Patient Protect

HIPAA compliant email

Email is the #1 source of HIPAA violations in healthcare.

43% of healthcare data breaches involve email. Encryption alone does not make email HIPAA compliant — and most practices are missing at least three of the seven requirements.

The risk

Why standard email fails HIPAA requirements.

Every email containing patient information is a potential breach vector. Standard email was designed for convenience, not security — and HIPAA was written for security, not convenience.

Unencrypted transmission

Standard email sends PHI in plaintext between servers. Any intermediary can read the content. TLS encryption only works if both sender and recipient servers support it — and there is no guarantee they do.

43% of healthcare breaches involve email (Verizon DBIR, 2024).
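The opportunistic-TLS problem described above has a direct mitigation at the sending gateway: require TLS 1.2 or newer with a validated certificate, and when the recipient's server cannot negotiate it, route the message to a secure-portal path instead of sending it in the clear. The following is an added example, not Patient Protect's code; the portal step is a placeholder and the host names and addresses are constructed for illustration.

```python
"""Enforced-TLS delivery with portal fallback.

Added example, not Patient Protect's code. The message goes out directly only
when STARTTLS negotiates TLS 1.2 or newer with a valid certificate; otherwise
it is routed to a secure-portal path (a placeholder here) rather than sent in
plaintext. Host names and addresses are constructed."""
import smtplib
import ssl
from email.message import EmailMessage
from typing import Optional


def strict_tls_context() -> ssl.SSLContext:
    """Context that validates the server certificate and hostname and
    refuses any protocol older than TLS 1.2."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def choose_channel(starttls_offered: bool, negotiated: Optional[str]) -> str:
    """Delivery decision for a PHI-bearing message.

    'direct'  - STARTTLS succeeded at TLS 1.2 or better.
    'portal'  - anything else; the recipient gets a notification and reads
                the message over an authenticated HTTPS portal.
    Plaintext SMTP is never returned as an option."""
    if starttls_offered and negotiated in ("TLSv1.2", "TLSv1.3"):
        return "direct"
    return "portal"


def send_with_policy(msg: EmailMessage, mx_host: str, port: int = 25) -> str:
    """Attempt direct delivery under the strict context and return the channel
    actually used. No STARTTLS, an old protocol, or a bad certificate all end
    up on the portal path instead of a plaintext send."""
    try:
        with smtplib.SMTP(mx_host, port, timeout=10) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                return choose_channel(False, None)
            smtp.starttls(context=strict_tls_context())  # raises below TLS 1.2
            smtp.ehlo()
            negotiated = smtp.sock.version()            # e.g. "TLSv1.3"
            channel = choose_channel(True, negotiated)
            if channel == "direct":
                smtp.send_message(msg)
            return channel
    except (smtplib.SMTPException, ssl.SSLError, OSError):
        # Connection, certificate or protocol failure: never downgrade.
        return "portal"


if __name__ == "__main__":
    note = EmailMessage()
    note["From"] = "frontdesk@clinic.example"       # constructed
    note["To"] = "results@lab-partner.example"      # constructed
    note["Subject"] = "Lab results ready"            # no PHI in the subject
    note.set_content("Please log in to the portal to view the report.")
    print("channel:", send_with_policy(note, "mx.lab-partner.example"))
```

The decision is deliberately two-valued: a failed negotiation is not a reason to retry without TLS, it is the trigger for the portal path that requirement 1 below describes.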

No access controls

Personal email accounts have no role-based access, no session timeouts, and no device management. Anyone with the password can read every message from any device, indefinitely.

Shared passwords on email accounts are flagged in 1 in 3 OCR audits.

No audit trail

Standard email providers do not log who accessed a message, when, or from where. When OCR requests evidence of your safeguards, you have nothing to show.

Failure to produce audit logs is a standalone HIPAA violation.

Indefinite retention

Emails sit in inboxes and trash folders indefinitely. Former employees retain access on personal devices. PHI accumulates in places your practice no longer controls.

Average email account contains 3+ years of unmanaged PHI.

What HIPAA requires

Seven requirements for HIPAA compliant email.

HIPAA does not ban email. It requires that email systems used for PHI meet specific technical and administrative safeguards. Missing any one of these can result in a violation.

1. Encryption in transit and at rest

   All email containing ePHI must be encrypted using TLS 1.2+ in transit and AES-256 at rest. If the recipient's server does not support TLS, the message must not be sent — or must use a portal-based secure delivery.

2. Business Associate Agreement

   Your email provider processes ePHI on your behalf, making them a business associate. You must have a signed BAA before any patient data flows through the system. Gmail, Outlook, and Yahoo personal accounts do not offer BAAs.

3. Access controls and authentication

   Each user must have a unique login. Multi-factor authentication (MFA) is required. Shared accounts, shared passwords, and auto-login on unmanaged devices are violations.

4. Audit logging

   Your email system must log who sent and received messages, when, and from what device. These logs must be retained for a minimum of six years per HIPAA requirements.

5. Data Loss Prevention (DLP)

   Rules must detect and block outbound messages containing PHI patterns (SSNs, MRNs, DOBs) sent to unauthorized recipients or personal accounts.

6. Retention and disposal policies

   Email retention periods must be defined and enforced. Deleted messages must be purged on schedule. Staff cannot maintain personal archives of patient communications.

7. Device management

   If staff access email from mobile devices, those devices must be managed — remote wipe capability, screen lock requirements, and encryption enforced.
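Requirements 4, 5 and 6 are the ones a practice can actually verify in code: an outbound DLP rule that matches PHI patterns and checks the recipient, an audit line that records who sent what to whom from which device, and a retention sweep that purges messages on schedule. The block below is an added example, not Patient Protect's code. The PHI regexes, approved domains, device names and sample messages are all constructed for illustration; real MRN formats vary by EHR and the patterns need local tuning.

```python
"""Outbound DLP check, audit record and retention sweep for a practice mail
gateway. Added example, not Patient Protect's code. PHI regexes, approved
domains, device names and the sample traffic are constructed."""
import json
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed detectors for the identifier classes the requirement names.
PHI_PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "MRN": re.compile(r"\bMRN\s*[:#]?\s*\d{6,10}\b", re.IGNORECASE),
    "DOB": re.compile(r"\bDOB\s*:?\s*\d{1,2}/\d{1,2}/\d{2,4}\b", re.IGNORECASE),
}
# Constructed: the practice's own domain plus partners covered by a BAA.
APPROVED_DOMAINS = {"clinic.example", "lab-partner.example"}
MESSAGE_RETENTION = timedelta(days=6 * 365)   # six-year retention policy


def find_phi(text: str) -> Dict[str, List[str]]:
    """Map each PHI class found in text to its matched strings."""
    hits: Dict[str, List[str]] = {}
    for label, pattern in PHI_PATTERNS.items():
        found = pattern.findall(text)
        if found:
            hits[label] = found
    return hits


def recipient_authorized(address: str) -> bool:
    """True when the recipient domain is the practice's own or under a BAA."""
    return address.rsplit("@", 1)[-1].lower() in APPROVED_DOMAINS


def evaluate(msg: dict) -> dict:
    """Policy decision for one outbound message. PHI in the subject is blocked
    regardless of recipient (subject lines are never encrypted); PHI in the
    body is blocked only when a recipient is outside the approved set."""
    subject_hits = find_phi(msg["subject"])
    body_hits = find_phi(msg["body"])
    unauthorized = [r for r in msg["to"] if not recipient_authorized(r)]
    if subject_hits:
        action, reason = "block", "PHI in subject line"
    elif body_hits and unauthorized:
        action, reason = "block", "PHI to unapproved recipient"
    else:
        action, reason = "allow", "policy satisfied"
    return {
        "action": action,
        "reason": reason,
        "phi_classes": sorted(set(subject_hits) | set(body_hits)),
        "unauthorized": unauthorized,
    }


def audit_record(msg: dict, decision: dict, now: datetime) -> str:
    """One JSON audit line: who, to whom, when, from which device, and what
    the gateway decided. Only PHI classes are logged, never the matched
    values, so the audit trail itself carries no PHI."""
    return json.dumps({
        "ts": now.isoformat(),
        "sender": msg["from"],
        "recipients": msg["to"],
        "device": msg["device"],
        "action": decision["action"],
        "reason": decision["reason"],
        "phi_classes": decision["phi_classes"],
    })


def purge_due(stored: List[dict], now: datetime) -> List[str]:
    """IDs of stored messages whose retention period has expired."""
    return [m["id"] for m in stored if now - m["received"] > MESSAGE_RETENTION]


# Constructed sample traffic.
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
SAMPLE_MESSAGES = [
    {"from": "nurse@clinic.example", "to": ["nurse.home@personal-mail.example"],
     "subject": "Chart for tonight", "body": "Pt SSN 123-45-6789, see attached.",
     "device": "personal-phone"},
    {"from": "frontdesk@clinic.example", "to": ["results@lab-partner.example"],
     "subject": "Re: DOB 04/12/1987 appointment", "body": "Confirming slot.",
     "device": "managed-laptop-07"},
    {"from": "frontdesk@clinic.example", "to": ["results@lab-partner.example"],
     "subject": "Lab order", "body": "Order for MRN: 00123456 attached.",
     "device": "managed-laptop-07"},
]
STORED = [
    {"id": "m-2018-001", "received": datetime(2018, 1, 1, tzinfo=timezone.utc)},
    {"id": "m-2024-317", "received": datetime(2024, 6, 1, tzinfo=timezone.utc)},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(audit_record(m, evaluate(m), NOW))
    print("purge:", purge_due(STORED, NOW))
```

Two design points carry over to any real deployment: the audit line records PHI classes rather than the matched values, so the six-year log does not itself become a store of PHI, and the subject-line rule fires before the recipient check because the subject is exposed even on an encrypted delivery.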

Provider comparison

Which email providers support HIPAA compliance?

Not all email platforms are equal. Some can be made compliant with configuration. Others cannot be used for PHI under any circumstances.

| Provider | BAA | Encryption | DLP | Audit | Notes |
|---|---|---|---|---|---|
| Google Workspace | Yes (Business plans and above) | TLS in transit, AES-256 at rest | Yes (admin configuration required) | Yes (Google Vault + Admin audit log) | Must sign BAA in Admin Console. Free Gmail does not qualify. |
| Microsoft 365 | Yes (Business and Enterprise plans) | TLS in transit, BitLocker at rest | Yes (Microsoft Purview) | Yes (Compliance Center audit log) | Must sign BAA in Admin Center. Personal Outlook.com does not qualify. |
| Free Gmail / Yahoo / AOL | No | TLS opportunistic (not guaranteed) | No | No | Not HIPAA eligible. No BAA available. Cannot be used for PHI. |
| Hushmail for Healthcare | Yes | TLS + OpenPGP, encrypted web forms | Limited | Basic logging | Purpose-built for healthcare. Simpler than Google/Microsoft but limited features. |
| Paubox | Yes | Automatic TLS + fallback portal | Optional add-on | Yes | HITRUST CSF certified. Seamless encryption — no portals for TLS-capable recipients. |

Common mistakes

Where practices get email compliance wrong.

  • Using personal email accounts (@gmail.com, @yahoo.com) for patient communication
  • Signing a BAA with Google Workspace or Microsoft 365 but not configuring DLP, MFA, or retention policies
  • Sending PHI to patients who reply from non-secure personal email — the return path is unencrypted
  • Forwarding patient emails to personal accounts for after-hours access
  • Not training staff on what can and cannot be sent via email
  • Using email subject lines that contain PHI (subject lines are never encrypted)
  • Assuming encryption covers the problem — encryption without access controls, audit logs, and policies is not compliance

Beyond email

Email is one surface. Your compliance program covers all of them.

Even with perfectly configured email, your practice still needs a risk assessment, workforce training, vendor BAA tracking, incident response procedures, and monitoring across every system that touches patient data. Patient Protect manages your full compliance posture — not just one communication channel.

FAQ

Common questions about HIPAA compliant email.

Is email HIPAA compliant?

Standard email is not HIPAA compliant. Email can be made compliant when sent through a platform with a signed BAA, encryption in transit and at rest, access controls, audit logging, and DLP policies configured. The platform alone is not enough — organizational policies and staff training are required.

Can I email patients under HIPAA?

Yes, if you use a HIPAA-compliant email system with proper encryption and have a signed BAA with your email provider. The patient should be informed that email carries inherent risks, and you should document their consent to receive communications via email. Never include PHI in subject lines.

Is Gmail HIPAA compliant?

Free Gmail is not HIPAA compliant — Google does not offer a BAA for personal accounts. Google Workspace (Business, Enterprise) can be HIPAA compliant after signing the BAA in the Admin Console and configuring DLP, MFA, and retention policies.

What is the penalty for sending PHI via unsecured email?

OCR penalties for email-related HIPAA violations range from $100 to $50,000 per violation, up to $1.5 million per year per violation category. Individual violations can be aggregated — a practice sending unencrypted emails daily could face penalties for each message.

Does encryption make email HIPAA compliant?

No. Encryption is one of several requirements. HIPAA also requires access controls, unique user authentication, audit logging, a signed BAA with the email provider, data retention policies, and staff training. Encryption alone does not equal compliance.

Do I need a separate HIPAA email provider?

Not necessarily. Google Workspace and Microsoft 365 can both meet HIPAA requirements when properly configured with a BAA. However, dedicated healthcare email providers like Paubox or Hushmail offer simpler setup and healthcare-specific features like encrypted web forms and automatic compliance.

Next step

Is your email putting patients at risk?

Most practices have at least one email-related HIPAA gap. The risk assessment shows you exactly where — and what to fix first.