Is Email HIPAA Compliant? How to Send HIPAA Compliant Emails

Posted by Michael Hsu on 5/22/20 1:00 PM
Michael Hsu

Recent events have shown us that in-person visits to the doctor’s aren’t always a viable option. The COVID-19 outbreak presented many challenges for countries all over the world and their healthcare systems. 

Among the many challenges healthcare professionals face an emergency situation, like the COVID-19 pandemic, is the need to find a suitable solution that would enable them to communicate with patients and share protected health information (PHI) in a HIPAA compliant manner. 

For most people, the first communication channel that comes to mind is email. This shouldn’t come as a surprise since most businesses are already using email for all sorts of internal and client communication. 

You’re already using email, and so are your clients, so it makes perfect sense, right? There’s no need to search for a new solution, download an app, or set up a new system. That said, there are quite a few conditions that need to be met before you can even consider sending out emails with sensitive medical information. 

On average, over 200 billion emails are exchanged on a daily basis, and a good portion of them — those including PHI — need to be HIPAA compliant. Let’s take a closer look at what conditions must be met before the emails you send to your patients or that you staff members exchange can be considered HIPAA compliant.

Is email HIPAA compliant?

Debates regarding HIPAA compliance of email have been raging ever since changes to the Health Insurance Portability and Accountability Act (HIPAA) were first introduced back in 2013. 

Despite various interpretations, The Security Rule clearly states that all forms of communication must be accompanied by the “appropriate administrative, physical, and technical safeguards” as a way to ensure the confidentiality and integrity of ePHI.

Whereas the rule doesn’t explicitly prevent healthcare providers from using email as a means of communication and sharing PHI, it does enforce several requirements. Healthcare providers must implement access control, ID authentication, and provide audit, integrity, and transmission control mechanisms to:

  1. Restrict access to PHI
  2. Continuously monitor how PHI is transferred
  3. Introduce message accountability and integrity of PHI at rest
  4. Prevent unauthorized access

This suggests that, in theory, emails can be made HIPAA compliant. It’s just that you will likely need an IT wizard to properly configure the emails before you can use them as a HIPAA compliant communication channel. The trouble is, most consumer email providers, like Gmail and Yahoo, don’t offer sufficient security mechanisms necessary to meet the HIPAA requirements. 

The only option healthcare professionals have is seeking out email providers that offer these advanced security mechanisms and entering a Business Associate Agreement (BAA) with them.

Email providers that offer HIPAA compliant email services





VM Racks



MD OfficeMail


Protected Trust

Signing a Business Associate Agreement with your email provider

HIPAA rules and regulations require you to enter a BAA with an email service provider if you intend to use the email service to share electronic protected health information (ePHI). This isn’t the case only for email but any third-party service provider that offers communication services to healthcare professions.

The need for an associate agreement stems from the fact that your business associates — the email provider in this instance — need to follow the same HIPAA standards when handling PHI. The agreement outlines their responsibilities and ensures that they are capable of providing mechanisms required to protect sensitive health information. This includes:

  • Technical safeguards
  • Administrative safeguards
  • Physical safeguards

It’s important to note that a BAA isn’t optional. If the email provider doesn’t want to sign the agreement with your practice, that simply means they’re unable to fulfill the HIPAA requirements. Another thing to keep in mind is that, apart from an IT expert who will need to properly configure the emails, you will likely need to consult a lawyer who specializes in medical law before you can start sending out emails containing PHI.

During the COVID-19 pandemic, the U.S. Department of Health and Human Services (HHS) issued a Notification of Enforcement Discretion, allowing for temporary use of non-compliant solutions during the crisis. 

A crucial thing to remember is that this is merely an exception, and it does not excuse failing to comply with HIPAA regulations in the future. If you continue to use email in the future, keep in mind that penalties for email HIPAA violations can be rather severe.

Penalties for email HIPAA violations



Violations that couldn’t have been avoided with reasonable care

$100 – $50,000

HIPAA violations despite reasonable care

$1,000 – $50,000

Willful neglect — corrected with reasonable time

$10,000 – $50,000

Willful neglect — not corrected

$50,000 – $1,500,000

Despite the fact that this legislation allows for the use of non-compliant solutions during the COVID-19 pandemic, compromising the medical information of your patients in any way will do irreparable damage to the reputation of your practice. Although you may avoid the fines, you will still lose a ton of money when the patients learn your communication channels aren’t secure and start switching to other healthcare providers.

What would constitute a HIPAA compliant email practice? 

Even after you’ve found a HIPAA compliant email service provider and signed an agreement with them, the necessary work before you can start using emails to send PHI is far from over. There are still multiple areas you need to take care of:

  1. Ensure end-to-end encryption
  2. Figure out how to retain emails
  3. Create strict policies and train your staff
  4. Obtain patient consent

End-to-end encryption

When it comes to the HIPAA Security Rule, the encryption of medical data is of utmost importance. The rule states that messages must be encrypted both in transit and when messages are stored. 

Even if a service provider has the capabilities to encrypt the emails you send in transit, you must also have access controls in place that ensure only the intended recipient and the sender have access to the emails containing PHI. 

Note that some service providers allow you to encrypt the emails you send but do not do this by default. In these cases, you must either:

  • Manually select to have the email encrypted before sending it 
  • Or enable the option to encrypt all emails — if such an option exists — to eliminate the human error factor from the equation

The type of encryption is something to consider as well. Note that, as technology advances, new encryption standards become available. It’s always best to consult the National Institute of Standards and Technology and inquire about the latest recommended encryption standards. 

If you don’t have a dedicated IT expert who could integrate those standards with your emails, make sure to check what type of encryption the email service provider is offering before opting to use their services. 

Email retention

Although HIPAA rules don’t specifically address email retention, they do require healthcare providers to have a backup archive, so data can be separately stored, accessed, and recovered in case of an emergency. This means you’ll have to find a separate solution, apart from the HIPAA compliant email service provider, that will enable you to store the PHI shared via email.

From a legal standpoint, you should also figure out how to retain the emails themselves. This is the case because individuals may request information regarding the disclosure of PHI and if legal action is taken against your practice, you may have to provide all the relevant email communication. 

Storing all email communication, including all the attachments, such as health records and visit summaries, takes a lot of storage space. 

Depending on where your practice is located, state laws may also require you to store the emails for a certain period of time, so it’s highly advisable to consult a lawyer before you send out a single email that contains PHI. 

With a comprehensive, fully HIPAA compliant solution, like Curogram, you don’t have to bang your head against the table to figure out how to store large amounts of data. Curogram uses automatic backups on AWS (Amazon Web Services) servers, which you can easily access in an emergency. 

Creating strict policies and training your staff

After implementing a HIPAA compliant email service, you need to develop strict policies that clearly define how email should be used and for what purposes. Your staff should be properly trained on how to send encrypted emails in accordance with HIPAA rules and regulations. Every employee should be fully aware of their individual responsibilities, as well as the consequences that may arise as a result of data breaches. 

Human errors cannot be tolerated when sending ePHI via email, so the policies you implement need to ensure that the right information is always sent to the right recipient using the necessary encryption methods. 

Obtaining patient consent

Even if your emails are fully HIPAA compliant, you can’t start sending ePHI to patients out of the blue. You must first introduce them to the dangers and risks of communicating protected health information via email and obtain their explicit, written consent. Only after the patients have accepted the associated risks with email communication can you start sending emails containing PHI without violating any HIPAA rules and regulations. 

Apart from all these requirements, there are two more considerations when using email to provide remote health services. Make sure to protect your email account with a strong password and two-way authentication to prevent unauthorized access. Consider including disclaimers in your emails as a means of notifying the patients that the message contains PHI and they should view it at their own discretion, rather than on public PCs and unsecured networks. 

Curogram as a fully HIPAA compliant alternative to email

Curogram offers a 100% secure, fully HIPAA compliant two-way messaging platform that enables healthcare professionals to quickly and easily interact with their patients without having to worry about the underlying technical aspects.

That’s just one of Curogram’s functionalities — it also enables HIPAA compliant staff messaging and HIPAA compliant texting allows you to set up a virtual clinic that enables you to admit patients online. 

As we’ve mentioned, email might seem like a quick and easy solution on paper, but considering the amount of time and effort necessary to ensure your emails are HIPAA compliant, it’s miles away from being the best solution. 

Even with all the HIPAA rules and regulations taken care of, you’ll still encounter multiple problems and hurdles when using email to communicate with your patients. The prevalent issues with email include:

  1. There is no EHR integration 
  2. It’s extremely time-consuming and distracting 
  3. There’s no video appointment capability

Email doesn’t integrate with EHR

Patients may send you emails regarding their conditions, prescriptions, treatments, and appointments. You might also receive test results from labs or share PHI with a specialist via email. 

Whether you provide medical advice or simply share medical information via email, apart from ensuring the communication is HIPAA compliant, you’ll also need to worry about entering the data into your EHR. 

Curogram EHR integrations







Practice Fusion




See More Integrations Here

This could be tedious since your employees would have to manually input all the information, taking valuable time they could be spending treating patients and wasting it on administrative tasks. Curogram integrates with over 700 EHRs, eliminates redundant administrative work, and allows you to focus on doing what you do best — helping people in need. 

Email communication is overwhelming and time-consuming

Apart from asking yourself whether or not you can use emails in a HIPAA compliant way, you should also consider how efficient email communication is in the first place. 

When you use email to allow patients to schedule and reschedule visits, as well as send out appointment reminders, what benefits do you gain compared to doing it over the phone? If anything, you’re only creating more work for your employees and making it more difficult for patients to get in touch with your practice. 

Realistically, only one person should manage your organization’s email account. This means they would have to dedicate most, if not all, of their time to handling all email communication — both direct communication with the patients and exchanging information with other staff. 

They would have to keep track of dozens, if not hundreds of email chains, which can be quite overwhelming, not to mention the fact that emails might get lost. It would also take a while to answer all the customer emails, especially if you need to request additional information from your patients. 

If you choose to rely on email as the primary form of staff communication, every employee will have to regularly check their inbox to see if they received any messages. This can be quite distracting and will likely hinder the performance of your employees. 

That’s why email isn’t a viable communication channel — it’s just too clunky and inefficient. Curogram offers a much better alternative — a solution that’s specifically designed with the needs of medical professionals in mind that enables fast, secure, and HIPAA compliant staff and doctor-to-patient communication, all from a single dashboard. 

Email has no video consulting capability

During the COVID-19 pandemic, the need to implement mechanisms that would allow healthcare professionals to treat their patients remotely became rather obvious. That said, remote healthcare services aren’t simply a necessity in extreme situations. 

Now that people are aware of the capabilities of telemedicine and the fact that they could schedule and attend appointments online without ever having to leave their home, they will expect remote healthcare services. 

The golden standard of telemedicine is video calls. Telemedicine is based on the idea of convenience. Patients are highly unlikely to sit down and take half an hour writing an email to their doctor when they can just hop on a video call and get medical advice and treatment within minutes. 

Curogram’s telemedicine platform enables patients to instantly get in touch with their healthcare providers and receive medical care in the most convenient way possible. All they have to do is click a link that you can send them in an SMS via our secure two-way messaging platform, and spend a few minutes in the waiting room before an available doctor attends to them.

The bottom line is — email still has its uses as a communication channel, but there are far more efficient solutions for healthcare professionals that ensure HIPAA compliant staff and doctor-to-patient messaging. 

Ensure a quick and successful telemedicine start with Curogram

Whether you want to transition to telemedicine completely or offer virtual appointments as an addition to your services — Curogram is the perfect, fully HIPAA compliant solution. 

The main appeal of Curogram comes from the following facts:

  • It’s easy for patients to use
  • It’s easy for doctors and medical staff to use
  • It provides an environment your employees are used to working in

Curogram is easy for patients to use

Patients don’t have to worry about downloading different apps, checking notifications, going through complex processes to set up their accounts, or anything of the sort. With Curogram, they receive a simple text message with a link they can click to join the virtual waiting room and attend an online appointment. 

As we’ve mentioned, Curogram offers a two-way messaging platform, so patients can simply respond to the message if they need to reschedule or have any questions prior to the appointment. 

They can easily download the Curogram patient app with a single click and receive all the medical information, such as prescription and visit summaries, as downloadable files. 

Curogram is easy for doctors and medical staff to use

With Curogram, you do everything from a single, intuitive, browser-based dashboard. You can see all your colleagues that are online, quickly exchange medical information with them in a secure environment, message patients, and initiate video chats. 

The best part about it is the fact that, once you send the visit summary to the patient, you’re done. Curogram integrates with your EHR and automatically enters all the relevant medical data, so you don’t have to waste time on administrative tasks. 

Curogram provides an environment your employees are used to working in

Our platform mimics the same workflows of in-person visits. You can see all the patients in the virtual waiting room and even create multiple online clinics based on types of medical conditions and assign appropriate doctors and MAs to them. 

The MAs can prep the patients before the doctors take over by having them fill the intake forms and requesting additional medical information when necessary. Each of your employees can see how long every patient has been in the waiting room, and available doctors can tend to patients as soon as they are ready for the video chat. 

This enables doctors to focus on treating the patients, while the MAs take care of the preparation and visit summaries, increasing their productivity and allowing each doctor to admit up to 40 patients a day. 

Have a successful telemedicine start with a robust, HIPAA compliant solution that takes care of all the technical aspects for you, so you can give undivided attention to your patients. 

Wondering if other solutions are HIPAA compliant?

Are they HIPAA compliant?

Is Zoom HIPAA Compliant?

Is RingCentral HIPAA Compliant?

Is WhatsApp HIPAA Compliant?

Is Google Hangouts HIPAA Compliant?

Is FaceTime HIPAA Compliant?

Is GoToMeeting HIPAA Compliant?

Is Google Voice HIPAA Compliant?

Is HelloFax HIPAA Compliant?

Is eFax HIPAA Compliant?

Is Facebook Messenger HIPAA Compliant?

Is Skype HIPAA Compliant?

Is Texting HIPAA Compliant?

Is Slack HIPAA Compliant?


Topics: HIPAA, email

Patient 2-Way Texting

Curogram provides “All-In-One” texting and HIPAA compliant messaging platform for independent practices, physician groups, and clinically integrated networks.

Subscribe Here!

Recent Posts