HIPAA Email Rules: HIPAA Compliant Email

Using a HIPAA compliant email platform is an essential part of communicating patient information securely. The HIPAA email rules determine whether an email provider is HIPAA compliant. The requirements for HIPAA compliant email are discussed below as guidance on what to look for in an email provider.

HIPAA Email Rules: Encryption

HIPAA compliant email must use encryption whenever an email containing protected health information (PHI) is sent outside your organization. Emails sent within your organization do not need to be encrypted, provided they stay on a secure server that is not shared with external entities. Encryption masks sensitive data so that it can only be read by users who possess the decryption key. End-to-end encryption (E2EE) is particularly important for secure email transmission because it keeps emails encrypted both at rest and in transit, so an email sitting in your inbox and an email you send are equally protected.

However, even when your email provider uses E2EE, PHI should never appear in the subject line of an email. Subject lines cannot be encrypted, so a provider that puts PHI in a subject line risks having that PHI viewed by an unauthorized individual.

HIPAA Email Rules: User Authentication

User authentication verifies that users are who they claim to be. When email is used to communicate PHI, it is important to ensure that emails are not accessed by an unintended user. Email providers that offer two-factor authentication reduce the likelihood of unauthorized email access. Two-factor authentication requires users to present more than one credential to gain access to an email account, for example a username and password combined with security questions, a one-time PIN sent to the user's phone, and so on.

HIPAA Email Rules: Access Controls

HIPAA compliant email requires access controls to be enabled. Access controls assign different levels of access to PHI based on a user's job function. The HIPAA minimum necessary standard requires that individuals have access only to the PHI they need to perform their job.

HIPAA Email Rules: Audit Logs

Audit logs track access to PHI so that adherence to the minimum necessary standard can be verified. Keeping an audit log establishes the regular PHI access pattern of each employee. This allows administrators to quickly detect when employees, or unauthorized individuals using an employee's login credentials, access PHI for a purpose other than performing their job. In essence, audit logs enable quick detection of both insider and external breaches.
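The baseline-and-deviation idea described above, as an added example that is not part of the original article or any particular email product: the log format, user names, records and IP addresses are all constructed, and the three deviation tests (record outside the user's usual caseload, a source IP never seen before, activity outside the user's usual hours) are illustrative choices an administrator would tune to their own environment.

```python
from datetime import datetime
# Constructed audit log lines, hypothetical "timestamp user record source_ip" format
BASELINE_LOG = """\
2024-03-01T09:12:04 nurse_a patient_101 10.0.0.5
2024-03-01T09:40:19 nurse_a patient_102 10.0.0.5
2024-03-01T10:05:33 nurse_a patient_101 10.0.0.5
2024-03-01T08:55:01 billing_b patient_201 10.0.0.9
2024-03-01T16:20:48 billing_b patient_202 10.0.0.9
"""
NEW_LOG = """\
2024-03-03T09:15:00 nurse_a patient_102 10.0.0.5
2024-03-03T02:41:10 nurse_a patient_250 10.0.0.5
2024-03-03T11:02:27 billing_b patient_201 203.0.113.7
2024-03-03T12:00:00 temp_c patient_101 10.0.0.5
"""

def parse(log):
    events = []
    for line in log.splitlines():
        ts, user, record, ip = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "record": record, "ip": ip})
    return events

def build_baseline(events):
    # Per user: the records they normally touch, the IPs they use, and the hours they are active
    base = {}
    for e in events:
        b = base.setdefault(e["user"], {"records": set(), "ips": set(), "hours": []})
        b["records"].add(e["record"])
        b["ips"].add(e["ip"])
        b["hours"].append(e["ts"].hour)
    return base

def flag_anomalies(baseline, events):
    # Return (event, reasons) for every event that deviates from its user's baseline
    flagged = []
    for e in events:
        b = baseline.get(e["user"])
        if b is None:
            flagged.append((e, ["user has no baseline"]))
            continue
        reasons = []
        if e["record"] not in b["records"]:
            reasons.append("record outside usual caseload")
        if e["ip"] not in b["ips"]:
            reasons.append("new source IP")
        if not min(b["hours"]) <= e["ts"].hour <= max(b["hours"]):
            reasons.append("outside usual hours")
        if reasons: flagged.append((e, reasons))
    return flagged
```

Run against the constructed logs, the nurse's 02:41 access to an unfamiliar record and the billing user's access from a new address are flagged, while the routine 09:15 access passes.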

HIPAA Email Rules: Business Associate Agreements

Business associate agreements (BAAs) must be signed with all of your business associates before you share PHI with them. Under HIPAA, email providers are considered business associates, so you must have a signed BAA with your provider before using email to send or receive PHI.

A BAA is a legal document that dictates the safeguards your business associates must have in place to secure the PHI you share with them. A BAA also makes your business associates responsible for maintaining their own HIPAA compliance. HIPAA compliant email providers are willing to sign a BAA. Many email providers will only sign BAAs with their paid users; as a result, their free versions are not HIPAA compliant and cannot be used with PHI.

HIPAA Compliant Email: Risks and Best Practices

Many patients do not use encrypted email and are unaware of the risks that this poses.

Before using email to communicate with patients, it is your duty to inform the patient of the risks of using unencrypted email to communicate sensitive information. You must also provide an alternative means of communication for patients who decide they do not want to use email, such as a patient portal that provides secure communication.

Email Errors

Inadvertent PHI breaches occur when email addresses are not carefully reviewed. Check and double-check the recipient's email address before sending PHI. Confirm that you have the correct address by first sending a preliminary email that does not contain any PHI.

Shared Devices

When patients share computers or other devices with members of their family, the family member may be able to access the patient’s email. This poses a risk especially for patients in an abusive relationship.

Email Subject Lines

As noted above, do not include PHI in email subject lines. Subject lines cannot be encrypted, so including PHI in one can easily expose patient information.

Group Emails

Do not send group emails, especially to multiple patients. When you do, each recipient can easily see the other recipients' email addresses, which is a HIPAA violation because email addresses are considered PHI.

Take a minute to review your email, including email addresses, subject lines, and attachments to ensure that you are not inadvertently exposing PHI.
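A pre-send review that applies the rules in this section and the encryption and subject-line rules above, as an added example that is not part of the original article or of any mail product: it treats every message to an address outside the practice's domain as potentially carrying PHI and so requires the encrypted flag, looks for subject-line wording that suggests PHI, rejects group sends to more than one external recipient, and requires each external address to have been confirmed by a PHI-free preliminary email. The message dictionary shape, the internal domain, the verified-address list and the subject patterns are all assumptions for the example.

```python
import re

INTERNAL_DOMAINS = {"example-health.org"}      # assumed: the practice's own mail domain(s)
VERIFIED = {"patient.one@example.com"}         # assumed: addresses confirmed by a PHI-free preliminary email

# Constructed patterns that suggest PHI in a subject line; tune these for your own records
PHI_SUBJECT_PATTERNS = [
    r"\bMRN\b",                                # medical record number label
    r"\b\d{3}-\d{2}-\d{4}\b",                  # SSN-shaped number
    r"\b(diagnos|result|prescription|appointment)",
]

def external_recipients(msg):
    """All To/Cc addresses whose domain is not one of ours."""
    addrs = msg.get("to", []) + msg.get("cc", [])
    return [a for a in addrs if a.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]

def check_outbound(msg):
    """Return a list of problems; an empty list means the message may be sent."""
    problems = []
    ext = external_recipients(msg)
    if ext and not msg.get("encrypted", False):
        problems.append("PHI to an external address must be encrypted")
    if any(re.search(p, msg.get("subject", ""), re.I) for p in PHI_SUBJECT_PATTERNS):
        problems.append("subject line appears to contain PHI")
    if len(ext) > 1:
        problems.append("group email to multiple external recipients exposes their addresses")
    for a in ext:
        if a not in VERIFIED:
            problems.append(f"recipient not yet verified: {a}")
    return problems

# Constructed sample message (hypothetical dict shape, not a mail library object)
SAMPLE = {
    "to": ["patient.one@example.com", "patient.two@example.com"],
    "cc": ["nurse@example-health.org"],
    "subject": "Your lab results",
    "encrypted": False,
}
```

The sample message trips all four checks; an encrypted message to a single verified patient with a neutral subject passes.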
