1 min read

What are HIPAA email encryption requirements?

Rick Kuwahara June 1, 2022

HIPAA compliant email
Business professional on phone at desk with laptop

HIPAA email encryption requirements can be confusing because of the lack of clear instruction that leaves the rules open to interpretation. As a result, some question whether email encryption is truly a HIPAA requirement.

For example, the encryption requirements around Protected Health Information (PHI) are called “addressable” in the security rule. HIPAA encryption requirements for transmission state that covered entities should encrypt PHI “whenever deemed appropriate.”

 

What are HIPAA email encryption requirements?

HIPAA encryption requirements are specified by two main terms, “required” and “addressable.”  Those labeled “required” must be put in place or it’s considered a failure to comply with HIPAA. Those that are called “addressable” only have to be implemented after a risk assessment has determined that encryption is needed for managing risks to PHI.  You must document your reasoning behind that decision.

In addition, implement an equivalent solution to safeguard PHI if your organization determines that encryption is not appropriate. Since there is not an appropriate alternative for protecting PHI other than encryption, it’s effectively required.

Not using encryption is risky for your patient’s information and your organization. 

 

Understanding HIPAA email encryption

The Department of Health and Human Services (HHS) wants to allow organizations to select the best solution for their individual needs.  HHS realizes they can't demand covered entities use specific security technologies because of the constant need to stay current. 

This doesn’t mean that encryption can be overlooked, only that an organization has to document a reason why action hasn’t been taken.

Plus, an alternative method must be used and its details made available to the Office for Civil Rights (OCR) in the case of an audit. 

 

HIPAA email security and encryption requirements

HIPAA encryption requirements apply to every part of an organization’s IT system, including cloud servers and smartphones.  The increased use of mobile devices in the work environment make it more complicated to comply with the encryption requirements. So, it is a challenge to include safeguarding PHI both at rest and in transit. 

 
Secure every email you send and receive HIPAA compliant. Threat-proof. Hassle-free.
Image of someone typing on a laptop.

Can therapists email clients? What HIPAA says

Picture of Tshedimoso Makhene Tshedimoso Makhene : December 25, 2025

Therapists are increasingly relying on electronic communication to coordinate care, share resources, and stay connected with clients between...

HIPAA compliant email
Read More
White padlock icon with keyhole on digital wave background

Better safe than sorry: why email encryption is a must for healthcare

Picture of Kapua Iao Kapua Iao : July 26, 2021

Email encryption is an essential element of any layered approach to healthcare cybersecurity for two reasons. First, to ensure HIPAA compliance. And...

HIPAA compliant email
Read More
Digital lock icons connected by glowing lines on a blue digital grid background

The HIPAA security rule and encryption in dental practice

Picture of Liyanda Tembani Liyanda Tembani : June 23, 2023

Dental practices, as covered entities, must adhere to regulations that safeguard patient data. Encryption can help dental offices comply with the...

HIPAA compliant email
Read More

Subscribe to Paubox Weekly

Every Friday we bring you the most important news from Paubox. Our aim is to make you smarter, faster.