Is email HIPAA-compliant? While HIPAA doesn’t prohibit email communication, healthcare organizations need to implement safeguards to protect patients’ PHI. Therefore, without encryption, access controls, and monitoring, standard email may not meet compliance requirements. Due to these limitations, many healthcare organizations are turning to HIPAA-compliant secure communication and collaboration platforms that utilize built-in protections for sharing sensitive information and coordinating care. Here, we’ll provide more information on email compliance to help you better understand your options.

Quick Overview: Is Email HIPAA-Compliant? 

  • Email is not automatically HIPAA compliant, but it can be used in a compliant way if proper safeguards are in place to protect protected health information (PHI).
  • HIPAA allows email communication, but organizations must follow Privacy Rule and Security Rule requirements, including encryption, access controls, authentication, and monitoring.
  • Patients may request communication by email, even if it is unencrypted, as long as they acknowledge the potential security risks.
  • Traditional email systems often lack built-in protections, which can increase the risk of misdirected messages, unauthorized access, or other HIPAA violations.
  • Because of these risks, many healthcare organizations choose HIPAA-compliant secure communication and collaboration platforms designed specifically to protect PHI and support clinical communication workflows.

What Does HIPAA Say About Email Communication?

The HIPAA Administrative Simplification Regulations do not single out email. The applicability and preemption standards, the Privacy Rule, the Security Rule, and the breach notification standards all apply to PHI sent by email exactly as they apply to any other electronic handling of PHI.

With that being said, HIPAA does not prohibit the use of email for healthcare communication. However, it requires that any electronic transmission of protected health information (PHI) be safeguarded to protect patient privacy and security. This means healthcare organizations must implement appropriate administrative, technical, and physical safeguards when sending sensitive information.

Under the Health Insurance Portability and Accountability Act (HIPAA), two key rules apply to email communication:

HIPAA Privacy Rule

The HIPAA Privacy Rule regulates how PHI can be used and disclosed. Healthcare providers are allowed to communicate with patients via email, but they must take reasonable steps to protect patient information and limit disclosures to the "minimum necessary" information needed for the communication.

For example, a provider may email a patient about appointment details or follow-up instructions, but the message should avoid unnecessary personal or medical detail (a diagnosis in the subject line, for instance) that would increase the privacy impact if the message were misdirected or intercepted.

HIPAA Security Rule

The HIPAA Security Rule focuses on protecting electronic protected health information (ePHI). It requires healthcare organizations to implement safeguards such as:

  • Encryption for transmitting sensitive information
  • Access controls to ensure only authorized users can view messages
  • Authentication measures to verify the identity of users
  • Audit trails to track access and communication activity

Encryption is listed as an "addressable" implementation specification under the Security Rule (45 CFR 164.312(a)(2)(iv) for stored ePHI and 164.312(e)(2)(ii) for transmission). "Addressable" does not mean optional: under 164.306(d)(3) an organization must implement the specification if it is reasonable and appropriate, or else document why it is not and implement an equivalent alternative measure where one is reasonable and appropriate. A full copy of the regulation text can be found here for more information.

As of 2025, HHS has also published a proposed rule (Federal Register, January 2025) that would "require updates to existing cybersecurity safeguards to reflect advances in technology and cybersecurity, and help ensure that doctors, health plans, and others providing health care meet their obligations to protect the security of individuals' protected health information across the nation." Among other changes, the proposal would remove the distinction between "required" and "addressable" specifications and make encryption of ePHI in transit and at rest mandatory, with narrow exceptions. Until a final rule is issued, the current Security Rule text governs.

Can You Email PHI Under HIPAA?

Yes, under certain circumstances, healthcare providers can send PHI by email, but the privacy and security requirements must be followed. In practice this means the organization must encrypt the messages, restrict who can access them, authenticate its users, and monitor the system so that unauthorized access to sensitive information is detected and deterred.

Patient Consent and Acknowledged Risk

HIPAA also allows patients to request communication via unencrypted email, even though there are security risks involved. If the provider has informed the patient of the potential privacy concerns and the patient knowingly accepts the risk, the provider may communicate with that patient by unencrypted email. The warning and the patient's choice should be documented so the decision can be shown later.

Understanding HIPAA Compliant Email Requirements

To maintain compliance with HIPAA, email service providers and email solutions must be chosen deliberately. Existing email services are usually not HIPAA-compliant as delivered. A purpose-built communication and collaboration app is often the simpler route, because the controls below are built in rather than bolted on. Whichever route is taken, the most important HIPAA secure communication features are the following:

Encryption Requirements for HIPAA Email

Encryption is one of the most important safeguards used to protect PHI in email communication. Encryption converts readable information into ciphertext that can only be turned back into the original by a party holding the corresponding key, so an intercepted message or a copied mailbox reveals nothing useful on its own.

Two primary types of encryption help support HIPAA compliance:

  • Encryption in Transit: Protects PHI while the email is being transmitted across networks or the internet. This helps prevent unauthorized interception during delivery.
  • Encryption at Rest: Protects stored messages containing PHI while they remain on servers, email platforms, or backup systems.

While encryption is categorized as an “addressable” safeguard under HIPAA, organizations are generally expected to implement it whenever PHI is transmitted electronically unless an equivalent security measure provides the same level of protection.
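The in-transit requirement above has a common failure mode: mail clients that treat STARTTLS as optional fall back to plaintext when the relay does not offer it, and Python's smtplib does not verify the relay's certificate unless given a context that does. The following is an added example, not code from the original page or from any vendor it names, showing an enforced (fail-closed) STARTTLS sender using only the standard library. The relay host name and the addresses in the demo are constructed placeholders.

```python
"""Enforced STARTTLS for outbound mail that carries PHI (added example).

Standard-library only. `relay.example.internal` and the addresses used in
the __main__ demo are constructed placeholders, not real hosts or people.
"""
import smtplib
import ssl
from email.message import EmailMessage


def hardened_tls_context() -> ssl.SSLContext:
    """Client context that verifies the relay's certificate chain and host
    name and rejects TLS versions below 1.2.

    smtplib.SMTP.starttls() called without a context uses a stdlib context
    that does NOT verify the server certificate, so any certificate,
    including one presented by an interception proxy, is accepted silently.
    """
    ctx = ssl.create_default_context()          # CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """Deployment self-check: all three properties must hold."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and bool(ctx.check_hostname)
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def starttls_offered(esmtp_features: dict) -> bool:
    """smtplib lowercases EHLO keywords into SMTP.esmtp_features."""
    return "starttls" in esmtp_features


def require_starttls(esmtp_features: dict) -> None:
    """Fail closed. The common 'opportunistic' pattern

        if smtp.has_extn("starttls"):
            smtp.starttls()
        smtp.send_message(msg)      # still sends if STARTTLS was absent

    delivers PHI in the clear whenever a downgrade strips the advertisement.
    """
    if not starttls_offered(esmtp_features):
        raise RuntimeError("relay did not advertise STARTTLS; refusing to send PHI")


def build_message(sender: str, recipient: str, subject: str, body: str) -> EmailMessage:
    """Minimum-necessary body; keep PHI out of the Subject, which relays log."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    msg.set_content(body)
    return msg


def send_phi_message(relay_host: str, msg: EmailMessage, port: int = 587) -> dict:
    """Send only inside a verified TLS session and return the negotiated
    parameters so the caller can write them to the audit trail."""
    with smtplib.SMTP(relay_host, port, timeout=15) as smtp:
        smtp.ehlo()
        require_starttls(smtp.esmtp_features)
        smtp.starttls(context=hardened_tls_context())   # raises on bad cert/host
        smtp.ehlo()                                     # re-EHLO after TLS
        tls_version, cipher = smtp.sock.version(), smtp.sock.cipher()[0]
        smtp.send_message(msg)
    return {"relay": relay_host, "tls_version": tls_version, "cipher": cipher}


if __name__ == "__main__":
    demo = build_message("clinic@example.org", "patient@example.org",
                         "Appointment reminder", "Your visit is confirmed.")
    print(send_phi_message("relay.example.internal", demo))
```

The returned dictionary (relay, TLS version, cipher) is the evidence a compliance reviewer will ask for; writing it to the audit trail alongside the message ID turns "we encrypt in transit" from a policy statement into a verifiable record. Note that this protects only the hop to your relay; what the relay does toward the recipient's domain is a separate control (MTA-STS or a BAA-covered gateway).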

Access Controls and Authentication

HIPAA-compliant email systems must also ensure that only authorized individuals can access sensitive communications containing PHI. This is typically achieved through access control policies and user authentication measures. Common security practices include:

  • User authentication, such as secure passwords or multi-factor authentication, to verify user identity
  • Role-based access controls, which limit access to PHI based on an employee’s job responsibilities
  • Account management policies, ensuring access is removed when staff leave or change roles

These controls help reduce the risk of unauthorized access to patient information and ensure that only appropriate personnel can view or send PHI through email systems.

Audit Trails and Monitoring

Monitoring and documentation are also critical elements of HIPAA-compliant email systems. Healthcare organizations must be able to track how sensitive information is accessed and transmitted.

Audit trails are particularly important for compliance investigations because they provide a clear record of how PHI was handled within an organization’s communication systems.
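The access-control and audit-trail requirements above fit together naturally as a pre-send policy gate: decide whether this user may send this content to this recipient over this transport, and record the decision in a log that cannot be quietly edited afterwards. The following is an added example, not code from the original page or from any vendor it names. The role table, the verified-recipient directory, and the sample decisions are constructed for illustration; a real deployment would source roles from the identity provider and recipients from a directory covered by BAAs or documented patient consent.

```python
"""Pre-send policy gate with a tamper-evident audit trail (added example).

Roles, recipients and messages below are constructed placeholders.
"""
import hashlib
import json

# Constructed role model: which job functions may send PHI at all.
# Sourced from the identity provider in a real deployment.
ROLE_MAY_SEND_PHI = {
    "physician": True,
    "nurse": True,
    "billing": True,
    "front_desk": False,
}

# Constructed recipient directory. Value records WHY the recipient is
# acceptable: a signed BAA, or a patient's documented acceptance of
# unencrypted email (see "Patient Consent and Acknowledged Risk").
VERIFIED_RECIPIENTS = {
    "dr.lee@partner-clinic.example": "baa",
    "patient@example.org": "consent_unencrypted",
}

GENESIS = "0" * 64


class AuditLog:
    """Append-only, hash-chained records. Each entry commits to the previous
    entry's hash, so editing or deleting any row makes verify() fail."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    @staticmethod
    def _digest(prev: str, event: dict) -> str:
        body = json.dumps(event, sort_keys=True)  # canonical form
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def record(self, **event) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        event["seq"] = len(self.entries)
        h = self._digest(prev, event)
        self.entries.append({"prev": prev, "event": event, "hash": h})
        return h

    def verify(self) -> bool:
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or self._digest(prev, e["event"]) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def evaluate_send(sender_role: str, recipient: str, contains_phi: bool,
                  transport_encrypted: bool, log: AuditLog) -> str:
    """Return 'allow' or 'deny:<reason>' and log the decision either way.

    Check order is deliberate: who is sending, then to whom, then how.
    Messages without PHI are allowed regardless, so the gate does not
    block routine traffic."""
    if not contains_phi:
        decision = "allow"
    elif not ROLE_MAY_SEND_PHI.get(sender_role, False):
        decision = "deny:role_not_permitted"          # RBAC
    elif recipient not in VERIFIED_RECIPIENTS:
        decision = "deny:unverified_recipient"        # misdirected-message guard
    elif (not transport_encrypted
          and VERIFIED_RECIPIENTS[recipient] != "consent_unencrypted"):
        decision = "deny:unencrypted_transport"       # encryption in transit
    else:
        decision = "allow"
    log.record(sender_role=sender_role, recipient=recipient, phi=contains_phi,
               encrypted=transport_encrypted, decision=decision)
    return decision


if __name__ == "__main__":
    log = AuditLog()
    print(evaluate_send("front_desk", "dr.lee@partner-clinic.example", True, True, log))
    print(evaluate_send("nurse", "patient@example.org", True, False, log))
    print("chain intact:", log.verify())
    log.entries[0]["event"]["decision"] = "allow"     # simulated tampering
    print("chain intact after edit:", log.verify())
```

Denials are logged as well as approvals: during an incident investigation, the attempts that were blocked are often the first sign of a compromised account or a misconfigured workflow. The hash chain makes a local edit detectable; to make it unforgeable the latest hash should be periodically copied to a system the mail administrators cannot write to.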

Business Associate Agreements (BAAs)

A Business Associate Agreement (BAA) is one of the most critical compliance requirements when using third-party services to handle PHI, including email providers. Under HIPAA, covered entities and business associates must ensure that any vendor handling protected health information follows HIPAA privacy and security standards. 

A BAA is a contract between a healthcare organization and a vendor that creates, receives, maintains, or transmits PHI on the organization's behalf. In it the vendor (the business associate) acknowledges its responsibility for protecting that information and agrees to be bound by the applicable HIPAA standards. The agreement helps to:

  • Clarify the responsibility for protecting PHI between the healthcare organization and the vendor
  • Require vendors to follow HIPAA Security Rule requirements and Privacy Rule requirements
  • Define procedures for breach notification and incident response

Without a signed BAA, a covered entity may not let an email provider store, transmit, or otherwise handle PHI on its behalf; doing so is itself an impermissible disclosure, regardless of how secure the provider's technology is.

Is Email HIPAA-Compliant? The Short Answer

Email can be HIPAA-compliant, but it depends on how the email system is configured and whether the proper safeguards are in place to protect emails containing PHI. Many standard email systems lack the built-in controls necessary to reliably protect PHI in accordance with HIPAA email rules and compliance. Therefore, healthcare organizations often turn to secure messaging platforms or healthcare communication tools designed specifically to support HIPAA-compliant communication.

When Email Is NOT HIPAA Compliant

Traditional email platforms were not designed for healthcare environments, so certain practices create non-secure email risks and can lead to HIPAA violations: sending PHI through an account that is not covered by a BAA, sending it over a connection that was never confirmed to be encrypted, sending it to a recipient whose address was never verified, or sending PHI to a patient over unencrypted email without first warning them of the risk. A platform that advertises "secure" messages and attachments may still fall short of the HIPAA email requirements if it lacks these controls or will not sign a BAA.

Is Gmail or Outlook HIPAA-Compliant?

Platforms like Google Workspace and Microsoft 365 can be used in a HIPAA-compliant way, but they are not HIPAA-compliant by default. Both vendors will sign a BAA for their paid organizational plans; free consumer Gmail and Outlook.com accounts are not covered by one and should not carry PHI. Even with a BAA in place, whether the service meets the requirements depends on how it is configured: enforced encryption, multi-factor authentication, role-based access, retention and audit logging all have to be turned on and verified rather than assumed.

Secure Messaging vs. Traditional Email in Healthcare Communication

| Feature | Traditional Email | Secure Messaging Platforms |
|---|---|---|
| HIPAA Compliance | Not automatically HIPAA compliant; requires additional configuration and safeguards | Designed specifically to support HIPAA-compliant communication |
| Encryption | May require manual setup for encryption in transit and at rest | Encryption in transit and at rest is built in (verify any "end-to-end" claim: server-side archiving and search usually require the provider to hold the keys) |
| Access Controls | Limited control depending on the email provider | Role-based access controls restrict who can view messages |
| Authentication | Often relies on basic login credentials | Multi-factor authentication and identity verification are commonly included |
| Audit Trails | Audit logging may be limited or require additional tools | Built-in audit trails track message activity and access |
| Risk of Misdirected Messages | Higher risk of sending PHI to the wrong recipient | Often includes safeguards like verified user directories |
| Real-Time Communication | Delayed communication and fragmented threads | Instant messaging enables faster care team coordination |
| Workflow Integration | Typically separate from clinical systems | Often integrates with healthcare workflows and clinical communication tools |
| Security Monitoring | May require additional monitoring tools | Built-in monitoring and breach detection features |


How to Choose a HIPAA-Compliant Communication Solution

Choosing the right communication platform is essential for protecting patient information and improving care coordination. To make sure you comply with HIPAA, check that all of the features mentioned above are available and enabled in your configuration, and confirm that the vendor will sign a BAA before any PHI flows through the service.

A trusted option for healthcare organizations to consider is Buzz by Skyscape. Buzz is an all-in-one clinical communication and collaboration platform designed specifically for healthcare environments, offering secure messaging, phone calls, fax, file sharing, telehealth, and group collaboration tools within a single application. All communications are archived and secured to support HIPAA-compliant workflows for care teams, patients, and partners. Contact Buzz by Skyscape or schedule a demo to learn how it can streamline collaboration while supporting HIPAA compliance today.