๐ Key Takeaways
- HIPAA names no product; it defines standards, and encryption is treated as effectively required.
- Every vendor touching PHI is a business associate and must sign a BAA before a single message flows.
- Unique user IDs and audit logs are required; shared clinic mailboxes fail the Security Rule.
- Retention runs six years for policy docs, and state medical-record laws can stretch it much further.
- HIPAA email disclaimers help policy, but they never turn an unencrypted send into a compliant one.
HIPAA email requirements are a specific subset of the HIPAA Security Rule, and they apply the moment a covered entity or business associate uses email to transmit protected health information. The requirements cover encryption, access controls, audit logging, retention, and vendor agreements.
The rule does not name a product. It defines standards, and any email system used with PHI must satisfy those standards. For most covered entities that means running encrypted email through a vendor that has signed a Business Associate Agreement and configured technical safeguards to match the rule.
This article walks through each requirement, how the Office for Civil Rights interprets it in practice, and where the 2025 proposed Security Rule updates change the picture. It also flags the common configuration gaps that produce breaches.
The Security Rule sets the technical baseline for email
The HIPAA Security Rule at 45 CFR Part 164 Subpart C defines the standards that govern electronic PHI. Email systems that carry ePHI fall under the same standards as any other electronic system. That includes access controls, audit controls, integrity controls, person or entity authentication, and transmission security.
Transmission security at 164.312(e) is the section that most directly governs email. It requires the covered entity to implement technical measures to guard against unauthorized access to ePHI during transmission over an electronic communications network. Encryption is listed as an addressable implementation specification under this standard.
Addressable does not mean optional. It means the covered entity must implement the specification, document why it is not reasonable and appropriate, or implement an equivalent alternative. HHS guidance and enforcement history make clear that for external email carrying PHI, no equivalent alternative to encryption exists in practical terms.
The 2025 proposed Security Rule updates from HHS remove much of the addressable versus required distinction. Under the proposed rule, encryption of ePHI at rest and in transit becomes a required specification, along with multifactor authentication and network segmentation.
A Business Associate Agreement is not optional
Any vendor that creates, receives, maintains, or transmits PHI on behalf of a covered entity qualifies as a business associate. Email service providers meet this definition the moment PHI flows through their infrastructure. A signed BAA is required before any PHI moves through the vendor system.
The BAA must satisfy the requirements at 45 CFR 164.504(e). It has to specify the permitted uses and disclosures of PHI, require the business associate to implement safeguards, mandate reporting of breaches, and grant the covered entity access to the information for compliance purposes.
Consumer email accounts do not include a BAA. Free Gmail, standard iCloud Mail, and consumer Outlook.com accounts all fall into this category. GoDaddy Professional Email product excludes HIPAA-regulated data in its terms of service. Google Workspace and Microsoft 365 offer BAAs on paid business tiers, but the covered entity has to accept the agreement in the admin console.
A signed BAA is a necessary but not sufficient condition. The vendor still has to have the technical safeguards in place, and the covered entity still has to configure them correctly on its own tenant.

Encryption in transit is the controlling email safeguard
Email travels between mail servers using SMTP, and the SMTP session can be secured with TLS. Opportunistic TLS is the standard, but opportunistic means the session falls back to plaintext if the receiving server does not support it. For HIPAA email, opportunistic TLS alone is insufficient because the sender cannot guarantee the message was encrypted end to end.
Enforced TLS with the specific recipient domain closes this gap. The sending server refuses to deliver the message unless the receiving server accepts a TLS 1.2 or higher session. If TLS negotiation fails, the message queues or bounces rather than sending in plaintext.
Where enforced TLS is not possible with an external recipient, portal-based encryption is the fallback. The message body stays on the sending server, and the recipient receives a notification with a link to authenticate and view the message in a secure browser session. This is the standard model for HIPAA-compliant email to patients.
Client-side encryption using S/MIME or PGP satisfies the encryption requirement but creates operational friction. Every recipient needs a certificate or key pair, and lost keys mean lost access to historical messages. Most healthcare organizations use TLS plus portal delivery instead.
Access controls require unique accounts and strong authentication
The Security Rule requires unique user identification at 164.312(a)(2)(i). Every person who accesses PHI must have a distinct account tied to a real identity. Shared clinic mailboxes with a single password used by three front-desk staff violate this requirement even if the mailbox is otherwise properly configured.
Where a shared inbox is operationally necessary, delegated access is the compliant pattern. Each staff member logs in with their own account and is granted read or send-as permission to the shared address. Audit logs then attribute each action to the individual user rather than to a shared credential.
Password requirements are addressable, but weak passwords are treated as a control failure in OCR audits. Length of at least twelve characters, complexity, and rotation on a documented schedule are the practical baseline. The 2025 proposed Security Rule updates would make multifactor authentication a required specification for all systems handling ePHI.
Automatic logoff is another addressable specification. Mail clients configured to lock or sign out after a defined idle period reduce the risk that an unattended workstation exposes PHI to a walk-up visitor.
Audit controls must record who accessed what and when
Audit controls at 164.312(b) require the covered entity to implement hardware, software, or procedural mechanisms that record and examine activity in information systems containing ePHI. For email, this means capturing authentication events, message sends and receives, and mailbox access.
Google Workspace and Microsoft 365 both provide audit log retention on business and enterprise tiers, but the default retention windows vary by license level. A HIPAA compliance program has to check the retention window against the six-year policy documentation requirement and extend it where the license allows.
Log review is a separate requirement. Recording events without reviewing them does not satisfy the audit control standard. A designated security official should sample logs on a documented schedule and investigate anomalies, and the review activity itself needs to be logged.
Dedicated HIPAA email platforms include audit logging as a built-in feature and typically retain logs for the full six-year window without additional configuration. That reduces the operational burden on smaller practices without in-house security staff.
Retention and archiving cover a longer window than most think
HIPAA at 45 CFR 164.316(b)(2) requires that policies, procedures, and related documentation be retained for six years from the date of creation or the date they were last in effect. This is the HIPAA-specific retention window and applies to compliance documentation, risk assessments, training records, and related material.
Individual patient emails that form part of the designated record set are subject to state medical record retention laws. These laws vary widely. New York requires six years from the last patient contact. Texas requires seven years or until a minor patient turns twenty. California requires seven years for adult records. State law prevails where it is more restrictive.
Deleting email at the mailbox level does not remove it from a compliant archive. Journaling captures every message at the transport layer, before any mailbox-level action, and preserves the record for the full retention window.

Workforce training closes the human gap
The Administrative Safeguards at 164.308(a)(5) require security awareness and training for all workforce members, including management. Email is the single largest vector for both accidental disclosure and phishing, which makes email-specific training a required part of any HIPAA program.
Training should cover the identification of PHI, the correct procedure for sending PHI to internal and external recipients, the use of the encryption trigger or button in the mail client, phishing recognition, and the process for reporting a suspected breach or misdirected message.
Documented training records support the compliance program. Annual training with a signed acknowledgment is the standard pattern. Additional training after a policy change or a security incident is expected practice.
The security posture of a healthcare organization extends beyond email to the website, patient portal, and any third-party form that collects PHI. Training that covers only email leaves gaps that OCR audits routinely surface.
Patient consent and the marketing rules apply to email
Treatment, payment, and healthcare operations communications with a patient do not require additional authorization under the Privacy Rule. Appointment reminders, test results, and billing statements sent to a patient email address fall into this category and do not need a separate consent form beyond the general Notice of Privacy Practices.
Marketing communications are different. Under 45 CFR 164.508(a)(3), any communication about a product or service that encourages the recipient to purchase or use it generally requires prior written authorization from the patient, unless it fits a narrow face-to-face or promotional-gift exception.
Patient portal newsletters that discuss third-party products, pharmaceutical company communications relayed through the practice, and referral incentive programs all typically require authorization. The authorization must be specific about what will be sent, from whom, and how the patient can revoke consent.
Practices that operate a general marketing newsletter should segment the marketing list from the clinical patient list and manage it through a separate opted-in platform rather than the clinical email system.
Signature blocks and disclaimers support the program
A HIPAA email signature block is not required by the rule itself, but it is standard practice for any covered entity. The signature identifies the sender, the covered entity, contact information, and a confidentiality notice that states the message may contain PHI protected by federal law.
The confidentiality notice typically instructs unintended recipients to delete the message and notify the sender. It documents the sender expectation of confidentiality and supports the practice policy framework in the event of a misdirected message. The notice does not, on its own, create compliance.
Key elements of a defensible signature block:
- Sender name, title, and covered entity name
- Direct phone and secure email contact
- Notice that the message may contain PHI protected under HIPAA
- Instruction for unintended recipients to delete and notify
- Reference to the practice Notice of Privacy Practices
Every external message benefits from encryption regardless of whether a disclaimer is present. No disclaimer language converts an unencrypted transmission into a compliant one.
Breach notification obligations follow email incidents
The Breach Notification Rule at 45 CFR Part 164 Subpart D applies when unsecured PHI is impermissibly used or disclosed. Unsecured PHI is PHI that has not been encrypted to the standard specified by HHS guidance, which for data in transit means TLS 1.2 or higher using FIPS-validated cryptographic modules.
A misdirected unencrypted email containing PHI is a reportable breach unless the covered entity can demonstrate a low probability that the PHI was compromised, based on the four-factor risk assessment in the rule. The factors include the nature of the PHI, the recipient, whether the PHI was actually viewed, and the extent to which the risk was mitigated.
Notification to the affected patient must occur within sixty days of discovery. Breaches affecting five hundred or more individuals also require prompt notification to HHS and to prominent media outlets in the affected state. Breaches affecting fewer than five hundred are logged and reported to HHS annually.
Encryption of the transmitted message removes the incident from the definition of a breach because encrypted PHI is not unsecured under the safe harbor at 164.402. This is the practical reason encryption is treated as the operational baseline even though the rule text calls it addressable.
The 2025 Security Rule updates raise the technical bar
HHS published a Notice of Proposed Rulemaking for the Security Rule in December 2024, with comments closing in March 2025. The proposed updates are the most significant revision to the Security Rule since 2013, and they change how covered entities need to think about email safeguards.
Key changes affecting email compliance under the proposed rule:
- Encryption of ePHI at rest and in transit becomes a required specification rather than addressable
- Multifactor authentication becomes required for all systems accessing ePHI
- Anti-malware protection becomes required rather than addressable
- Vulnerability scanning every six months and penetration testing annually become required
- Written network segmentation policies become required
- Contingency planning includes a mandatory 72-hour restoration target for critical systems
For email specifically, the required encryption and required MFA changes push consumer-grade configurations out of scope. Practices still relying on ad hoc opportunistic TLS with weak password-only authentication have limited time to migrate. A dedicated secure email service that includes a BAA in the base plan, TLS enforcement, and MFA by default removes the largest gaps. See sibling coverage at hipaa-compliant email security for platform-level considerations.
Guidance from the HHS Office for Civil Rights and the NIST Privacy Framework track the direction of enforcement. The HIPAA Journal reference on email rules is a useful summary of enforcement history for anyone building or auditing a program. Related organizational coverage is available at Redefine Web healthcare marketing hub for practices that need help aligning email, website, and patient acquisition under one compliance framework, and additional detail on core email obligations is available at hipaa email and hipaa email rules.