HIPAA Email Rules

The HIPAA email rules govern when it is permissible to send Protected Health Information (PHI) by email and what safeguards need to be in place to ensure the confidentiality, integrity, and availability of PHI at rest and in transit. In addition to the HIPAA email rules, healthcare providers must also be aware of state legislation governing data privacy.

Because there is no one single section of the HIPAA Administrative Simplification Regulations that stipulates the requirements for HIPAA compliant email, the “HIPAA email rules” is an umbrella term covering the relevant standards and implementation specifications of the General Provisions (*) and the Privacy, Security, and Breach Notification Rules.

(*) The purpose of mentioning the General Provisions (Part 160 Subpart A) is to highlight that HIPAA only applies to healthcare providers that qualify as HIPAA covered entities or that provide a service to or on behalf of covered entities as a business associate. A healthcare provider that (for example) bills clients directly is not required to comply with the HIPAA email rules.

Part 160 also includes a Subpart (Subpart B) relating to the preemption of state law. This Subpart of the General Provisions is relevant to any discussion about the application of HIPAA because it states HIPAA preempts state law unless a provision of state law offers greater protection to personal data than HIPAA or provides individuals with more privacy rights. Examples of when state law preempts the HIPAA email rules are provided later in this article.

Privacy Rule HIPAA Compliance for Email

Many sources discussing the HIPAA email rules tend to concentrate on the Security Rule standards for HIPAA compliant email and overlook Privacy Rule HIPAA compliance for email. Although it is important to understand the Security Rule standards for HIPAA compliant email, it is equally important to know when the HIPAA email rules apply.

What is Protected Health Information?

One of the first considerations for determining when the HIPAA email rules apply is whether an email or an attachment to an email contains Protected Health Information (PHI). If an email or an attachment to an email does not contain PHI (i.e., it does not contain individually identifiable health information), the HIPAA email rules do not apply.


Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

Permissible Disclosures of PHI

The next consideration is whether a disclosure of PHI in an email is a permissible disclosure. Permissible disclosures are limited to when PHI is requested by HHS’ Office for Civil Rights, when PHI is required for treatment, payment, and healthcare operations, and when disclosures are allowed under §164.512 of the Privacy Rule or to a business associate.

Business Associate Agreements

Before a disclosure is permitted to a business associate, it is necessary for a Business Associate Agreement to be in place between the healthcare provider and the business associate. The Business Associate Agreement stipulates the terms under which PHI is disclosed to the business associate and the obligations of the healthcare provider to the business associate.

Patients’ Rights Considerations

In addition to the above, patients have the right to request copies of their PHI, an accounting of disclosures, confidential communications, and a Notice of Privacy Practices by email – not necessarily secured email. Patients also have the right to authorize disclosures of PHI not permitted by the Privacy Rule, which can also be communicated by unsecured email.

Security Rule Safeguards for HIPAA Compliant Email

The Security Rule safeguards for HIPAA compliant email vary depending on whether a provider hosts its email server on-premises (in which case the Physical Safeguards are more significant), or subscribes to a HIPAA compliant hosted email service such as Google Workspace or Proton Mail (in which case the service provider is responsible for most of the Physical Safeguards) .

In all cases, it is important to be aware that  the Security Rule safeguards for HIPAA compliant email are not limited to the Administrative, Physical, and Technical Safeguards. This is because the General Rules of the Security Rule (§164.306) include a standard that requires a covered entity or business associate to:

  • Ensure the confidentiality, integrity, and availability of all PHI created, received, maintained, or transmitted.
  • Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
  • Protect against any reasonably anticipated uses or disclosures that are not permitted or required by the Privacy Rule.
  • Ensure compliance with this subpart [the Security Rule] by its workforce.

While it is important the standards relating to access controls, audit controls, and integrity controls are implemented, the language of §164.306 implies that if potential threats, hazards, and impermissible disclosures are identified in a HIPAA risk assessment, measures beyond those required by  Administrative, Physical, and Technical Safeguards must be implemented.

For example, the Technical Safeguards do not require the implementation of software to protect against phishing attacks. However, if workforce susceptibility to phishing emails is identified in a risk assessment, it will be necessary to implement an anti-phishing solution. Similarly, if malicious insiders are identified as reasonably anticipated threats, it may be necessary to implement a HIPAA compliant email service with DLP capabilities.

The HIPAA Email Encryption Requirements

The HIPAA email encryption requirements vary depending on whether an email server is hosted on-premises or by a service provider acting as a business associate. In the former scenario, the responsibility for PHI at rest (i.e., in an inbox) belongs to the healthcare provider. In the latter scenario, the responsibility belongs to the business associate.

In both scenarios, there are no minimum requirements for HIPAA compliant email encryption. However, HHS’ Office of Civil Rights recommends healthcare providers and business associates are guided by the National Institutes of Standards and Technology (NIST) – whose current minimum encryption standards for PHI at rest is AES-128.

With regards to PHI in transit, the responsibility for encryption can depend on a number of factors. For example, a healthcare provider might host an email server on premises, but the email service could still be provided by a business associate (i.e., Exchange Server 2019), or the email service could be provided via an intermediary such as a Managed Service Provider.

In cases where a choice of HIPAA compliant encryption options exist, healthcare providers can often choose between TLS (which encrypts the connection between senders and recipients), S/MIME (which encrypts the content of each email), or a proprietary protocol which works similar to TLS, but which overcomes issues of server compatibility and email deliverability.

The HIPAA Email Requirements for Breach Notifications

Despite it appearing logical to notify individuals of a data breach as quickly as possible after the discovery of a breach, the HIPAA email requirements for breach notifications are that individuals can only be notified of data breaches by email “if the individual agrees to [an] electronic notice and such agreement has not been withdrawn” (§164.404).

If consent has not been given to receive breach notifications by email, individuals must be notified of a data breach by first class mail  even though no PHI is disclosed in breach notifications. Healthcare providers are only required to notify individuals of the type(s) of information that has been breached and the steps individuals should take to protect themselves from potential harm resulting from the breach.

However, breach notifications can be potentially sensitive if – for example – a patient is attending a clinic for SAD treatment that partners with access to the patient’s email account  are not aware of. Therefore, it is not safe to assume that because a patient has given their consent (or requested) to receive – for example – appointment reminders by email, the patient also wishes to receive breach notifications by email.

Training the Workforce on HIPAA Email Policy

When PHI must be disclosed through email it is recommended healthcare providers develop a HIPAA email policy. The HIPAA email policy should be consistent with the organization’s existing policies on permissible disclosures of PHI and patients’  rights, and reinforce standards such as patient authorizations and the minimum necessary rule.

Workforce training on HIPAA email policy can either be combined with regular (or refresher) HIPAA training or provided alongside security awareness training. However, it is important that the training is documented and that workforce members are given a copy of the training document(s) and the sanctions policy for violating the organization’s HIPAA email policy.

When Do State Laws Preempt the HIPAA Email Rules?

It was mentioned previously that HIPAA preempts state laws unless a provision of a state law offers greater protection to personal data than HIPAA or provides individuals with more privacy rights. This section of the HIPAA Administrative Simplification Regulations was last updated in 2002, since when multiple states have passed privacy legislation – some of which have provisions that preempt the HIPAA email rules.

Historically – according to HHS guidance published in 2008 – healthcare providers could assume that, if a patient initiates contact by unencrypted email, it is permissible for a healthcare provider to reply to the patient via unencrypted email and continue to communicate with the patient via the same channel of communication unless instructed otherwise.

However, a number of states have recently introduced or extended their privacy laws to include an “affirmative opt-in” requirement for individuals’ email addresses. This means that covered entities can continue to follow HHS guidance only if the individual is not a resident of a state in which greater protection to personal data exists (regardless of where the healthcare provider is located or where the individual was at the time contact was made).

Some state privacy laws (i.e., CCPA, Texas HB 301, etc.) exempt HIPAA covered entities – and sometimes business associates – or do not apply the provisions of the law to individually identifiable health information protected by the Privacy Rule. But not all states have the same exemptions. If you are in any doubt that your organization may not be in compliance with the HIPAA emails rules or a state law that preempts the HIPAA email rules, you are advised to seek professional compliance advice.

HIPAA Email Rules: FAQ

Can PHI be sent via email?

PHI can be sent via email provided the disclosure is permitted by the Privacy Rule, safeguards are implemented to comply with the Security Rule, and – if the email service is provided by a third party – that a Business Associate Agreement exists with the third party.

How can emails lead to HIPAA violations?

Emails can lead to HIPAA violations if they are sent to unauthorized persons, if PHI is disclosed in the email impermissibly, or if an individual is contacted by email after requesting confidential communications via a different channel of communication.

Are business associate agreements needed to use emails in a healthcare setting?

Business Associate Agreements are needed to use emails in a healthcare setting if the email service is provided by a third party service provider and the email service is going to be used to send, receive, or store emails containing Protected Health Information.

What encryption standards are necessary for emails to be HIPAA compliant?

The encryption standards necessary for emails to be HIPAA compliant are a minimum of Advanced Encryption Standard (AES)128 for PHI at rest and Transport Layer Socket (TLS) for data in transit. Although S/MIME is a suitable alternative for TLS, the protocol has a significant management overhead.

Why does the HIPAA Security Rule not require emails to be encrypted?

The HIPAA Security Rule does not require emails to be encrypted, but makes it an addressable implementation specification, because alternative technologies exist (i.e., key-agreement algorithms) that can be equally as effective as encryption for protecting PHI at rest and in transit.

What is the difference between PHI and ePHI?

The difference between PHI and ePHI is that PHI stands for Protected Health Information, which is any individually identifiable health information created, received, stored, or transmitted by a covered entity or business associate in any format, whereas ePHI is electronic PHI, i.e. PHI created, received, stored, or transmitted electronically.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/