How to Send PHI Securely by Email: HIPAA Checklist & ePHI Solutions
Healthcare teams exchange sensitive patient data every day. Email is convenient, but without the right safeguards it can expose electronic Protected Health Information (ePHI) to unauthorized access, regulatory fines, and reputational damage. This guide walks IT and compliance teams through how to send PHI securely by email, how to evaluate a secure mailer such as Safe Mailer, and the HIPAA checklist to apply right away.
How HIPAA treats email and encryption
HIPAA’s Security Rule requires covered entities and business associates to put administrative, physical, and technical safeguards in place to protect ePHI. Encryption of ePHI in transit and at rest is an “addressable” implementation specification, which does not mean optional: you must either implement it or document in your risk analysis why it is not reasonable and appropriate and implement an equivalent alternative. In practice regulators expect encryption, and ePHI encrypted in line with HHS guidance is treated as secured, so its loss or misdirection does not trigger breach notification, while unencrypted ePHI does.
Bottom line: treat email that contains PHI as high risk and implement proven encryption plus supporting controls.
What “secure PHI email” needs to cover
To keep PHI safe when emailed, a solution must address these areas:
- Encryption in transit and at rest. Use modern protocols and algorithms (TLS for transport; AES-256 or equivalent for stored data).
- Access control and authentication. Require strong passwords and multi-factor authentication.
- Audit logging and retention. Keep logs that show who accessed what and when.
- Business Associate Agreement (BAA). Use vendors that will sign a BAA.
- User training and policy. Make secure email procedures part of onboarding and recurring training.
These five pillars are the core of HIPAA-compliant email practice.
Why you cannot rely on consumer email alone
Standard consumer email services may use TLS while messages are in transit, but they do not give you control of the keys, audit logs, or a vendor BAA by default. Server-to-server TLS is also usually opportunistic: if the receiving mail server does not offer STARTTLS, the message is delivered in cleartext unless you enforce TLS for that domain (for example with MTA-STS or an enforced-TLS policy on your gateway). For PHI you need more than transport protection; a purpose-built secure mailer or an enterprise-grade encryption layer is the safest route.
Why evaluate Safe Mailer
When evaluating any secure mailer, including Safe Mailer, confirm it provides:
- End-to-end encryption so only the sender and authorized recipient can read the message.
- BAA availability and clear contractual commitments for handling ePHI.
- Seamless user experience so clinicians and staff can adopt it without workflow friction.
- Admin controls and reporting for audits and compliance evidence.
- Retention, archive, and search capabilities that meet your records policies.
If Safe Mailer meets those requirements in its product documentation and will sign a BAA, it can be a practical option. Always validate the vendor’s claims and ask for architecture and encryption details before procurement.
Step-by-step: How to send PHI securely by email
- Classify the message. Identify whether the email contains PHI. If not PHI, follow normal secure email policy. If yes, proceed.
- Choose the secure channel. Use your organization’s approved secure mailer or encrypted gateway. Do not send PHI over unapproved consumer accounts.
- Authenticate the recipient. Verify the recipient’s identity or require a secure portal login. If you cannot verify the recipient, use a patient portal or phone verification instead.
- Encrypt the message and attachments. Ensure the mailer encrypts the body and attachments before they leave your device (client-side encryption), not only once they reach the server.
- Apply access controls and expiration. If the mailer supports it, set message expiration, disable forwarding, or require a passcode.
- Log the transaction. Ensure the send event is logged with sender, recipient, timestamp, and delivery status.
- Document consent or notification. If sending PHI to a patient or third party, document consent when required by your policy.
- Use a non-email channel for high-risk files. For large or especially sensitive files, use secure file transfer or the EHR/patient portal instead of an email attachment, and send only a notification by email.
This workflow reduces the common failure points that lead to breaches.
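The workflow above as a pre-send gate, written as an added example for this article rather than code from any vendor or from Safe Mailer: it classifies an outbound message, enforces the approved channel, checks the recipient domain, and writes an audit record that carries only indicator counts and a content hash, never the PHI itself. The detector patterns, the domain lists, the function names (`classify`, `gate`, `audit_record`) and the sample message are assumptions constructed for the example; a real deployment would use the DLP rules and identity checks your organization has actually approved.

```python
"""Pre-send gate for outbound email that may contain PHI (added example).

Implements the workflow above: classify, enforce the approved channel, check
the recipient, and log the decision. Patterns, domain lists and record format
are assumptions for illustration, not a vendor's implementation.
"""
import hashlib
import json
import re
from datetime import datetime, timezone
from email import message_from_string
from email.message import Message
from email.utils import getaddresses, parseaddr

# Illustrative detectors for common identifiers (constructed; tune them to your
# own record formats and pair them with your DLP product's rules).
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]+\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE),
}
# Assumed policy data: domains covered by a BAA, and consumer mailboxes that
# must only ever receive a portal notification, never the PHI itself.
APPROVED_DOMAINS = {"clinic.example", "partner-lab.example"}
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}


def classify(msg: Message) -> dict:
    """Count PHI indicators in the subject, text bodies and text attachments."""
    texts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            texts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    blob = "\n".join(texts)
    counts = {name: len(rx.findall(blob)) for name, rx in PHI_PATTERNS.items()}
    return {name: n for name, n in counts.items() if n}


def recipients(msg: Message) -> list:
    """All recipient addresses across To/Cc/Bcc, lower-cased."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr.lower() for _, addr in getaddresses(headers) if "@" in addr]


def audit_record(raw: str, msg: Message, decision: str, indicators: dict, reasons: list) -> dict:
    """Who/what/when/outcome. Only counts and a hash are stored, so the audit
    log does not become a second, unprotected copy of the PHI."""
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "sender": parseaddr(msg.get("From", ""))[1].lower(),
        "recipients": recipients(msg),
        "message_id": msg.get("Message-ID", ""),
        "decision": decision,
        "phi_indicators": indicators,
        "reasons": reasons,
        "content_sha256": hashlib.sha256(raw.encode("utf-8")).hexdigest(),
    }


def gate(raw: str, secure_channel: bool) -> dict:
    """Return 'allow' (no PHI), 'allow-secure' (PHI via the approved mailer) or 'block'."""
    msg = message_from_string(raw)
    indicators = classify(msg)
    domains = [a.rpartition("@")[2] for a in recipients(msg)]
    reasons = []
    if not indicators:
        decision = "allow"
    elif any(d in PERSONAL_DOMAINS for d in domains):
        decision, reasons = "block", ["PHI addressed to a consumer mailbox; send a portal notification instead"]
    elif not secure_channel:
        decision, reasons = "block", ["PHI must leave through the approved secure mailer"]
    elif any(d not in APPROVED_DOMAINS for d in domains):
        decision, reasons = "block", ["recipient domain not covered by a BAA; verify the recipient or use the portal"]
    else:
        decision = "allow-secure"
    return {"decision": decision, "indicators": indicators,
            "audit": audit_record(raw, msg, decision, indicators, reasons)}


# Constructed sample message for the demonstration (not real patient data).
SAMPLE_MESSAGE = """\
From: Dr. Lee <lee@clinic.example>
To: Records <records@partner-lab.example>
Subject: Lab follow-up for MRN 00482913
Message-ID: <20240304.1@clinic.example>
Content-Type: text/plain; charset=utf-8

Patient DOB: 04/12/1969, SSN 123-45-6789. Please send the CBC results.
"""

if __name__ == "__main__":
    result = gate(SAMPLE_MESSAGE, secure_channel=True)
    print(result["decision"])
    print(json.dumps(result["audit"], indent=2))
```

Run it as a script to see the decision and the audit record for the sample message. The point to carry over to any real gate is the last branch order: PHI to a consumer mailbox is refused before the channel is even considered, and the audit entry is written for blocked sends as well as allowed ones, since a pattern of blocked attempts is itself a signal worth alerting on.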
HIPAA-compliant email encryption checklist
Technical safeguards
- Encrypt ePHI in transit and at rest. Use TLS 1.2 or later for transport and AES-256 (or equivalent) for stored data.
- Implement MFA for all accounts that access ePHI.
- Use proven key management and, if possible, client-side or end-to-end encryption.
- Maintain system and software patching schedules.
Administrative safeguards
- Conduct and document a Security Risk Assessment (SRA) at least annually and after major changes. Use available HHS tools and guidance.
- Assign roles and least privilege access.
- Train staff on PHI handling and secure email procedures.
Physical safeguards
- Encrypt devices that store email archives and attachments.
- Control physical access to servers or workstations that store ePHI.
Vendor management
- Sign a BAA with any email vendor that handles ePHI. Verify the vendor’s security posture and audit reports.
Monitoring and audit
- Enable logging and alerts for suspicious access and exfiltration attempts.
- Retain logs and message records according to policy and legal requirements.
Use this checklist as the basis for your policies and audits.
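The monitoring items above, made concrete as an added example that is not from the article or any vendor: two alert rules run over JSON-lines audit records of outbound send decisions. The record shape (one line per decision with `sender`, `recipients`, `decision` and per-type `phi_indicators` counts), the one-hour window, the thresholds and the sample log lines are all assumptions constructed for the example. Rule one flags a sender who is blocked repeatedly within the window, which is how a user probing for a way to get PHI to a personal mailbox looks in the log; rule two flags a sender whose allowed PHI volume in the window exceeds a threshold, which is how a bulk export through an otherwise approved channel looks.

```python
"""Alerting over pre-send audit log lines (added example).

Reads JSON-lines records (sender, recipients, decision, phi_indicators) and
raises two alerts: repeated blocked sends by one sender within a window, and
an unusually large PHI volume allowed out for one sender within a window.
Thresholds, window and sample data are assumptions for illustration.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)     # assumed detection window
MAX_BLOCKS = 3                  # blocked attempts per sender per window
MAX_PHI_SENT = 30               # PHI identifiers allowed out per sender per window

# Constructed sample audit lines: a clinician with routine traffic, and a temp
# account that is blocked three times and then pushes a bulk export.
SAMPLE_LOG = """\
{"ts": "2024-03-04T09:00:00+00:00", "sender": "lee@clinic.example", "recipients": ["records@partner-lab.example"], "decision": "allow-secure", "phi_indicators": {"mrn": 1}}
{"ts": "2024-03-04T09:05:00+00:00", "sender": "lee@clinic.example", "recipients": ["records@partner-lab.example"], "decision": "allow-secure", "phi_indicators": {"mrn": 1}}
{"ts": "2024-03-04T10:30:00+00:00", "sender": "lee@clinic.example", "recipients": ["lee@clinic.example"], "decision": "allow", "phi_indicators": {}}
{"ts": "2024-03-04T17:40:00+00:00", "sender": "temp@clinic.example", "recipients": ["someone@gmail.com"], "decision": "block", "phi_indicators": {"ssn": 3}}
{"ts": "2024-03-04T17:42:00+00:00", "sender": "temp@clinic.example", "recipients": ["someone@gmail.com"], "decision": "block", "phi_indicators": {"ssn": 3}}
{"ts": "2024-03-04T17:45:00+00:00", "sender": "temp@clinic.example", "recipients": ["other@outlook.com"], "decision": "block", "phi_indicators": {"ssn": 3}}
{"ts": "2024-03-04T18:00:00+00:00", "sender": "temp@clinic.example", "recipients": ["a@partner-lab.example", "b@partner-lab.example", "c@partner-lab.example"], "decision": "allow-secure", "phi_indicators": {"mrn": 40}}
"""


def parse_log(text: str) -> list:
    """Parse JSON lines, attach a datetime, and return events in time order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["_ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return sorted(events, key=lambda e: e["_ts"])


def _prune(q: deque, now: datetime) -> None:
    """Drop entries older than WINDOW from the front of a (ts, count) deque."""
    while q and now - q[0][0] > WINDOW:
        q.popleft()


def detect(log_text: str) -> list:
    """Return alert dicts for the two rules; each fires once per burst."""
    alerts = []
    blocked = defaultdict(deque)   # sender -> deque of (ts, 1)
    sent = defaultdict(deque)      # sender -> deque of (ts, phi_count)
    for event in parse_log(log_text):
        sender, now = event["sender"], event["_ts"]
        phi = sum(event.get("phi_indicators", {}).values())
        if event["decision"] == "block":
            q = blocked[sender]
            q.append((now, 1))
            _prune(q, now)
            if len(q) >= MAX_BLOCKS:
                alerts.append({"rule": "repeated_blocks", "sender": sender, "ts": event["ts"],
                               "detail": f"{len(q)} blocked PHI sends within {WINDOW}"})
                q.clear()
        elif phi:
            q = sent[sender]
            q.append((now, phi))
            _prune(q, now)
            total = sum(count for _, count in q)
            if total >= MAX_PHI_SENT:
                alerts.append({"rule": "bulk_phi", "sender": sender, "ts": event["ts"],
                               "detail": f"{total} PHI identifiers to "
                                         f"{len(event['recipients'])} recipients within {WINDOW}"})
                q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(json.dumps(alert))
```

Both rules read only the counts the gate recorded, so the alerting pipeline never needs access to the PHI either; the thresholds are the part to tune per department, since a billing team legitimately sends more identifiers per hour than a single clinician.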
Example vendors and tools to consider
- Safe Mailer. Evaluate for end-to-end encryption, BAA, admin controls, and ease of use. Confirm the vendor will sign a BAA and provide architecture details.
- Paubox and other healthcare-focused email platforms. These vendors publish HIPAA-specific guidance and often offer turnkey compliance features.
- Secure gateways and portals. For some use cases, a secure patient portal with message notifications can be safer than sending PHI to external inboxes.
- Encryption add-ons like client-side solutions, when integrated cleanly into your mail flow.
Do not pick a vendor solely on marketing claims. Require documentation, third-party audit reports, and a signed BAA.
Common pitfalls and how to avoid them
- Pitfall: Sending PHI over personal email accounts. Fix: Block export of PHI to personal addresses and require use of approved mailers.
- Pitfall: Relying on TLS only. Fix: Use end-to-end or client-side encryption, and ensure data at rest is encrypted.
- Pitfall: No audit records. Fix: Enable logging and make reporting part of regular compliance reviews.
- Pitfall: Using vendors that will not sign a BAA. Fix: Remove or replace those vendors immediately for any PHI handling.
Avoid these common failures, and your risk profile will drop significantly.
Final recommendations
- Run or update your Security Risk Assessment. Focus on email flows that handle PHI. Use HHS and health IT guidance.
- Pilot Safe Mailer or another vetted secure mailer with one department and validate BAA, encryption claims, logging, and user experience.
- Create an enforceable email policy that requires approved channels for PHI and defines roles and training schedules.
- Require MFA and device encryption for staff who handle PHI.
- Document everything so you can demonstrate compliance in audits.
Closing
Protecting PHI in email is both a legal obligation and a trust issue. Use this HIPAA checklist and follow the workflow above to reduce risk. If you plan to adopt Safe Mailer, verify the encryption architecture, request a BAA, and pilot the product before organization-wide rollout. When secure tools, documented policy, and staff training work together, you can safely use email without putting patients at risk.