Email remains one of the most widely used communication channels in healthcare, enabling fast coordination between providers, staff, and patients. However, standard email systems were never designed to be secure and compliant by default. Without proper safeguards, routine messages can become entry points for data breaches, compliance violations, and costly penalties. The following examples illustrate how insufficient email security practices can quickly compromise patient privacy and expose healthcare organizations to regulatory risk.
- Lafourche Medical Group disclosed a major breach affecting nearly 35,000 patients after an employee responded to a phishing email that impersonated a company executive. The attackers gained access to a corporate mailbox containing protected health information (PHI). The case resulted in a $480,000 penalty and became a milestone enforcement action involving a phishing attack.
- Eastern Connecticut Health Network reported a privacy incident after an employee emailed multiple patients without using BCC, unintentionally revealing their contact information to others. A routine communication mistake escalated into a reportable HIPAA violation and required organization-wide corrective training.
Let’s see what HIPAA-compliant email communication should look like and what security measures organizations should take to ensure the security of patients’ PHI.
What is a HIPAA-compliant email?
HIPAA-compliant email is email in which senders properly protect patients’ privacy and ensure the confidentiality, integrity, and availability of their PHI. The examples above demonstrate HIPAA noncompliance in healthcare email communication practices. The first demonstrates a lack of proper employee training, phishing-attack prevention, and, most likely, sufficient authentication. The second shows how the lack of awareness of email protocols compromised the confidentiality of the PHI.
IMPORTANT! A HIPAA-compliant email does not mean a fully secure and untouchable email. HIPAA compliance does not ensure you or your employees will never fall victim to a phishing attack, email compromise, or human error. Rather, it sets a minimum standard for securing email communications and helps mitigate the risks of impermissible disclosures and breaches of unsecured PHI.
The HIPAA Security Rule does not specify requirements for HIPAA-compliant email. Instead, relevant standards and implementation specifications govern PHI handling and transmission across all communication channels, including email.
So, let’s dive deeper into the requirements for making your email HIPAA compliant.
The HIPAA Security Rule and email compliance
The HIPAA Security Rule establishes national standards to protect individuals' electronic protected health information (ePHI) created, received, used, or maintained by a covered entity. Let’s review these safeguards and see what they say about HIPAA-compliant email communication.
Administrative safeguards for a HIPAA-compliant email
These HIPAA administrative safeguards include policies, procedures, and processes for selecting, developing, implementing, and maintaining security measures to protect ePHI. Here are key administrative safeguards to consider:
- granting appropriate email account access to workforce members (e.g., users, team leaders, admins, etc.);
- establishing procedures to revoke email account access for workforce members when they leave the organization;
- conducting security awareness training for all workforce members, especially addressing secure email use and recognition of phishing attacks;
- creating procedures for reporting phishing attacks, login credential disclosures, and other email security incidents;
- developing and testing procedures for email backup and retrieval, emergency mode operations, and disaster recovery plans;
- ensuring that Business Associate Agreements are in place with email service providers.
Read more about HIPAA administrative safeguards to protect ePHI.
Physical safeguards for HIPAA email compliance
The HIPAA Physical Safeguards are highly significant for covered entities and business associates who host their email servers on-premises. Those who subscribe to hosted email services such as Google Workspace or Microsoft 365 can relax. Under a shared responsibility model, service providers are responsible for complying with the physical HIPAA email security requirements, such as controlling access to where the mail server is stored, managing maintenance records for mail servers, and ensuring continuity of service during a disaster or emergency. HIPAA-compliant hosted email service providers may also be responsible for the physical security of email backups and archives.
Whether an email service is hosted internally or outsourced to a service provider, covered entities and business associates must:
- create and maintain an inventory of devices that can access emails containing PHI;
- restrict physical access to devices that can access emails with PHI whenever practical;
- ensure devices used in public areas are positioned to prevent unauthorized users from viewing emails containing PHI;
- monitor the receipt, removal, and movement of devices with access to emails.
Read more about HIPAA physical safeguards to protect PHI.
Technical safeguards for HIPAA email compliance
Compliance with technical safeguards depends on the results of a HIPAA risk assessment. Risk assessments identify areas of vulnerability that vary from one organization to another, which makes it possible to implement the technical safeguards most appropriate for protecting PHI. Common technical safeguards that support HIPAA-compliant email communication include:
- proper user authentication, including strong passwords and multi-factor authentication;
- access authorization, ensuring that individuals can only access PHI necessary for their job roles;
- audit controls to monitor who accesses email accounts;
- integrity controls that ensure PHI in emails is not altered without authorization, for example by using version control software;
- automatic logoff preventing unauthorized access to email accounts when devices are left unattended;
- encryption and transmission measures to protect the confidentiality and security of emails.
The HIPAA technical safeguards for email security are better explained below.
Read more about HIPAA technical safeguards to protect PHI.
Best practices to ensure HIPAA compliance in email communication
Encrypt emails and attachments properly
The HIPAA encryption requirements are only briefly mentioned within the technical safeguards, yet they are among the most critical for preserving the confidentiality of ePHI. Covered entities must ensure that all emails containing PHI are encrypted in transit so that only the intended recipient and authorized personnel can access the messages. When emails are sent between different domains and service providers, end-to-end encryption cannot be guaranteed. Using a secure email option is the only way to ensure that the message is transmitted over encrypted channels.
Not all service providers offer encryption, so using third-party encryption services is common practice. They offer advanced encryption capabilities and generally use the highest encryption standards.
Note that even when using encryption, ePHI should never be included in the subject line of an email. Subject lines cannot be encrypted, so when providers put PHI in a subject line, they risk the PHI being viewed by an unauthorized individual.
Implement strong authentication and authorization
To ensure HIPAA compliance for email services, implement strong two- or multi-factor authentication and enforce complex password policies. Apply role-based access control (RBAC) to restrict access based on job responsibilities. Enable detailed activity logging and employ automated monitoring tools to detect anomalies and unauthorized access attempts. These measures, including regular log reviews and alerts, enhance email security and protect ePHI, ensuring that the email service meets HIPAA requirements and maintains the integrity of organizational communications.
Install anti-phishing software
Anti-phishing software is designed to detect and prevent phishing attacks. It employs a combination of techniques, including URL and content analysis, email filtering, behavioral monitoring, machine learning, and other tools.
For example, anti-phishing software integrates with email systems to filter out phishing emails, often using spam filters and machine learning algorithms. It analyzes email links for signs of phishing, such as redirects to suspicious websites or URLs that resemble legitimate sites but have slight misspellings (e.g., “paypa1.com” instead of “paypal.com”).
The software can check URLs against a database of known malicious (blacklist) and trusted (whitelist) websites and analyze them for suspicious domain names, IP addresses instead of domain names, unusual URL patterns, and other malicious indicators.
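The URL checks described in the two paragraphs above are easy to see in code. The following is an added example, not code from this article or from any anti-phishing product: a small heuristic analyzer that applies allow/deny lists, detects raw IP hosts, normalizes digit-for-letter look-alikes (“paypa1” to “paypal”), and flags a trusted brand name buried in someone else’s domain. The reputation lists, the homoglyph table, the sample message and all domain names are constructed for the demonstration.

```python
# Added example: heuristic phishing-URL analysis of the kind described above.
# Illustrative code, not the article's or any vendor's product; the allow/deny
# lists, the homoglyph table and the sample message are constructed.
import ipaddress
import re
from urllib.parse import urlparse

# Constructed reputation lists standing in for a vendor's whitelist/blacklist database.
TRUSTED_DOMAINS = {"paypal.com", "example-hospital.org"}
KNOWN_MALICIOUS = {"malicious.example"}

# Digits commonly substituted for look-alike letters in spoofed domains ("paypa1" -> "paypal").
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registered_domain(host: str) -> str:
    """Return the last two labels of a host (naive eTLD+1, enough for this demo)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze_url(url: str) -> dict:
    """Run the heuristics against one URL and return the reasons that fired."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reg = registered_domain(host)
    reasons = []

    # 1. Reputation lists: an allowlisted registered domain short-circuits the rest.
    if reg in TRUSTED_DOMAINS:
        return {"url": url, "suspicious": False, "reasons": ["allowlisted domain"]}
    if reg in KNOWN_MALICIOUS:
        reasons.append("denylisted domain")

    # 2. A raw IP address where a domain name is expected.
    try:
        ipaddress.ip_address(host)
        reasons.append("IP address used as host")
    except ValueError:
        pass

    # 3. Look-alike of a trusted domain after homoglyph normalisation.
    normalised = reg.translate(HOMOGLYPHS)
    if normalised != reg and normalised in TRUSTED_DOMAINS:
        reasons.append(f"look-alike of {normalised}")

    # 4. Trusted brand name buried in the host of some other registered domain.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in host and reg != trusted:
            reasons.append(f"brand '{brand}' used under {reg}")
            break

    # 5. Unusual URL structure: userinfo before '@', very long URLs, deep subdomain nesting.
    if parsed.username is not None:
        reasons.append("userinfo (@) in URL hides the real host")
    if len(url) > 120:
        reasons.append("unusually long URL")
    if host.count(".") >= 4:
        reasons.append("excessive subdomain depth")

    return {"url": url, "suspicious": bool(reasons), "reasons": reasons}


def scan_message(body: str) -> list:
    """Extract every URL from a message body and analyse each one."""
    return [analyze_url(u) for u in URL_RE.findall(body)]


# Constructed sample message with one legitimate and several suspicious links.
SAMPLE_BODY = """Your account needs attention. Sign in at https://www.paypal.com/signin
or use our mirror http://paypa1.com/login . Alternatively open
http://192.168.0.10/login or https://paypal.com.secure-login.update.example.net/verify
For support: http://paypal.com@malicious.example/help"""

if __name__ == "__main__":
    for verdict in scan_message(SAMPLE_BODY):
        flag = "SUSPICIOUS" if verdict["suspicious"] else "ok"
        print(f"{flag:10} {verdict['url']}  {'; '.join(verdict['reasons'])}")
```

Running the block prints one line per link in the constructed message; only the real paypal.com link comes back clean, while the look-alike domain, the bare IP, the brand-in-subdomain host and the `user@host` trick each get their own reason. A production filter would replace the two small sets with a reputation feed and a proper public-suffix list, but the decision logic is the same.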
Anti-phishing software also performs behavioral analysis and detects unusual activity patterns, such as logging into a website from a new location or device.
All these functions, combined with AI and machine learning, immediate alerts, and user blocking and reporting, make anti-phishing software a powerful tool for securing sensitive emails.
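The activity logging and automated anomaly monitoring called for in the authentication section, and the behavioral analysis described just above (a login from a new location or device), come down to running rules over an authentication audit log. The following added example, which is not code from this article or from any monitoring product, does that for two rules: a burst of failed logins followed by a success, and a successful login from a device or location the user has never used before. The log lines, the field names, the IP-to-location table and the thresholds are all constructed for the demonstration.

```python
# Added example: rule-based anomaly detection over an authentication audit log.
# Illustrative code only, not the article's or any product's; the log lines,
# the field layout and the IP-to-location table are constructed.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit log: one event per line, ISO timestamps in UTC.
SAMPLE_LOG = """\
2024-05-02T08:15:03Z user=jdoe result=success ip=203.0.113.10 device=Chrome/Windows
2024-05-02T12:40:11Z user=jdoe result=success ip=203.0.113.10 device=Chrome/Windows
2024-05-02T13:02:00Z user=mwilson result=failure ip=192.0.2.55 device=python-requests
2024-05-02T13:02:04Z user=mwilson result=failure ip=192.0.2.55 device=python-requests
2024-05-02T13:02:09Z user=mwilson result=failure ip=192.0.2.55 device=python-requests
2024-05-02T13:02:13Z user=mwilson result=failure ip=192.0.2.55 device=python-requests
2024-05-02T13:02:18Z user=mwilson result=failure ip=192.0.2.55 device=python-requests
2024-05-02T13:02:25Z user=mwilson result=success ip=192.0.2.55 device=python-requests
2024-05-03T03:12:47Z user=jdoe result=success ip=198.51.100.7 device=Firefox/Linux
"""

# Constructed IP-to-location table standing in for a GeoIP lookup.
GEO = {"203.0.113.10": "US-LA", "192.0.2.55": "ZZ-unknown", "198.51.100.7": "ZZ-unknown"}

LINE_RE = re.compile(r"^(\S+) user=(\S+) result=(success|failure) ip=(\S+) device=(\S+)$")
FAIL_THRESHOLD = 5                  # failures in the window that make a later success suspicious
FAIL_WINDOW = timedelta(minutes=5)  # how long a failure counts toward the threshold


def parse_line(line: str):
    """Parse one audit line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, result, ip, device = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "result": result, "ip": ip, "device": device}


def detect_anomalies(log_text: str) -> list:
    """Return alerts for failure bursts followed by success and for new devices/locations."""
    alerts = []
    known_devices = defaultdict(set)      # user -> devices seen on successful logins
    known_locations = defaultdict(set)    # user -> locations seen on successful logins
    recent_failures = defaultdict(deque)  # user -> timestamps of failures inside the window

    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        user, ts = ev["user"], ev["ts"]
        failures = recent_failures[user]
        while failures and ts - failures[0] > FAIL_WINDOW:   # expire failures outside the window
            failures.popleft()

        if ev["result"] == "failure":
            failures.append(ts)
            continue

        # Rule 1: a success right after a burst of failures looks like guessing or stuffing.
        if len(failures) >= FAIL_THRESHOLD:
            alerts.append({"ts": ts, "user": user, "rule": "failure_burst",
                           "detail": f"{len(failures)} failures before success from {ev['ip']}"})
        failures.clear()

        # Rules 2 and 3: deviation from the user's own history. The first success seeds the
        # baseline silently; in production the baseline would come from a learning period.
        location = GEO.get(ev["ip"], "unknown")
        if known_devices[user]:
            if ev["device"] not in known_devices[user]:
                alerts.append({"ts": ts, "user": user, "rule": "new_device", "detail": ev["device"]})
            if location not in known_locations[user]:
                alerts.append({"ts": ts, "user": user, "rule": "new_location",
                               "detail": f"{location} ({ev['ip']})"})
        known_devices[user].add(ev["device"])
        known_locations[user].add(location)
    return alerts


if __name__ == "__main__":
    for a in detect_anomalies(SAMPLE_LOG):
        print(f"{a['ts']:%Y-%m-%dT%H:%M:%SZ} {a['user']:8} {a['rule']:14} {a['detail']}")
```

On the constructed log this yields three alerts: mwilson's success after five failures in 25 seconds, and jdoe's night-time login from both a new device and a new location. Each alert carries the user, timestamp and rule name, which is the shape a SIEM or ticketing integration would consume; the regular log review the section calls for is then a review of these alerts rather than of raw events.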
Learn more tips to fight against phishing.
Implement SPF, DKIM, and DMARC policies
SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) are three key policies used to improve email security and protect against phishing and spoofing attacks. They authenticate email senders by verifying that a message really comes from the domain it claims to come from, which makes them important for preventing spam, phishing attacks, and other email security risks.
- SPF helps prevent email spoofing by allowing domain owners to specify which mail servers are authorized to send emails on behalf of their domain.
- DKIM provides a way to verify that an email message was sent from an authorized mail server and that the message content was not altered in transit.
- DMARC builds on SPF and DKIM by providing a mechanism for domain owners to publish policies for handling emails that fail SPF and/or DKIM checks. It also enables reporting on email authentication results.
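What these three records look like, and what separates a weak configuration from a hardened one, is easier to see with a small checker. The following is an added example, not code from this article or from any vendor: it takes the SPF, DKIM and DMARC TXT records of a domain as strings and reports the settings that leave spoofed mail unrejected (a permissive `+all`, a `p=none` policy, a partial `pct`, a missing reporting address, a DKIM key still in testing mode). The sample records, domain names and the placeholder DKIM public key are constructed; in real use the strings would be fetched from DNS with a resolver library.

```python
# Added example: evaluate SPF, DKIM and DMARC TXT records for weak settings.
# Illustrative code, not the article's or any vendor's; the sample records,
# domain names and the placeholder public key are constructed.
import re

# SPF mechanisms that each cost one DNS lookup (RFC 7208 limits a policy to 10).
SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tag_value(record: str) -> dict:
    """Parse 'tag=value; tag=value' syntax, which both DKIM and DMARC records use."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_spf(record: str) -> list:
    """Return findings for an SPF record; an empty list means nothing weak was found."""
    if not record or not record.lower().startswith("v=spf1"):
        return ["no SPF record (v=spf1) published"]
    findings = []
    terms = record.split()[1:]
    names = [re.split(r"[:=/]", t.lstrip("+-~?"))[0].lower() for t in terms]
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("SPF lacks an 'all' mechanism, so unlisted senders get no verdict")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"  # default is '+'
        if qualifier == "+":
            findings.append("SPF ends in '+all': any host on the Internet may send as this domain")
        elif qualifier == "?":
            findings.append("SPF ends in '?all' (neutral): spoofed mail receives no SPF failure")
        elif qualifier == "~":
            findings.append("SPF ends in '~all' (softfail): enforcement depends on the DMARC policy")
    if "ptr" in names:
        findings.append("SPF uses the deprecated 'ptr' mechanism")
    lookups = sum(1 for n in names if n in SPF_LOOKUP_MECHANISMS)  # top-level terms only
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups at the top level; the limit is 10 (permerror)")
    return findings


def evaluate_dkim(record: str) -> list:
    """Return findings for the DKIM key record published at <selector>._domainkey.<domain>."""
    if not record:
        return ["no DKIM public key published at <selector>._domainkey.<domain>"]
    tags = parse_tag_value(record)
    if tags.get("v", "DKIM1").upper() != "DKIM1":
        return ["DKIM record has an unrecognised version tag"]
    findings = []
    if not tags.get("p"):
        findings.append("DKIM 'p' tag is empty: the key is revoked and signatures will not verify")
    if "y" in tags.get("t", "").lower().split(":"):
        findings.append("DKIM t=y testing flag is set; verifiers treat failures like unsigned mail")
    return findings


def evaluate_dmarc(record: str) -> list:
    """Return findings for the DMARC record published at _dmarc.<domain>."""
    if not record:
        return ["no DMARC record published at _dmarc.<domain>"]
    tags = parse_tag_value(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC record does not start with v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in {"none", "quarantine", "reject"}:
        findings.append("DMARC record has no valid 'p' policy tag")
    elif policy == "none":
        findings.append("DMARC p=none only monitors; mail failing SPF/DKIM alignment is still delivered")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"DMARC pct={pct}: the policy is applied to only part of the failing mail")
    if "rua" not in tags:
        findings.append("DMARC has no 'rua' address, so aggregate reports are not collected")
    return findings


def audit_domain(records: dict) -> dict:
    """Evaluate the three records of one domain; keys are 'spf', 'dkim' and 'dmarc'."""
    return {"spf": evaluate_spf(records.get("spf", "")),
            "dkim": evaluate_dkim(records.get("dkim", "")),
            "dmarc": evaluate_dmarc(records.get("dmarc", ""))}


# Constructed records for a weak and a hardened configuration of the same domain.
WEAK_RECORDS = {
    "spf": "v=spf1 include:_spf.example-mail.net a mx ptr +all",
    "dkim": "v=DKIM1; k=rsa; t=y; p=PLACEHOLDER_BASE64_PUBLIC_KEY",
    "dmarc": "v=DMARC1; p=none; pct=50",
}
HARDENED_RECORDS = {
    "spf": "v=spf1 include:_spf.example-mail.net -all",
    "dkim": "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY",
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example-hospital.org; pct=100",
}

if __name__ == "__main__":
    for label, recs in (("weak", WEAK_RECORDS), ("hardened", HARDENED_RECORDS)):
        print(f"== {label} ==")
        for kind, findings in audit_domain(recs).items():
            print(f"  {kind}: {findings or 'ok'}")
```

The weak set reproduces the most common real-world mistakes: `+all` makes SPF meaningless, `p=none` with `pct=50` means DMARC never rejects anything, and no `rua` address means nobody sees the authentication reports DMARC was published to collect. The hardened set comes back clean. A production checker would add the nested-include lookup count and alignment checks against the actual From: domain, but the record syntax handled here is exactly what an administrator publishes.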
Ensure your email service is configured correctly
Even with the most reliable email service providers, there is always a risk of misconfigurations that lead to non-compliance and inadvertent violations of the HIPAA Rules. Proper configuration is always the customer’s responsibility. Verify that the email service offers features like encryption, access controls, audit logs, and data backups.
HIPAA-compliant email providers like Google and Microsoft assist covered entities by offering implementation guides to ensure their services support HIPAA compliance. Read these guidelines carefully to configure your email services properly.
Ensuring HIPAA-compliant email communication with Planet 9 HIPAA compliance services
HIPAA-compliant email communication is only a part of an organization’s overall HIPAA compliance. Planet 9 services can help address overall HIPAA compliance, including your email communication. Our experts can:
- Evaluate HIPAA compliance to identify administrative, physical, and technical safeguards in place.
- Identify compliance gaps that may lead to HIPAA violations.
- Perform a risk analysis to identify specific risks to PHI.
- Develop a roadmap for addressing the identified compliance gaps and risks.
- Assist the client in executing the roadmap.
Depending on the client’s internal resources, expertise, and availability, Planet 9 can implement the entire roadmap, position the client to execute it independently, or supplement the client’s team.