The rules for secure email differ depending on whether a message stays on your internal email system or travels to an outside network. Any email containing ePHI that leaves your organization's network (beyond your firewall) should be encrypted in transit, because once it crosses that boundary you no longer control the servers and links it passes through.
However, just because encryption isn't mandated for email that stays on your internal network doesn't mean you shouldn't encrypt it. Under the HIPAA Security Rule, encryption is an "addressable" implementation specification, so before a healthcare organization decides whether or not to encrypt, it must perform a HIPAA security risk assessment.
A risk assessment lets the organization identify the threats and vulnerabilities that could compromise the confidentiality, integrity, or availability of ePHI, and weigh their likelihood and impact. The decision on whether or not to encrypt must then be documented: if you choose not to encrypt, record why encryption was not reasonable and appropriate and what equivalent alternative safeguard you implemented instead, so you can demonstrate to the Office for Civil Rights (OCR) that encryption was considered rather than simply skipped.