
HIPAA Compliant Email: What You Actually Need to Know in 2026

“Can I just email the patient their lab results?”

It’s one of the most common questions in small practice healthcare, and the answer you’ll find online ranges from “absolutely not” to “sure, just encrypt it.” Neither is quite right. The real answer, like most things in HIPAA, is more nuanced — but it’s also more manageable than you think once you understand the actual rules.

Here’s what HIPAA actually requires for email, what the proposed 2026 Security Rule would change, and how to set up your practice so email doesn’t become a compliance liability.

Can You Email Patient Information Under HIPAA?

Yes. HIPAA does not prohibit email communication containing protected health information (PHI). It never has.

What HIPAA requires is that you implement reasonable safeguards to protect PHI in transit and at rest, and that you document what those safeguards are. Email is treated like any other transmission medium — it’s allowed, but only with appropriate protections in place.

The confusion comes from the fact that standard, unencrypted email is not inherently secure. Sending a patient’s diagnosis over regular Gmail is roughly equivalent to sending it on a postcard — anyone handling it along the way can read it. That doesn’t mean email is off-limits. It means you need to handle it correctly.

The HIPAA Security Rule (45 CFR 164.312) requires covered entities to implement technical safeguards for electronic PHI, including:

  1. Access control (164.312(a)): unique user identification, emergency access procedures, automatic logoff, and encryption and decryption of ePHI.
  2. Audit controls (164.312(b)): mechanisms that record and examine activity in systems that contain or use ePHI.
  3. Integrity (164.312(c)): protection of ePHI against improper alteration or destruction.
  4. Person or entity authentication (164.312(d)): verifying that a person or system seeking access to ePHI is who it claims to be.
  5. Transmission security (164.312(e)): guarding against unauthorized access to ePHI transmitted over an electronic communications network, including integrity controls and encryption.

That last point is where email gets complicated.

What Makes Email HIPAA Compliant

There’s no official “HIPAA certified email” stamp. No government agency certifies email platforms for HIPAA compliance. Instead, HIPAA compliance for email depends on meeting specific technical and administrative requirements.

Encryption in Transit

At minimum, email containing PHI must be encrypted during transmission. This means TLS (Transport Layer Security) 1.2 or higher between your email server and the recipient’s email server. Most major email providers support TLS, but support isn’t the same as enforcement — if the recipient’s server doesn’t support TLS, many systems will fall back to unencrypted delivery without telling you.

A truly HIPAA-compliant email setup either enforces TLS (refusing to send if the recipient can’t receive encrypted mail) or uses end-to-end encryption where the message content is encrypted before it leaves your system.
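The support-versus-enforcement gap described above, as an added example (Python, not code from the original article): a helper that parses a recipient server's EHLO reply, a strict TLS client context of the kind passed to smtplib's starttls(), and a decision function showing where an opportunistic sender falls back to cleartext while an enforcing sender holds the message. The hostnames and EHLO replies are constructed.

```python
import re
import ssl
from dataclasses import dataclass
from typing import Optional

ACCEPTABLE_TLS = {"TLSv1.2", "TLSv1.3"}   # minimum acceptable for PHI in transit

# Constructed EHLO replies in the format a receiving SMTP server returns.
EHLO_WITH_STARTTLS = ("250-mx.example-hospital.test\r\n250-SIZE 52428800\r\n"
                      "250-STARTTLS\r\n250 ENHANCEDSTATUSCODES\r\n")
EHLO_WITHOUT_STARTTLS = "250-mx.legacy-clinic.test\r\n250-SIZE 10240000\r\n250 HELP\r\n"

def advertised_extensions(ehlo_reply: str) -> set:
    """Extension keywords from a multi-line 250 reply; the first line is the hostname."""
    exts = set()
    for line in ehlo_reply.splitlines()[1:]:
        m = re.match(r"^250[ -]([A-Za-z0-9]+)", line)
        if m:
            exts.add(m.group(1).upper())
    return exts

def strict_tls_context() -> ssl.SSLContext:
    """Client context for smtplib.SMTP.starttls(context=...): refuses anything
    below TLS 1.2 and verifies the recipient server's certificate."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

@dataclass(frozen=True)
class Decision:
    deliver: bool
    reason: str

def delivery_decision(ehlo_reply: str, negotiated: Optional[str], enforce_tls: bool) -> Decision:
    """negotiated is the TLS version the handshake produced, or None when STARTTLS
    was not offered or the handshake failed. enforce_tls=False is opportunistic TLS."""
    if "STARTTLS" not in advertised_extensions(ehlo_reply) or negotiated is None:
        if enforce_tls:
            return Decision(False, "no usable STARTTLS; message held, not sent in cleartext")
        return Decision(True, "WARNING: opportunistic fallback, PHI sent unencrypted")
    if negotiated not in ACCEPTABLE_TLS:
        if enforce_tls:
            return Decision(False, f"{negotiated} is below TLS 1.2; message held")
        return Decision(True, f"WARNING: delivered over weak {negotiated}")
    return Decision(True, f"delivered over {negotiated}")
```

The same fallback happens silently inside most mail platforms unless an enforce-TLS rule is configured, which is why the opportunistic branch logs a warning rather than succeeding quietly.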

Encryption at Rest

PHI stored in your email system — in your inbox, sent folder, drafts, and archives — must also be encrypted. This means the email platform needs to encrypt stored data on its servers using AES-256 or equivalent encryption.

Access Controls and Authentication

Your email accounts must be protected with strong, unique passwords and multi-factor authentication. Shared email accounts (info@yourpractice.com used by three different staff members with the same password) are a compliance problem because you can’t track individual access.

Audit Logging

You need the ability to see who accessed email containing PHI, when they accessed it, and what they did with it. This is standard functionality in business email platforms but is often unavailable in consumer-grade email.

The encryption question simplified: Your email must be encrypted both while it’s being sent (in transit) and while it’s sitting in your mailbox (at rest). Most business-tier email platforms handle encryption at rest automatically. Encryption in transit is where practices most commonly fall short.

The BAA Requirement: The Step Most Practices Miss

Here is the part that trips up more practices than encryption does.

Under HIPAA, any vendor that handles PHI on your behalf is a Business Associate. Your email provider stores, processes, and transmits PHI — that makes them a Business Associate. And you are required to have a signed Business Associate Agreement (BAA) with every Business Associate before they touch any PHI.

A BAA is a legal contract that:

Without a signed BAA, you’re in violation of HIPAA even if your email is fully encrypted and technically secure. The BAA isn’t optional and it isn’t a formality. OCR has issued penalties specifically for failure to have BAAs in place.

In 2018, Advanced Care Hospitalists paid $500,000 to settle HIPAA violations that included failure to have a BAA with a vendor handling patient data. The technical security was only part of the problem — the missing contract was a separate, independent violation.

The key takeaway: Before you send a single email containing PHI, confirm that you have a signed BAA with your email provider. If your provider won’t sign one, you cannot use that service for PHI.

Which Email Providers Offer HIPAA-Compliant Plans

Not every email provider will sign a BAA. Not every plan from providers who do sign BAAs is covered. Here’s where things stand in 2026.

Google Workspace (Paid Business Plans)

Google will sign a BAA covering Gmail, Google Drive, Google Calendar, and other Workspace services — but only on paid Google Workspace plans (Business Starter, Business Standard, Business Plus, or Enterprise). The BAA must be explicitly accepted by an admin in the Workspace admin console. Google encrypts data in transit with TLS and at rest with AES-256. You also get audit logging, DLP (data loss prevention) rules, and retention controls.

Microsoft 365 (Business and Enterprise Plans)

Microsoft will sign a BAA for Microsoft 365 Business Basic, Business Standard, Business Premium, and Enterprise plans. Like Google, the BAA covers Exchange Online (Outlook), OneDrive, SharePoint, and Teams. Microsoft 365 supports TLS encryption, message encryption (OME) for sending encrypted emails to external recipients, and comprehensive audit logs.

Paubox

Paubox is purpose-built for HIPAA-compliant email. It integrates with your existing email platform (Google Workspace or Microsoft 365) and adds seamless encryption — recipients read encrypted emails directly in their inbox without needing to log into a portal or enter a password. Paubox signs a BAA and provides email DLP, inbound security, and compliance reporting.

Hushmail for Healthcare

Hushmail offers HIPAA-compliant email specifically designed for healthcare providers. It includes built-in encryption, electronic forms, and a signed BAA. It’s a standalone email platform rather than an add-on, which means migrating your email to their system. It’s popular with solo practitioners and therapists who want a simple, all-in-one solution.

Virtru

Virtru is an encryption layer that integrates with Gmail and Outlook. It provides end-to-end encryption, access controls (you can revoke access to sent emails), and audit trails. Virtru signs a BAA for its healthcare plans. Like Paubox, it adds encryption capabilities to your existing email infrastructure rather than replacing it.

Free Gmail and Outlook.com Are NOT HIPAA Compliant

This is worth stating plainly because it remains the single most common email-related HIPAA mistake in small practices.

Free, consumer email accounts — Gmail (@gmail.com), Outlook.com (@outlook.com, @hotmail.com), Yahoo Mail, iCloud Mail, AOL — cannot be used for PHI. These providers will not sign a BAA for their free consumer products. Without a BAA, using them for PHI is an automatic HIPAA violation, regardless of what security settings you configure.

This applies even if you:

None of these workarounds make a consumer email account HIPAA compliant. The BAA requirement is non-negotiable.

OCR has investigated multiple cases where practices used free email accounts for patient communication. In one widely cited case, a provider’s use of a personal Gmail account for patient communications was identified as a contributing violation during a breach investigation, compounding the penalties.

Bottom line: If your practice email address ends in @gmail.com, @outlook.com, @yahoo.com, or any other free consumer domain, you cannot send or receive PHI through it. Period. Upgrade to a business plan with a BAA or switch to a HIPAA-compliant email provider.

Here’s a nuance that most “HIPAA email” guides get wrong or oversimplify.

HIPAA does allow patients to request that their PHI be sent via unencrypted email. Under 45 CFR 164.522(b), patients have the right to receive communications by alternative means or at alternative locations. HHS guidance (from its FAQ) states that if a patient requests unencrypted email and you’ve warned them of the risks, you can honor that request.

However, this is narrower than most practices realize:

  1. The patient must initiate the request. You can’t ask patients to sign a blanket waiver giving you permission to email them without encryption. The request must come from them.
  2. You must warn them of the risks. Document that you informed the patient that unencrypted email could be intercepted, and that they still want to proceed.
  3. This only covers communications to that patient. Patient consent to receive unencrypted email does not waive your obligations for how you store, process, or manage that email internally. You still need encryption at rest, access controls, and audit logging on your end.
  4. This doesn’t eliminate the BAA requirement. Even if a patient consents to unencrypted email, you still need a BAA with your email provider because the provider is storing and processing PHI.
  5. Document everything. Keep a record of the patient’s request, your risk warning, and their acknowledgment.

The practical recommendation: don’t rely on patient consent as your email strategy. Set up properly encrypted email and use patient consent as an exception for specific situations, not a workaround to avoid upgrading your email infrastructure.

Email vs. Patient Portal Messaging

If you have an EHR with a patient portal — and most practices do at this point — you already have a HIPAA-compliant messaging channel built in. Patient portal messages are sent within a secured, encrypted environment that’s covered under your EHR vendor’s BAA.

Use the patient portal for:

Email is reasonable for:

The general principle: if the message contains clinical PHI, use the portal. If it’s administrative or logistical, email with proper safeguards can work.

That said, patients often prefer email because it’s familiar and convenient. The challenge is training your staff to redirect clinical conversations to the portal without making patients feel like they’re being brushed off.

Common Email HIPAA Violations (With Real Examples)

These aren’t hypothetical scenarios. They’re patterns OCR has identified in investigations and enforcement actions.

1. Sending PHI to the Wrong Recipient

Misdirected emails are one of the most common reported breaches. Autocomplete fills in the wrong “Smith,” and a patient’s records go to a stranger. In 2019, a healthcare provider reported a breach to OCR after an employee emailed PHI for 577 patients to the wrong email address. The error was compounded by the fact that the email was unencrypted — meaning the data was fully readable by the unintended recipient.

2. Using CC or BCC Incorrectly

A practice sends a group email to patients — perhaps a notice about a schedule change — and puts all patient email addresses in the CC field instead of BCC. Now every recipient can see every other recipient’s email address, which constitutes unauthorized disclosure if the email context reveals they’re patients of the practice.

3. PHI in the Subject Line

Email subject lines are not encrypted, even when the body of the email is encrypted via TLS or end-to-end encryption. Putting “Lab Results: John Smith - HIV Test” in the subject line exposes PHI regardless of your encryption setup.
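The first three violations above can be caught before the message leaves the practice. This added example (Python, not code from the original article) runs three pre-send checks over a draft: a recipient not on a verified contact list (the autocomplete problem), more than one external address visible in To/Cc instead of Bcc, and PHI-like content in the subject line. The practice domain, contact list, patterns and both drafts are constructed.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

PRACTICE_DOMAIN = "example-practice.test"         # constructed practice domain
KNOWN_CONTACTS = {"j.smith@mail.example"}          # constructed verified patient addresses

# Constructed patterns; a real DLP rule set would be broader. Subject lines stay
# readable in mailbox listings, notifications and logs, so they must not carry PHI.
SUBJECT_PHI_PATTERNS = [
    re.compile(r"\b(lab|test)\s+results?\b", re.I),
    re.compile(r"\b(hiv|diagnosis|mrn|dob)\b", re.I),
    re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),     # date of birth
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),           # SSN
]

def external_addresses(msg: Message, header: str) -> list:
    """Lower-cased addresses in a header that are outside the practice domain."""
    addrs = [a.lower() for _, a in getaddresses(msg.get_all(header, []))]
    return [a for a in addrs if not a.endswith("@" + PRACTICE_DOMAIN)]

def presend_findings(raw_message: str) -> list:
    """Return the problems found in a draft; an empty list means it may be sent."""
    msg = message_from_string(raw_message)
    findings = []
    visible = external_addresses(msg, "To") + external_addresses(msg, "Cc")
    for addr in visible:
        if addr not in KNOWN_CONTACTS:
            findings.append(f"unverified recipient {addr}: confirm before sending (autocomplete risk)")
    if len(visible) > 1:
        findings.append(f"{len(visible)} external recipients visible in To/Cc: use Bcc for patient mailings")
    if any(p.search(msg.get("Subject", "")) for p in SUBJECT_PHI_PATTERNS):
        findings.append("subject line appears to contain PHI: move details into the body")
    return findings

# Constructed draft that trips all three checks.
RISKY_DRAFT = """\
From: frontdesk@example-practice.test
To: j.smith@mail.example, jane.smith@mail.example
Cc: billing@example-practice.test
Subject: Lab Results - J. Smith HIV test

Please see the attached report.
"""

# Constructed draft that passes: one verified recipient, neutral subject.
CLEAN_DRAFT = "From: frontdesk@example-practice.test\nTo: j.smith@mail.example\nSubject: Appointment reminder\n\nYour appointment is confirmed; details are in the patient portal.\n"
```

Business-tier platforms expose the same idea as DLP or mail flow rules; the value of the code is showing what each rule has to look at.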

4. Unencrypted Email on Shared Devices

A provider checks their email on a shared office computer without logging out, or accesses email on a personal phone without device-level encryption or a passcode. The email itself might be encrypted in transit, but the device it’s accessed on has no access controls.

5. Forwarding PHI to Personal Accounts

Staff forwarding patient emails to personal accounts to “work from home” is a common violation. The personal account doesn’t have a BAA, the device may not be encrypted, and there’s no audit trail. This practice was a contributing factor in the $1.55 million settlement with North Memorial Health Care in 2016, where a business associate’s employee had PHI on an unencrypted personal laptop.

6. No Retention or Disposal Policy

HIPAA requires policies for retaining and disposing of PHI. Emails containing PHI that sit in an inbox for years, with no retention schedule and no secure deletion process, create ongoing risk. When a staff member leaves the practice and their email account persists with years of PHI in it, that’s a compliance gap.

Internal Staff Email Is Not Exempt

A common misconception: HIPAA email requirements only apply to patient-facing communication. Not true.

Email between staff members within your practice is still subject to HIPAA requirements if it contains PHI. When a physician emails a nurse with patient details, when the front desk emails billing staff with insurance information, when your office manager emails patient lists to your IT provider — all of these are transmissions of ePHI and all require appropriate safeguards.

This means your internal email infrastructure needs the same protections as your external communications: encryption, access controls, audit logging, and a BAA with the email provider.

The Proposed 2026 HIPAA Security Rule and Email Encryption

The proposed 2026 HIPAA Security Rule changes would significantly affect email compliance. The most relevant change: encryption would no longer be “addressable.”

Under the current rule, encryption is an “addressable” specification, meaning you can evaluate whether it’s reasonable and appropriate for your environment. If you determine it’s not, you can document why and implement an equivalent alternative measure. In practice, this has allowed some organizations to operate without encryption by citing cost or technical barriers.

The proposed rule would eliminate the addressable/required distinction entirely. Encryption of ePHI — both at rest and in transit — would be a flat requirement for every covered entity and business associate, regardless of size.

For email, this means:

The proposed rule is expected to be finalized around mid-2026 with a compliance deadline roughly 240 days after publication. If your email system doesn’t support encryption today, now is the time to fix it — not after the final rule drops.

For a deeper look at all the proposed 2026 changes, see our full breakdown: Proposed 2026 HIPAA Security Rule: What Small Practices Must Do Now.

Quick Email Compliance Checklist

Use this to evaluate whether your practice’s email setup meets HIPAA requirements today.

If you’re missing more than two or three items on this list, your email setup has compliance gaps that need attention. The good news: most of these are configuration and policy changes, not expensive infrastructure overhauls.

Want to see where you stand across all of HIPAA, not just email? Take our HIPAA Risk Assessment Quiz or download the 93-Point HIPAA Compliance Checklist.

How ComplyMD Helps With Email Compliance

Email is one piece of your overall HIPAA compliance program — and it’s hard to evaluate in isolation. Your email setup connects to your risk assessment, your policies and procedures, your staff training, and your vendor management (BAA tracking).

ComplyMD connects all of these pieces. The guided risk assessment evaluates your email infrastructure alongside your other systems. Policy templates cover email-specific requirements like acceptable use, retention, and mobile device access. Staff training modules include email scenarios your team will actually encounter. And the BAA tracker ensures you never lose track of which vendors have signed agreements and when they expire.

Instead of piecing together email compliance from blog posts and hoping you haven’t missed anything, ComplyMD gives you a structured program that covers email as part of the complete picture.

Stop guessing about email compliance

ComplyMD walks your practice through every HIPAA requirement — including email, encryption, BAAs, and staff training — with guided assessments built for small and mid-sized practices.


Check your current compliance posture: 93-Point HIPAA Compliance Checklist →
