In 2023, OCR settled with a healthcare provider for over $100,000 after an investigation revealed that staff routinely sent unencrypted emails containing protected health information to patients and third parties. The organization had no email security policy, no encryption tools, and no workforce training on electronic PHI transmission. Sending compliant email isn't optional — it's a core requirement of the HIPAA Security Rule, and OCR has repeatedly demonstrated its willingness to enforce it.
What Makes Email HIPAA Compliant?
A compliant email system requires more than just hitting "send" through a major email provider. Under 45 CFR § 164.312(a)(1) and § 164.312(e)(1), covered entities must implement access controls and transmission security to protect electronic PHI in transit and at rest. In practical terms, this means encryption, authentication, and audit controls.
Three elements must be in place before your organization sends any email containing PHI:
- Encryption in transit: TLS (Transport Layer Security) 1.2 or higher must protect emails on every hop between sender and recipient servers. Because TLS only secures each server-to-server connection, not the message itself, end-to-end encryption (where only the intended recipient can decrypt the content) is the gold standard.
- Encryption at rest: Emails stored on servers — including sent folders and archives — must be encrypted so unauthorized access doesn't expose PHI.
- Business associate agreement (BAA): Your email service provider is a business associate. Without a signed BAA, using their platform to transmit PHI is a HIPAA violation regardless of encryption status.
Google Workspace, Microsoft 365, and several other platforms will sign BAAs — but only on specific paid plans. Free consumer email accounts (Gmail, Yahoo, Outlook.com personal) are never appropriate for PHI transmission, even with a password-protected attachment.
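The following is an added example (not code from the original article) showing how a sending application can enforce the encryption-in-transit element above: the SMTP client refuses anything older than TLS 1.2, checks the version actually negotiated before a message containing PHI leaves, and returns an audit record that deliberately omits subject and body content. The relay hostname, port, and the use of STARTTLS on submission port 587 are assumptions.

```python
import smtplib
import ssl
from email.message import EmailMessage

# Versions the transmission-security policy accepts (TLS 1.2 or higher).
ACCEPTED_TLS_VERSIONS = {"TLSv1.2", "TLSv1.3"}


def build_tls_context() -> ssl.SSLContext:
    """Client context that rejects SSL/TLS 1.0/1.1 and verifies the relay's certificate."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + hostname check by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # policy floor from the article
    return ctx


def meets_transmission_policy(negotiated_version: str) -> bool:
    """True if the string reported by SSLSocket.version() satisfies the TLS 1.2+ policy."""
    return negotiated_version in ACCEPTED_TLS_VERSIONS


def send_phi_message(msg: EmailMessage, relay_host: str, port: int = 587) -> dict:
    """Submit msg over STARTTLS only after confirming TLS 1.2+ was negotiated.

    Raises RuntimeError (and sends nothing) if the relay offers no STARTTLS or
    negotiates a version below policy. Returns a PHI-free audit record.
    relay_host/port are assumed values supplied by the caller.
    """
    ctx = build_tls_context()
    with smtplib.SMTP(relay_host, port, timeout=30) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError("relay does not offer STARTTLS; PHI not sent")
        smtp.starttls(context=ctx)   # context enforces the 1.2 floor during the handshake
        smtp.ehlo()
        version = smtp.sock.version()  # e.g. "TLSv1.3" on the upgraded socket
        if not meets_transmission_policy(version):
            raise RuntimeError(f"negotiated {version} is below policy minimum; PHI not sent")
        smtp.send_message(msg)
    # Audit controls: record the transmission without copying PHI into the log.
    return {
        "to": msg.get("To"),
        "relay": relay_host,
        "tls_version": version,
        "message_id": msg.get("Message-ID"),
    }
```

If the relay only supports TLS 1.0 or 1.1, the handshake itself fails under this context, so the version check after STARTTLS is a second, explicit gate for the audit trail rather than the only control.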
The Encryption Requirement Most Organizations Get Wrong
Encryption is listed as an "addressable" specification in the Security Rule, which creates dangerous confusion. Healthcare organizations consistently interpret "addressable" as "optional." It is not. Under the Security Rule, an addressable specification must be implemented if it is reasonable and appropriate. If you determine it is not, you must document why and implement an equivalent alternative measure.
For email, encryption is virtually always reasonable and appropriate. The cost of email encryption solutions has dropped dramatically, with several HIPAA-focused platforms available for under $10 per user per month. OCR has stated in multiple guidance documents that unencrypted email transmission of PHI over an open network is a significant risk that covered entities must address.
If your organization's risk analysis identifies email transmission as a vulnerability — and it should — failing to implement encryption exposes you to enforcement action and breach notification obligations under 45 CFR §§ 164.400-414.
Patient-Initiated Email and the Consent Exception
One area where covered entities frequently stumble is patient-initiated communication. Under the Privacy Rule, a patient may request to receive PHI via unencrypted email. If the patient makes this request and is informed of the risks, the covered entity may honor it. However, this does not eliminate your obligations.
You must document the patient's request and the warning you provided. Your Notice of Privacy Practices should reference electronic communication options. And critically, the minimum necessary standard still applies — send only the PHI the patient requested, nothing more. A patient asking for appointment reminders via email does not authorize you to send their full lab panel results in the body of an unencrypted message.
Business Associate Agreements: The Step Organizations Skip
In my work with covered entities, I've found that email BAAs are one of the most commonly overlooked compliance requirements. Your email hosting provider stores, processes, and transmits PHI on your behalf. That makes them a business associate under the Omnibus Rule.
Without a signed BAA, every email containing PHI sent through that platform constitutes a potential HIPAA violation — even if the email itself is encrypted. OCR has pursued enforcement actions specifically targeting the absence of BAAs, including a $1.55 million settlement in 2016 involving a business associate relationship with no formal agreement.
Verify that your email provider offers a BAA, ensure it covers all relevant Security Rule and Breach Notification Rule requirements, and keep a signed copy accessible during audits.
Workforce Training on Compliant Email Practices
Technical safeguards alone won't protect your organization. Under 45 CFR § 164.530(b), covered entities must train all workforce members on policies and procedures relevant to their job functions. For any staff member who handles PHI, that includes email security.
Your workforce needs to understand:
- When PHI can and cannot be sent via email
- How to use your organization's encryption tools correctly
- How to verify recipient addresses before sending PHI (misdirected emails are a leading cause of reportable breaches)
- What to do if they accidentally send PHI to the wrong recipient
- How to recognize phishing emails that target healthcare credentials
Providing comprehensive HIPAA training and certification to every workforce member is the most effective way to reduce human error — the single largest source of email-related breaches reported to OCR.
Building a Compliant Email Policy for Your Organization
A written email policy is essential. Your policy should specify approved email platforms, encryption standards, prohibited content in email subject lines (never include patient names or diagnoses, since subject lines commonly remain readable even when the message body is encrypted), and the process for handling misdirected emails as potential breaches.
The policy must be reviewed annually as part of your ongoing risk analysis and updated whenever you change email providers, add new communication tools, or experience a security incident. Staff must acknowledge the policy in writing, and that documentation must be retained for six years per HIPAA requirements.
Compliant email is not achieved by installing one tool or signing one agreement. It requires layered technical safeguards, current BAAs, clear policies, and a trained workforce operating together. Organizations that treat email compliance as an afterthought consistently appear in OCR's enforcement actions.
If your organization hasn't assessed its email practices against Security Rule requirements, start now. Equip your team with the knowledge they need through HIPAA Certify's workforce compliance program, and close the gaps before OCR finds them for you.