View blogs | Login

How to be HIPAA Compliant with Emails

HIPAA and Emails

Working in the medical field requires you to be in constant, quick contact with not you’re your colleagues but patients as well. Emails are quick, efficient, and accessible to everyone. However, while sending both personal and private records through the web medical departments must make sure the sensitive information follows the HIPAA compliance. HIPAA is a legislation to protect patient's medical information. It has 2 main rules; the security rule and the privacy rule:

  1. The privacy rule secures the patients' right to keep their health information private. Additionally, it provides rules on what must be done to protect them.

  2. The security rule gives organizations rules to follow for keeping health information safe and secure.
In terms of emails, does the HIPAA rules permit PHI to be sent via email? The answer is yes. According to, the privacy rule for HIPAA "allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so."

Monitoring Secure Logins

Guidelines to be HIPAA Complaint with Emails

There should be certain guidelines you need to follow in order to be compliant with HIPAA when sending emails. The list below helps to make sure the Protect Health Information (PHI) is secure:

1. Obtain a BAA ( Business Associate Agreement ) - If you are using a third party email server, consider getting a BAA prior to using the server to send messages that contain PHI. The Business Associate Agreement lays out the responsibilities of the third party server along with the necessary requirements to make sure their server is capable of sending ePHI (electronic PHI) with HIPAA compliance.

2. Train your staff - If you are using an in-house email server it's imperative to teach your employees about the importance of sending a secure email. The best way to do so is to create a policy that fulfills the requirements of sending a secure email and ensure that employees follow it.

Additionally, let your users know the dangers of vulnerabilities in an email- such as phishing attacks. Some examples to note are to avoid opening external links, double-check the sender's email address, and keep an eye out on any social engineering attacks. There's no point in having your email server fully secure if a poorly trained user leaks secure data.

3. Use encryption for sending and receiving emails - It's important to make sure when an email goes to a recipient, no one else is looking at the message. TLS/SSL protocol is a standard that encrypts email communication between two email servers. This encryption makes sure no one else in the middle is able to look at the message. Consider obtaining a valid SSL certificate so that TLS can be implemented in your server.

Besides SSL/TLS, there are other standards that help ensure emails are valid and not forged. These protocols are SPF, DKIM and DMARC. These protocols use different methods to detect if an email came from their respective legitimate source. With these secure protocols, it will help against many email vulnerabilities.

4. Obtain patient's consent - Before you can send ePHI to the patient, you must obtain a written permission where they consent to use email as a method of communication. The patients must be warned that there are risks to sending PHI through an email. If they accept the risks, the emails containing their information can be sent without the violating HIPAA compliance.

Another important factor to keep in mind is that you can ONLY send an email to the patient themselves, not to another individual. Doing this will violate the HIPAA compliance. According to, there was an incident where an individual, who was a patient and an employee at a hospital, who's PHI was disclosed to their supervisor. In their case, the supervisor was "not part of the employee's treatment team, and did not need the information for payment, health care operations, or other permissible purposes."

5. Use end to end encryption email - Although SSL/TLS encrypts emails so that no one else can look at the message, it only encrypts emails during the transit phase of the message. Once the message is delivered to the destination server, the emails are in plain view and can be viewed by anyone who has access to the server. If end-to-end encryption is added, ONLY the sender and the recipient can see the original email. This works by encrypting the message and only allowing the recipient to unlock the email using a password. Take a look at this page on an example of end to end encryption.


Email is used very frequently in today's medical world. Making sure emails are secure and encrypted is a key to having your messages be HIPAA compliant. Besides adding software security, employee training is essential to prevent data breaches through social engineering attacks. To make sure emails are secure in transit and in destination, use a secure email server that helps you benefit in reaching the goal of being HIPAA compliant.

Created on: Oct 8, 2020
Last updated on: Jul 19, 2024


Your email address will not be published.