Secure Communication
HIPAA Compliance Email: Why Your Practice Needs More Than Just Encryption
Encryption alone does not make email HIPAA compliant. Learn the full requirements for HIPAA-compliant email communication in healthcare.

Encrypted email is not the same as compliant email
Email is the most common communication channel in healthcare — and one of the most common sources of HIPAA violations. Practices send appointment confirmations, lab results, referral notes, billing statements, and clinical summaries through email every day. Many assume that because their email provider advertises encryption, the problem is solved.
It is not. Encryption is one technical requirement among many. A practice can encrypt every email it sends and still violate HIPAA in half a dozen ways through that same email system.
The myth of HIPAA compliance and email
The myth goes like this: "We switched to Google Workspace (or Microsoft 365), turned on encryption, and now our email is HIPAA compliant."
This belief is widespread and dangerously incomplete. Here is why:
Encryption covers only part of one safeguard. HIPAA's Security Rule requires administrative, physical, and technical safeguards. Encryption maps to two addressable implementation specifications within the technical safeguards (encryption and decryption under access control, and encryption under transmission security). It does nothing for unique user identification, audit controls, integrity controls, or the administrative requirements that govern how email is used in practice.
TLS is not end-to-end. Most email encryption in healthcare relies on TLS (Transport Layer Security), which encrypts the hop between mail servers. If both the sending and receiving servers support it, the message is encrypted in transit. But TLS does not encrypt the message at rest on either server, and it does nothing to stop the recipient from forwarding the content onward in plaintext. Most servers also use it opportunistically: if the receiving server does not offer TLS, the message is delivered unencrypted and nobody is told, and a certificate that fails validation is usually accepted rather than rejected, so the sending server cannot even be sure which server it handed the message to.
The email provider is not the only party involved. Your email system touches multiple entities: the provider (Google, Microsoft), any third-party plugins or integrations, archiving services, spam filters, and the recipient's infrastructure. Each touchpoint is a potential exposure — and each entity that handles PHI needs a Business Associate Agreement.
What is HIPAA compliant email?
| Feature | Standard Email | HIPAA-Compliant Email |
|---|---|---|
| Encryption | Opportunistic TLS only (not guaranteed, not end to end) | End-to-end encryption + access controls |
| Message logging | Basic provider logs, often not enabled or reviewed | Full audit trails |
| BAA with provider | No BAA | Required BAA in place |
| Message lifecycle | No expiration or recall | Secure message lifecycles |
| Misdirected PHI protection | Easy to send PHI to the wrong recipient | Optional recipient confirmation + logging |
HIPAA compliant email is email that satisfies all applicable requirements of the Privacy Rule, Security Rule, and Breach Notification Rule when used to create, receive, maintain, or transmit protected health information. That includes:
1. A Business Associate Agreement with your email provider
Before your email system touches PHI, you need a signed BAA with the provider. Google offers a BAA for Google Workspace (not free Gmail). Microsoft offers one for Microsoft 365 Business and Enterprise plans. But the BAA only covers the provider's infrastructure — not third-party add-ons, plugins, or integrations you have connected to the account.
If you are using a consumer email account (Gmail, Yahoo, Outlook.com free tier) for any practice communication that includes PHI, no BAA is available for that account, so you are in violation regardless of encryption status.
2. Access controls
Every email account that can access PHI must have:
- Unique user credentials — No shared logins, no generic accounts like "frontdesk@practice.com" where multiple staff use the same password
- Multi-factor authentication (MFA) — A password alone is not sufficient. OCR already treats MFA as a baseline expectation, and the Security Rule update that HHS proposed in January 2025 would make it an explicit requirement
- Role-based access — Not every staff member needs access to every email thread containing PHI
- Automatic session timeouts — Accounts should lock after a period of inactivity
3. Audit logging
HIPAA requires the ability to track access to ePHI. For email, that means:
- Logging who accessed which email accounts and when
- Tracking login attempts (successful and failed)
- Monitoring email forwarding rules and auto-forwarding configurations
- Retaining logs long enough to support an investigation: HIPAA's six-year retention period (45 CFR 164.316) applies to required policies and documentation, and most practices apply the same period to audit logs rather than argue about the difference
Most email providers offer audit logging, but it is not always enabled by default. Google Workspace and Microsoft 365 both provide admin-level audit logs, but someone at your practice needs to know they exist, enable them, and review them.
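The forwarding-rule review above is the part of audit logging that catches account takeover early: an attacker who phishes one mailbox typically adds a rule that forwards mail out and deletes the copy. The following is an added example, not code from the original article or from Google Workspace or Microsoft 365. The rule records, the internal domain, and the "near-empty rule name" heuristic are all constructed or assumed for illustration; a real review would build the same records from an admin API or a CSV export of each user's mailbox rules.

```python
"""Flag mailbox forwarding rules that move mail out of the practice.

Added example, not code from the original article or from any email provider.
The rule records and the internal domain below are constructed; a real review
would build the same dicts from an admin API or CSV export of mailbox rules.
"""
from typing import Dict, List

INTERNAL_DOMAINS = {"practice.example"}  # constructed: the practice's own domain(s)

# Constructed rule export: one record per mailbox rule.
SAMPLE_RULES: List[dict] = [
    {"user": "dr.lee@practice.example", "name": "Copy to billing",
     "forward_to": ["billing@practice.example"], "delete_original": False, "enabled": True},
    {"user": "frontdesk@practice.example", "name": "home backup",
     "forward_to": ["frontdesk.backup@webmail.example"], "delete_original": False, "enabled": True},
    {"user": "nurse.kim@practice.example", "name": ".",
     "forward_to": ["kim.archive@freemail.example"], "delete_original": True, "enabled": True},
    {"user": "nurse.kim@practice.example", "name": "Old vendor rule",
     "forward_to": ["support@vendor.example"], "delete_original": False, "enabled": False},
]


def is_external(address: str) -> bool:
    """True when the address's domain is not one of ours."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def assess_rule(rule: dict) -> List[str]:
    """Reasons this rule needs a human look; an empty list means nothing stood out."""
    reasons: List[str] = []
    if not rule["enabled"]:
        return reasons  # not leaking anything today; report disabled rules separately if wanted
    external = [a for a in rule["forward_to"] if is_external(a)]
    if external:
        reasons.append("forwards to external address(es): " + ", ".join(external))
    if rule["delete_original"]:
        reasons.append("deletes the original after forwarding, hiding the activity from the mailbox owner")
    if len(str(rule["name"]).strip()) <= 1:
        # Heuristic (assumed): attacker-created rules are often named '.' or a single character.
        reasons.append("near-empty rule name, a pattern seen in attacker-created rules")
    return reasons


def review_rules(rules: List[dict]) -> Dict[str, List[str]]:
    """Map 'user / rule name' to its reasons, keeping only rules with findings."""
    report: Dict[str, List[str]] = {}
    for rule in rules:
        reasons = assess_rule(rule)
        if reasons:
            report[f"{rule['user']} / {rule['name']}"] = reasons
    return report


if __name__ == "__main__":
    for key, reasons in review_rules(SAMPLE_RULES).items():
        print(key)
        for reason in reasons:
            print("   -", reason)
```

Run it against a real export on a schedule, not once: the rule that matters is the one created after your last review. Disabled rules are skipped on purpose so the report stays short enough that someone actually reads it.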
4. Encryption — done properly
Encryption for HIPAA compliant email means:
- In transit: TLS 1.2 or higher, enforced rather than opportunistic, for all outbound messages containing PHI. Configure your email system to defer or bounce a message when TLS cannot be established with the receiving server instead of falling back to plaintext, and make sure it validates the receiving server's certificate; encryption to a server whose identity was never checked protects only against passive eavesdropping.
- At rest: Messages stored on the server should be encrypted. Google Workspace and Microsoft 365 both encrypt data at rest by default, but verify this for any other provider.
- End-to-end (when feasible): For highly sensitive communications, consider S/MIME or PGP encryption, or use a secure messaging portal where the recipient accesses the message through an authenticated web interface rather than receiving PHI directly in their inbox.
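Before you switch a tenant from opportunistic to required TLS, it is worth knowing which partner domains will start bouncing. The following is an added example, not code from the original article or from any provider's admin console: a standard-library probe that connects to a recipient's mail server, requires STARTTLS, validates the certificate, and a decision function that shows the difference between opportunistic and fail-closed delivery. The probe results used to exercise the decision logic are constructed; probe_mx() only makes a live connection when you call it with a real MX host.

```python
"""Fail-closed outbound TLS check for a recipient's mail server.

Added example, not code from the original article or from Google/Microsoft's
admin consoles. Standard library only. The probe results below are constructed;
probe_mx() makes a live SMTP connection only when you call it yourself.
"""
import smtplib
import ssl
from dataclasses import dataclass
from typing import Optional

ACCEPTED_VERSIONS = {"TLSv1.2", "TLSv1.3"}


@dataclass(frozen=True)
class TlsProbe:
    host: str
    starttls_offered: bool
    version: Optional[str]      # e.g. "TLSv1.3"; None if no handshake completed
    cert_verified: bool         # chain and hostname checked against the system trust store
    error: Optional[str] = None


def probe_mx(host: str, port: int = 25, timeout: float = 10.0) -> TlsProbe:
    """Connect to an MX, request STARTTLS, and validate its certificate.

    ssl.create_default_context() turns on chain verification and hostname
    checking, so a self-signed or mismatched certificate surfaces as a failure
    here instead of being accepted silently, which is what opportunistic TLS does.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                return TlsProbe(host, False, None, False, "STARTTLS not offered")
            smtp.starttls(context=ctx)  # verifies the chain and the hostname
            return TlsProbe(host, True, smtp.sock.version(), True)
    except ssl.SSLCertVerificationError as exc:
        return TlsProbe(host, True, None, False, f"certificate rejected: {exc.reason}")
    except ssl.SSLError as exc:
        return TlsProbe(host, True, None, False, f"TLS handshake failed: {exc}")
    except (OSError, smtplib.SMTPException) as exc:
        return TlsProbe(host, False, None, False, str(exc))


def delivery_decision(probe: TlsProbe, require_tls: bool) -> str:
    """Return 'deliver' or 'defer'.

    require_tls=False reproduces opportunistic TLS: the message goes out
    whatever the probe found, in the clear if need be.
    require_tls=True is the fail-closed setting for PHI: no STARTTLS, an
    unverifiable certificate, or a protocol below TLS 1.2 defers the message
    (queue for retry or bounce to the sender) rather than sending plaintext.
    """
    if not require_tls:
        return "deliver"
    if not (probe.starttls_offered and probe.cert_verified):
        return "defer"
    if probe.version not in ACCEPTED_VERSIONS:
        return "defer"
    return "deliver"


# Constructed probe results standing in for live connections.
SAMPLE_PROBES = [
    TlsProbe("mx.hospital-partner.example", True, "TLSv1.3", True),
    TlsProbe("mx.small-clinic.example", False, None, False, "STARTTLS not offered"),
    TlsProbe("mx.lab-vendor.example", True, None, False,
             "certificate rejected: CERTIFICATE_VERIFY_FAILED"),
    TlsProbe("mx.legacy-billing.example", True, "TLSv1.0", True),
]

if __name__ == "__main__":
    for p in SAMPLE_PROBES:
        print(f"{p.host:32} opportunistic={delivery_decision(p, False):8} "
              f"required={delivery_decision(p, True):8} {p.error or p.version}")
```

Every one of the four constructed cases delivers under opportunistic TLS; only the first delivers under the fail-closed rule. Google Workspace and Microsoft 365 both expose a per-domain setting that enforces TLS for listed recipient domains; run the probe across your referral partners, labs, and billing vendors first so you know who to call before their mail starts bouncing.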
5. Data loss prevention and retention
- DLP rules that scan outbound email for PHI patterns (SSN formats, MRN patterns, clinical terminology) and flag or block messages that appear to contain unprotected PHI addressed to external recipients. Tune them: blocking on clinical vocabulary alone produces enough false positives that staff learn to route around the control, so reserve hard blocks for direct identifiers and send the rest for review
- Retention policies that comply with state and federal record retention requirements
- Legal hold capabilities for email that may be relevant to audits or investigations
- Secure deletion processes for email that has exceeded its retention period
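The DLP rule described above, as an added example that is not code from the original article or from any vendor's DLP engine. It parses an outbound message with the standard email module, treats recipients outside the practice's domain as external, blocks on direct identifiers (SSN, an assumed MRN format, a labelled date of birth), and holds clinical wording for human review instead of blocking on it. The internal domain, the MRN format, the clinical word list, and the sample messages are all constructed.

```python
"""Outbound DLP pass for PHI in email.

Added example, not code from the original article or from any email vendor's
DLP engine. Everything below is constructed: the internal mail domain, the MRN
format (assumed to look like 'MRN 1234567'), the clinical word list, and the
sample messages. Real tuning depends on your own identifier formats.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import getaddresses
from typing import Dict, List

INTERNAL_DOMAINS = {"practice.example"}  # constructed: your own mail domain(s)

# Identifiers that on their own justify stopping an external message.
IDENTIFIER_PATTERNS = {
    # SSN in dashed form; excludes area/group/serial values SSA never issues.
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b"),
    # Assumed medical record number format: the token MRN, a separator, 6-10 digits.
    "mrn": re.compile(r"\bMRN[\s:#-]*\d{6,10}\b", re.IGNORECASE),
    # Date of birth labelled as such next to a date.
    "dob": re.compile(r"\b(?:DOB|date of birth)[\s:]*\d{1,2}/\d{1,2}/\d{2,4}\b", re.IGNORECASE),
}

# Clinical wording: worth a human look when sent externally, too noisy to block on alone.
CLINICAL_TERMS = re.compile(
    r"\b(?:diagnos(?:is|ed)|lab results?|prescri(?:ption|bed)|biopsy|pathology)\b",
    re.IGNORECASE,
)


def external_recipients(msg: Message) -> List[str]:
    """Addresses in To/Cc/Bcc whose domain is not one of ours."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    found = []
    for _, addr in getaddresses(headers):
        domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
        if addr and domain not in INTERNAL_DOMAINS:
            found.append(addr.lower())
    return found


def message_text(msg: Message) -> str:
    """Subject plus every text/plain part, so multipart messages are scanned too."""
    chunks = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def scan_outbound(raw_message: str) -> Dict[str, object]:
    """Classify one outbound message as allow / review / block."""
    msg = message_from_string(raw_message)
    external = external_recipients(msg)
    text = message_text(msg)
    identifiers = sorted(name for name, rx in IDENTIFIER_PATTERNS.items() if rx.search(text))
    clinical = CLINICAL_TERMS.search(text) is not None

    if not external:
        action = "allow"   # stays inside the BAA-covered tenant; access control applies instead
    elif identifiers:
        action = "block"   # direct identifier leaving the organisation: stop it and log it
    elif clinical:
        action = "review"  # clinical wording only: hold for a person, never drop silently
    else:
        action = "allow"
    return {"action": action, "external": external, "identifiers": identifiers, "clinical": clinical}


# Constructed sample messages.
REFERRAL_WITH_IDENTIFIERS = """\
From: frontdesk@practice.example
To: referrals@outside-clinic.example
Subject: Cardiology referral

Patient MRN 0048213, SSN 123-45-6789, DOB 03/14/1961, needs a follow-up echo.
"""
LAB_RESULTS_NOTICE = """\
From: frontdesk@practice.example
To: Pat Jones <pat.jones@mail.example>
Subject: Results

Your lab results are ready. Please log in to the portal to view them.
"""
INTERNAL_HANDOFF = """\
From: frontdesk@practice.example
To: nurse.kim@practice.example
Cc: dr.lee@practice.example
Subject: Intake for 2 pm

New patient, SSN 123-45-6789, intake form scanned to the chart.
"""
OFFICE_CLOSURE = """\
From: frontdesk@practice.example
To: pat.jones@mail.example
Subject: Holiday hours

The office is closed Monday for the holiday.
"""

if __name__ == "__main__":
    for raw in (REFERRAL_WITH_IDENTIFIERS, LAB_RESULTS_NOTICE, INTERNAL_HANDOFF, OFFICE_CLOSURE):
        print(scan_outbound(raw))
```

Note what the internal handoff shows: an SSN sent between two accounts in the same tenant is allowed by this rule, because DLP at the boundary is the wrong control for that case. Role-based access and audit logging are what limit who inside the practice can read it.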
6. Staff training specific to email
General HIPAA training that mentions email in passing is not sufficient. Staff need specific guidance on:
- When it is appropriate to include PHI in an email
- How to verify recipient identity before sending PHI
- What to do if PHI is sent to the wrong recipient (report it internally immediately: under the Breach Notification Rule it is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised, and the notification clock starts at discovery)
- How to handle patient requests to communicate via unencrypted email (a patient may ask for this under the Privacy Rule and the practice may honor it, but the warning given and the request itself must be documented)
- Why auto-forwarding to personal accounts is prohibited
Beyond encryption: the full requirements
Here is a practical checklist for evaluating your email compliance:
| Requirement | Status |
|---|---|
| BAA signed with email provider | |
| BAA signed with any email-related plugins/integrations | |
| Unique credentials for every user | |
| MFA enabled on all accounts | |
| Audit logging enabled and reviewed | |
| TLS enforced (no plaintext fallback) | |
| Data at rest encryption verified | |
| DLP rules configured | |
| Retention policies set | |
| Auto-forwarding disabled or restricted | |
| Email-specific staff training completed | |
| Incident response plan covers email breaches | |
If you cannot check every box, you have compliance gaps — regardless of whether your email is "encrypted."
What about patient-initiated email?
Patients have the right under HIPAA to request communication by unencrypted email. If a patient makes this request, you may comply — but you must:
- Warn the patient of the risks in writing
- Document the patient's request and your warning
- Limit the PHI included to what the patient requested
- Retain the documentation
This does not relieve you of your obligations for practice-initiated communications. If your office sends appointment reminders, billing statements, or clinical results by email, those messages must meet full compliance requirements regardless of what individual patients have consented to.
A better path forward
| Feature | Traditional Email | Encrypted Email Add-On | Patient Protect Secure Messaging |
|---|---|---|---|
| End-to-end encryption | Sometimes | Often | Always |
| BAA included | Rarely | With upgrade | Always |
| Internal team messaging | No | No | Yes |
| Secure patient communication | No | Often limited | Yes |
| Real-time alerts | No | No | Yes |
| Full audit logging | No | Sometimes | Always |
Email was not designed for healthcare communication. It was designed for open, interoperable messaging — the opposite of what HIPAA requires. Every compliance control you layer onto email is a workaround for a system that was never built for this purpose.
For practices looking to reduce email-related risk, consider these alternatives for PHI-containing communications:
- Patient portal messaging through your EHR (purpose-built, logged, encrypted)
- HIPAA-compliant secure messaging platforms for internal team communication, meaning ones that will sign a BAA and give administrators audit logs and account control. Consumer apps such as Signal encrypt end to end but do not sign BAAs and offer no administrative controls, so strong encryption alone does not qualify them
- Encrypted file-sharing for documents, images, and attachments containing PHI
For a broader view of where your practice communication channels stand, the free risk assessment evaluates email alongside every other system that touches patient data.
The goal is not to abandon email. It is to understand that encryption is the starting line — not the finish line — for HIPAA-compliant communication. Also read our guide on why smart professionals still skip email encryption to understand the behavioral barriers that keep practices exposed.
