HIPAA-Compliant Email for Healthcare

Email is one of the most common ways PHI is inadvertently disclosed. Get the technical and policy controls right with this practical guide.

Published April 7, 2026

Why Standard Email Is Not HIPAA Compliant

Standard email — Gmail, Outlook, Yahoo Mail, and most consumer and business email services — is not HIPAA compliant for transmitting PHI because:

  • Transport encryption is not guaranteed: TLS between mail servers is opportunistic by default, so a message silently falls back to cleartext if the next hop does not offer it, and even when TLS is negotiated it protects only that hop, not the message end-to-end
  • Email providers typically do not offer HIPAA BAAs for standard or consumer accounts
  • Messages are stored on the provider's servers, which makes the provider a third-party ePHI repository operating without a BAA
  • Email is easily forwarded, shared, or accessed by unauthorized parties
  • Standard email provides no audit trail of who has accessed sensitive messages

The risks are not theoretical — email is consistently one of the top sources of HIPAA breaches reported to HHS. Misdirected emails (sent to wrong recipient) and unauthorized forwarding to personal accounts are common breach causes.


What Makes Email HIPAA Compliant

HIPAA-compliant email requires three elements working together:

  1. Encrypted transmission: Email containing PHI must be encrypted during transmission. Common approaches are S/MIME (which encrypts the message body itself, so it stays protected across every hop and in the recipient's mailbox) and TLS with enforced delivery (the sending server refuses to deliver if the receiving server cannot negotiate TLS, rather than falling back to cleartext). Some solutions use secure message portals: the email carries only a notification, and the recipient logs in to retrieve the secured message.
  2. Encrypted storage: Email stored on servers must be encrypted at rest. This applies to both your mail server and any backup systems.
  3. Business Associate Agreement: Your email provider must sign a HIPAA BAA before you use their services to send or store PHI.

Additionally, your organization must have policies governing when email can be used for PHI, staff training on those policies, and access controls to email systems that limit exposure.


Email Providers That Offer HIPAA BAAs

Several major email providers offer HIPAA BAAs for business accounts:

  • Google Workspace (Business or Enterprise): Google offers a BAA that covers Gmail and Google Drive for Workspace users. It must be explicitly accepted by an administrator in the Admin console; it is not automatic.
  • Microsoft 365 (Business Premium or higher): Microsoft includes a BAA in its Product Terms (formerly the Online Services Terms) for qualifying plans. Review which specific M365 services are covered.
  • Proton Mail for Business: End-to-end encrypted email with HIPAA BAA available for business accounts.
  • Paubox: HIPAA-compliant email service designed specifically for healthcare, with end-to-end encryption and BAA included.
  • LuxSci: Healthcare-focused email provider with BAA, encryption, and detailed compliance documentation.

Email from Website Forms

One of the most overlooked HIPAA email risks is the automated notification email generated by website forms. When a patient submits an appointment request or health questionnaire, many form platforms automatically email the submission contents to staff. If this notification email goes to a standard inbox without HIPAA controls, it creates a violation.

  • Configure form notifications to send a link to the secure submission rather than the PHI itself
  • If you must send PHI via form notification emails, ensure the destination email account is covered by a BAA
  • Do not allow form notification emails to be auto-forwarded to personal accounts
  • Review all automated email workflows in your website platform — CMS plugins, booking systems, and intake tools often have undocumented email notification behaviors
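To make the first two bullets concrete, here is an added Python example (not code from this page or from any form platform it mentions) of a notification handler that emails a link to the stored submission rather than its contents, together with an outbound check that refuses to send a message containing PHI field values to a mailbox outside your BAA-covered domains. The field names, portal URL and submission data are constructed placeholders.

```python
"""Link-only form notifications with an outbound PHI leak check.

Added illustration: the submission, field list and portal URL are constructed
placeholders, not a real platform's data or API.
"""
from __future__ import annotations

import re

# Fields of the (hypothetical) intake form whose values are PHI and must stay in the secured store.
PHI_FIELDS = ("patient_name", "dob", "phone", "reason")
PORTAL_BASE = "https://intake.example-clinic.test/submissions/"   # hypothetical secure portal

# Constructed sample submission.
SAMPLE_SUBMISSION = {
    "id": "sub_8f3a2c",
    "patient_name": "Jane Doe",
    "dob": "1984-03-12",
    "phone": "555-0142",
    "reason": "follow-up for hypertension medication",
}


def default_platform_notification(sub: dict) -> dict:
    """The risky default many form plugins ship: dump every field into the email."""
    body = "\n".join(f"{key}: {value}" for key, value in sub.items())
    return {"subject": f"New intake from {sub['patient_name']}", "body": body}


def link_only_notification(sub: dict) -> dict:
    """Safer notification: tells staff something arrived and where to log in; carries no PHI."""
    body = (
        "A new intake submission is waiting for review.\n"
        f"Open it in the secure portal (sign-in required): {PORTAL_BASE}{sub['id']}\n"
        "This notification intentionally contains no patient details."
    )
    return {"subject": "New intake submission received", "body": body}


def _normalise(text: str) -> str:
    """Lower-case and strip punctuation/whitespace so reformatted values still match."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def phi_leak_check(message: dict, sub: dict) -> list[str]:
    """Return the PHI field names whose values appear in the subject or body."""
    haystack = _normalise(message["subject"] + "\n" + message["body"])
    leaked = []
    for field in PHI_FIELDS:
        needle = _normalise(str(sub.get(field, "")))
        if needle and needle in haystack:
            leaked.append(field)
    return leaked


def send_notification(message: dict, sub: dict, recipient: str,
                      baa_covered_domains: set[str]) -> bool:
    """Gate before handing the message to the mailer.

    PHI may only go to a mailbox in a domain covered by a BAA; a link-only
    message is allowed anywhere because it carries no PHI.
    """
    leaked = phi_leak_check(message, sub)
    domain = recipient.rsplit("@", 1)[-1].lower()
    if leaked and domain not in baa_covered_domains:
        raise ValueError(
            f"refusing to send: PHI fields {leaked} would reach {domain} without a BAA")
    return True   # hand off to the real mailer here


if __name__ == "__main__":
    covered = {"example-clinic.test"}
    safe = link_only_notification(SAMPLE_SUBMISSION)
    print(send_notification(safe, SAMPLE_SUBMISSION, "frontdesk@gmail.com", covered))
    risky = default_platform_notification(SAMPLE_SUBMISSION)
    try:
        send_notification(risky, SAMPLE_SUBMISSION, "frontdesk@gmail.com", covered)
    except ValueError as exc:
        print(exc)
```

The gate only covers the notification your handler generates. Auto-forwarding rules in the recipient's mailbox (the third bullet) are outside any form handler's reach and have to be disabled in the mail platform's admin console.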

Patient-Initiated Email Communication

Patients may ask to be contacted by a particular means, including unencrypted email. If a patient asks to receive their health information by standard email after being informed of the risks, you may honor that request. Document the patient's informed preference.

However, this patient preference exception is narrow:

  • The patient must initiate the preference for unencrypted communication
  • You must inform the patient of the risks of unencrypted email
  • The preference should be documented in their record
  • This exception covers communications with the patient — it does not authorize unencrypted email among your own staff or with business associates

Frequently Asked Questions

Is Gmail HIPAA compliant for healthcare providers?
Standard Gmail (personal accounts) is not HIPAA compliant. Google Workspace for business includes a HIPAA BAA that covers Gmail when properly activated. If your practice uses Google Workspace and has executed the BAA through your admin console, you can use Gmail for PHI — but you must also configure Gmail appropriately (enforce TLS, manage retention policies, and train staff on proper use).
Can I fax PHI instead of emailing it?
Traditional fax transmissions are not subject to the HIPAA Security Rule's ePHI requirements in the same way as email, as analog fax is generally not considered electronic. However, digital fax services (fax-to-email, internet fax) do create ePHI and must comply with the Security Rule. Additionally, fax carries its own HIPAA risks — misdirected faxes are a common breach source. Use secure fax with delivery confirmation and staff procedures to prevent misdirection.
What is the minimum standard for email encryption under HIPAA?
HIPAA does not specify encryption algorithms or standards by name; encryption is an "addressable" implementation specification in the Security Rule, and HHS's breach-notification guidance points to NIST publications (SP 800-111 for data at rest, SP 800-52 for TLS) to define what counts as "secured" PHI. In practice that means AES (128-bit or stronger) for storage and TLS 1.2 or higher, with TLS 1.3 preferred, for transmission. For email specifically, enforced TLS (the sending server refuses to deliver if the receiving server cannot negotiate TLS) is stronger than opportunistic TLS, which silently falls back to cleartext.
Do appointment reminder emails contain PHI?
Appointment reminder emails that include the name of the practice, the appointment time, and the provider's name typically constitute PHI because they identify an individual in relation to receiving healthcare services. Reminders that only say 'you have an appointment tomorrow' without identifying the healthcare context are generally not PHI. Review the content of your automated appointment reminders against this standard.
