Medical breaches happen, and they can spell disaster for your company, your clients’ well-being, and your reputation.
If you’re a healthcare provider or business associate handling protected health information (PHI), selecting a HIPAA-compliant email service isn’t optional — it’s a legal necessity.
This article is part of a series discussing various aspects of HIPAA compliance. Proton Mail is the world’s largest secure email provider, used by millions to protect their messages. We provide HIPAA-compliant email to thousands of organizations.
What is a HIPAA-compliant email service?
The United States’ Health Insurance Portability and Accountability Act (HIPAA) is a complex set of laws that secures patients’ protected health information (PHI). Any entity that has contact with PHI is required to be HIPAA compliant.
The Department of Health and Human Services (HHS) mandates that two types of entities — covered entities and business associates — must abide by HIPAA regulations.
Here are some key notes to understand:
- Covered entities can exchange relevant PHI with other covered entities and business associates so long as the information is communicated in a HIPAA-compliant way.
- Business associates include any third-party service used to facilitate this communication, such as an email provider. The business associate must be HIPAA compliant.
A HIPAA-compliant email service is one that meets the privacy and security requirements outlined in HIPAA’s Privacy and Security Rules. These federal regulations govern how electronic PHI is accessed, transmitted, and stored.
What is HIPAA Compliance?
There is no formal certification for HIPAA email compliance, so the main measure of whether an email service is HIPAA compliant is whether it follows all the regulations in the HIPAA Privacy Rule and the HIPAA Security Rule.
- Privacy Rule — Defines in detail what data constitutes PHI and explains how and when covered entities can access it. Importantly, it permits covered entities to disclose PHI to business associates that have signed a business associate agreement (BAA) contract. Business associates agree to only use PHI for the purpose originally specified by the covered entity when they sign a BAA.
- Security Rule — Defines the physical, electronic, and administrative protections that must be in place for storing, handling, and transmitting ePHI.
The Security Rule includes several provisions that are important for email HIPAA compliance:
- Covered entities must take reasonable steps to ensure that PHI in their inbox is secure.
- They must also take reasonable steps to ensure that PHI is protected in transit when sent to a recipient’s inbox.
- Once the PHI has been transmitted, it becomes the obligation of the recipient to secure it in their inbox.
- Any third-party service used to transmit PHI (i.e., the email provider) must sign a BAA contract to become a business associate.
How can I make my email HIPAA compliant?
If you’re asking, “How can I make my email HIPAA compliant?,” here’s your checklist. These steps ensure that your organization is protected from violations while securing patient trust.
- Choose a HIPAA-compliant email provider like Proton Mail
- Sign a Business Associate Agreement (BAA)
- Enable encryption for data at rest and in transit
- Use strong access controls and train staff on company-wide protocols for HIPAA-compliant email use
- Don’t delete email correspondence containing PHI for at least six years. Properly maintain email logs and archives in case of an audit
- Always obtain patient consent when sending to non-secure addresses
What to look for in HIPAA-compliant email providers
Not all email services meet HIPAA standards. When evaluating HIPAA-compliant email providers, look for the following security factors:
1. TLS encryption to secure PHI in transit
Note that the recipient’s email service must also use TLS, or the message will travel in plaintext. This is unlikely to be a problem if the recipient’s email provider is also HIPAA compliant. A good email service uses TLS certificates issued only by the most trusted certificate authorities and secures the TLS connection with strong RSA keys.
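The practical weak point in this requirement is opportunistic STARTTLS: an ordinary SMTP client upgrades to TLS only if the receiving server advertises it, and otherwise quietly continues in plaintext. The following Go program, written for this article as an added example rather than code from Proton Mail or any product, shows how a sending system can fail closed instead. It parses the server's EHLO reply for the STARTTLS keyword, refuses to transmit when it is absent, and pins the client to TLS 1.2 or newer. The EHLO replies in `main` are constructed samples, and `mail.example.test` is a placeholder host; `sendPHI` needs a network and is included only to show where the check sits in a real session.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net/smtp"
	"strings"
)

// ErrNoSTARTTLS is returned when the receiving server does not advertise
// STARTTLS. We never fall back to plaintext for a message containing PHI.
var ErrNoSTARTTLS = errors.New("remote SMTP server does not offer STARTTLS; refusing to send PHI in plaintext")

// strictTLSConfig builds the client settings for the upgraded connection:
// TLS 1.2 or newer only, and the server certificate must chain to a CA in
// the system trust store for serverName (Go verifies this by default).
func strictTLSConfig(serverName string) *tls.Config {
	return &tls.Config{
		ServerName: serverName,
		MinVersion: tls.VersionTLS12,
	}
}

// ehloExtensions parses a multi-line EHLO reply ("250-KEYWORD ..." lines,
// last line "250 KEYWORD") into the set of advertised extension keywords.
// The first line carries the server's hostname, not an extension.
func ehloExtensions(reply string) map[string]bool {
	exts := make(map[string]bool)
	for i, line := range strings.Split(strings.TrimSpace(reply), "\n") {
		line = strings.TrimRight(line, "\r")
		if i == 0 || len(line) < 4 || !strings.HasPrefix(line, "250") {
			continue
		}
		if fields := strings.Fields(line[4:]); len(fields) > 0 {
			exts[strings.ToUpper(fields[0])] = true
		}
	}
	return exts
}

// checkTransportPolicy is the policy decision: nil when the EHLO reply shows
// STARTTLS support, ErrNoSTARTTLS otherwise.
func checkTransportPolicy(ehloReply string) error {
	if !ehloExtensions(ehloReply)["STARTTLS"] {
		return ErrNoSTARTTLS
	}
	return nil
}

// sendPHI performs the same check against a live server using net/smtp:
// connect, require STARTTLS, upgrade with the strict config, then send.
// It needs network access and is not exercised by the offline demo below.
func sendPHI(addr, serverName, from string, to []string, msg []byte) error {
	c, err := smtp.Dial(addr)
	if err != nil {
		return err
	}
	defer c.Close()
	if ok, _ := c.Extension("STARTTLS"); !ok {
		return ErrNoSTARTTLS
	}
	if err := c.StartTLS(strictTLSConfig(serverName)); err != nil {
		return err
	}
	if err := c.Mail(from); err != nil {
		return err
	}
	for _, rcpt := range to {
		if err := c.Rcpt(rcpt); err != nil {
			return err
		}
	}
	w, err := c.Data()
	if err != nil {
		return err
	}
	if _, err := w.Write(msg); err != nil {
		return err
	}
	if err := w.Close(); err != nil {
		return err
	}
	return c.Quit()
}

func main() {
	// Constructed EHLO replies; not captured from any real server.
	withTLS := "250-mail.example.test Hello\r\n250-SIZE 52428800\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
	withoutTLS := "250-mail.example.test Hello\r\n250-SIZE 52428800\r\n250 8BITMIME\r\n"
	fmt.Println("server advertising STARTTLS:", checkTransportPolicy(withTLS))
	fmt.Println("server without STARTTLS:   ", checkTransportPolicy(withoutTLS))
}
```

In production the same decision is usually expressed as an MTA policy (a "must use TLS" transport map for the recipient domain) rather than in application code, but the logic is identical: treat a missing STARTTLS offer as a delivery failure, not as permission to send in the clear.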
2. AES encryption for emails stored at rest on servers
The National Institute of Standards and Technology (NIST) is a non-regulatory government agency that develops security and encryption standards and guidelines for the US government. Advanced Encryption Standard (AES) is a NIST-certified symmetric-key encryption standard that has no known vulnerabilities (when implemented correctly). NIST recommends using key sizes of at least 128 bits. Stored ePHI must remain secure for at least 50 years after the patient’s death.
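"Implemented correctly" is doing a lot of work in that sentence, and the two mistakes most often seen in at-rest encryption are an unauthenticated mode (plain CBC or ECB, which lets stored ciphertext be altered without detection) and nonce reuse. The Go program below is an added example written for this article, not Proton Mail's storage code. It stores a message under AES-256-GCM, which encrypts and authenticates in one pass, uses a fresh random nonce per record, and binds the ciphertext to its record identifier through the associated-data field so that a ciphertext copied into another record's slot fails to decrypt. The message text and record ID are constructed samples; the key is generated in memory, whereas a real deployment would keep it in a KMS or HSM rather than beside the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is the record actually written to disk: the per-message nonce
// and the ciphertext with the GCM authentication tag appended.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
}

// newStorageKey draws a 256-bit key from the OS CSPRNG (AES-256, above the
// 128-bit minimum NIST recommends). Assumption for this example: the key is
// held in memory; in production it would come from a KMS or HSM.
func newStorageKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealMessage encrypts plaintext for storage. recordID is authenticated but
// not encrypted, so the ciphertext is tied to the record it belongs to.
func sealMessage(key, plaintext, recordID []byte) (Envelope, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 12 bytes; never reused with the same key
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, recordID)}, nil
}

// openMessage decrypts and verifies. Any change to the nonce, ciphertext,
// tag or recordID makes Open return an error instead of garbage plaintext.
func openMessage(key []byte, env Envelope, recordID []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, recordID)
}

// tamperDetected seals a message, flips one ciphertext byte, and reports
// whether decryption was refused, which is the property CBC would not give.
func tamperDetected(key, plaintext, recordID []byte) (bool, error) {
	env, err := sealMessage(key, plaintext, recordID)
	if err != nil {
		return false, err
	}
	env.Ciphertext[0] ^= 0x01
	_, err = openMessage(key, env, recordID)
	return err != nil, nil
}

func main() {
	key, err := newStorageKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real patient data.
	msg := []byte("Subject: Lab results\r\n\r\nConstructed sample message body.")
	id := []byte("msg-0001")
	env, err := sealMessage(key, msg, id)
	if err != nil {
		panic(err)
	}
	back, err := openMessage(key, env, id)
	fmt.Printf("round trip ok: %v (err=%v)\n", string(back) == string(msg), err)
	detected, _ := tamperDetected(key, msg, id)
	fmt.Println("modified ciphertext rejected:", detected)
	_, err = openMessage(key, env, []byte("msg-0002"))
	fmt.Println("ciphertext moved to another record rejected:", err != nil)
}
```

The choice of GCM over CBC matters for the audit trail as much as for confidentiality: a record that fails authentication is evidence of tampering or corruption and should be logged and investigated, whereas an unauthenticated mode would silently hand back altered PHI.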
3. End-to-end encryption (E2EE) and digital signing of emails
Although not strictly required for HIPAA compliance, end-to-end encryption ensures that only the intended recipient can access the emails you send. This means that even the email service you use can’t access E2EE emails stored on its servers.
4. Strong physical security
A good HIPAA-compliant email service will have total control over its own servers and robust physical security measures in place to prevent unauthorized access to its servers.
5. Proper disposal of data
It is important that when a contract between a covered entity and its business associate email provider ends, all data stored on the email provider’s servers is securely deleted. The email service also must destroy all printed reports or paper copies.
Why encryption should be mandatory for HIPAA-compliant email services
Encryption isn’t mandatory, but without it, your risk of breach — and penalties — rises dramatically.
Technically speaking, encryption is classed as “an addressable implementation specification,” which means that an entity must provide compelling and fully documented reasons for its decision not to use it.
In practical terms, encryption is the backbone of any HIPAA-compliant email service.
Proton Mail is a HIPAA-compliant email service developed by CERN scientists. It uses OpenPGP end-to-end encryption to ensure that only authorized personnel within your organization and your business associates can access PHI data.
How HIPAA-compliant email protects privacy
A good HIPAA-compliant email service should protect PHI in the following ways:
Controlled access and unique identity verification: Only authorized individuals should be able to access ePHI, so your email provider needs strong access controls. A good HIPAA-compliant email service should require that users set strong passwords and enable two-factor authentication to secure their accounts.
Encryption: Encrypting a message in transit and while stored on a server is, in reality, the only way to maintain HIPAA compliance. End-to-end encryption, where the email is encrypted all the way to the recipient’s inbox, is highly recommended.
Data integrity: The recipient of an email containing PHI should feel confident that the email was not improperly modified in transit. OpenPGP and S/MIME allow the sender to digitally sign emails, which guarantees the identity of the sender and provides essential data integrity.
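To make the integrity guarantee concrete: a digital signature is computed over the exact message bytes, so a verifier can tell whether the text it received is the text the key holder signed. The Go program below is an added example for this article, not Proton Mail's OpenPGP implementation; it uses the Ed25519 signature primitive (one of the algorithms modern OpenPGP supports) directly, without the OpenPGP or S/MIME packaging around it. The message and the "sender" and "impostor" key pairs are constructed in memory; in a real system the recipient would hold the sender's public key from a prior exchange or certificate, which is what lets the signature also vouch for the sender's identity.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedMessage is what travels: the message bytes plus a detached
// signature. The sender's public key is known to the recipient beforehand.
type SignedMessage struct {
	Message   []byte
	Signature []byte
}

// Sender holds a signing key pair; the public half plays the role a
// correspondent's OpenPGP key or S/MIME certificate does.
type Sender struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewSender() (*Sender, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Sender{pub: pub, priv: priv}, nil
}

// PublicKey is what the recipient pins and verifies against.
func (s *Sender) PublicKey() ed25519.PublicKey { return s.pub }

// Sign covers the full message bytes (headers and body as transmitted);
// changing any of them afterwards invalidates the signature.
func (s *Sender) Sign(message []byte) SignedMessage {
	return SignedMessage{Message: message, Signature: ed25519.Sign(s.priv, message)}
}

// Verify reports whether sm.Signature was produced over sm.Message by the
// holder of senderPub. False means tampering in transit or a different signer.
func Verify(senderPub ed25519.PublicKey, sm SignedMessage) bool {
	return ed25519.Verify(senderPub, sm.Message, sm.Signature)
}

// tamperedCopy returns a copy of sm with one byte of the body altered,
// as a man-in-the-middle or a faulty relay might do.
func tamperedCopy(sm SignedMessage) SignedMessage {
	altered := append([]byte(nil), sm.Message...)
	altered[len(altered)-1] ^= 0x01
	return SignedMessage{Message: altered, Signature: sm.Signature}
}

func main() {
	sender, _ := NewSender()
	impostor, _ := NewSender()
	// Constructed sample message; not real patient data.
	msg := []byte("From: clinic@example.test\r\nSubject: Appointment\r\n\r\nConstructed body.")

	signed := sender.Sign(msg)
	fmt.Println("genuine message verifies:      ", Verify(sender.PublicKey(), signed))
	fmt.Println("modified message verifies:     ", Verify(sender.PublicKey(), tamperedCopy(signed)))
	fmt.Println("impostor's signature verifies: ", Verify(sender.PublicKey(), impostor.Sign(msg)))
}
```

Note what the signature does not do: it proves integrity and origin but not confidentiality, which is why OpenPGP and S/MIME are normally used to sign and encrypt together when PHI is involved.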
Common HIPAA email violations
To remain compliant, avoid these frequent pitfalls:
1. Lack of patient consent
HIPAA-compliant services should always alert patients who communicate by email of the potential risks this can pose to their PHI. Patients should give informed consent to communicate by email before electronic communications proceed.
2. Insufficient email safeguards
A signed BAA from your email provider is essential, but it is not enough to make you HIPAA compliant. It does not protect PHI when it is transmitted via third-party email providers — like the ones used by your patients. The use of fully end-to-end encrypted email services like Proton Mail can help address this issue.
3. Untrained staff
Even the best system can’t compensate for human error. Regular training on HIPAA compliance is vital.
4. Sending PHI to the wrong person — or by mistake
One of the biggest potential mishaps when dealing with HIPAA-compliant email is the realization that you sent ePHI to the wrong person. It goes without saying that you should always double-check that you are sending an email containing ePHI to the correct recipient. Another common mistake is unintentionally sending ePHI via insecure email. All HIPAA violations should be fully documented, and measures should be taken to mitigate the situation and ensure it never happens again.
How to pick the best HIPAA-compliant email provider
There are several encrypted messaging options that can help you achieve HIPAA compliance. However, given the sensitivity of ePHI, you want to be certain that the solution you choose inspires confidence in your patients. By selecting an easy-to-use email service that meets the criteria listed above, you will be HIPAA compliant and show your patients you take protecting their personal data seriously.
Founded by MIT and CERN scientists, Proton Mail is the world’s largest open-source and end-to-end encrypted email service.
With a Proton for Business plan, you can create custom domain email addresses for your organization, and multiple user control levels and account types let you easily administer your organization and fine-tune security settings.
Proton Mail supports two-factor authentication, and can be accessed via any web browser, through its Android and iOS apps, or using a third-party email client, such as Outlook, Thunderbird, or Apple Mail.
Proton Mail is fully HIPAA compliant:
- You can download our Business Associate Agreement here. Simply contact us if you need it signed.
- Our servers are all independently certified to adhere to ISO 27001 international corporate security standards. Housed in several data centers in Switzerland, our servers employ robust physical security measures and use AES-encrypted hard disks with multiple password layers, so data security is preserved even if our hardware is seized.
- We are very careful to properly dispose of data. If clients request physical reports, we shred them immediately after the task is over. When a BAA contract ends, we delete all data stored on our servers.
- Proton Mail uses zero-access encryption and end-to-end encryption, which means that even we can’t access any emails stored on our servers. And because we use OpenPGP, Proton Mail is interoperable with any other system or email software that supports PGP. This ensures secure end-to-end encrypted communication between users of different email providers is possible. Proton Mail also has a system for sending end-to-end encrypted emails to non-PGP users of other services.
Proton Mail is also GDPR compliant. You can read more about our security features or download our white paper for a more in-depth look.
How to send HIPAA-compliant email?
- Ensure that your email service is HIPAA compliant
- Sign a BAA contract with your HIPAA-compliant email service
- Configure your email correctly. This is not a concern when using Proton Mail, as all email is end-to-end encrypted until it leaves our service. Other email services, however, may require a more complex setup before emails can be sent in a HIPAA-compliant manner.
- When sending emails containing PHI to recipients who use insecure third-party email services, always take care to ensure they provide informed consent before doing so.
- Retain all emails. The HIPAA Privacy Rule establishes a patient’s right to demand access to their own PHI, so it is important to maintain an archive of all emails in order to comply. Although HIPAA does not specify a time limit for data retention, many US state laws do. In general, a retention policy of at least six years is recommended.
FAQ
Can I send PHI via email?
Yes, but only if your email service is HIPAA compliant. Remember that the recipient’s email service may not be secure, so you must obtain prior written consent for email correspondence containing PHI.
Does HIPAA-compliant email need to be encrypted?
Strictly speaking, no. But in practice, yes. If encryption is not used, then the covered entity or business associate must fully explain their reasoning and document the measures it used instead. It is very hard for an email service to be HIPAA compliant without encryption.
Is a BAA enough to be compliant?
No. A BAA is just one requirement. The HIPAA-compliant email provider must implement technical, administrative, and physical safeguards to ensure PHI is secure on its service. Covered entities and business associates must ensure that ePHI sent by email cannot be deliberately accessed by any unauthorized person.
Feel free to share your feedback and questions with us via our official social media channels on Twitter and Reddit.