HIPAA Compliant Email – What Makes Email HIPAA Compliant?

HIPAA Compliant Email is at the heart of modern medical practices. It makes administrative processes more efficient. It also saves time by automating communication (like reminding patients about appointments).

Emails also help both the provider and the patient stay connected. A staggering 93% of adult patients prefer to communicate with physicians through email!

HIPAA regulations will kick in if you send Protected Health Information (PHI) via email. You have to be very careful because HIPAA violations equal a lot of trouble.

So this begs the question, is email HIPAA compliant?

Email can be made HIPAA compliant, but you need to be careful and do it the right way.

The big mistake we see a lot of practices make is that they sign up for a “HIPAA compliant email service“ and think that their problem is solved. But it’s not that easy, as we’ll cover in this article.

Is secure email HIPAA compliant?

Here’s another big mistake we see all the time. Practices buy “secure email” and assume that they’re HIPAA compliant.

Some "secure email" services are HIPAA compliant, but not all.

"Secure" usually means that the service uses encryption (covered below). But HIPAA compliance demands much more than encryption.

Most email providers these days offer some level of encryption as part of their standard package. But there’s a big difference between the kind of encryption that’s available for free and the kind you need in a HIPAA compliant email service.

What’s email encryption?

Encryption is a data protection tool used to shield sensitive data from prying eyes. It uses cryptography to encode raw data. So even if your email is intercepted, hackers won't be able to read it as it'll look like gibberish. This article has an excellent example of HIPAA email encryption.

What makes email HIPAA compliant?

Ultimately, your annual HIPAA risk analysis will help you to decide what you need to do to make your email HIPAA compliant.

In our work with practices, we typically look for email systems that check all of these boxes. We think of these as the nine must-have HIPAA email rules:

1. HIPAA guidelines ask medical practices to go the extra mile to protect patient data. It starts with your provider signing a HIPAA business associate agreement (HIPAA BAA). Don’t go with a provider that refuses to sign one!
2. When your email is HIPAA compliant, it's configured so that it’s hard for hackers to access. That includes strong, unique passwords and multi-factor authentication
3. Emails stored on your computer are encrypted
4. The connection from your computer (e.g., Outlook, Apple Mail) or smartphone to your email server is encrypted.
5. Emails stored on your email server are encrypted.
6. Emails sent between people inside your company are encrypted.
7. Emails that contain PHI are encrypted when sent outside your company (or better yet, all emails are encrypted!).
8. They should also have a log management system in place to meet the logging requirements of HIPAA. This will help you create an audit trail and investigate a potential breach.
9. HIPAA email compliance also requires many layers of protection against phishing, as it is the biggest threat to companies today. The best companies have two layers of protection against phishing.

Other HIPAA compliant email best practices?

Also, it's a good idea (though not required) to get the patient to give you written consent to email them.

Lastly, add a message to each email's footer to remind them that email is inherently insecure.

The bottom line is this. More than half of the HIPAA email rules above involve encryption. If you want to make your email HIPAA compliant, encryption is critical.

What is email encryption?

Emails are encrypted in several ways, at various points in the communication process. For complete email encryption, messages have to be encrypted when they are moving from your inbox to the patient's inbox. Encryption is required when messages are stored on a desktop or on a private cloud. HIPAA also demands that emails downloaded onto computers and smartphones are encrypted.

To satisfy regulatory compliance you need to have end-to-end encryption. So practices must take reasonable steps to secure PHI on their computers. They also have to ensure protection when an email is sent all the way to the recipient’s inbox.

True end-to-end email encryption means if a hacker gets lucky and manages to intercept one of your emails, they won't be able to read it. The same applies to sensitive files saved on your computer or stored on a cloud.

Here are crucial tips to make sure that you’re using a HIPAA compliant email service.

What are the best HIPAA compliant email providers for small practices?

The services listed below CAN be made HIPAA compliant with the right setup:

• Google Workspace (the paid version of Gmail can be made HIPAA compliant)
• Microsoft365 (the paid version of Microsoft365 ’s email service can be made HIPAA compliant)
• Your own email server

Free Gmail (@gmail.com) accounts can never ever be made HIPAA compliant. But the Gmail encryption with the paid version of Google email, Google Workspace, registered under a custom domain can be set up to be HIPAA compliant.

But is outlook HIPAA compliant? Like Gmail, the free version of Outlook.com can never be made HIPAA compliant. But a paid version of Microsoft365 (registered under a domain) can be set up to send and receive encrypted emails.

You might also be wondering, ‘Is Yahoo Mail HIPAA compliant?’ Or maybe, ‘Is Zoho HIPAA compliant email?’

These email clients CAN’T be made HIPAA compliant:

• Yahoo! Mail
• Zoho Mail
• AOL Mail
• Free email accounts from your phone company or cable provider (e.g., comcast.net)

If you’re using any of the providers listed above, you should switch right away to avoid HIPAA violations. In the meantime, you shouldn’t use these email accounts to send, receive, or handle PHI.

Why aren’t there free HIPAA compliant email providers?

First and foremost, they’re not HIPAA compliant because they will not sign a HIPAA Business Associate Agreement (BAA).

If you look back to our nine rules above, you’ll also see that they only meet a few of them, at best. They might use something called “TLS encryption” for sending and receiving emails, but that’s not nearly enough. Transport Layer Security or TLS encryption doesn't guarantee secure delivery.

This is because the recipient’s email provider may not support TLS. So your HIPAA secure email will be downgraded and will appear as unencrypted plain text. You can learn more about TLS and encryption in this article.

These services usually don’t have the kind of logging you need to be compliant. Also, many of them haven’t invested in the kind of security necessary to make sure that their staff can’t get into the system and read your emails.

If you’re searching for a free HIPAA compliant email service, let me make it easy for you. There isn’t one!

When the stakes are high, don’t start with the cheapest HIPAA compliant email solution. Instead, approach it from the perspective of finding the best way to secure your PHI.

What about computer and smartphone email programs?

Lots of our clients ask if their favorite email program is HIPAA compliant.

On a computer, that could be the desktop version of Outlook, Apple Mail, Thunderbird, or any other email program.

On a smartphone, that could be Apple Mail, Outlook, Android Mail, etc.

Your favorite email program should be HIPAA compliant if it meets these criteria:

1. When you download the email, it’s encrypted.
2. When you connect to the email server, it’s encrypted.
3. Ideally, you’ll have some way to break the connection between your email and your device in case your computer/smartphone are ever lost or stolen.
4. Your email service logs which messages you downloaded.

Is encryption for HIPAA compliant email mandatory?

We get asked this question all the time. HIPAA compliant email providers usually encrypt all emails moving from one computer to another. But -- believe it or not -- this is not mandatory!

According to the HIPAA Security Rule, you only have to assess your need for encryption. HIPAA covered entities may not have to encrypt emails if they have an alternative (or equivalent) solution. In practice, this is hard to do and even harder to manage. And, it may not work for your practice in the long run as you continue to grow!

Here’s how we’ve seen clients avoid the use of encryption:

• Never send or store PHI in their email system
• Never send emails with PHI outside of their company. So no emailing patients, insurance companies, billing services, other providers, labs, etc.
• Get written consent from every patient before sending them email (though this doesn’t necessarily give you consent to email non-patient entities like other practices, insurance, labs, etc.)
• Use a technical utility like CheckTLS to verify that TLS encryption is working for every email they send (this can only work in very small practices)
• Only communicate outside of the company using a fax machine or HIPAA-compliant fax service

For most practices who want to use email, a HIPAA compliant system with a secure email add-on service is the easiest and safest way forward. 

Still feeling a bit overwhelmed?

Get some free help! Check out our free 42-Point Checklist for ways to make your practice HIPAA compliant.

Talk to us!

Have questions or feedback? Please share them in the comments below.

Like this article? Share it!