool for Businesses – Here's Why. The American Genius. Retrieved October 23, 2022, from https://theamericangenius.com/business-news/email-remains-top-communication-tool-businesses/
  4. Office for Civil Rights (OCR). (2022, October 20). Summary of the HIPAA Security Rule. HHS.gov. Retrieved October 23, 2022, from https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html#:~:text=The%20Security%20Rule%20protects%20a,%22%20(e%2DPHI).