Use case · 11 min read

Healthcare email: HIPAA compliance guide

Tags: healthcare, hipaa, compliance

Summary

HIPAA requires protecting patient health information in email communications. This means encryption, access controls, audit trails, and business associate agreements with email vendors. Non-compliance can result in significant fines and reputational damage.

A medical practice sent appointment reminders via their regular email system—no encryption, no special protections. The emails included patient names, appointment types, and provider names. When a patient complained to the Office for Civil Rights, the investigation revealed years of non-compliant email practices. The resulting settlement cost hundreds of thousands of dollars, plus the expense of overhauling their entire communication system.

Healthcare email operates under HIPAA's strict requirements for protecting patient health information. These requirements affect what you can send, how you send it, and who you can send it through. Understanding HIPAA's email requirements is essential for any healthcare organization or health tech company.

What HIPAA requires

HIPAA's Privacy Rule and Security Rule together govern email containing protected health information (PHI).

The Privacy Rule limits how PHI can be used and disclosed. Email containing PHI can only be sent for permitted purposes—treatment, payment, healthcare operations, or with patient authorization.

The Security Rule requires administrative, physical, and technical safeguards for electronic PHI (ePHI). For email, this means encryption, access controls, audit trails, and integrity controls.

The Minimum Necessary standard requires limiting PHI in communications to what's needed for the purpose. Don't include more patient information than necessary in any email.

Business Associate Agreements (BAAs) are required with any vendor that handles PHI on your behalf, including email service providers. Without a BAA, you can't use that vendor for PHI-containing email.

What counts as PHI in email

Understanding what constitutes PHI helps you know when HIPAA requirements apply.

PHI includes any individually identifiable health information. This encompasses obvious items like diagnoses, medications, and test results, but also less obvious items like appointment information, provider names, and even the fact that someone is a patient.

The combination matters. A name with no link to health information isn't PHI, and a diagnosis with no identifier isn't individually identifiable. Put them together and you have PHI. The same applies to a name attached to the bare fact of being your patient: any email that connects an individual to health information, or to receiving care from you, triggers HIPAA requirements.

De-identified information isn't PHI. Under the Safe Harbor method, if you remove all 18 HIPAA identifiers (name, address, dates, etc.) and have no actual knowledge that the remainder could identify the person, the remaining information isn't subject to HIPAA. Proper de-identification is harder than it looks and usually needs expert guidance.

For practical purposes, assume any email about a specific patient's health matters is PHI and handle it accordingly.

Encryption requirements

HIPAA's Security Rule addresses encryption of ePHI both at rest and in transit, but the requirement is not absolute.

Encryption is an "addressable" implementation specification. That does not mean optional: you must implement it where reasonable and appropriate, and if you conclude it isn't, document why and implement an equivalent alternative safeguard. In practice, regulators expect encryption for email containing PHI, and encryption is also what takes lost or misdirected ePHI out of the Breach Notification Rule's definition of "unsecured" PHI.

TLS encryption for email in transit is the baseline, so make sure every connection your email system makes (mail clients to your server, your server or API client to the provider, provider to the recipient's server) uses TLS. Two caveats. First, server-to-server TLS is normally opportunistic: if the next hop doesn't offer STARTTLS, mail falls back to cleartext unless you enforce TLS, for example by publishing and honouring MTA-STS or by refusing to send when TLS isn't available. Second, TLS is hop-by-hop. It protects the wire, not the message sitting on an intermediate server or in the recipient's mailbox.
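What "TLS for all connections" means for an SMTP submission client, as an added example (not code from this page or from the emailr product): verify the server certificate against the system trust store, require TLS 1.2 or newer, and refuse to send if the server does not advertise STARTTLS instead of silently falling back to cleartext. The host, port and addresses are hypothetical, and the permissive context is included only to show the weak setting next to the corrected one.

```python
"""Enforced TLS for an SMTP submission client: verify the server certificate,
require TLS 1.2 or newer, and refuse to send when STARTTLS is not offered.
Hypothetical host, port and addresses; added example, not emailr code."""
import smtplib
import ssl


def hardened_tls_context() -> ssl.SSLContext:
    """Client context with certificate + hostname verification and TLS >= 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True, system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def opportunistic_context_antipattern() -> ssl.SSLContext:
    """The weak setting found in many copied snippets: no certificate check at all.
    Shown only for contrast; an on-path attacker can present any certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be disabled before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """Pre-flight check a deployment can run at startup."""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def starttls_offered(esmtp_features: dict) -> bool:
    """True if the server's EHLO response advertised STARTTLS.
    smtplib.SMTP.esmtp_features holds the advertised extensions (lower-cased keys) after ehlo()."""
    return "starttls" in {k.lower() for k in esmtp_features}


def send_or_refuse(host: str, port: int, sender: str, recipient: str, message: str) -> None:
    """Send only over a verified TLS session; never fall back to cleartext.
    Raises RuntimeError if STARTTLS is not offered, ssl.SSLError if verification fails."""
    ctx = hardened_tls_context()
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        if not starttls_offered(smtp.esmtp_features):
            raise RuntimeError(f"{host}:{port} did not offer STARTTLS; refusing to send PHI in cleartext")
        smtp.starttls(context=ctx)  # certificate and hostname are checked here
        smtp.ehlo()                 # RFC 3207: re-issue EHLO after the TLS handshake
        smtp.sendmail(sender, [recipient], message)


if __name__ == "__main__":
    # Hypothetical submission server. For implicit TLS on port 465 use
    # smtplib.SMTP_SSL(host, 465, context=hardened_tls_context()) instead of STARTTLS.
    send_or_refuse("smtp.example-clinic.test", 587, "noreply@example-clinic.test",
                   "patient@example.test",
                   "Subject: New secure message\r\n\r\nSign in to the portal to read it.\r\n")
```

The refusal in send_or_refuse is the point: an SMTP library that happily continues without STARTTLS is opportunistic TLS, and opportunistic TLS is what a downgrade attack or a misconfigured relay turns into cleartext PHI.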

End-to-end encryption (S/MIME or PGP) provides stronger protection: the message is encrypted on your system and only decrypted by the recipient, so intermediate servers and mailbox storage never see plaintext. The cost is key management. The recipient needs a certificate or key and a client that can use it, which is workable between organizations and rarely workable with patients.

Secure messaging portals are the common alternative. Instead of putting PHI in the email, send a notification that a secure message is waiting, with a link to a portal where the patient authenticates to read it. The notification itself must carry no PHI: no provider name, specialty, or message subject, and nothing in the link that identifies the patient or the message content.
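A portal notification done the way the paragraph above describes, as an added example that is not from this page or from any portal vendor: the body is generic, the link carries only an opaque HMAC-signed reference with an expiry, and a pre-send guard checks that none of the patient's identifying or clinical fields leaked into the email. The signing key, portal URL and patient record are hypothetical and constructed.

```python
"""Portal-notification email that carries no PHI: the body names nothing about the
patient or the message, and the link holds only an opaque, HMAC-signed, expiring
reference that the portal resolves after the patient logs in. Added example; key,
portal URL and sample record are hypothetical/constructed."""
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

NOTIFY_SIGNING_KEY = b"hypothetical-key-load-from-a-secret-store-in-production"
PORTAL_BASE = "https://portal.example-clinic.test"  # hypothetical portal
REFERENCE_TTL = 7 * 24 * 3600                        # 7 days

SAMPLE_RECORD = {  # constructed sample, not real patient data
    "patient_name": "Jane Doe",
    "email": "jane.doe@example.test",
    "provider": "Dr. Smith",
    "specialty": "Oncology",
    "diagnosis": "hypertension",
    "message_subject": "Your lab results",
}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_reference(message_id: str, now: Optional[int] = None) -> str:
    """Opaque reference: base64(payload).base64(HMAC-SHA256(payload)).
    The payload carries only a message id and an expiry, never patient data.
    message_id must itself be random (not sequential) so references can't be guessed."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"mid": message_id, "exp": now + REFERENCE_TTL}, separators=(",", ":")).encode()
    tag = hmac.new(NOTIFY_SIGNING_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def resolve_reference(token: str, now: Optional[int] = None) -> Optional[str]:
    """Return the message id if the token is authentic and unexpired, else None.
    The portal must still check that the message belongs to the authenticated patient."""
    now = int(time.time()) if now is None else now
    try:
        p_b64, t_b64 = token.split(".", 1)
        payload, tag = _unb64(p_b64), _unb64(t_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(NOTIFY_SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time, and checked before parsing
        return None
    data = json.loads(payload)
    return None if data["exp"] < now else data["mid"]


def build_notification(record: dict, message_id: str, now: Optional[int] = None) -> dict:
    """Generic body: no name, provider, specialty or subject of the waiting message."""
    ref = mint_reference(message_id, now=now)
    body = (
        "You have a new secure message from your care team.\n"
        f"Sign in to read it: {PORTAL_BASE}/messages?ref={ref}\n"
        "This link expires in 7 days. If you did not expect it, you can ignore it."
    )
    return {"to": record["email"], "subject": "New secure message", "body": body, "ref": ref}


def leaks_phi(email: dict, record: dict) -> bool:
    """Pre-send guard: none of the record's identifying or clinical values appear in the email."""
    text = (email["subject"] + "\n" + email["body"]).lower()
    keys = ("patient_name", "provider", "specialty", "diagnosis", "message_subject")
    return any(record[k].lower() in text for k in keys if record.get(k))
```

The reference is authorization for nothing on its own: it only tells the portal which message to show once the patient has logged in and the portal has confirmed the message belongs to that patient. Anyone who intercepts the notification learns that a message exists and nothing else, which is the whole point of the portal pattern.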

Patient consent for unencrypted email is possible. Patients can choose to receive unencrypted email after being told of the risks. Document that informed consent, keep it current, and still apply the minimum necessary standard to what you send that way.

Email service provider requirements

Your email provider must be willing to sign a BAA, and your account must be on a plan and configuration the BAA covers, if you're sending PHI through them. "HIPAA-compliant" is a property of your whole setup, not a label a vendor can attach to a product.

Business Associate Agreement is mandatory. The BAA establishes the provider's obligations for protecting PHI. Major email services like Google Workspace and Microsoft 365 offer BAAs for their healthcare-eligible plans.

Not all plans are HIPAA-eligible. Google doesn't offer a BAA for consumer Gmail accounts at all; you need Google Workspace with a signed BAA and the required settings. The same split exists at Microsoft: consumer Outlook.com accounts differ from Microsoft 365 business plans.

Transactional email services vary in HIPAA support. Some (like Paubox or certain configurations of major providers) support HIPAA-compliant sending. Others explicitly don't support PHI. Verify before using any service for healthcare email.

Configuration matters beyond the BAA. Even with a HIPAA-eligible service, you must configure it correctly—enabling encryption, setting appropriate access controls, configuring audit logging.

Practical email scenarios

Different healthcare email scenarios have different requirements.

Appointment reminders can be sent with minimal information. Because the reminder comes from a healthcare provider and ties a named patient to receiving care, it is still PHI, but "You have an appointment on Tuesday at 2 PM" discloses almost nothing beyond that. Adding "with Dr. Smith in Oncology" reveals health details and goes beyond what the reminder needs.

Test results and clinical information are clearly PHI. These should go through secure channels—patient portals, encrypted email, or secure messaging—not standard email.

Billing communications may contain PHI if they reveal services provided. An invoice for "cardiac surgery" reveals health information. Consider what billing details actually need to be in email.

Provider-to-provider communication about patients is PHI. Clinical consultations, referrals, and care coordination emails need appropriate protection.

Marketing and general communications that don't reference specific patient health information may not require HIPAA protections, but other regulations (CAN-SPAM, state laws) still apply.

Patient communication preferences

HIPAA allows patients to request specific communication methods.

Patients can request communications go to specific addresses or through specific channels. You must accommodate reasonable requests.

Patients can consent to less secure communication. If a patient prefers unencrypted email despite the risks, document their informed consent. But you can't require patients to accept insecure communication.

Verify the recipient's identity and address before sending PHI. Check the address against the one on file and confirm any change through another channel; a stale or mistyped address is a disclosure to the wrong person, especially for sensitive information.

Opt-out preferences for non-essential communications should be respected. Patients can decline marketing communications while still receiving necessary clinical communications.

Audit and documentation

HIPAA requires maintaining records of your email practices.

Audit logs should capture who sent what to whom and when: sender, recipient, message identifier, timestamp, purpose, and the channel used. Log metadata, not the message body, or the logs themselves become a store of PHI you have to protect. For PHI-containing email, you need records that support compliance verification and breach investigation, stored so they can't be quietly edited after the fact.
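One way to keep such a record, as an added example (not code from this page or from any particular email provider): each send is logged as metadata only, with the recipient stored as a keyed hash and the body as a SHA-256 digest, and every entry carries the hash of the previous one so that edits or deletions after the fact are detectable. The pepper and the two sample sends are hypothetical and constructed.

```python
"""Append-only, hash-chained audit log for PHI email: records who sent what to whom
and when as metadata (keyed hash of the recipient, SHA-256 of the body), never the
body itself, and detects after-the-fact edits. Added example with a hypothetical
pepper and constructed sample sends; not emailr code."""
import hashlib
import hmac
import json
from typing import List, Optional

AUDIT_PEPPER = b"hypothetical-pepper-keep-in-a-secret-store"  # keyed hashing defeats dictionary lookups of addresses
GENESIS = "0" * 64


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(fields: dict) -> bytes:
    """Stable serialization so the hash is reproducible at verification time."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def pseudonymize(address: str) -> str:
    """Keyed hash of a normalized address: searchable by anyone holding the pepper, unreadable otherwise."""
    return hmac.new(AUDIT_PEPPER, address.strip().lower().encode(), hashlib.sha256).hexdigest()


def audit_entry(prev_hash: str, *, ts: str, actor: str, recipient: str, message_id: str,
                body: bytes, purpose: str, channel: str) -> dict:
    """One record. 'purpose' is the HIPAA basis (treatment, payment, operations, authorization);
    'channel' records how the send was protected (tls-smtp, s-mime, portal-notification, consented-plain)."""
    fields = {
        "ts": ts,
        "actor": actor,
        "recipient_hash": pseudonymize(recipient),
        "message_id": message_id,
        "body_sha256": _sha256(body),   # proves which content was sent without storing PHI
        "purpose": purpose,
        "channel": channel,
        "prev": prev_hash,              # links to the previous entry's hash
    }
    return {**fields, "hash": _sha256(_canonical(fields))}


def append(log: List[dict], **fields) -> dict:
    """Append a new entry chained to the current tail."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = audit_entry(prev, **fields)
    log.append(entry)
    return entry


def verify_chain(log: List[dict]) -> Optional[int]:
    """Return the index of the first entry whose hash or link is wrong, or None if intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        fields = {k: v for k, v in entry.items() if k != "hash"}
        if entry.get("prev") != prev or _sha256(_canonical(fields)) != entry.get("hash"):
            return i
        prev = entry["hash"]
    return None


def sends_to(log: List[dict], address: str) -> List[dict]:
    """Breach triage: every send to a given address, found without storing the address in clear."""
    h = pseudonymize(address)
    return [e for e in log if e["recipient_hash"] == h]


def build_sample_log() -> List[dict]:
    """Constructed sample sends, not real traffic."""
    log: List[dict] = []
    append(log, ts="2024-03-04T14:02:11Z", actor="nurse.jones", recipient="Jane.Doe@example.test",
           message_id="m_7c1d2e", body=b"constructed portal notification", purpose="treatment",
           channel="portal-notification")
    append(log, ts="2024-03-04T14:05:40Z", actor="billing-service", recipient="jane.doe@example.test",
           message_id="m_9a0b3f", body=b"constructed statement notice", purpose="payment",
           channel="tls-smtp")
    return log
```

The chain detects tampering; it does not prevent it. Ship the entries to storage the sending system can only append to (a separate log service or object storage with retention locks) and keep the pepper out of that system, so that an attacker who can edit the log still can't re-link it cleanly or turn the recipient hashes back into addresses.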

Policies and procedures for email use should be documented. Who can send PHI via email? What encryption is required? How are patient preferences handled?

Training records demonstrate that workforce members understand email policies. Regular training on HIPAA email requirements is expected.

Risk assessments should include email systems. Identify risks to PHI in your email infrastructure and document how you're addressing them.

Breach documentation is required if PHI is improperly disclosed via email, including what happened, who was affected, the risk assessment you performed, and what remediation occurred. That record also drives the notifications the Breach Notification Rule requires to affected individuals and to HHS.

Common HIPAA email mistakes

Several errors frequently cause HIPAA problems.

Using consumer email services for PHI. Gmail, Yahoo, and consumer Outlook.com accounts come with no BAA, so they can't be used for patient communication containing PHI no matter how careful you are about content.

Sending PHI to wrong recipients happens more than it should. Autocomplete errors, reply-all mistakes, and forwarding errors all expose PHI. Technical controls help: validate recipient addresses against the patient record, warn on external recipients, and use data-loss-prevention rules to block obvious PHI leaving through unprotected channels. Training covers the rest.

Including unnecessary PHI violates the minimum necessary standard. If you only need to confirm an appointment, don't include diagnosis information.

Missing BAAs with email vendors is a common gap. Every vendor that handles PHI needs a BAA—not just your primary email provider but also any tools that touch email containing PHI.

Inadequate encryption leaves PHI exposed. TLS in transit is necessary but protects only the connection, not the message at rest or a hop to a server that doesn't support TLS. Evaluate whether your encryption approach adequately protects PHI.

Building HIPAA-compliant email infrastructure

Creating compliant email systems requires deliberate design.

Choose HIPAA-eligible services and obtain BAAs before sending any PHI. Verify the specific plan and configuration requirements.

Implement encryption appropriate to your risk assessment. At minimum, TLS for all connections. Consider end-to-end encryption or secure portals for sensitive communications.

Configure access controls so only authorized personnel can send PHI-containing email. Limit who has access to patient email addresses and communication systems.

Enable comprehensive audit logging. You need records of email activity for compliance verification and incident investigation.

Train all workforce members on email policies. Everyone who might send email containing PHI needs to understand the requirements.

Regularly assess and update your email practices. HIPAA compliance isn't one-time—it requires ongoing attention as systems and threats evolve.

Frequently asked questions

Can I use Gmail for healthcare email?

Consumer Gmail, no: there is no BAA for it. Google Workspace with a signed BAA and the required configuration can be part of a HIPAA-compliant setup. The distinction matters, so verify you have the right plan and configuration.

Do appointment reminders require encryption?

It depends on content. A reminder with just date and time is still PHI when it comes from a healthcare provider, but it discloses the minimum. A reminder that reveals the type of appointment or provider specialty discloses more and needs stronger protection. Err on the side of caution.

What if a patient emails me PHI?

You're not responsible for how patients choose to communicate. But your response should use appropriate protections. Consider replying through a secure channel rather than continuing an unencrypted email thread.

Are there HIPAA-compliant transactional email services?

Yes, several services offer HIPAA-compliant email with BAAs. Paubox, certain Mailgun configurations, and others support healthcare use cases. Verify BAA availability and configuration requirements before use.


Written by the emailr team

Building email infrastructure for developers
