HIPAA Compliant Email: some proactive strategies


Part two of a two-part series on HIPAA Compliant Email

In Part I of this post, we reviewed some of the statements that the Office of Civil Rights (OCR), the Privacy Rule enforcers, include in their online FAQs relevant to HIPAA and email rules for covered entities.  And now that we’ve got a better understanding of those rules,  let’s explore how hospitals, medical practices, and other healthcare organizations can ensure they’re using HIPAA compliant email.  After all, knowing the rules is one thing … but putting them into practice is what’s going to keep you and your healthcare organization out of trouble. So let’s explore some HIPAA compliant solutions for your email services.

5 strategies for achieving HIPAA compliant email

Like so many other things with HIPAA compliance, there’s not one, singular answer that addresses the question of what constitutes HIPAA compliant email.  However, the options addressed below represent a collection of first-line strategies that go a long way toward addressing the implementation of HIPAA email rules. And I’ll discuss some related non-email alternatives as well.

  1. Be the expert on the topic of HIPAA compliant email on behalf of your patients.

    This means making sure you have appropriate notices visible, both online and in the real world, warning patients about the potential security risks of transmitting protected health information (PHI) using email over the non-secure portion of the Internet.  For instance, many practices include a page for submitting questions to the office via email.  Consider posting a statement that warns about security prominently on that page, such as:

  • “Please keep in mind that communications via email over the internet are not secure.  Although it is unlikely, there is a possibility that information you include in an email can be intercepted and read by other parties besides the person to whom it is addressed.
  • Please do not include personal identifying information such as your birth date, or personal health information in any emails you send to us.  No one can diagnose your condition from email or other written communications, and communication via our website cannot replace the relationship you have with a physician or another healthcare practitioner.”

  2. Don’t assume that because your patient sent an email requesting PHI or sharing PHI, he or she understands the risks of sending or receiving such emails.

    Consider using a form like this “Emergency Contact Sheet” to document the patient’s preferences in many areas.  If you’re using an EHR system, do not enter a patient’s email address without making sure the patient knows they may get appointment reminders and other email notices that do not contain sensitive information.

  3. Use an EHR system with a web portal function for patient access and communication.

    If you’re using an EHR system with a web portal function, encourage patients to use the portal’s capabilities for secure messages.  Most portals use secure channels for the information available via the portal, but make sure the vendor certifies that to you – and then test it yourself prior to encouraging patients to use it.

    An EHR system with this type of function encrypts patient information so that it can only be accessed by authorized users. This connection is HIPAA compliant and allows the patient to access their medical records, schedule appointments, and communicate with their care team. It also allows the healthcare provider to encrypt and send messages to the patient.

  4. Consider exploring options with HIPAA compliant email services.

    If you must use email to communicate with patients, a secure email service will protect your communications by using secure channels to send them. These email providers have to meet certain requirements in order to be HIPAA compliant. For example, they must have a way to encrypt emails so that only the intended recipient can read them. They must also have a way to verify that the email was not altered in transit, and they must provide a way for the sender to recall an email if it was sent to the wrong person. There are many HIPAA compliant email providers out there, so you should choose one that meets your needs. If you do go this route, be sure to sign a business associate agreement (BAA) with the selected email provider.

  5. Manually encrypt transmitted files to maintain HIPAA compliance.

    If you don’t have a patient portal and don’t want to use a secure, HIPAA compliant email provider, avoid including PHI in the text of the email, and use end-to-end encryption for any messages or files containing PHI that you are sending to patients.

    An end-to-end encryption system ensures that only the intended email recipients can read your emails and their attachments. This prevents unauthorized access to sensitive patient information, and helps ensure communications between healthcare providers remain private as well. In addition, end-to-end encryption can help to prevent email spoofing, phishing attacks, and other online threats. So the usefulness of email encryption extends beyond HIPAA compliance.


SMS text messaging (regular texting) is not “secure messaging”.

While not technically “email” security, the context is the same when it comes to text messaging. Specifically, covered entities sending PHI via texting when using an unsecured electronic format was deemed unlawful in 2013 when the U.S. government updated HIPAA laws and enacted specific safeguards into the Security Rule. Those safeguards include …

  • Controlling how people access PHI.
  • Managing how people utilize PHI.
  • Ensuring that people sending and receiving the text messages are who they say they are.
  • For PHI being transmitted outside of the organization via text messaging, or any other form of transmission, the data must be encrypted.


A HIPAA violation for email mishandling can be costly.

It is not far-fetched to think that one of these days the OCR, while investigating a complaint from a patient about a privacy violation, determines that a provider was disclosing PHI when communicating via email with a patient, that every such email constituted an unauthorized disclosure – a HIPAA breach – and that every such email to any patient was likewise a breach.  It might not take long to get to a breach involving more than 500 patients, with all the attendant notices to the media and reports to the Secretary of HHS that would entail. Not to mention financial penalties ranging from $127 to $1,919,173 in today’s dollars depending on the specific circumstances. These figures are adjusted annually to take inflation into account.


Send HIPAA compliant email … sleep well at night

Don’t be the practice or other healthcare provider that finds itself in the unenviable position described above, simply because you didn’t pay enough attention to establishing a HIPAA compliant email strategy with your patients!

Email will be around for a while, in the healthcare industry and so many other areas of our lives.  It’s a great tool, but like any tool, it must be respected for its power – both for communications we want and for the potential to disclose sensitive information we want to be kept private.

Using email in healthcare requires more effort and safeguards than in other areas, but it certainly is possible to mix the two. By following the HIPAA email rules we’ve outlined in this post, you can minimize your risk of violating HIPAA law and protect the privacy and security of your patients’ protected health information. Remember, these are just guidelines – if you have any questions or need help implementing them to ensure your practices are HIPAA compliant, please reach out to The Fox Group for assistance.

Jim Hook, MPH

Mr. James D. Hook has over 30 years of healthcare executive management and consulting experience in medical groups, hospitals, IPAs, MSOs, and other healthcare organizations.
