4 Must Know Facts About HIPAA Compliant Emails


Every medical practice knows that emails are not HIPAA compliant, but still the details are hazy and no one is really sure about what is exactly compliant and what is not. We took a deep dive and found out all the information you need. So, let’s get rolling-

Are Emails HIPAA Compliant?

Answer: NO. All free email services such as Hotmail, Yahoo mail, Gmail etc. are not secure and no patient health information should be sent through them. The information sent either as text or an attachment, both are a risk to a physician.

If you want to use HIPAA compliant email systems than you must first check with the email service provider and see if they support secure communication. If they do, then you need to sign BAA (Business Associate Agreement) which permits you to use email in HIPAA compliant way. If you or your medical practice is sending emails to patients then you should STOP NOW, because every email you send out is a data breach and you are at risk. The minimum fines for a security violation starts at $50,000!


If Patient is sending me email, it is fine if I reply him back.

Answer: NO. If patient is sending you email using one of the regular email service providers such as Gmail, Yahoo, Hotmail etc., it is your duty to inform them first that this channel is not secure and take their consent if they would still like to receive the reply over the insecure channel. Also, you need to make sure that you document your email conversation for record keeping.

Here is the extract from the official HIPAA OMNIBUS FINAL RULE (page 5634) —

We clarify that covered entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email… If individuals are notified of the risks and still prefer unencrypted email, the individual has the right to receive protected health information in that way, and covered entities are not responsible for unauthorized access of protected health information while in transmission to the individual based on the individual’s request. Further, covered entities are not responsible for safeguarding information once delivered to the individual.

Patient Emails

My image attachment, fax or MRI directed to emails is secure.

Answer: NO. Today pretty much everything can be directed to your emails for e.g. faxes are sent as emails, voice messages are sent as emails etc. To comply with HIPAA, anything sent electronically containing patient health information—image, text or voice, should be encrypted before sending.

All emails with patient health data must be encrypted.

Answer: NO. Email sent within the office using a secure service does not require to be encrypted, having said that emails sent to different branches have to be encrypted in order to remain compliant. As a rule of thumb avoid sending unencrypted email to any friend or staff or business partner on personal email ids.