Email Encryption and Maintaining HIPAA Compliance

October 18, 2019

We use email every day, and it’s easy to forget how vulnerable email actually can be. When you’re dealing with HIPAA and patient health information, you want to make sure that anything emailed is properly protected.

The National Institute of Standards and Technology (NIST) held a conference this week. Representatives from the Office of Civil Rights (OCR) shared that email is dramatically increasing as the source of major health data breaches.

Email breaches averaged 17% of all breaches in the past decade. This year alone 40% of all major breaches have come from email. It’s more important than ever to make sure we’re all aware of what best practices to use and how to keep information secure when emailing.

Email Encryption

When you send an email within your organization, your email is encrypted; however, if you send it to someone outside your company, it is unencrypted. If that email contains ePHI, it’s considered a data breach.

Free services such as Gmail, Yahoo and AOL capture information that goes in and out of your email account. Ever wonder how you get an ad in your Gmail inbox about something you've discussed, or related to another email you've received? That's one way they use the information gleaned from your account, and how the service can remain free.

Paid systems like Office 365 have encryption built in; you just need to enable it. Microsoft details how you can do that here.

Additionally, you can add plugins or browser extensions to encrypt email that you send outside your organization. This means that whoever receives the email will need to enter a password, or potentially create an account, to view the contents. How-To Geek has some services listed here. You can (and should) also talk to your IT team or provider about what will work in your environment.

Let's say your email isn't encrypted, but you need to share and receive information that includes PHI, credit card numbers, etc. Look at a program like ShareFile, where you can create secure folders that invited contributors can upload files to and download files from.

Other Email Dangers

While the percentage of people clicking on phishing emails has gone down, phishing attacks are still one of the biggest sources of email-related breaches. Phishing attacks can occur via email, telephone, or text and involve someone posing as a legitimate company to lure the recipient into providing personal information, passwords, credit card details, and more. Many phishing emails ask you to click on a link to make a payment. Others say you must confirm personal information, claim you're eligible to register for a government refund, and so on. Check out the FTC's guide on recognizing and avoiding phishing scams here.

On average, there have been 4,000 daily ransomware attacks since 2016. Ransomware is a type of malware where attackers get into a system, encrypt data so you can no longer access it, and demand a ransom to decrypt the data. Ransomware attacks are on the rise, and hospitals are one of the major targets. Opening suspicious emails and clicking on the links within them is one major way ransomware finds its way into your system.

In the case of a ransomware attack, the OCR presumes there has been a data breach. You should follow your data breach procedures (as well as immediately notifying law enforcement). Check out the HHS fact sheet on Ransomware and HIPAA to see what is required to be HIPAA compliant, and see the FBI’s summary on how to protect your networks from ransomware for more information.

Important Steps to Take

It’s more important than ever to make sure you’re educating yourself and your co-workers/employees and utilizing encryption to protect the data you may be sending in your email.

  1. Make sure you have the encryption settings enabled on your email, or take steps to be able to encrypt emails as needed and to upload information in a secure environment.
  2. Include cybersecurity in your employee training and as part of your continuing conversations on your operations.
  3. Educate yourself and your co-workers/employees on what to look out for when using email or browsing on the internet to avoid phishing and ransomware attacks.
  4. Make sure your systems have appropriate firewalls, spam filters, antivirus programs, etc.
  5. Educate everyone about what to do in the event of a ransomware attack or data breach, and list it out in your policies and procedures.