
Six steps to HIPAA compliant email

If you are a covered entity, any email that carries protected health information (PHI) must be handled in a HIPAA compliant manner, both to protect the patient and to meet the HIPAA Security Rule's requirements.

Why it matters: According to the HHS breach report, over 125 email-related breaches were reported in 2024, and around 35% of those involved small practices. Without the proper security in place, you risk both a breach and a finding of non-compliance.

 

How to make your email HIPAA compliant

Follow these steps to be HIPAA compliant - we’ll dive into each step:

  1. Choose a HIPAA compliant email provider like Paubox
  2. Encrypt all emails containing PHI
  3. Sign a BAA with all vendors
  4. Put policies in place and train employees
  5. Set up automatic email archiving
  6. Get consent to send emails to patients

 

Choose a HIPAA compliant email provider

You need a HIPAA compliant email provider if you send any PHI outside your organization: appointment reminders or care instructions to patients, referrals to specialists, or correspondence with insurers. Remember that any identifiable patient information (even a patient name) must be sent in a HIPAA compliant manner.

If you use Google Workspace or Microsoft 365, you will need an additional layer such as Paubox Email Suite to be fully compliant. Both platforms protect PHI stored within their systems (Drive, Docs, Sheets, and so on), but out of the box they do not guarantee that every outgoing email is encrypted: transport encryption (TLS) between mail servers is negotiated per connection, and a message to a recipient whose server does not offer it is delivered in plaintext unless a policy blocks or reroutes it. Relying on the defaults is therefore not sufficient for sending PHI.

Paubox Email Suite is an add-on that ensures every email sent from your Google Workspace or Microsoft 365 account goes out encrypted, satisfying the transmission-security requirement for email without relying on the sender to do anything.

Read more: Google Workspace HIPAA compliance–what you need to know


 

Encrypt all emails containing PHI

Email is a convenient and effective way to communicate with patients and partners, but it is not inherently secure: a message handed between mail servers without TLS travels as plaintext. Err on the safe side and encrypt every email you send. Encryption protects outgoing email while in transit; what happens to the message once it lands in the recipient's mailbox is a separate question.

Some encryption services require that you click a button or type a special keyword in the subject line to send a message encrypted. These services leave room for human error: sooner or later someone in your organization will forget to tag an email that contains PHI, and that one message is a potential breach.

To be safe, use an encryption service like Paubox Email Suite that encrypts every outgoing email regardless of its contents. Encrypting by default removes the sender-side decision that causes those breaches.
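To make the transit point concrete, here is an added example (not Paubox code and not part of the original post) that reads a message's Received: headers and reports, hop by hop, whether the receiving mail server accepted it over TLS. The keywords follow RFC 3848: ESMTPS or ESMTPSA means the session was protected by STARTTLS, ESMTP or ESMTPA means plaintext; the script also recognises the "(version=TLS...)" note that some servers write instead. The hostnames, ids and headers in SAMPLE_MESSAGE are constructed. Only the Received lines added by servers you operate are trustworthy; anything below them was written on the sender's side and can be forged, so use this on your own inbound mail to audit whether your relays are enforcing TLS, not as proof about remote servers.

```python
"""Audit the Received: headers of an email to see which SMTP hops used TLS.

RFC 3848 defines the protocol keywords a receiving server writes after
"with":  SMTP / ESMTP / ESMTPA = plaintext session,
         ESMTPS / ESMTPSA       = session protected by STARTTLS.
Received headers are prepended as a message travels, so the last one in
the header block is the earliest hop.
"""
import re
from email import message_from_string

# Constructed sample (hostnames and ids are made up): the sender's server
# delivered to mx2 over TLS, but mx2 passed the message to the internal
# mailbox server in plaintext.
SAMPLE_MESSAGE = """\
Received: from mx2.example-clinic.test (mx2.example-clinic.test [192.0.2.20])
\tby inbox.example-clinic.test with ESMTP id abc123;
\tMon, 3 Mar 2025 09:12:01 -0500
Received: from mail.sender.test (mail.sender.test [198.51.100.7])
\tby mx2.example-clinic.test with ESMTPS id xyz789
\t(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);
\tMon, 3 Mar 2025 09:11:58 -0500
From: referrals@sender.test
To: intake@example-clinic.test
Subject: Referral

Patient referral attached.
"""

# Keywords that mean the session was NOT encrypted.
PLAINTEXT_KEYWORDS = {"SMTP", "ESMTP", "ESMTPA", "UTF8SMTP", "UTF8SMTPA", "LMTP"}


def classify_hop(received: str) -> dict:
    """Classify one Received: header value.

    Returns the from/by hostnames, the protocol keyword, and tls=True/False,
    or tls=None when the header does not say (e.g. "with HTTP" from webmail).
    """
    text = " ".join(received.split())          # unfold continuation lines
    frm = re.search(r"\bfrom\s+(\S+)", text)
    by = re.search(r"\bby\s+(\S+)", text)
    proto = re.search(r"\bwith\s+([A-Za-z0-9]+)", text)
    keyword = proto.group(1).upper() if proto else None

    if keyword is None:
        tls = None
    elif "SMTPS" in keyword or "version=TLS" in text:
        tls = True     # ESMTPS/ESMTPSA, or an explicit "(version=TLS1_2 ...)" note
    elif keyword in PLAINTEXT_KEYWORDS:
        tls = False    # accepted without STARTTLS
    else:
        tls = None     # vendor-specific keyword carrying no TLS information
    return {
        "from": frm.group(1) if frm else None,
        "by": by.group(1) if by else None,
        "protocol": keyword,
        "tls": tls,
    }


def audit_transport(message_text: str) -> list:
    """One record per hop, in the order the message travelled (earliest first)."""
    msg = message_from_string(message_text)
    received = msg.get_all("Received") or []
    return [classify_hop(str(h)) for h in reversed(received)]


def plaintext_hops(message_text: str) -> list:
    """Names of the receiving servers that accepted the message without TLS."""
    return [hop["by"] for hop in audit_transport(message_text) if hop["tls"] is False]


if __name__ == "__main__":
    for hop in audit_transport(SAMPLE_MESSAGE):
        state = {True: "TLS", False: "PLAINTEXT", None: "unknown"}[hop["tls"]]
        print(f"{hop['from']} -> {hop['by']} via {hop['protocol']}: {state}")
    print("plaintext hops:", plaintext_hops(SAMPLE_MESSAGE))
```

On the sample the sender-to-mx2 hop is reported as TLS and the mx2-to-inbox hop as plaintext, which is exactly the kind of internal gap an enforced-encryption policy is meant to close. Run it over a day's worth of inbound mail from your own servers and any hop listed by plaintext_hops is a relay to fix.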

Read more: HIPAA compliant email–the definitive guide

 

Sign a BAA with all vendors

HIPAA requires covered entities to have a signed business associate agreement (BAA) with any third-party service that creates, receives, maintains or transmits PHI on their behalf. Before adopting any service, confirm that the vendor will sign a BAA.

Note that the free consumer versions of these services (@gmail.com, @outlook.com or @hotmail.com addresses) do not come with a BAA. You need a paid business subscription, Google Workspace or Microsoft 365, to obtain one.

 

Put policies in place and train employees

Whatever the size of your organization, have a written policy on how email communication is handled. Topics it should cover:

  • How patient data is stored and who has access to it
  • How patient data may be shared: by email, by other digital channels, verbally, and on paper
  • The types of patient information that can be shared
  • Device security and the use of personal email accounts
  • How to report and respond to a privacy breach

Review these policies with all employees on an annual basis.

Read more: HIPAA compliant email in cybersecurity training

 

Set up automatic email archiving

To abide by HIPAA, keep an archive of every email containing PHI for at least six years (state record-retention laws may require longer). You will need to produce these messages in an audit or when a patient requests copies of records that were sent by email.

Paubox Email Suite Premium archiving services will automatically save all emails and attachments securely, even if those emails are deleted from your email platform. 

 

Get consent to send email to patients

Lastly, make sure you have each patient's consent before sending PHI by email. A consent form can be added to your new patient intake paperwork. Patients should be told about the risks of email communication, and this is also a good moment to explain the encryption you have in place to protect their data.

 

The bottom line

Almost all healthcare organizations will need a HIPAA compliant email solution, whether you're sending emails to patients, partners, or agencies. Using a solution like Paubox Email Suite with Google Workspace or Microsoft 365 ensures that every email is sent encrypted, every time. 

 
