HIPAA-Compliant Email for Healthcare Practices

by Jon Lober | NOC Technology

What It Actually Takes

Email is the communication backbone of most medical and dental practices: appointment confirmations, referral coordination, lab results, billing questions. And it’s one of the most common sources of HIPAA violations. The gap between “we use Outlook” and “we have HIPAA-compliant email” is wider than most practice managers realize.


This guide covers what HIPAA actually requires for email, what “compliant” really means for platforms like Microsoft 365 and Google Workspace, and what St. Louis healthcare practices need to have in place before treating email as a secure channel.


Why Standard Email Isn't HIPAA Compliant


HIPAA doesn’t prohibit email communication, but it does require that any electronic protected health information (ePHI) transmitted via email be safeguarded appropriately. Standard consumer email accounts don’t meet that bar for several reasons.


First, encryption: email in transit between mail servers is often unencrypted or uses opportunistic encryption that can’t be guaranteed. HIPAA requires you to protect ePHI “in transit,” which means encryption, end-to-end or at rest, that you can verify and document.


Second, access controls: consumer accounts (free email like Gmail or outlook.com) don’t enforce the role-based access controls, audit logging, and automatic logoff that HIPAA’s technical safeguard standards require.


Third, Business Associate Agreements: any vendor who handles ePHI on your behalf must sign a BAA with your practice. Free consumer email services don’t offer BAAs. Without one, using that service to transmit patient information is a HIPAA violation regardless of how secure the platform is technically.


What a Business Associate Agreement (BAA) Actually Is


A BAA is a legally binding contract between your practice and any vendor who processes, stores, or transmits ePHI on your behalf. It establishes the vendor’s responsibility to safeguard that information and report any breaches to you. Under HIPAA, you cannot use any service that handles patient data without a signed BAA.


Microsoft offers a BAA for Microsoft 365 Business and Enterprise plans, not for personal or consumer Microsoft accounts. Google offers a BAA for Google Workspace (formerly G Suite) Business and Enterprise plans. The BAA is a prerequisite, but signing one doesn’t automatically make your email setup compliant. You still need to configure the platform correctly.


Making Microsoft 365 HIPAA Compliant


Microsoft 365 Business Premium and Enterprise plans can be configured for HIPAA compliance, but the default settings aren’t compliant out of the box. Here’s what needs to be configured:


  • Sign the Microsoft HIPAA BAA (available through the Microsoft 365 admin portal under Service Trust Portal).


  • Enable Microsoft Purview Message Encryption (formerly Office 365 Message Encryption) to encrypt outbound email containing ePHI.


  • Configure Data Loss Prevention (DLP) policies to detect and block or encrypt outbound messages containing protected health information.


  • Enable audit logging in the Microsoft 365 Security & Compliance Center.


  • Configure multi-factor authentication for all accounts. This is a HIPAA technical safeguard requirement.


  • Set automatic session timeouts and screen lock policies.


  • Review and restrict external email forwarding rules that could expose ePHI.


The right Microsoft 365 license matters here. Microsoft 365 Business Basic doesn’t include the full DLP and compliance features. Business Premium or an E3/E5 Enterprise plan gives you the tools you need. If you’re on a lower-tier license, upgrading is part of the compliance equation.
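As an added example, not code from the article or from NOC Technology, the following PowerShell audit checks the Exchange Online side of the list above: whether tenant-wide automatic forwarding is off, whether unified audit logging is on, and whether any mailbox or inbox rule forwards or redirects mail outside the tenant. It uses the ExchangeOnlineManagement module, assumes the practice's own domains are exactly the accepted domains Exchange returns, and only reads; it changes nothing. MFA, session timeouts and Purview DLP policies are managed in other admin surfaces and are not checked here.

```powershell
# Added example (not from the article): read-only audit of forwarding and audit-log
# settings in Exchange Online. Requires the ExchangeOnlineManagement module and an
# account with Exchange Administrator rights.
# Assumption: the tenant's own domains are the accepted domains from Get-AcceptedDomain.

Connect-ExchangeOnline -ShowBanner:$false

$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLower() }

function Test-IsExternalAddress {
    param([string]$Address)
    # Forwarding targets come back in forms such as "smtp:user@example.org" or
    # "Jane Doe [SMTP:jane@example.org]"; extract the domain and compare it.
    if ($Address -match '([\w.+-]+)@([\w.-]+)') {
        return -not ($internalDomains -contains $Matches[2].ToLower())
    }
    return $false   # not an SMTP address (for example an internal recipient object)
}

$findings = @()

# 1. Tenant-wide automatic forwarding. "Off" blocks inbox rules and mailbox
#    forwarding to external domains regardless of what individual users configure.
foreach ($policy in Get-HostedOutboundSpamFilterPolicy) {
    if ($policy.AutoForwardingMode -ne 'Off') {
        $findings += "Outbound spam policy '$($policy.Name)': AutoForwardingMode is $($policy.AutoForwardingMode) (expected Off)"
    }
}

# 2. Unified audit logging must be ingesting events before any log review is possible.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    $findings += "Unified audit log ingestion is disabled"
}

# 3. Mailbox-level forwarding and inbox rules that send mail to external addresses.
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
foreach ($mbx in $mailboxes) {
    if ($mbx.ForwardingSmtpAddress -and (Test-IsExternalAddress $mbx.ForwardingSmtpAddress)) {
        $findings += "$($mbx.UserPrincipalName): mailbox forwards to $($mbx.ForwardingSmtpAddress)"
    }
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        if (-not $rule.Enabled) { continue }
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
            Where-Object { $_ }
        foreach ($target in $targets) {
            if (Test-IsExternalAddress "$target") {
                $findings += "$($mbx.UserPrincipalName): inbox rule '$($rule.Name)' sends mail to $target"
            }
        }
    }
}

if ($findings.Count -eq 0) { "No forwarding or audit-log findings." } else { $findings }
Disconnect-ExchangeOnline -Confirm:$false
```

Install the module with `Install-Module ExchangeOnlineManagement` first; `Connect-ExchangeOnline` opens a modern-authentication sign-in. Findings in sections 1 and 2 are fixed with `Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off` and `Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true`; inbox-rule findings should be reviewed with the mailbox owner before removal, since a rule forwarding to an outside address is also a common sign of a compromised account.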


Google Workspace as a HIPAA-Compliant Option


Google Workspace Business Starter and above support a HIPAA BAA, but like Microsoft, configuration matters. Key steps for Google Workspace compliance:


  • Sign the Google Workspace HIPAA BAA through the Google Admin console under Account > Legal.


  • Enable Gmail S/MIME encryption for messages containing ePHI (requires Business Plus or Enterprise).


  • Configure Data Loss Prevention rules in the Admin console to flag or quarantine outbound messages with sensitive data.


  • Enable audit logs for Gmail and Admin actions.


  • Enforce two-factor authentication for all user accounts.


  • Review which Google services are covered under the BAA—not all Google services are included, and using covered ePHI in an uncovered service is a violation.


Encryption: What You Actually Need


HIPAA requires “encryption and decryption” as an addressable safeguard for ePHI, which in practice means you need to encrypt email containing patient information. The two main approaches are:


Transport Layer Security (TLS): encrypts email in transit between mail servers. Both Microsoft 365 and Google Workspace support TLS, but it’s only effective when both the sending and receiving servers support it. You can’t guarantee that the recipient’s server does.


End-to-end encryption (S/MIME or message-level encryption): encrypts the message itself so only the intended recipient can read it, regardless of what servers it passes through. This is the more robust option for sensitive patient communications.


For most medical and dental practices, the practical approach is: use Microsoft’s built-in message encryption for outbound email containing ePHI, configure DLP policies to catch and encrypt messages that staff might send without thinking, and train staff on when to use encrypted communication.


Patient-Initiated Emails and the Consent Exception


If a patient emails you first using their personal Gmail or Yahoo account, they’ve accepted the risks of standard email for that communication. HIPAA allows you to respond via the same channel, provided you’ve warned the patient about the risks and they’ve consented to unencrypted communication.


This doesn’t mean patient-initiated emails give you blanket permission to skip encryption. It applies to individual exchanges where the patient has acknowledged the risk. If your practice routinely sends appointment reminders, lab results, or treatment plans via unencrypted email, that requires either documented patient consent for each communication or an encrypted email solution.


Staff Training and Policy


Technical controls reduce risk, but they don’t eliminate human error. Your staff need to understand what constitutes ePHI, when email is and isn’t appropriate for sharing patient information, and what to do if they accidentally send an unencrypted message containing patient data.


Practical training topics to cover:

  • What counts as ePHI (patient name + any health information = ePHI, even if the health information seems minor)


  • When to use the encrypted email option vs. standard email


  • How to handle patients who email from personal accounts


  • What constitutes a potential breach and how to report it internally


  • The practice’s email retention and deletion policy


Email Retention Requirements Under HIPAA


HIPAA doesn’t specify a retention period for email specifically, but your retention obligations come from two sources: HIPAA’s requirement to retain policies and documentation for six years, and your state’s medical records retention law. In Missouri, medical records must be retained for a minimum of 10 years for adults. If your email contains patient records or clinical communications, those records fall under the longer retention requirement.


Practically, this means your email archiving solution needs to retain messages for at least six years (for HIPAA documentation) and up to 10+ years if the messages constitute patient records. Microsoft 365 and Google Workspace both have archiving and retention policy features—but they need to be configured. Default retention settings typically aren’t sufficient.


Getting Your Practice to Compliance


Here’s a practical checklist for a St. Louis medical or dental practice:


  • Confirm you’re on a Microsoft 365 or Google Workspace plan that supports a HIPAA BAA.


  • Sign the BAA with your email provider.


  • Configure message encryption and DLP policies.


  • Enable audit logging and review logs at least quarterly.


  • Enforce multi-factor authentication across all accounts.


  • Document your email security configuration as part of your HIPAA security risk analysis.


  • Train all staff on email handling policies annually.



  • Review your email archiving and retention settings against state and federal requirements.
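The quarterly log review in the checklist is easier when it starts from a short list of the events that matter for email exposure. As an added example, not code from the article or from NOC Technology, this PowerShell script pulls the last 90 days of unified audit log records for changes to forwarding, outbound spam policy and the audit configuration itself, and reduces the noisy `Set-Mailbox` and `Set-InboxRule` events to those that touched a forwarding parameter. It uses the ExchangeOnlineManagement module and assumes unified audit logging was already enabled for the period reviewed; otherwise nothing is returned.

```powershell
# Added example (not from the article): audit-log review of forwarding-related
# changes in Exchange Online over the last 90 days. Requires the
# ExchangeOnlineManagement module, an account permitted to search the unified
# audit log, and unified audit logging enabled for the period.

Connect-ExchangeOnline -ShowBanner:$false

$since = (Get-Date).AddDays(-90)
$watchedOps = @(
    'New-InboxRule', 'Set-InboxRule',        # a user or admin created or changed a rule
    'Set-Mailbox',                           # mailbox-level forwarding is set here
    'Set-HostedOutboundSpamFilterPolicy',    # tenant-wide AutoForwardingMode
    'Set-AdminAuditLogConfig'                # someone touched audit logging itself
)
# Parameters whose presence means the change is worth a reviewer's attention.
$watchedParams = 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo',
                 'ForwardingSmtpAddress', 'ForwardingAddress',
                 'AutoForwardingMode', 'UnifiedAuditLogIngestionEnabled'

$records = Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) `
    -Operations $watchedOps -ResultSize 5000

$report = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json      # each record carries its detail as JSON
    $params = @{}
    foreach ($p in $d.Parameters) { $params[$p.Name] = $p.Value }

    # Set-Mailbox and Set-InboxRule fire for many unrelated edits; keep only the
    # ones that changed a forwarding parameter. Policy and audit-config changes
    # are always kept.
    $touched = $watchedParams | Where-Object { $params.ContainsKey($_) }
    $isRuleOrMailbox = $d.Operation -in 'New-InboxRule', 'Set-InboxRule', 'Set-Mailbox'
    if ($isRuleOrMailbox -and -not $touched) { continue }

    [pscustomobject]@{
        When      = $r.CreationDate
        Actor     = $r.UserIds
        Operation = $d.Operation
        Target    = $d.ObjectId
        Details   = ($touched | ForEach-Object { "$_=$($params[$_])" }) -join '; '
    }
}

$report | Sort-Object When | Format-Table -AutoSize
Disconnect-ExchangeOnline -Confirm:$false
```

A single `Search-UnifiedAuditLog` call returns at most 5000 records; a larger tenant should page through results with the cmdlet's `-SessionId` and `-SessionCommand ReturnLargeSet` parameters. Keeping the exported table with the quarter's review notes also gives you the documentation HIPAA expects to see for the six-year retention period described earlier.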


We've set up HIPAA-compliant email for medical practices, dental offices, and healthcare organizations across Greater St. Louis. See how we support healthcare IT on our managed IT for medical and dental practices page, or check our pricing to see what’s included.


Frequently Asked Questions

Is regular Gmail or Outlook HIPAA compliant?
No — not in their standard consumer form. Free Gmail and personal Outlook accounts don't offer Business Associate Agreements, which are required before using any service to transmit patient information. Business versions of both platforms (Google Workspace and Microsoft 365) can be configured to meet HIPAA requirements, but the BAA and proper configuration are both required.

Does Microsoft 365 require additional software to be HIPAA compliant?
Microsoft 365 includes the tools you need (message encryption, DLP policies, audit logging, MFA), but those features must be configured — they're not on by default. You also need to be on a plan that supports HIPAA compliance (Business Premium or Enterprise) and must sign the Microsoft HIPAA BAA separately. The software itself is sufficient; no third-party add-on is required if it's set up correctly.

What is a Business Associate Agreement (BAA) and why do I need one?
A BAA is a legally required contract between your healthcare practice and any vendor that processes, stores, or transmits patient health information on your behalf. It establishes the vendor's responsibility to protect that information and notify you of any breaches. Under HIPAA, using any service to transmit patient data without a signed BAA is a violation — regardless of how secure the platform is technically.

Can patients email us first and bypass HIPAA requirements?
If a patient contacts you via personal email, they've accepted the risks of unencrypted communication for that message. HIPAA allows you to respond via the same channel, provided you inform the patient about the risks. This doesn't give you blanket permission to send ePHI via unencrypted email. It applies to individual exchanges with informed patient consent — not to routine practice communications like lab results or treatment plans.

How long must we keep email records for HIPAA compliance?
HIPAA requires retaining security policies and documentation for six years. Missouri law requires medical records to be retained for a minimum of 10 years for adult patients. If your emails contain clinical communications or patient records, the longer retention period applies. Microsoft 365 and Google Workspace both have archiving features that can be configured to meet these requirements — but default settings usually aren't sufficient.

What happens if staff accidentally send PHI through personal email?
An unencrypted email containing PHI sent through an unapproved account is a potential HIPAA breach. You need to document what happened, assess whether the transmission meets the definition of a breach under HIPAA's rules, and determine if notification is required. Your incident response plan should cover this scenario. The best defense is a combination of technical controls (DLP policies that catch PHI before it leaves your system) and regular staff training.

How much does HIPAA-compliant email cost?
Microsoft 365 Business Premium, which includes the compliance features needed for HIPAA, runs approximately $22/user/month. Google Workspace Business Plus, which includes S/MIME encryption and enhanced audit logging, runs approximately $18/user/month. Factor in setup time and ongoing management. For most small practices, the monthly cost difference between a basic plan and a HIPAA-capable plan is modest — but the configuration work is where most practices need help.