HIPAA Email Rules

HIPAA stands for the Health Insurance Portability and Accountability Act, introduced by the U.S. Congress in 1996. The purpose of the act was to improve the efficiency of health care organizations and to protect the data and protected health information (PHI) of individuals.

Soon after the act came into force, the Privacy Rule was introduced under it. The Privacy Rule regulates the use and disclosure of an individual's data, whether verbal, written, or electronic (including email and file transfer).

All covered entities and business associates have to follow this rule. The rule introduced later under HIPAA was the Security Rule. The Security Rule defines the security standards for the management of PHI in electronic form (ePHI) by health care providers, health plans, and health care clearinghouses.

Neither the Privacy Rule nor the Security Rule under HIPAA prohibits the use of email for sending ePHI. What does need to be considered when sending PHI through email is the security and privacy of the individual's PHI.

HIPAA sets several rules for email, and these rules need to be followed to protect ePHI. They are set by the HIPAA Security Rule and were updated by the Omnibus Final Rule. An organization that fails to comply with the HIPAA email regulations while sending ePHI online faces heavy fines and penalties.

HIPAA email rules require health care organizations to safeguard, secure, and keep ePHI confidential while transferring it online. Covered entities should meet the points below to safeguard ePHI transferred through email.

  • Restrict access to PHI
  • Monitor how PHI is communicated
  • Ensure the integrity of PHI at rest
  • Ensure 100% message accountability, and
  • Protect PHI from unauthorized access during transit

Below we have mentioned two important rules that need to be followed when sending PHI through email:

  1. Encryption Requirements
  2. Secure Messaging Solutions

Encryption Requirements

If an email that contains PHI is sent beyond the covered entity's firewall, it must be protected with encryption. Only the message content is protected by encryption in transit, so covered entities should never put a patient's name or other PHI in the subject line of an email, where the information could easily be viewed by unauthorized individuals.
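The point above is one an outbound mail gateway can enforce mechanically: with message-level encryption (S/MIME per RFC 8551 or PGP/MIME per RFC 3156) the body travels inside an encrypted envelope, but the Subject and other headers are still plain text. The following Python is an added example and is not part of the original article or of any HIPAA guidance; `check_outbound`, `build_sample`, the internal domain `hospital.example`, and the MRN and date-of-birth patterns are assumptions constructed for illustration, and the "encrypted" sample carries a placeholder envelope rather than real ciphertext.

```python
"""Outbound e-mail check for PHI-bearing messages (added example).

Assumes an outbound gateway hands each message to check_outbound() before
relaying it. External messages must carry an end-to-end encrypted body and
a Subject line free of PHI indicators, because headers are never covered
by message-level encryption.
"""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import getaddresses

# Constructed PHI indicators for the demonstration only; a real deployment
# would use the organisation's own identifier formats and a fuller ruleset.
PHI_PATTERNS = {
    "medical record number": re.compile(r"\bMRN[-\s]?\d{6,}\b", re.IGNORECASE),
    "date of birth": re.compile(r"\bDOB[:\s]+\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE),
}


def body_is_encrypted(msg):
    """True when the top-level MIME type is an end-to-end encrypted envelope."""
    ctype = msg.get_content_type()
    if ctype == "application/pkcs7-mime":
        # S/MIME uses the same type for signed-only data, so check smime-type.
        return msg.get_param("smime-type") == "enveloped-data"
    return ctype == "multipart/encrypted"  # PGP/MIME


def phi_in_header(value):
    """Return the names of PHI patterns that match a clear-text header value."""
    return [name for name, rx in PHI_PATTERNS.items() if rx.search(value or "")]


def check_outbound(raw_bytes, internal_domain):
    """Decide whether a message may leave the organisation.

    Returns (allowed, reasons). Internal-only mail passes unchanged; mail with
    any external recipient must have an encrypted body and a clean Subject.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    header_values = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    addrs = [addr for _, addr in getaddresses(header_values)]
    external = [a for a in addrs if not a.lower().endswith("@" + internal_domain)]

    reasons = []
    if external:
        if not body_is_encrypted(msg):
            reasons.append("external recipient but body is not encrypted")
        hits = phi_in_header(str(msg["Subject"]))
        if hits:
            reasons.append("PHI in clear-text Subject: " + ", ".join(hits))
    return (not reasons, reasons)


def build_sample(subject, to, encrypted):
    """Construct a sample message. The 'encrypted' variant carries a placeholder
    S/MIME enveloped-data part (constructed bytes, not real ciphertext)."""
    msg = EmailMessage()
    msg["From"] = "clinic@hospital.example"
    msg["To"] = to
    msg["Subject"] = subject
    if encrypted:
        msg.set_content(b"<placeholder enveloped-data>",
                        maintype="application", subtype="pkcs7-mime",
                        params={"smime-type": "enveloped-data", "name": "smime.p7m"})
    else:
        msg.set_content("Plain-text appointment details.")
    return msg.as_bytes()


if __name__ == "__main__":
    for subj, to, enc in [("Follow-up", "a@partner.example", True),
                          ("MRN-123456 results", "a@partner.example", False),
                          ("MRN-123456 results", "nurse@hospital.example", False)]:
        print(subj, "->", to, check_outbound(build_sample(subj, to, enc), "hospital.example"))
```

Note that the encrypted external message is accepted only because its Subject is clean; the same envelope with an MRN in the Subject is still rejected, which is exactly the failure mode the paragraph warns about.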

Secure Messaging Solutions

HIPAA supports Bring Your Own Device (BYOD) policies. Health care workers can use their own personal devices as part of their daily work, but they are required to use secure messaging solutions. With a secure messaging solution, all activity on the platform is recorded and an audit trail is maintained. All emails sent through the secure messaging solution are encrypted, and messages cannot be sent outside the organization's secure network.

HIPAA does not prohibit the use of email for sending ePHI, but it requires covered entities to protect, secure, and keep ePHI confidential while transferring it online.