Does your healthcare practice use email to send or receive Electronic Protected Health Information (EPHI)? If so, you are not alone: nearly every major healthcare provider in the U.S. now uses email for this purpose, because it is a faster and more efficient way to move data. But like every form of digital communication, email carries an inherent risk of a breach, which is why healthcare providers need to stay compliant with the Health Insurance Portability and Accountability Act (HIPAA) whenever they use it.


The golden rule for sending or receiving EPHI by email is to encrypt the messages. The HIPAA Security Rule, which the Office for Civil Rights (OCR) enforces, does not name encryption as a flat requirement for email: it is an "addressable" implementation specification, meaning a covered entity must either implement it or document why it is not reasonable and appropriate and put an equivalent safeguard in place. In practice, encryption is the technical safeguard that satisfies this for email. If an attacker or any other unauthorized party intercepts an encrypted message containing EPHI, they see only ciphertext and cannot read it without the key. Two caveats: transport encryption (TLS) between mail servers protects a message only while it is in transit, and only if both servers negotiate it, so a message that must stay confidential at rest or that may traverse a server without TLS needs the message itself encrypted end to end (S/MIME, PGP or a secure-message portal); and encryption does nothing to stop a message being sent to the wrong person.

Business Associate Agreement

Unless you run your own mail servers for sending and receiving email, you will need a Business Associate Agreement (BAA) with your email service provider. HIPAA requires this agreement with any third party that creates, receives, maintains or transmits Protected Health Information on your behalf, and it sets out how the business associate may access and handle that data and which safeguards it must maintain. Letting a third party host or manage your practice's email without a BAA exposes you to fines and other penalties, so don't make this mistake.

Double-Check the Recipient

When sending email, make sure the recipient's address is entered correctly. Something as seemingly harmless as a dropped or doubled keystroke, or an autocomplete suggestion for a similarly named contact, can land EPHI in a stranger's inbox. Double-check the address before sending, and treat any unfamiliar or slightly misspelled domain as a reason to pause.
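The human double-check above can be backed by an automated one at the mail gateway or in a send-time plugin: compare each recipient's domain against the domains the practice actually exchanges EPHI with, and flag anything that is a near-miss (a transposed or dropped letter) rather than a genuinely new partner. The following is an added example written for this article, not code from the original page or from any vendor; the trusted-domain list and the sample addresses are constructed for illustration, and the edit-distance threshold of 2 is an assumption you would tune.

```python
"""Outbound recipient sanity check: flag look-alike domains before an
email carrying EPHI leaves the practice.

Added example, not part of the original article. The trusted-domain list,
the sample recipients and the distance threshold are constructed/assumed.
"""
from email.utils import getaddresses

# Constructed allowlist: domains the practice routinely exchanges EPHI with.
TRUSTED_DOMAINS = {
    "examplehospital.org",
    "examplelab.com",
    "ourpractice.example",
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings. A small distance between a typed
    domain and a trusted one usually means a typo rather than a new partner."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify_recipient(addr: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Bucket one address as 'trusted', 'lookalike', 'external' or 'invalid'."""
    if "@" not in addr:
        return "invalid"
    domain = addr.rsplit("@", 1)[1].lower().strip()
    if domain in trusted:
        return "trusted"
    # Within max_distance edits of a trusted domain: almost certainly a typo.
    for t in trusted:
        if levenshtein(domain, t) <= max_distance:
            return "lookalike"
    return "external"


def check_headers(to_header: str, cc_header: str = "") -> dict:
    """Parse To:/Cc: the way a mail client does (display names, angle
    brackets, comma lists) and classify every address found."""
    results = {}
    for _name, addr in getaddresses([to_header, cc_header]):
        if addr:
            results[addr] = classify_recipient(addr)
    return results


def should_block(results: dict) -> bool:
    """Hold the message for explicit confirmation if any recipient is a
    look-alike of a trusted domain or is malformed. Plain 'external'
    recipients are allowed through (they may be a new, legitimate partner)."""
    return any(v in ("lookalike", "invalid") for v in results.values())


if __name__ == "__main__":
    # Constructed To: header with one correct address and one transposition typo.
    sample_to = '"Dr. Smith" <dr.smith@examplehospital.org>, records@examplehospitla.org'
    verdicts = check_headers(sample_to)
    for addr, verdict in verdicts.items():
        print(f"{addr:40} {verdict}")
    print("hold for confirmation:", should_block(verdicts))
```

The check is deliberately a hold-and-confirm rather than a hard block: a domain two edits away from a trusted one is occasionally a real new correspondent, and the goal is to force the sender to look at the address the way the paragraph above asks, not to silently drop mail.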

Is Gmail OK to Use?

Gmail has become one of the largest and most widely used email platforms on the web, and Google's service is used commercially by many businesses. But is it acceptable for doctors and other covered entities to use Gmail?

In short, Gmail can be used for a healthcare practice's email, provided a few conditions are met. In 2013 Google announced that it would sign BAAs for its paid business offering (then Google Apps, now Google Workspace) and that it maintains the physical, technical and administrative safeguards the Security Rule calls for. A free consumer Gmail account is not covered by that BAA, so it is not a suitable place for EPHI. Gmail also offers two-step verification at no charge; turn it on for every account, because it stops the account takeovers that follow a phished or reused password, although it does not by itself make the messages encrypted end to end.
