Secure Communication
Why Even Smart Health Professionals Still Don't Encrypt Their Email — and Why That's a Problem
Most healthcare professionals know email encryption matters. Few actually implement it. Here is why the gap persists and what it costs.

The gap between knowing and doing
Ask any dentist, physician, or practice manager whether email encryption matters for HIPAA compliance. Almost all of them will say yes. Now ask them whether every email leaving their practice that contains patient information is encrypted. The answer changes.
This is not an intelligence problem. The professionals running independent healthcare practices are sharp, educated, and capable. They understand risk in clinical contexts — they assess it every day with patients. But when it comes to email encryption, there is a persistent gap between knowing it matters and actually implementing it.
That gap is where HIPAA violations live. And it is costing the industry billions.
Why the gap persists
The reasons are consistent across practice types and sizes. They are not excuses — they are structural barriers that the industry has failed to address.
Complexity masquerading as simplicity
Email feels simple. You open a client, type a message, hit send. The simplicity of the interface masks the complexity of what happens underneath: DNS lookups, SMTP relay chains, TLS negotiation (or lack thereof), server-side storage, backup replication, and forwarding rules.
When a compliance vendor says "enable encryption," a practice manager hears "flip a switch." The reality is configuring TLS enforcement, verifying recipient server capabilities, setting up fallback behavior, enabling S/MIME certificates, or deploying a secure email gateway. None of that is one click, and most practices do not have the technical staff to implement it correctly.
The EHR false sense of security
Many practices believe their EHR system covers email security. The logic goes: "Patient data lives in the EHR. The EHR is encrypted. Therefore our patient data is encrypted."
This reasoning breaks the moment someone copies a lab result into an email body, attaches a scanned referral letter, or forwards a patient message from the portal to a colleague's inbox. The EHR protects data inside the EHR. The moment information moves to email — which happens dozens of times daily in most practices — EHR encryption is irrelevant.
Workflow friction
Encrypted email introduces friction. Portal-based encryption requires recipients to log into a web interface to read messages. S/MIME requires certificate management. Secure email gateways add an extra step to the send process.
In a practice where every minute matters — where front desk staff are juggling phones, check-ins, insurance verification, and patient questions simultaneously — any additional step gets skipped. Not out of negligence, but out of operational survival.
"Nothing has happened yet"
This is the most dangerous reasoning of all. The absence of a known breach feels like evidence that current practices are adequate. But the average healthcare breach takes 258 days to identify and contain (IBM, 2024). It is entirely possible — likely, in fact — that practices with poor email security have already been compromised and simply do not know it yet.
The absence of evidence is not evidence of absence. It is evidence of insufficient monitoring.
What unencrypted email actually costs
Every unencrypted email containing PHI is a separate potential HIPAA violation. That is not hyperbole — it is how OCR calculates penalties.
Consider the math for a practice that sends 20 emails per day containing some form of patient information — appointment details, clinical notes, insurance information, referral letters. Over a year, that is approximately 5,200 separate transmissions. If those emails are unencrypted and a breach occurs (or an audit reveals the pattern), each transmission is an independent violation.
Under the HIPAA penalty tiers:
- Tier 1 (did not know): $100-$50,000 per violation
- Tier 2 (reasonable cause): $1,000-$50,000 per violation
- Tier 3 (willful neglect, corrected): $10,000-$50,000 per violation
- Tier 4 (willful neglect, not corrected): $50,000 per violation
Even at Tier 1 minimums, 5,200 violations at $100 each is $520,000. At Tier 2, the exposure starts at $5.2 million. The annual maximum per violation category is $1.5 million under OCR enforcement discretion (the inflation-adjusted statutory cap exceeds $2.1 million) — but that cap applies per category, and unencrypted email can trigger violations across multiple categories simultaneously (transmission security, access controls, audit controls).
These are not theoretical numbers. They are the framework OCR uses in every enforcement action.
The behavioral economics of inaction
Research in behavioral economics explains why smart people consistently fail to act on known risks:
Present bias — The cost of implementing encryption is immediate (time, money, workflow disruption). The cost of not implementing it is uncertain and in the future. Humans systematically overweight present costs and underweight future risks.
Status quo bias — Changing email systems or adding encryption layers requires active decision-making and change management. Doing nothing requires no action at all. The default wins.
Optimism bias — "Breaches happen to other practices, not mine." This belief persists despite data showing that attacks on independent providers have risen 6x since 2021 and that 276 million Americans had their health data exposed in 2024.
These biases are not character flaws. They are features of human cognition that security design must account for — by making the secure path the easy path.
Solutions that remove friction
The answer is not to lecture smart professionals about what they already know. The answer is to build systems where encryption happens without requiring daily decisions:
Enforce TLS at the server level. Configure your email system so that messages to external recipients require TLS. If the receiving server does not support TLS, the message does not send — and the sender gets a notification to use an alternative channel. This removes the decision from individual staff.
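The rule just described, as an added example that is not code from this article or from any vendor it mentions: a small outbound relay step that delivers a message only when the receiving server advertises STARTTLS and the handshake succeeds against a certificate that verifies, and otherwise holds the message and tells the sender to use another channel. The certificate check goes slightly beyond the text (which only requires TLS support) because a STARTTLS session with an unverified certificate can be silently downgraded or intercepted. The hostnames and addresses are constructed placeholders.

```python
"""TLS-or-hold delivery rule for outbound mail (added example, not the
article's code). A message is delivered only over a verified TLS session;
otherwise it is held and the sender is told to use another channel.
Hostnames and addresses below are constructed placeholders."""
import smtplib
import ssl
from dataclasses import dataclass
from email.message import EmailMessage


@dataclass
class DeliveryDecision:
    action: str   # "deliver" or "hold"
    reason: str


def evaluate_tls_offer(esmtp_features: dict) -> DeliveryDecision:
    """Policy check on the parsed EHLO response (smtplib stores keys lowercase)."""
    if "starttls" not in esmtp_features:
        return DeliveryDecision("hold", "receiving server does not advertise STARTTLS")
    return DeliveryDecision("deliver", "STARTTLS offered; upgrading before DATA")


def send_or_hold(msg: EmailMessage, next_hop: str, port: int = 25,
                 notify=print) -> DeliveryDecision:
    """Deliver msg over a verified TLS session, or hold it and notify the sender."""
    ctx = ssl.create_default_context()          # verifies chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        with smtplib.SMTP(next_hop, port, timeout=10) as smtp:
            smtp.ehlo()
            decision = evaluate_tls_offer(smtp.esmtp_features)
            if decision.action == "deliver":
                smtp.starttls(context=ctx)      # raises on handshake or certificate failure
                smtp.ehlo()                     # re-EHLO inside the encrypted session
                smtp.send_message(msg)
    except (smtplib.SMTPException, OSError) as exc:
        decision = DeliveryDecision("hold", f"TLS session not established: {exc}")
    if decision.action == "hold":
        notify(f"HELD message to {msg['To']}: {decision.reason}. "
               "Send this through the patient portal instead.")
    return decision


def build_sample_message() -> EmailMessage:
    """Constructed test message; addresses are placeholders."""
    msg = EmailMessage()
    msg["From"] = "frontdesk@practice.example"
    msg["To"] = "specialist@clinic.example"
    msg["Subject"] = "Referral"
    msg.set_content("Referral letter attached.")
    return msg


if __name__ == "__main__":
    # Nothing listens on 127.0.0.1:1, so the connection fails and the message is held.
    print(send_or_hold(build_sample_message(), "127.0.0.1", port=1))
```

In a real deployment this decision belongs in the mail server's policy (Postfix, for example, expresses it with smtp_tls_security_level set to encrypt or secure, optionally per destination through a TLS policy map) rather than in application code; the point of the script is that the decision is made once, by configuration, and never by the person typing the message.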
Use a secure email gateway. Services like Paubox, Virtru, or LuxSci sit between your email system and the internet. They handle encryption transparently — outbound messages are encrypted automatically without requiring the sender to do anything different.
Default to the patient portal. Make portal messaging the primary channel for patient communication. Reserve email for non-PHI content only. This is a policy decision, not a technology decision, and it eliminates the largest category of email-based PHI exposure.
Implement DLP scanning. Data loss prevention rules can detect PHI patterns in outbound email and block or quarantine messages before they leave the practice. This catches the lab result that gets copy-pasted, the insurance form attached to a reply-all, and the clinical note forwarded to the wrong address.
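The kind of outbound check described above, as an added example that is not the article's code and not any vendor's product: it scans an outgoing message's subject, body and attachment names for patterns that suggest PHI and returns a disposition of allow, quarantine for review, or block. The patterns, weights and thresholds are illustrative assumptions a practice would tune to its own data, and the three sample messages (the pasted lab result, the form on a reply-all, a plain appointment reminder) are constructed for this example.

```python
"""Outbound DLP scan for PHI indicators (added example, not the article's code).
Patterns, weights and thresholds are assumptions; sample messages are constructed."""
import re
from dataclasses import dataclass, field

# (category, pattern, weight). Weights are an assumption, not a standard.
RULES = [
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), 3),
    ("mrn", re.compile(r"\bMRN\b[:\s#]*\d{5,10}\b", re.I), 3),
    ("dob", re.compile(r"\b(?:DOB|date of birth)\b[:\s]*\d{1,2}/\d{1,2}/\d{2,4}", re.I), 2),
    ("insurance_id", re.compile(
        r"\b(?:member|policy|subscriber)\s*(?:id|number|#)[:\s#]*[A-Z0-9]{6,}", re.I), 2),
    # ICD-10 code with its decimal part, e.g. E11.65. The bare three-character form
    # is deliberately left out because it also matches ordinary text like "B12".
    ("icd10", re.compile(r"\b[A-TV-Z]\d{2}\.\d{1,4}\b"), 1),
    ("clinical_terms", re.compile(
        r"\b(?:diagnos(?:is|ed)|lab results?|pathology|prescri(?:bed|ption)|referral)\b",
        re.I), 1),
]
ATTACHMENT_NAME = re.compile(r"referral|lab|result|chart|eob|claim|rx", re.I)
ATTACHMENT_WEIGHT = 2
BLOCK_AT = 3        # assumption: one strong identifier is enough to block
QUARANTINE_AT = 1   # assumption: any weaker indicator goes to human review


@dataclass
class Disposition:
    action: str                                   # "allow", "quarantine" or "block"
    score: int
    findings: list = field(default_factory=list)  # (category, matched text)


def scan_message(subject: str, body: str, attachments=()) -> Disposition:
    """Score the message against RULES and map the score to a disposition."""
    findings, score = [], 0
    text = f"{subject}\n{body}"
    for category, pattern, weight in RULES:
        for match in pattern.finditer(text):
            findings.append((category, match.group(0)))
            score += weight
    for name in attachments:
        if ATTACHMENT_NAME.search(name):
            findings.append(("attachment_name", name))
            score += ATTACHMENT_WEIGHT
    if score >= BLOCK_AT:
        action = "block"
    elif score >= QUARANTINE_AT:
        action = "quarantine"
    else:
        action = "allow"
    return Disposition(action, score, findings)


# Constructed sample messages mirroring the three scenarios in the text.
SAMPLES = {
    "pasted_lab_result": (
        "Fwd: results",
        "Hi Dr. Lee, pasting the panel below.\nMRN: 0048213\nDOB: 04/12/1971\n"
        "Lab result: HbA1c 8.2%. Working diagnosis E11.65, will adjust dosing.",
        (),
    ),
    "reply_all_with_form": (
        "Re: schedule", "Attaching the form you asked for.", ("insurance_claim_form.pdf",),
    ),
    "appointment_reminder": (
        "Reminder",
        "Your appointment with Dr. Lee is Tuesday at 3:00 pm. Reply YES to confirm.",
        (),
    ),
}


def run_samples() -> dict:
    """Scan every sample and return the dispositions keyed by scenario name."""
    return {name: scan_message(*parts) for name, parts in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name}: {result.action} (score {result.score}) {result.findings}")
```

The scoring split matters in practice: a hard identifier such as an MRN or SSN blocks on its own, while weaker signals (a clinical word, a suggestive attachment name) only hold the message for a human, which keeps the rule useful without stopping routine scheduling mail. Expect to tune the term list against a sample of your own outbound traffic, since the attachment-name heuristic in particular will trip on unrelated file names.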
Train on specifics, not generalities. Annual HIPAA training that includes one slide about email is useless. Staff need scenario-based training: "A patient emails you asking about their test results. What do you do?" "You need to send a referral letter to a specialist. What is the process?" Specific, repeatable workflows beat abstract policies.
For a complete view of where your practice email security stands relative to HIPAA requirements, read our detailed guide on HIPAA compliant email requirements. The free risk assessment also evaluates your communication channels as part of the overall security review.
Closing the gap
The knowledge-action gap in email encryption is not going to close by itself. It persists because the secure option is harder than the insecure option — and because consequences feel distant until they arrive.
Closing it requires three things:
- Technical controls that enforce encryption by default — so staff do not have to make a security decision on every email
- Visibility into current exposure — the ePHI data flow mapper shows where unencrypted patient data is actually moving in your practice
- Continuous monitoring that catches drift — because encryption configured once and never verified is encryption that may no longer be working
Smart professionals do not skip encryption because they are careless. They skip it because the systems around them make it easy to skip. Fix the systems, and the behavior follows.
