

HIPAA compliance and email: What you need to know

HIPAA compliance isn’t easy. It involves understanding the law and knowing how it applies to you. To avoid potential data breaches that could result in costly fines, here’s how to safely email patient health information.



HIPAA is all about protecting and securing patient information. Even if you don’t send marketing emails, you’ll still send transactional and informational emails to patients. 

As with many government regulations, it’s often easier to write laws than to explain and enforce them. HIPAA, passed originally in 1996, is no different, and that includes email compliance.

Over the years, HIPAA, the Health Insurance Portability and Accountability Act, has been updated and clarified as email and other technology advanced. And fines have increased, too. If you could turn HIPAA fines into a business, you’d be a multi-millionaire. Here’s a list of fines from the last few years that might get your attention.

To be clear, that list pertains to all HIPAA fines and violations, and HIPAA email compliance is only one aspect that healthcare organizations need to worry about in their overall compliance strategy. 

But it’s a major one, because email is an essential method of communication, and HIPAA is all about protecting and securing patient information. Even if you don’t send marketing emails, you’ll still send transactional and informational emails to patients, vendors, doctors, and others, and these all include personal health information.

What is HIPAA compliance?

In short, HIPAA compliance means that you’ll do everything in your power to prevent the disclosure of personal health information (PHI).

HIPAA is broken down into several categories. There’s a HIPAA privacy rule, a cybersecurity rule, a data breach notification rule, an enforcement rule, and several others. Here’s the official government page for all the main HIPAA rules. 

One of the most common causes of HIPAA trouble is violating the minimum necessary rule, which falls under the privacy rule. It means employees should only work with the minimum amount of PHI to complete a certain task.

In other words, do not collect or use more PHI than you will necessarily need. If data gets exposed and it’s found this rule wasn’t followed, you can be fined.

What are some examples of personal health information?

Well, PHI includes some pretty basic stuff, like names and contact information (including email addresses), as well as medical, financial, and facial information. And of course, Social Security numbers. The idea is to prevent an unauthorized person from accessing private medical data and linking it to a specific individual.

Two types of organizations must comply with HIPAA requirements for all their email and other communications and record-keeping:

  • Covered entities: Healthcare providers and businesses that deal directly with patients, including insurance companies.

  • Business associates: Companies that encounter PHI as part of doing business with a covered entity. Business associates include email service providers like Mailgun by Pathwire, as well as cloud storage companies, billing companies, and many others that process PHI. 

HIPAA compliance requires annual self-audits, employee training, documentation of everything you do to be compliant, processes for handling data breaches, and more.

We’ll get to the specifics of how to comply with HIPAA in your email communications in just a bit.

Why HIPAA compliance is important in healthcare emails

First, there’s the obvious – you don’t want to get fined. Exposing patient information – even inadvertently – will get you in hot water if it’s reasonably determined that you could have done more to prevent it from happening.

The other primary reason why email HIPAA compliance is so important is because people have a basic right to privacy. As a business working with patients, protecting their privacy is part of your service. It comes with the trust they put in you. 

And there are a lot of threats to that privacy today, especially in the online world. 

When you send out an email, there are four points of contact between you and the intended recipient. There’s the software you use to send the email, the actual transmission of the email, the receipt of that email by the person you send it to, and the storage of that email on their end. 

You can’t do much about the recipient’s end, and HIPAA doesn’t require you to. But you must do everything in your power to protect their sensitive information on your end, including when the email is in transit.

Medical data is a hot target for identity thieves, which is one reason there have been so many hospitals victimized by cyberattacks in recent years. 

Sadly though, it’s not villains and miscreants who are to blame for most violations. The primary culprit in most HIPAA violations is human error, like sending an email with PHI to the wrong email address. 

HIPAA was designed to make it easier for certain medical professionals to safely share information with other professionals who might be treating the same patient. There used to be a lot of red tape in the way, which put patient safety at risk by delaying treatments. So, once HIPAA compliant communication systems are in place, healthcare providers can confidently communicate with other providers about a patient and know they’re in compliance, protecting patient privacy.


Key steps to ensure HIPAA compliance in email communications

Okay, you made it this far. Here are the nuts and bolts of email HIPAA compliance. 

1. Make sure emails are encrypted

Emails must have end-to-end encryption, not just when the email is in transit. This means that however you’re storing email records of past communications also needs to be encrypted. The easiest way to do this is to use email service providers and storage technology that encrypts everything by default. 

If you have to manually encrypt the email each time you send it, you invite human error into the mix (not to mention the time each manual maneuver takes).

2. Specify who has access to patient data

Who within your team needs to access PHI so they can send communications about a patient? You need to make sure that only the staff who require access actually have it. Whoever sends email communications to patients would obviously need access to PHI, unless you’re using a secure portal, which we’ll discuss in a moment.

3. Specify when it’s okay to send PHI via email, and to whom

In what situations might you need to send patient information via email? It’s not just to the patient. It could also be as a reply to an email from the patient. You might also send emails with PHI to other doctors, insurance companies, billing companies, and more. And you’ll send emails within your own office between staff members. 

Email HIPAA compliance addresses each of these scenarios. Here are some more email security recommendations.

4. Back up all email communications

If anyone needs access to patient history and communications, you need to be able to provide it. So you need secure storage technology that stores and also protects that information. Anyone from lawyers, to insurance companies, to government auditors, to other doctors may need this information, besides just the patient. 

But make sure you also document all the steps you take to securely store PHI, including email communications. You may want to contract with a third-party email archiving service. 

5. Get patient consent to receive emails

Patients must give written authorization that they agree to receive emails from you that may contain their personal medical information. When you ask for this consent, you must also inform them that their email client, such as Google, Yahoo, or Microsoft Outlook, may not be secure. 

If they prefer not to give such authorization, you must be able to offer another secure option for communicating with them. A common solution is a secure online portal with its own password and account. In that case, your email communications with that patient would consist of little more than notifications telling them when they have a new secure message, and to log in to their portal account. 

6. Use the right software

This one is critical. Popular mailbox providers like Gmail and Yahoo, as well as web-based email services such as those offered by Bluehost and GoDaddy, are not considered HIPAA compliant.

You must use an email service provider that is HIPAA compliant. The HIPAA Journal recommends using a third-party email service provider, such as Mailgun, for both smaller healthcare providers (dentists, physical therapists…) and larger healthcare facilities. It’s easier than building your own system.

How do you know if your chosen email provider is compliant? Look for email providers with a Business Associate Agreement (BAA). Yes, the acronyms are piling up. This is government we’re talking about here.

Remember from earlier that there are two types of entities required to comply with HIPAA: covered entities and business associates. Any business associate you work with should have a BAA. The BAA spells out that company’s compliance with HIPAA. Here’s Mailgun’s BAA policy.

7. Get legal advice from a healthcare attorney

We’re not healthcare attorneys, so no matter what policies you put in place, you should work with one to make sure you’re in compliance. And, of course, always be sure the attorney specializes in HIPAA compliance.

8. Protect devices that have access to PHI

Do any of your employees work from home and work with patient medical information? If so, you need a way to secure their devices. One of the most common HIPAA violations happens when devices like laptops, USB devices, and mobile phones get stolen. You don’t get fined for the theft, you get fined because you didn’t properly secure the device with encryption, passwords, or other protective security measures.

If staff members are sending any emails from mobile devices that may hold PHI, all the same safeguard measures need to be taken. Here’s more on how to comply with the HIPAA security rule for devices.

9. Train your staff

As you can see, this is a lot – for everyone, including your staff members who have to follow all of this. But remember, it’s done to protect patient privacy. It’s important.

You must conduct annual staff training as part of HIPAA compliance and confirm that each person has completed it. This would cover topics like how to secure devices, who has access to information, what can and cannot be included in emails to various entities – basically most of the stuff in this article.

Be sure to also include training on how to identify and avoid email phishing scams. It doesn’t do much good to create policies for email HIPAA compliance if no one knows how to follow them.
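As an added illustration, not code from this article or from Mailgun, here is a small pre-send policy gate in Python that ties the minimum necessary rule to steps 2, 3 and 5 above: it strips a patient record down to the fields a given message purpose needs, refuses senders and recipient categories that may not handle PHI, rejects a patient address that does not match the record on file (the wrong-recipient mistake mentioned earlier), and falls back to a portal notification when no written consent exists. The purpose table, role names and recipient categories are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed policy tables (assumptions, not from the article or Mailgun):
# which PHI fields each message purpose needs (the "minimum necessary" rule),
# which recipient categories may receive PHI by email (step 3), and which
# staff roles are allowed to handle PHI at all (step 2).
MIN_NECESSARY = {
    "appointment_reminder": {"first_name", "appointment_time"},
    "billing_statement": {"first_name", "last_name", "balance_due"},
    "referral": {"first_name", "last_name", "dob", "diagnosis"},
}
PHI_RECIPIENTS = {"patient", "provider", "insurer", "billing", "internal_staff"}
PHI_ROLES = {"clinician", "billing_clerk", "front_desk"}


@dataclass
class Patient:
    record: dict          # full chart: far more than any one email needs
    email: str            # address on file
    email_consent: bool   # written authorization to receive PHI by email (step 5)


def minimum_necessary(record: dict, purpose: str) -> dict:
    """Return only the fields the stated purpose needs; unknown purposes are refused."""
    if purpose not in MIN_NECESSARY:
        raise ValueError(f"no minimum-necessary profile for purpose {purpose!r}")
    return {k: v for k, v in record.items() if k in MIN_NECESSARY[purpose]}


def route_message(sender_role: str, recipient_category: str, recipient_email: str,
                  patient: Patient, purpose: str) -> tuple[str, str, dict]:
    """Decide how (or whether) a PHI-bearing email may go out.

    Returns (decision, reason, payload). decision is "deny",
    "portal_notification" (no PHI, just a log-in prompt) or "send_encrypted".
    """
    if sender_role not in PHI_ROLES:
        return "deny", "sender role is not authorized to handle PHI", {}
    if recipient_category not in PHI_RECIPIENTS:
        return "deny", "recipient category may not receive PHI by email", {}
    if recipient_category == "patient":
        # Guard against the most common violation: PHI sent to the wrong address.
        if recipient_email.strip().lower() != patient.email.strip().lower():
            return "deny", "recipient address does not match the patient record", {}
        if not patient.email_consent:
            return "portal_notification", "no written consent; notify via secure portal", {}
    return "send_encrypted", "ok", minimum_necessary(patient.record, purpose)
```

The "send_encrypted" decision is only the policy outcome; the actual transport and storage encryption from step 1 still has to come from the provider and archive you choose.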

Finding a HIPAA compliant email provider 

There’s a lot to do when it comes to HIPAA compliance. And we’ve just covered email! 

The more work you can save yourself and your team, the easier it will be on your staff and your budget. Working with business associates that are already HIPAA compliant will save you some of that time and money. This is because there are certain tasks, such as proper email encryption and data storage, that you won’t have to worry about.

Mailgun provides HIPAA compliant email services, and you’ve already seen our business associate addendum. 

If you need a HIPAA compliant email provider, you’ve found your solution. Create an account today, sign our BAA, and use Mailgun to simplify and protect your email communications.
