Back to blog home
Contrary to popular belief, standard email is not secure enough for healthcare information, nor is it the most efficient tool for healthcare communication. Implementing HIPAA compliant email requires significant additional work for your practice and is not the most effective way to communicate with patients.
Let’s take a look at some background before we dive into why HIPAA compliant texting makes more sense.
Is using an email address to communicate with patients HIPAA compliant?
In most cases, no. Standard email is not HIPAA compliant out of the box. While it’s convenient, email lacks the necessary encryption, access controls, and audit capabilities required by the HIPAA Security Rule. Unless your email service is configured specifically for HIPAA compliance, and you’ve signed a Business Associate Agreement (BAA) with the provider, sending protected health information (PHI) over email can be a serious violation.
There are exceptions, such as when a patient explicitly consents to receiving unencrypted emails. However, this approach still requires careful documentation and clear communication about the risks involved. For providers, the burden of compliance, patient education, and risk management makes email a poor fit for healthcare communication compared to purpose-built HIPAA compliant texting platforms.
HIPAA compliance explanations per email provider
Not all email platforms are created equal when it comes to HIPAA compliance. To legally send or receive protected health information (PHI), your platform must offer encryption, access control, and, most importantly, sign a Business Associate Agreement (BAA). Here’s how the most popular providers stack up:
Gmail (Google Workspace)
- HIPAA compliant? Yes, with configuration
- You must be a paid Google Workspace user.
- Google will sign a BAA with covered entities.
- Admins must configure email routing rules and enforce TLS encryption.
- Users must still obtain patient consent when sending unencrypted emails.
Outlook/Exchange Online (Microsoft 365)
- HIPAA compliant? Yes, with configuration
- Microsoft offers a BAA for Microsoft 365 accounts.
- Admin settings must enforce encryption, and staff should be trained on secure use.
- As with Gmail, you must obtain patient consent for unencrypted communication.
Yahoo Mail
- HIPAA compliant? No
- Yahoo does not offer HIPAA-compliant email services or sign BAAs.
- No end-to-end encryption or admin controls that meet HIPAA standards.
Apple iCloud Mail
- HIPAA compliant? No
- Apple does not sign BAAs and explicitly states its services are not HIPAA compliant.
- Not designed for enterprise-level healthcare use.
ProtonMail (now Proton Mail)
- HIPAA compliant? Not fully
- ProtonMail offers end-to-end encryption but does not sign BAAs.
- It may be more secure than most, but without a BAA, it does not meet HIPAA requirements.
Zoho Mail
- HIPAA compliant? Partially
- Zoho offers HIPAA-friendly settings and a BAA—but only for certain enterprise plans.
- Additional configuration is required to ensure compliance.
GoDaddy Email
- HIPAA compliant? No
- GoDaddy does not sign BAAs.
- No support for HIPAA-grade encryption or healthcare-specific protections.
- Not designed for handling PHI and not recommended for healthcare providers.
What is HIPAA compliance?
In 1996, President Bill Clinton signed the Healthcare Insurance Portability and Accountability Act (HIPAA) legislation into law to “improve the portability and accountability of health insurance coverage”. Later in 2003, the US Department of Health and Human Services created the first HIPAA Privacy and Security Rules.
The Privacy Rule outlined the proper treatment and sharing of protected health information (PHI), defined as “any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual”.
In combination with the Privacy Rule, the Security Rule “establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity”. In essence, it becomes the duty of any covered entity to ensure the security of patient information.
Today, HIPAA compliance takes measures to prevent unauthorized users from gaining access to private health information. Fining noncompliant organizations up to $50,000 per incident and granting individuals the right to pursue legal action help ensure patients’ medical information is safe at all times. So, maybe you want to have a HIPAA compliant email option at your practice. But do you need to be HIPAA compliant?
Who does HIPAA apply to?
All healthcare providers who transmit health information are considered a covered entity. This means that all healthcare providers are subject to HIPAA regulations. The HIPAA Privacy Rule and the Security Rule applies to all providers, health insurance companies and employees, and any entities that handle PHI.
Healthcare providers include all “providers of services” (such as institutional providers like hospitals) and “providers of medical or health services” (including non-institutional providers such as physicians, dentists, and other practitioners).
Unfortunately, email is generally not encrypted, and does not meet the requirements that HIPAA rules set. Rather, the transmission of information must adhere to an additional layer of security set by HIPAA guidelines.
HIPAA compliant email
Email was designed for message delivery, not security. This means using this service for the transaction of medical information does not guarantee HIPAA compliance.
Google, for example, has admitted to allowing other companies to scan and share email information from Gmail. When we use email platforms for personal purposes, this is more so annoying than troubling. But if email is being used to disclose health information, the sharing of this data is highly concerning, and easily becomes a HIPAA violation.
How would your patients feel if they discovered your use of Gmail may be exposing their medical information to third-party developers? They’d likely be pretty unhappy.
Making standard email HIPAA compliant is a long and arduous process. From becoming a paid Gmail customer and signing a BAA with Google, to getting patient consent and warning patients of insecure email, there are many nuances to making email HIPAA compliant. Not to mention the valuable time spent training staff about your expectations of email communication and the dangers of phishing.
Alternatively, you can make use of a HIPAA compliant secure messaging platforms and save your healthcare organization time and energy.
Implementing HIPAA compliant texting
Email is no longer the standard for communication, so HIPAA compliant secure email should not be your primary method of patient communication.
Texting is now the go-to form of communication. In fact, in 2019, around 18.1 million text messages were sent every minute. Moreover, a recent study found 62% of patients prefer text message communication over traditional methods.
A HIPAA compliant texting solution takes advantage of patents’ desire to text. With a HIPAA compliant texting service, a healthcare provider would be able to securely message patients within minutes. And the best part is that compliance has been accounted for. This is because platforms, like OhMD, were made with HIPAA requirements in mind.
Patients can easily contact their provider with questions regarding treatment plans, medication, and overall health. Better yet, they can expect to hear back within minutes.
How OhMD can help your healthcare organization
OhMD offers a mobile app and a web-based platform to provide seamless communication between patient and provider. We are also able to offer a higher level of security when compared to a HIPAA compliant email service. Additionally, OhMD has a variety of tools to improve communication throughout your entire organization.
- Two-way Messaging: Use secure messaging to contact patients or colleagues instantly without worrying about security. We use encryption on all messages in transit and at rest, ensuring patient data security at all times.
- Live Website Chat: Allow patients to set up an appointment or ask a question quickly and easily through our live chat feature.
- File Delivery: Share X-rays, insurance information, or pictures with patients and colleagues in seconds. OhMD encrypts all shared files, ensuring only authorized user can access the files.
- Broadcast and Reminder System: Send individual appointment reminders or broadcast a change in your practice to several patients at once.
- Autopilot: Put your most common patient requests on an automated workflow. Give patients the care they need while reducing the manual efforts by staff members.
To learn more about OhMD’s HIPAA compliant messaging solution, schedule a demo today!
