Every healthcare practice sends email. Appointment confirmations, lab results, referral letters, billing questions. But the moment an email contains protected health information (PHI), HIPAA applies. And the consequences of getting it wrong are steep.
This guide covers everything a covered entity or business associate needs to know about emailing PHI under HIPAA. The rules, the risks, and a practical path to compliance.
Does HIPAA Allow You to Email PHI?
Yes. HIPAA does not prohibit sending PHI by email.
That surprises people. HHS has stated explicitly that the Privacy Rule “does not prohibit the use of unencrypted e-mail for treatment-related communications between health care providers and patients.” The key phrase is “treatment-related.” The permission comes with conditions.
Those conditions are defined across several sections of the HIPAA Security Rule and Privacy Rule. The most critical ones for email:
- Transmission Security under 45 CFR 164.312(e)(1)
- Access Controls under 45 CFR 164.312(a)(1)
- Integrity Controls under 45 CFR 164.312(e)(2)(i)
- Minimum Necessary Standard under 45 CFR 164.502(b)
- Patient Right to Confidential Communications under 45 CFR 164.522(b)
If you meet these requirements, email is a legitimate channel for PHI. If you do not, every email containing PHI is a potential breach.
The Transmission Security Standard: 45 CFR 164.312(e)(1)
The transmission security standard is the centerpiece of HIPAA email compliance. It requires covered entities and business associates to “implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.”
That language covers email directly. When you send an email containing ePHI, it travels across networks you do not control. The transmission security standard says you must protect it during that journey.
The standard includes two implementation specifications:
- Integrity Controls (45 CFR 164.312(e)(2)(i)): Mechanisms to ensure that electronically transmitted ePHI is not improperly modified without detection.
- Encryption (45 CFR 164.312(e)(2)(ii)): A mechanism to encrypt ePHI whenever deemed appropriate.
Under the current rule (as of mid-2026), both of these are classified as “addressable” implementation specifications. That does not mean optional. It means you must assess whether encryption is reasonable and appropriate for your environment, and if you decide not to implement it, you must document why and implement an equivalent alternative measure. In practice, for email sent over the open internet, there is almost never a defensible reason to skip encryption. If you want to understand why “addressable” gets misunderstood so often, read our breakdown: Addressable Doesn’t Mean Optional: A HIPAA Myth That Won’t Die.
TLS Encryption Between Mail Servers: The Baseline
Transport Layer Security (TLS) is the most common method for encrypting email in transit. When your mail server connects to the recipient’s mail server, TLS creates an encrypted tunnel so the message cannot be read by anyone intercepting the connection.
Most modern email platforms (Microsoft 365, Google Workspace, and others) support TLS. Here is where things get complicated: support is not the same as enforcement.
Opportunistic TLS vs. Enforced TLS
There are two modes of TLS for email:
Opportunistic TLS attempts to use TLS when sending a message. If the recipient’s server supports TLS, the connection is encrypted. If it does not, the message is sent in plain text. The sender usually has no idea this happened.
Enforced TLS (also called forced TLS or mandatory TLS) requires TLS for every connection. If the recipient’s server does not support TLS, the message is not delivered. It bounces back, and the sender is notified.
For HIPAA compliance, opportunistic TLS is dangerous. Here is why:
- No guarantee of encryption. If the receiving server does not support TLS, or if the TLS negotiation fails, your email containing PHI is sent in plain text across the open internet. You have no way to know this happened unless you are monitoring every outbound connection.
- Vulnerability to downgrade attacks. The SMTP exchange that precedes the TLS handshake, including the server's STARTTLS advertisement, occurs in plain text. An attacker positioned between the two servers can tamper with that exchange so the connection falls back to unencrypted transmission. The sending server believes TLS was unavailable, and the email goes out in the clear.
- No compliance documentation. If you cannot prove that every email containing PHI was encrypted in transit, you cannot demonstrate compliance with 45 CFR 164.312(e)(1). Opportunistic TLS does not give you that proof.
Bottom line: Opportunistic TLS alone is not sufficient for HIPAA compliance when sending emails containing PHI. You need either enforced TLS with every recipient domain that receives PHI, or a different encryption method entirely.
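The two modes above, written out as a delivery decision in Python. This is an added illustration, not code from the page or from any mail platform: the decision logic runs on the parsed EHLO feature set (the same dict smtplib exposes as `SMTP.esmtp_features`), and the `send_enforced` helper shows how an enforced policy refuses to deliver rather than fall back. The three feature sets at the bottom are constructed, not real servers.

```python
import smtplib
import ssl

# Delivery outcomes, mirroring the two TLS modes described above.
SEND_ENCRYPTED = "send-encrypted"
SEND_PLAINTEXT = "send-plaintext"   # opportunistic fallback: the silent failure mode
BOUNCE = "bounce"                   # enforced mode: refuse delivery and tell the sender

ACCEPTABLE_VERSIONS = {"TLSv1.2", "TLSv1.3"}


def tls_decision(esmtp_features, policy):
    """Decide what to do once the EHLO reply is known.

    esmtp_features: extension -> parameters dict built from the 250- lines
    (smtplib lowercases the keys). policy: "opportunistic" or "enforced".
    """
    if "starttls" in esmtp_features:
        return SEND_ENCRYPTED
    if policy == "enforced":
        return BOUNCE
    return SEND_PLAINTEXT        # opportunistic: nobody is told the message went in the clear


def version_acceptable(negotiated):
    """Only TLS 1.2 and 1.3 count; 1.0 and 1.1 are treated as no protection."""
    return negotiated in ACCEPTABLE_VERSIONS


class TlsRequiredError(Exception):
    """Raised instead of delivering when enforced TLS cannot be satisfied."""


def send_enforced(host, sender, recipient, message, port=25):
    """Send over SMTP, but bounce rather than ever transmit in plain text."""
    ctx = ssl.create_default_context()           # also verifies certificate and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        smtp.ehlo()
        if tls_decision(smtp.esmtp_features, "enforced") == BOUNCE:
            raise TlsRequiredError(f"{host} did not advertise STARTTLS; message not sent")
        smtp.starttls(context=ctx)               # raises if the handshake or cert check fails
        smtp.ehlo()                              # RFC 3207: re-issue EHLO after STARTTLS
        negotiated = smtp.sock.version()         # the wrapped socket reports e.g. "TLSv1.3"
        if not version_acceptable(negotiated):
            raise TlsRequiredError(f"{host} negotiated {negotiated}; message not sent")
        smtp.sendmail(sender, recipient, message)
        return negotiated


# Constructed EHLO feature sets for an offline walk-through (not real servers).
NORMAL_SERVER = {"size": "35882577", "starttls": "", "8bitmime": ""}
NO_TLS_SERVER = {"size": "10240000", "8bitmime": ""}
# What the sender sees when the STARTTLS advertisement has been stripped in transit:
# indistinguishable from a server that never supported TLS.
STRIPPED_SERVER = {"size": "35882577", "8bitmime": "", "pipelining": ""}

if __name__ == "__main__":
    for name, feats in [("normal", NORMAL_SERVER), ("no-tls", NO_TLS_SERVER),
                        ("stripped", STRIPPED_SERVER)]:
        print(f"{name:9} opportunistic -> {tls_decision(feats, 'opportunistic'):15} "
              f"enforced -> {tls_decision(feats, 'enforced')}")
```

Note that the stripped case and the genuinely TLS-less case produce the same decision: only the enforced policy turns either into a bounce the sender can see and act on.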
Beyond TLS: End-to-End Encryption Options
TLS encrypts the connection between mail servers, but the email itself sits unencrypted on the servers at both ends. If either server is compromised, the PHI is exposed. End-to-end encryption solves this by encrypting the message content before it leaves the sender’s device. Only the recipient’s device can decrypt it.
Common methods include:
- S/MIME: Uses digital certificates. Both parties need certificates. Works within organizations but is difficult to manage with external recipients.
- PGP/GPG: Open standard, powerful, but complex. Requires key exchange. Not practical for patient-facing communication.
- Portal-based encryption: The sender’s system encrypts the message. The recipient gets a notification with a link to a secure portal where they authenticate and read it. PHI never travels through standard email channels.
For most healthcare practices, portal-based encryption or automatic encryption solutions offer the best balance of security and usability.
Portal-Based Secure Messaging: Paubox, Virtru, and Hushmail
Three platforms dominate the HIPAA-compliant email market for small and mid-sized practices. Each takes a different approach.
Paubox
Paubox integrates directly with Microsoft 365 and Google Workspace. Every outbound email is encrypted by default. Recipients open the email in their regular inbox without needing a portal login. For recipients whose servers do not support TLS, Paubox automatically falls back to a secure link.
- BAA included with all paid plans
- HITRUST CSF certified
- Pricing starts around $30 per user per month
- Zero-step encryption (no toggle, no decision point for staff)
The zero-step model matters. When encryption depends on a human remembering to click a button, mistakes happen. Paubox removes that failure point.
Virtru
Virtru works as a browser extension or Outlook add-in with end-to-end encryption. Senders can revoke access to sent emails, set expiration dates, and disable forwarding.
- Supports HIPAA, ITAR, CMMC, and other frameworks
- Persistent protection (encryption stays with the data after delivery)
- Pricing starts around $119 per month for five users
- BAA available with paid plans
Virtru is a strong choice when you need granular control over sent messages, especially when sharing sensitive records with external parties.
Hushmail
Hushmail for Healthcare combines encrypted email with secure web forms and electronic signatures. It is a standalone email service, meaning your team uses Hushmail’s interface rather than Outlook or Gmail.
- BAA included with all Healthcare plans
- Built-in secure forms for patient intake
- Pricing starts around $14 per user per month
- Encryption is not automatic. Senders must toggle it on per message.
That last point matters. The opt-in model means a staff member can forget to toggle encryption and send PHI in plain text. For practices with strong training programs, this may be acceptable. For practices with high staff turnover or inconsistent HIPAA awareness, an automatic solution like Paubox reduces risk.
Choosing the Right Solution
For solo practitioners and small practices wanting minimal configuration, Paubox or Hushmail are straightforward. For organizations needing message-level access control, Virtru provides capabilities the others do not. Our HIPAA consulting team can help you evaluate which solution fits your workflow and risk profile.
Patient Consent for Unencrypted Email
Here is a scenario every practice encounters: a patient says, “Just email it to me. I don’t care about the portal.”
HIPAA has a provision for this. Under 45 CFR 164.522(b), individuals have the right to request confidential communications by alternative means or at alternative locations. This right also works in reverse. A patient can request that you communicate with them via standard, unencrypted email.
If a patient makes this request after being informed of the risks, you may honor it. But the process matters:
- Warn the patient in writing about the risks of unencrypted email. Be specific: emails can be intercepted, read by unauthorized parties, stored on insecure servers, and accessed if the patient’s email account is compromised.
- Obtain written consent. Document that the patient understands the risks and still wants to receive communications via unencrypted email.
- Document both the warning and the consent. Keep this documentation in the patient’s file.
- Apply the minimum necessary standard. Even with consent, do not send more PHI than necessary. A patient consenting to unencrypted email does not give you permission to send their entire medical record in the body of an email.
A critical nuance: if a patient requests that you NOT use unencrypted email and instead communicate through a secure method, you must accommodate that request if it is reasonable. This is the confidential communications requirement under 45 CFR 164.522(b).
Patient consent does not eliminate your Security Rule obligations. You still need a risk assessment, policies, procedures, and workforce training. Consent addresses the Privacy Rule’s requirement for this specific patient interaction.
The Minimum Necessary Standard Applied to Email
Under 45 CFR 164.502(b), covered entities must make reasonable efforts to limit PHI disclosures to the minimum necessary to accomplish the intended purpose.
For email, this means:
- Do not include more PHI than the message requires. If a patient asks whether their lab results are back, you do not need to include every result in the reply. Confirm they are ready and direct the patient to the portal or a phone call for details.
- Use the subject line carefully. Never put PHI in the subject line. Subject lines are visible in notifications, lock screens, email previews, and forwarded messages. They are often not encrypted even when the message body is.
- Limit recipients. Only include people who need the information. Do not CC or BCC parties who do not have a treatment, payment, or operations reason to receive the PHI.
- Avoid attachments when possible. If you must attach documents containing PHI, ensure they are encrypted or password-protected in addition to the email encryption.
- Strip unnecessary identifiers. If you can accomplish the purpose of the email with a patient’s initials and date of birth instead of their full name, Social Security number, and medical record number, do that.
The minimum necessary standard does not apply to treatment disclosures between providers, but it applies to communications with patients, health plans, and most other recipients. When in doubt, send less.
Email Retention and Access Requirements
HIPAA does not specify a blanket retention period for all emails. But two rules create retention obligations that affect email:
Documentation Retention
Under 45 CFR 164.530(j), covered entities must retain HIPAA-related documentation for six years from the date of creation or the date when it was last in effect, whichever is later. This includes policies, procedures, and records of actions or assessments related to HIPAA compliance. If your emails document HIPAA compliance activities (training records, breach investigations, policy communications), they fall under this six-year requirement.
Security Rule Documentation
Under 45 CFR 164.316(b)(2), Security Rule documentation must also be retained for six years. Risk assessments, security incident records, and policy documents that may exist as emails or email attachments are covered.
Patient Records in Email
Emails that become part of a patient’s medical record or designated record set are subject to state medical record retention laws, which often require seven to ten years (and longer for minors). Check your state’s requirements.
Practical Implications
- Configure email retention policies in your email platform to prevent premature deletion.
- Ensure email archives are searchable and accessible. Under 45 CFR 164.524, patients have the right to access their PHI, including PHI contained in emails.
- Back up email data regularly and include email systems in your disaster recovery plan.
- Do not use auto-delete policies that destroy emails containing PHI before the retention period expires.
Microsoft 365 HIPAA Configuration
Microsoft 365 can support HIPAA compliance, but it is not compliant out of the box. Purchasing a license does not make you compliant. Configuration does.
Sign the BAA. Microsoft offers a HIPAA BAA through its Online Services Data Protection Addendum. Without a signed BAA, your use of M365 for PHI violates HIPAA regardless of configuration.
Use the correct license tier. HIPAA compliance requires E3, E5, or Business Premium licenses. Standard or Basic plans lack the necessary security features.
Enable Office Message Encryption (OME). Configure transport rules that automatically encrypt messages matching criteria such as PHI keywords or external recipients.
Enforce MFA. Enable multi-factor authentication for all accounts and disable legacy authentication protocols that bypass MFA. This satisfies access controls under 45 CFR 164.312(d). See our guide: MFA Required Under HIPAA: A Plain English Guide.
Configure Data Loss Prevention (DLP). Deploy DLP policies across Exchange, SharePoint, OneDrive, and Teams to detect and block unauthorized PHI sharing.
Enable audit logging. HIPAA requires mechanisms to “record and examine activity in information systems that contain or use ePHI” under 45 CFR 164.312(b). Turn on unified audit logging with adequate retention.
Disable auto-forwarding to external domains.
Implement sensitivity labels. Use Microsoft Purview to classify and label PHI with appropriate retention and protection policies.
Google Workspace HIPAA Configuration
Google Workspace supports HIPAA compliance on paid plans. Like Microsoft, it requires a BAA and specific configuration. Consumer Gmail (free accounts) cannot be used for PHI.
Sign the BAA. In the Admin console, navigate to Account settings and accept the BAA. Only certain services are covered: Gmail, Google Drive, Google Calendar, and Google Meet.
Enforce TLS for email. Configure Gmail to require TLS for domains that receive PHI. Block delivery to domains without TLS support.
Enable 2-Step Verification for all users. Prefer security keys or authenticator apps over SMS.
Configure DLP rules. Scan outbound messages for PHI patterns (Social Security numbers, medical record numbers, ICD codes) and block or quarantine violations.
Disable POP and IMAP access. These protocols bypass security controls. If needed, restrict them to managed devices.
Set email retention. Use Google Vault to configure retention rules meeting HIPAA and state requirements.
Restrict external sharing of files and messages containing PHI.
Neither Microsoft 365 nor Google Workspace is “HIPAA compliant” as a product. They are platforms that can be configured to support compliance. The configuration responsibility falls on you. A risk assessment should evaluate your email platform configuration as part of your overall security posture.
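The outbound DLP rules described in the Microsoft 365 and Google Workspace steps, together with the minimum-necessary rules for subject lines and recipients, as one added pre-send check in Python. This is illustrative code, not either platform's DLP engine: the detectors are constructed stand-ins for the platforms' predefined patterns (SSN, MRN, dotted ICD-10 codes), `clinic.example` is an assumed internal domain, and the three sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed detectors standing in for the platform's predefined DLP patterns.
DETECTORS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "mrn": re.compile(r"\bMRN\s*[:#]?\s*\d{6,10}\b", re.IGNORECASE),
    "icd10": re.compile(r"\b[A-TV-Z]\d{2}\.\d{1,4}\b"),   # dotted form only, e.g. E11.9
}


def find_phi(text):
    """Names of the detectors that fire on text, in a stable order."""
    return [name for name, rx in DETECTORS.items() if rx.search(text)]


def body_text(msg):
    """Concatenate the text/plain parts (walk() yields the message itself if not multipart)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def classify_outbound(raw_message, internal_domain):
    """Return the action an outbound rule set should take and why.

    block   - PHI in the subject line: subject lines are not encrypted and show in previews
    encrypt - PHI in the body: deliver only through the encryption path
    allow   - nothing detected
    """
    msg = message_from_string(raw_message)
    subject_hits = find_phi(msg.get("Subject", ""))
    body_hits = find_phi(body_text(msg))
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    recipients = [addr for _, addr in getaddresses(headers)]
    external = [a for a in recipients if not a.lower().endswith("@" + internal_domain)]
    if subject_hits:
        action = "block"
    elif body_hits:
        action = "encrypt"
    else:
        action = "allow"
    return {"action": action, "subject_phi": subject_hits, "body_phi": body_hits,
            "external_recipients": external}


# Constructed sample messages (fictional people, RFC 2606 example domains).
SAMPLE_SUBJECT_PHI = """From: frontdesk@clinic.example
To: patient@example.com
Subject: Lab results for MRN 00412233

Hi, your A1c is back. SSN on file 123-45-6789, please confirm.
"""
SAMPLE_BODY_PHI = """From: nurse@clinic.example
To: Dr. Lee <lee@clinic.example>
Cc: billing@partner.example
Subject: Your results are ready

Results for MRN 00412233 are in the chart. Working diagnosis E11.9.
"""
SAMPLE_CLEAN = """From: frontdesk@clinic.example
To: patient@example.com
Subject: Appointment confirmed

See you Tuesday at 10:30. Reply to this message if you need to reschedule.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_SUBJECT_PHI, SAMPLE_BODY_PHI, SAMPLE_CLEAN):
        print(classify_outbound(sample, "clinic.example"))
```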
Common Email HIPAA Violations
Understanding what goes wrong helps you prevent it. Here are the most common email-related HIPAA violations, with real enforcement examples.
1. Phishing Attacks That Compromise Email Accounts
Phishing remains the most common attack vector for healthcare email breaches. Attackers send convincing emails that trick employees into entering their credentials on fake login pages. Once inside, attackers access every email in the compromised account, including those containing PHI.
PIH Health, Inc. ($600,000 settlement, 2025): A 2019 phishing attack compromised 45 employee email accounts, exposing PHI of 189,763 individuals, including names, Social Security numbers, diagnoses, and lab results. OCR found PIH failed to conduct a compliant risk analysis and delayed breach notification by seven months.
Solara Medical Supplies ($3,000,000 settlement, 2025): A 2019 phishing campaign compromised eight employee email accounts, exposing PHI of 114,007 patients. OCR found Solara lacked an adequate risk analysis and sufficient security measures. The $3 million penalty came with a two-year corrective action plan.
2. Sending PHI to the Wrong Recipient
Autocomplete is the enemy of HIPAA compliance. A staff member types the first few letters of a patient’s name, autocomplete fills in the wrong address, and PHI goes to a stranger. This is a breach, and it must be reported.
3. Unencrypted Email Containing PHI
Sending PHI in plain text email without encryption, without patient consent, and without a documented reason for the alternative approach violates 45 CFR 164.312(e)(1). If an unencrypted email is intercepted, the PHI is considered “unsecured” and the incident triggers breach notification requirements under 45 CFR 164.402.
4. PHI in Subject Lines
Email subject lines are not encrypted by most systems, even when the body is. They appear in notifications, email previews, and search results. Putting a patient’s name, diagnosis, or other PHI in the subject line is a violation of the minimum necessary standard and a potential breach.
5. Using Personal Email Accounts for PHI
Employees who forward work email to personal Gmail, Yahoo, or iCloud accounts create breaches. These personal accounts have no BAA, no encryption guarantees, no audit logging, and no organizational control. Every message containing PHI that reaches a personal account is an impermissible disclosure.
6. Failure to Train Workforce on Email Policies
Under 45 CFR 164.530(b), covered entities must train all workforce members on HIPAA policies and procedures. If your staff does not know how to handle PHI in email, the inevitable violations are your organization’s responsibility. We offer HIPAA training programs designed specifically for small and mid-sized practices.
2026 Proposed Rule Changes Affecting Email Encryption
In December 2024, HHS published a Notice of Proposed Rulemaking (NPRM) that would substantially update the HIPAA Security Rule. The proposed changes would be the most significant revision to the Security Rule since it was first adopted. As of mid-2026, this rule has not been finalized, but organizations should be preparing now.
The key changes relevant to email:
Encryption Becomes Mandatory
The proposed rule eliminates the distinction between “required” and “addressable” implementation specifications. Encryption of ePHI in transit would become required, with only narrow, specific exceptions. The flexibility that currently allows organizations to justify not encrypting email would disappear. If finalized as proposed, every email containing ePHI must be encrypted.
Specified Encryption Standards
The NPRM specifies minimum encryption standards: AES-256 or equivalent for data at rest, and TLS 1.2 or higher for data in transit. Organizations still using TLS 1.0 or 1.1 would need to upgrade. Most modern email platforms already support TLS 1.2 and 1.3, but older systems and on-premises mail servers may not.
MFA Becomes Universally Required
The proposed rule would require multi-factor authentication for all information systems containing ePHI, with limited exceptions for legacy technology that cannot support MFA. Email systems are explicitly included. If your email platform does not have MFA enabled, the proposed rule would make that a clear violation. Read our full analysis: New HIPAA Security Rule Changes in 2026.
What This Means for Your Practice
The direction is clear, even though the rule is not final. Organizations relying on “addressable” documentation to avoid encrypting email should begin implementing encryption now. When the final rule is published, the compliance timeline may be tight. For a deeper look, see our guide: HIPAA Encryption Requirements in 2026.
Practical Setup Guide: Choosing an Email Encryption Solution for Small Practices
If you are a small practice, a specialty clinic, or a solo practitioner trying to get email right, here is a step-by-step approach.
Step 1: Determine Your Current State
Before selecting a solution, answer these questions:
- What email platform do you use?
- Do you have a signed BAA with your email provider?
- Is encryption enabled for outbound email?
- Is MFA enabled for all email accounts?
- Do you have email retention policies configured?
- Does your risk assessment address email?
If you answered “no” or “I don’t know” to any of these, you have work to do before evaluating encryption solutions.
Step 2: Sign a BAA With Your Email Platform
If your email provider does not offer a BAA (many budget hosting companies do not), switch to one that does. You cannot be HIPAA compliant without a BAA for any service that handles ePHI.
Step 3: Enable MFA on All Accounts
Non-negotiable. Enable MFA for every account with email access. Use authenticator apps or security keys. Avoid SMS-based MFA where possible, as it is vulnerable to SIM-swapping attacks.
Step 4: Choose Your Encryption Approach
You have three main paths:
Option A: Built-in platform encryption (lowest cost, moderate protection)
Configure Microsoft 365 OME or Google Workspace TLS enforcement. This provides encryption in transit but does not provide end-to-end encryption. Good for practices where most email recipients support TLS. Risk: messages to recipients without TLS support may fail to deliver or fall back to unencrypted delivery.
Option B: Add-on encryption service (moderate cost, strong protection)
Layer Paubox, Virtru, or a similar service on top of your existing platform. These handle encryption automatically, provide a BAA, and offer fallback mechanisms for recipients without TLS. This is the recommended approach for most small practices.
Option C: Standalone encrypted email platform (variable cost, strong protection)
Use Hushmail or a similar dedicated service as your primary email. Provides strong encryption and a BAA, but requires your team to learn a new interface. Best for practices starting fresh or with very small teams.
Step 5: Configure Email Policies
Regardless of which encryption solution you choose:
- Block auto-forwarding to external domains.
- Require encryption for all outbound messages containing PHI. Prefer automatic encryption over manual toggles.
- Create email templates for common PHI communications to ensure minimum necessary compliance.
- Set retention policies that meet HIPAA’s six-year requirement and your state’s medical record retention laws.
- Enable audit logging so you can track who sent what, when, and to whom.
Step 6: Train Your Workforce
Your encryption solution is only as good as the people using it. Train every person who touches email on:
- What PHI is and how to identify it
- Your organization’s email policies
- How to use the encryption tool
- What to do if they send PHI to the wrong recipient (report it immediately)
- Why they must never use personal email for work
- How to recognize phishing attempts
Document the training. Repeat it annually at minimum. Update it when your tools or policies change. Our HIPAA training programs cover email security as part of a comprehensive workforce education plan.
Step 7: Test and Verify
- Send test emails to external addresses and verify encryption is applied.
- Send to a domain without TLS support and confirm the fallback mechanism works.
- Review audit logs to confirm they capture what you need.
- Conduct a phishing simulation to gauge staff readiness.
- Update your risk assessment to document your email encryption implementation and residual risks.
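One way to carry out the first verification step (send a test email to an external mailbox you control, then check that every hop was encrypted) is to read the Received headers the receiving copy carries. This added Python example is not part of the original guide; it recognises the TLS annotations that common mail servers write into Received headers (`version=TLS1_2`, `using TLSv1.3`, and similar), and the two sample messages below are constructed with RFC 5737 test addresses and RFC 2606 example domains.

```python
import re
from email import message_from_string

# Matches the TLS version as common MTAs record it: "TLS1_3", "TLSv1.2", "TLS1.2".
# Cipher suite names such as TLS_AES_256_GCM_SHA384 do not match (no digit follows "TLS").
TLS_RE = re.compile(r"\bTLSv?\s*(1)[._](\d)\b")


def audit_hops(raw_message):
    """One record per Received header, oldest hop first.

    tls is "major.minor" when the hop recorded a TLS version, otherwise None,
    which covers both plain ESMTP hops and servers that simply do not log it.
    """
    msg = message_from_string(raw_message)
    hops = []
    for received in reversed(msg.get_all("Received", [])):   # headers are newest-first
        line = " ".join(received.split())                    # unfold continuation lines
        m_from = re.search(r"\bfrom\s+(\S+)", line)
        m_by = re.search(r"\bby\s+(\S+)", line)
        m_tls = TLS_RE.search(line)
        hops.append({
            "from": m_from.group(1) if m_from else "?",
            "by": m_by.group(1) if m_by else "?",
            "tls": f"{m_tls.group(1)}.{m_tls.group(2)}" if m_tls else None,
        })
    return hops


def _version_tuple(text):
    return tuple(int(n) for n in text.split("."))


def transit_verified(raw_message, minimum="1.2"):
    """True only if every recorded hop negotiated at least the minimum TLS version.

    Caveat: Received headers are written by the servers along the path and prove
    nothing about hops that did not record one; treat an unannotated hop as a failure
    to investigate, not as proof of plaintext.
    """
    hops = audit_hops(raw_message)
    floor = _version_tuple(minimum)
    return bool(hops) and all(
        h["tls"] is not None and _version_tuple(h["tls"]) >= floor for h in hops
    )


# Constructed test-message copies as they would arrive at an external mailbox.
GOOD_SAMPLE = """Received: from mx-out.clinic.example (mx-out.clinic.example [203.0.113.10])
        by mx.patient-mail.example with ESMTPS id abc123
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 3 Feb 2026 09:14:22 -0500
Received: from workstation.clinic.example ([198.51.100.7])
        by mx-out.clinic.example with ESMTPSA id def456
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits));
        Tue, 3 Feb 2026 09:14:20 -0500
Subject: TLS verification test

test body
"""
PLAINTEXT_HOP_SAMPLE = """Received: from mx-out.clinic.example (mx-out.clinic.example [203.0.113.10])
        by mx.legacy-partner.example with ESMTP id xyz789;
        Tue, 3 Feb 2026 09:20:01 -0500
Received: from workstation.clinic.example ([198.51.100.7])
        by mx-out.clinic.example with ESMTPSA id ghi012
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits));
        Tue, 3 Feb 2026 09:19:58 -0500
Subject: TLS verification test

test body
"""

if __name__ == "__main__":
    for label, sample in (("good", GOOD_SAMPLE), ("plaintext-hop", PLAINTEXT_HOP_SAMPLE)):
        print(label, transit_verified(sample), audit_hops(sample))
```

The same parser also tells you which hop to chase: in the second sample the last hop is the one that delivered in the clear, which is exactly the case enforced TLS or a portal fallback should have prevented.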
Step 8: Document Everything
HIPAA compliance is about proving you did the right thing. Document your encryption solution selection, BAAs with email and encryption vendors, email policies, workforce training records, risk assessment findings, and patient consent forms for unencrypted email. If OCR investigates, the first thing they ask for is documentation. If it is not documented, it did not happen.
Bringing It All Together
Emailing PHI is not inherently a HIPAA violation. But emailing PHI without the right protections is one of the fastest ways to end up in an enforcement action. Encrypt transmissions, limit what you send, train your workforce, document your decisions, and get a BAA from every vendor that touches ePHI.
The 2026 proposed rule changes are pushing the industry toward mandatory encryption. The safest move is to treat encryption as required today, regardless of whether the final rule has been published.
For practices that want help with email compliance, encryption vendor selection, or the upcoming rule changes, One Guy Consulting offers HIPAA consulting services for small and mid-sized healthcare organizations. We also provide HIPAA compliance packages for medical practices that include email security as a core component.
Get your email right. The cost of compliance is monthly subscription fees and training hours. The cost of non-compliance is six- and seven-figure settlements, corrective action plans, and broken patient trust.
This article is for informational purposes and does not constitute legal advice. Consult with a qualified HIPAA compliance professional or attorney for guidance specific to your organization.