Article
Healthcare tech

Is Email HIPAA Compliant?

July 2, 2019
·
5 min read
Last updated on
Is Email HIPAA Compliant?
Table of contents
What workflows
Phone calls

For healthcare providers, understanding HIPAA compliant email is an important part of patient communication in the digital age. The short answer to the question “is email HIPAA compliant?” is no. At least, not without putting strong cybersecurity protections in place alongside proper HIPAA authorizations. However, there are some simple solutions that can help your practice eliminate the issue of HIPAA compliant email and save your staff valuable time.

This article will provide a brief walkthrough of some of the things you can do when considering HIPAA compliant email options — or whether there are more efficient messaging solutions that can benefit your practice.

HIPAA regulation sets specific standards that healthcare providers must address in order to ensure the privacy and security of protected health information (PHI). PHI is any demographic information that can be used to identify a patient. Common examples of PHI include a patient’s name, address, date of birth, Social Security number, telephone number, financial information, insurance ID, or any part of their medical record, to name a few. Any PHI that is communicated in a digital format is considered electronic PHI (ePHI).

The HIPAA Security Rule sets technical safeguards that healthcare providers should have in place, particularly when sending and receiving any form of ePHI. Below, we discuss some of those HIPAA secure email requirements and how you can address them.

HIPAA Compliant Email Requirements

If your practice chooses to use email to communicate with patients, you may be putting yourself at risk of a data breach or HIPAA violation. Unfortunately, free email service providers cannot be used to transmit data in a HIPAA-compliant manner. That includes services like Gmail, Yahoo, or HotMail. These do not allow users to implement the suitable security settings for sending or receiving ePHI, and should be avoided.

Some of the requirements for making your email HIPAA compliant include:

  • End-to-end encryption (E2EE): HIPAA secure email requirements state that all communications conducted over an electronic medium must meet end-to-end encryption requirements. E2EE is a type of encryption, which ensures that only the sender and intended recipient of an electronic message can view the contents of that communication. This may sound rudimentary, however a message sent without E2EE may be intercepted at any time during its transmission. That’s because emails are stored on third-party servers managed by the email service provider. If that service provider experiences a data breach or a hacker gains access to that server, that could mean that any ePHI you’ve sent has been compromised. E2EE ensures that emails containing ePHI can only be accessed by an authorized sender and recipient.
  • Patient authorization: Before any ePHI may be communicated via email, providers must obtain the explicit written consent of each patient with whom they are looking to share ePHI over email. This consent must be obtained via a signed patient authorization form. It’s best to include such authorizations during patient intake.
  • Business associate agreement (BAA): Before sending or receiving any ePHI via email, your practice must execute a business associate agreement (BAA) with your email provider. A BAA is a legally binding agreement, which protects an organization against liability in the event of a data breach caused by a third party with whom they have shared ePHI. BAAs must be in place before any ePHI may be exchanged over email. Failing to execute a BAA means that your practice may be held liable if your email service provider experiences a data breach exposing your patients’ ePHI — even if you had nothing to do with the breach in the first place.

Understanding your HIPAA requirements regarding the use of email to share patient information is critical to protecting your practice from data breaches, federal fines, and patient attrition. Implementing these measures may be costly and time-consuming, but they are required in order to protect your hard-fought reputation against the rising threats of HIPAA fines and data breaches.

Secure Messaging: The Smarter Solution to Email

Secure messaging apps are the best solution to the insecure and complicated issues of email. Unlike email, an effective secure messaging platform will give your practice the ability to send and receive patient data right out of the box, all without having to spend hours configuring security frameworks and working with costly security consultants.

Secure messaging platforms:

  • Give you the power to communicate with patients without worrying about security issues endemic to email
  • Save your practice the hassle of managing email follow-up
  • Boost patient engagement
  • Increase patient retention and loyalty

Klara is a HIPAA compliant secure messaging app that gives you the tools you need to effectively communicate with patients, all while transforming the way you do business. Rather than relying on outdated email or cumbersome patient portals, Klara gives you the ability to text your patients and for them to text you back.

Secure messaging apps like Klara can be used to complete patient intake, gather insurance information, and save your staff hours per day. Klara integrates with your practice’s phone system and website, unifying your patient communications to cut down on email follow-up and phone tag.

Klara centralizes the different channels patients use to reach out, so it's easy for practices to quickly respond to patients. Klara also simplifies how teams coordinate with (and about) patients, with workflow features that streamline the patient intake process and help teams efficiently triage incoming messages. Rather than scattered email mailboxes to manage and check, Klara gives each staff member a dedicated inbox, all managed and monitored by a practice administrator.

To find out more about how Klara can streamline your patient engagement, click here to schedule a time with one of our practice advisors.

Share this article

Frank Sivilli

Former Content Marketing Manager at Klara. He specializes in reporting on trends in healthcare technology, regulatory compliance, data privacy and security, and more.

Related resources
Article
Patient satisfaction
How a Two-Way Messaging Platform Can Help Practices
How a Two-Way Messaging Platform Can Help Practices
Learn more about how Klara can improve your practice’s efficiency
Book a demo
Read our latest articles
Klara Recognized as a Top Healthcare Product in G2’s 2025 Best Software Awards
Article
Klara announcements

Klara Recognized as a Top Healthcare Product in G2’s 2025 Best Software Awards

Leading patient communication platform among the best in the Healthcare Products category

April 23, 2025
·
2
min
read
Read more
GI Alliance to Implement Klara Solution to More than 15 Million Customers Across the Country
Article
Klara announcements

GI Alliance to Implement Klara Solution to More than 15 Million Customers Across the Country

GI Alliance, a leader in managed gastrointestinal healthcare practices, has integrated Klara, a top patient communication and engagement platform, into its operations.

August 23, 2024
·
3
min
read
Read more
Klara Earns High Performance Recognition in G2 Market Reports
Article
Klara announcements

Klara Earns High Performance Recognition in G2 Market Reports

Klara’s software solution was named a top performer in the Spring 2024 G2 Market Reports, including for best estimated ROI in the small-business results index for HIPAA Compliant Messaging.

May 17, 2024
·
2
min
read
Read more

Are you experiencing

Call Chaos?

The impact might be bigger than you think

Learn more