Unencrypted Email
What is Unencrypted Email?
Unencrypted email refers to electronic messages that are sent without encryption protections that make the contents unreadable to unauthorized users. In healthcare, unencrypted email is one of the most common causes of HIPAA violations, which is why it is frequently addressed during HIPAA compliance training and reviewed closely during HIPAA risk assessments.
HIPAA compliance consulting often identifies unencrypted email as a primary risk area because email is used so frequently in daily healthcare operations. Without proper safeguards, sending protected health information (PHI) through standard email can expose patient data during transmission or after delivery, increasing the likelihood of reportable breaches.
When an email is unencrypted, its contents can potentially be accessed by internet service providers, email servers, hackers, or unintended recipients. This creates a serious privacy risk when emails contain patient names, medical details, test results, appointment information, billing data, or any other identifiable health information.
PHI sent through regular email or to a free webmail account (such as Gmail) creates additional risk, since many email providers scan messages in user inboxes for marketing purposes. Additionally, regular email use increases the risk of a healthcare organization falling victim to phishing attacks and ransomware infections that lead to large-scale HIPAA violations.
Why Unencrypted Email Is a HIPAA Risk
HIPAA’s Security Rule requires covered entities to implement reasonable technical safeguards to protect electronic PHI (ePHI). While HIPAA does not explicitly prohibit email, it does require that PHI be protected from unauthorized access. Unencrypted email fails to meet this standard because:
- messages travel across multiple unidentified servers in readable form
- emails can be intercepted during transmission
- inboxes may be accessed by unauthorized users and service providers
- messages can be forwarded or stored insecurely
- misdirected emails cannot be recalled
As a result, HIPAA compliance consultants routinely flag unencrypted email as non-compliant unless strong compensating controls are in place.
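One way to see the first two points above in practice is to audit the Received header chain of a delivered message, which records each server that relayed it and whether that hop reported TLS. This is an added illustration, not code from the page or from any vendor; the message below is constructed, with made-up hostnames and addresses, and the TLS markers (ESMTPS, version=TLS...) are the conventional ones mail servers write into Received headers.

```python
import re
from email import message_from_string

# Constructed sample (not a real capture): the message crosses three hops,
# and the middle relay-to-hospital hop reports plain ESMTP with no TLS.
SAMPLE_MESSAGE = """\
Received: from mx2.example-hospital.test (mx2.example-hospital.test [203.0.113.5])
    by inbox.example-hospital.test with ESMTPS id abc123
    (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384); Mon, 3 Jun 2024 10:02:11 +0000
Received: from relay.example-isp.test (relay.example-isp.test [198.51.100.7])
    by mx2.example-hospital.test with ESMTP id def456; Mon, 3 Jun 2024 10:02:09 +0000
Received: from workstation.example-clinic.test ([192.0.2.10])
    by relay.example-isp.test with ESMTPSA id ghi789
    (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256); Mon, 3 Jun 2024 10:02:08 +0000
From: billing@example-clinic.test
To: records@example-hospital.test
Subject: Appointment follow-up

Patient appointment details follow.
"""

TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "SMTPS", "UTF8SMTPS", "UTF8SMTPSA"}


def audit_hops(raw_message):
    """Return each relay hop in transmission order (oldest first) with a TLS flag.

    A hop counts as TLS-protected if its protocol token is a secure variant or
    the header carries a version=TLS marker. Received headers are written by the
    relays themselves and can be forged upstream, so this is an audit aid, not proof.
    """
    msg = message_from_string(raw_message)
    hops = []
    # get_all returns newest-first; reverse to follow the message's actual path.
    for header in reversed(msg.get_all("Received") or []):
        text = " ".join(header.split())  # unfold continuation lines
        src = re.search(r"\bfrom\s+(\S+)", text)
        dst = re.search(r"\bby\s+(\S+)", text)
        proto = re.search(r"\bwith\s+(\S+)", text)
        proto_name = proto.group(1).upper() if proto else ""
        tls = proto_name in TLS_PROTOCOLS or "version=TLS" in text
        hops.append({"from": src.group(1) if src else "?",
                     "by": dst.group(1) if dst else "?",
                     "protocol": proto_name, "tls": tls})
    return hops


def plaintext_hops(raw_message):
    """Names of receiving servers whose hop recorded no TLS protection."""
    return [h["by"] for h in audit_hops(raw_message) if not h["tls"]]


if __name__ == "__main__":
    for hop in audit_hops(SAMPLE_MESSAGE):
        print(f"{hop['from']} -> {hop['by']} via {hop['protocol']} tls={hop['tls']}")
    print("hops without TLS:", plaintext_hops(SAMPLE_MESSAGE))
```

Note that even a chain where every hop reports TLS only protects the wire between servers; the message body is still readable on each relay and in the destination inbox, which is why HIPAA-oriented controls call for encrypting the content itself rather than relying on transport encryption alone.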
HIPAA Expectations Around Email
HIPAA expects organizations to assess email-related risks and implement encryption or equivalent safeguards. Healthcare organizations and their business associates that handle ePHI are also required to train their staff on secure communication practices, document communication policies, and apply the Minimum Necessary Standard. This is why email safety is a core component of HIPAA compliance training programs.
Covered entities are allowed to use traditional email if a patient insists on that channel. However, they must have an acceptably secure option in place to offer first, and the patient cannot absolve the covered entity of its responsibility to protect health data if a breach happens.
Why Training Matters
Technology alone is not enough. Staff must know when PHI is present and how to send it securely. Effective HIPAA compliance training helps employees recognize risky email behavior and consistently choose secure communication methods.
Is Your Team Properly Trained in HIPAA Compliance?
Brightsquid supports thousands of healthcare organizations with practical privacy compliance training that helps prevent breaches and improve efficiency.