Can Hotmail Be Considered as HIPAA Compliant?


Hotmail cannot be considered HIPAA compliant for sending or receiving emails containing PHI unless a user’s Hotmail account is connected to a Microsoft 365 or Office 365 Enterprise account that supports HIPAA compliance and is configured to comply with the Security Rule. However, it is permissible to send emails to a Hotmail account if an individual has requested “confidential” communications via Hotmail. Hotmail was retired by Microsoft in 2012 and rebranded as Outlook. Hotmail users were allowed to keep their Hotmail email addresses and can continue to use their accounts via the Outlook extension, the Outlook app, or an email platform such as Thunderbird. However, neither the free version of Hotmail nor the free version of Outlook contains the security and administrative controls required to be considered HIPAA compliant.

This means it is not permissible for HIPAA covered entities or business associates to create, receive, maintain, or transmit Protected Health Information (PHI) using a free version of the email service. In order for Hotmail to be considered HIPAA compliant, the account has to be connected to a Microsoft 365 or Outlook 365 account that supports HIPAA compliance. Covered entities and business associates must also agree to the terms of Microsoft’s BAA.

In addition to connecting a Hotmail account to an appropriate Microsoft 365 or Outlook 365 account, the Microsoft 365 or Outlook 365 account has to be configured to support HIPAA compliance. The process for configuring “in-scope” services to support HIPAA compliance varies depending on which services are being used with Hotmail/Outlook, but Microsoft provides plenty of help in the community and support areas of its website.

Sending PHI to a Free Hotmail Account

Although it is not possible for covered entities to create, receive, maintain, or transmit PHI using a free Hotmail account, there is a scenario in which it is permissible to send PHI to a free Hotmail account. This scenario exists when an individual (i.e., patient or plan member) exercises their right to request confidential communications under §164.522(b) of the Privacy Rule. As this is a “reasonable request”, it should be accommodated by covered entities.

If the request is agreed to, it is a best practice to advise the individual of the risks of receiving PHI in unencrypted emails and document the warning. Further best practices when sending PHI to a free Hotmail account include verifying the recipient’s email address before sending communications containing PHI, not writing PHI in the subject line of an email, and ensuring disclosures of PHI are kept to the minimum necessary to fulfil the purpose of the email.



Due to the decreasing number of Hotmail accounts in existence, this scenario will become less likely over time. However, it is important for workforce members to receive HIPAA training on the procedures and best practices for sending unencrypted PHI in emails to comply with individuals’ requests, because of the number of alternative free email services that exist (e.g., Outlook, Gmail, Yahoo, etc.). Organizations that require help with the provision of training should seek professional HIPAA compliance advice.

About Daniel Lopez
Daniel Lopez is a HIPAA trainer, passionately committed to enhancing healthcare data protection and privacy standards. As a recognized expert in HIPAA compliance, he holds the role of HIPAA specialist at The HIPAA Guide. Holding a degree in Health Information Management, complemented by certifications in data privacy and security, Daniel's academic and professional credentials are a testament to his expertise. His approach to training is both engaging and educational, catering to a range of professional needs in the healthcare sector. For further information or to benefit from his expertise, Daniel is reachable through or