420 Bannister Rd Ste 400 Kansas City, MO 64131
(816) 381-9969

Keeping Your Email HIPAA Compliant

If you are in the medical field, you have most likely heard the term “HIPAA compliance”. Most associate it with the protection of protected health information (PHI) within the office, but HIPAA compliance extends much further than internal dealings. Keeping email HIPAA compliant is one of the most overlooked components of HIPAA compliance. A common misconception is that an email is secure by default when you send it. Unless the right protective layers are configured, it is not. HIPAA compliant email communication is a necessity in today’s technical landscape.


Encryption is almost always required to be HIPAA compliant. The Security Rule lists encryption of transmitted ePHI as an “addressable” safeguard, which means you must either implement it or document why an equivalent alternative is reasonable, and for email that leaves your network there rarely is one. Simply put, when an email is encrypted, the contents are unreadable to everyone but the intended recipient. There are two different types of encryption:

Transport level encryption: This level of encryption (TLS, usually negotiated with STARTTLS) protects the email contents only while they travel between mail servers, one hop at a time. Every server that handles the message, and anyone with access to the mailbox once it arrives, can read it in the clear. Most mail servers also use TLS opportunistically, so if the next server in the path does not support it, the message is simply sent in plaintext.

End-to-end encryption: The message is encrypted before it leaves the sender and is decrypted only by the intended recipient, so the mail servers in between never see the contents. In order to access the email contents, a user needs the recipient’s key or, with portal-based services, the recipient’s login credentials.

Most mainstream email, including Gmail and Outlook, includes transport level encryption. For HIPAA compliance and other industry regulations, transport level encryption alone does not offer enough protection. Truly protecting PHI and other sensitive information requires end-to-end encryption.
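One practical way to see the limits of transport level encryption is to look at the Received: headers that every mail server prepends to a message as it passes through. The example below is added here and is not code from the original page or any vendor; it parses a constructed sample message and flags the hops that were delivered without TLS. It relies on two real conventions: RFC 3848 registers the protocol keywords ESMTPS and ESMTPSA for SMTP sessions that used STARTTLS (plain ESMTP means no TLS), and many servers such as Gmail and Postfix also record the TLS version in parentheses. The host names and message content are made up for the example.

```python
"""Audit the transport encryption of each hop a received email took.

Added example, not code from the original page. It reads the Received:
headers (newest first, so they are reversed into delivery order) and marks
a hop as TLS-protected when the "with" keyword is one of the RFC 3848
STARTTLS variants or when a "version=TLS..." note is present.
"""
import email
import re
from typing import Dict, List

# Constructed sample message: three hops, the middle one sent in plaintext.
SAMPLE_RAW = b"""Received: from mx2.example-clinic.test (mx2.example-clinic.test [198.51.100.20])
 by mail.example-clinic.test with ESMTPS id abc123
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256);
 Tue, 21 Jul 2020 10:15:02 -0500
Received: from relay.oldhost.test (relay.oldhost.test [203.0.113.7])
 by mx2.example-clinic.test with ESMTP id def456;
 Tue, 21 Jul 2020 10:15:01 -0500
Received: from [192.0.2.5] (client.oldhost.test [192.0.2.5])
 by relay.oldhost.test with ESMTPSA id ghi789;
 Tue, 21 Jul 2020 10:15:00 -0500
From: frontdesk@oldhost.test
To: records@example-clinic.test
Subject: Lab results for patient
Content-Type: text/plain

Attached are the results discussed on the phone.
"""

# RFC 3848: ESMTPS = STARTTLS used; ESMTPSA = STARTTLS plus SMTP AUTH.
TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}
WITH_RE = re.compile(r"\bwith\s+([A-Z0-9]+)", re.IGNORECASE)
FROM_RE = re.compile(r"^\s*from\s+(\S+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)
TLS_VERSION_RE = re.compile(r"version=(TLS[\w.]+)", re.IGNORECASE)


def _first(regex: "re.Pattern", text: str, default: str = "?") -> str:
    """Return the first capture group of regex in text, or default."""
    match = regex.search(text)
    return match.group(1) if match else default


def parse_hop(received: str) -> Dict[str, object]:
    """Extract sending host, receiving host and TLS status from one Received: header."""
    flat = " ".join(received.split())  # unfold continuation lines
    protocol = _first(WITH_RE, flat, "").upper()
    tls_version = _first(TLS_VERSION_RE, flat, "")
    return {
        "from": _first(FROM_RE, flat),
        "by": _first(BY_RE, flat),
        "protocol": protocol,
        "tls_version": tls_version,
        "tls": protocol in TLS_KEYWORDS or bool(tls_version),
    }


def audit_transport(raw: bytes) -> List[Dict[str, object]]:
    """Return one record per hop in delivery order (original sender first)."""
    msg = email.message_from_bytes(raw)
    received = msg.get_all("Received", [])
    # Each server prepends its header, so the top one is the last hop.
    return [parse_hop(str(header)) for header in reversed(received)]


def plaintext_hops(raw: bytes) -> List[str]:
    """List the hops that carried the message without transport encryption."""
    return [f"{hop['from']} -> {hop['by']}" for hop in audit_transport(raw) if not hop["tls"]]


if __name__ == "__main__":
    for hop in audit_transport(SAMPLE_RAW):
        status = f"TLS ({hop['tls_version'] or hop['protocol']})" if hop["tls"] else "PLAINTEXT"
        print(f"{hop['from']:>28} -> {hop['by']:<28} {status}")
    # The middle hop, relay.oldhost.test -> mx2.example-clinic.test, is reported as PLAINTEXT.
```

Two caveats apply when using this on real mail. Received: headers are written by the receiving server, so only the hops recorded by servers you control are trustworthy; anything upstream can be forged by the sender. And even a message whose every hop used TLS still sits unencrypted in the sending and receiving mailboxes, which is exactly the gap that end-to-end encryption closes.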

Many third-party email hosts, such as GoDaddy, BlueHost or IONOS, do not necessarily encrypt the connection between your mail client and their servers, even after you have linked the account to Outlook or Gmail. To enable it, the correct server settings (host names, SSL/TLS ports and authentication method) usually have to be entered manually, which is best done by an experienced IT professional.

Often, an additional service is required in order to enable end-to-end encryption. There are a number of good encryption services that can be put in place, but there are a few things to verify when determining which one will best fit your needs.

  1. Is the encryption easy to enable, or does it encrypt every email automatically?

Some encryption providers simply supply an add-in for Outlook so you can click a button to encrypt a message, while others watch for a keyword in the subject line or a bracketed tag at the start of it.

Whatever service is chosen, employees must understand how to encrypt an email and why it must always be used when sending ePHI, so that every email containing ePHI goes out HIPAA compliant.

  2. Does the service also encrypt the recipient’s response to the email?

Many patients do not realize that replying to an email with PHI could leave that reply visible to others. If the service does not also encrypt the recipient’s response, it is likely not the best option.

  3. Does the service require the recipient to log in to a portal to retrieve the message? If so, can the portal be personalized?

Logging in to a portal can be confusing for users, but many medical offices use them. If you do decide to use a portal, it is important that you can personalize the login page so the user feels comfortable entering their credentials. Many medical offices use patient portals that send a regular, unencrypted notification email saying only that a message is waiting in the portal; all correspondence containing PHI stays inside the secured portal, which is how they stay HIPAA compliant.

  4. Does the encryption service integrate with every email provider? Is it compatible with every device and browser?

Some encryption services only work with certain email providers, making them much less useful. In addition, many offices use a combination of devices and browsers, so making sure all of them are supported is necessary for keeping email HIPAA compliant.

  5. Does the message automatically expire after a period of time has passed?

Some encryption providers also offer a feature that makes the message available only for a set amount of time, after which the link to the encrypted message is no longer valid.

  6. Are they willing to sign a business associate agreement?

Any vendor your office uses that has potential access to PHI MUST sign a business associate agreement (BAA). HIPAA regulations require this, and not having one in place can result in a fine.

  7. Does your email use a custom domain, or are you using a gmail.com or outlook.com account?

Most encryption services require that you have your own email domain, and encrypting email properly in both directions generally depends on it. Most established businesses now operate using their own domain, and it adds to the legitimacy of the emails they send.



Below is a list of the types of email commonly sent and whether they need to be encrypted, or whether they should be sent at all. This should clear up any confusion and keep your email HIPAA compliant.

Internal emails: Email between users in the same office on the same secure email server does not need to be encrypted. It is important that these messages stay within the internal environment and are not forwarded to an outside recipient unless encryption is applied.

Emails to other doctors: If the doctors are outside your office, any email sent to them that includes PHI must be encrypted. You should also ensure that the service you use encrypts the recipient’s response.

Sending email from a personal email address: NEVER send PHI from a personal email address, even if it is the doctor sending an email from their personal address to their work one. The personal address likely does not have encryption enabled and would leave the PHI exposed.

Mass emails: When sending mass emails, use a mail merge feature or a HIPAA compliant program so that recipients cannot see who else the email was sent to (the fact that someone is a patient of your practice is itself PHI). In addition, recipients should not be able to “Reply All” in case they respond with a question that includes PHI.

Replying to emails: When replying to an email containing PHI, always ensure encryption is enabled. Even if the original sender did not encrypt their email, encrypting the response limits further exposure of the PHI.

Emails directly to patients: Emails sent directly to patients should always be encrypted, as should their responses. Any communication with a patient, even one that initially includes no PHI, can lead to questions about their health and therefore PHI, so those emails need to be encrypted to prevent exposure.

The practices supporting HIPAA compliant email in your office should be revisited often. Technology is constantly changing, and HIPAA compliance expectations change with it: what was considered compliant last year may not be considered compliant this year. Being in the health industry carries a level of responsibility to ensure PHI is kept protected. Entering into partnerships with auditing companies and HIPAA compliance coaches is becoming a necessity, and if you have not done so, it is time. As a medical professional, your main focus should be taking care of your patients, and while it is your responsibility to protect their PHI, technology likely is not your area of expertise. By leveraging auditing companies and HIPAA coaches, you have experts provide the processes, procedures and recommendations to tighten cyber security; all you need to do is implement them or approve their implementation.

If you are looking for in-depth information related to HIPAA compliance or specific recommendations on HIPAA compliant email, please reach out to our managed services team and we would be happy to talk with you further.

July 21, 2020