Internal email governance policies that support HIPAA compliance

According to the study "We Got Mail": Electronic Communication Between Physicians and Patients, an estimated 17.5 million adults in the US were already using the internet to find medical information by 1997. By the late 1990s, physicians had also begun using email for various tasks, including consulting with colleagues, accessing lab results, tracking patient outcomes, sharing research, and communicating directly with patients. According to another study, Email in healthcare: pros, cons and efficient use, “The healthcare sector was initially more cautious about the adoption of email than other sectors, but email is now a primary method of correspondence between healthcare professionals. It is the assumption of many healthcare organizations that staff will regularly check and act on their email messages.” This increased reliance on email makes establishing internal email governance policies that support HIPAA compliance essential. Such policies protect sensitive health data in transit and at rest, and they ensure that email use aligns with the regulatory, ethical, and operational standards of modern healthcare settings.

 

Why email governance matters for HIPAA

HIPAA mandates specific requirements for the protection of protected health information (PHI), which includes any health information transmitted or maintained in electronic form. The HIPAA Security Rule requires covered entities and their business associates to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). As the U.S. Department of Health and Human Services (HHS) explains, “A major goal of the Security Rule is to protect the security of individuals’ ePHI while allowing regulated entities to adopt new technologies that improve the quality and efficiency of health care. Because the health care marketplace is diverse, the Security Rule is designed to be flexible, scalable, and technology neutral, enabling a regulated entity to implement policies, procedures, and technologies that are appropriate for the entity’s particular size, organizational structure, and risks to ePHI.”

Without clearly defined email policies, healthcare organizations risk noncompliance, data breaches, and erosion of patient trust as employees may:

  • Share PHI through unencrypted email.
  • Fall victim to phishing attacks.
  • Use unauthorized email accounts or devices.
  • Retain sensitive communications longer than necessary.
  • Overlook audit and logging obligations.

Many data breaches originate from simple mistakes or user negligence. As Sarah Varnell, manager of attest services at BARR Advisory, states, “My recommendations for healthcare organizations do not differ significantly from what is considered best practice in other industries. In most cases, the attacks targeting healthcare organizations are not very technical attacks. They rely on tricking users, exploiting weak or reused passwords, or taking advantage of gaps in basic security hygiene. Once attackers have access, they can exfiltrate PHI and either ransom it back to the organization or sell it on the dark web."

This demonstrates that email policies must do two things at once: secure communications and address insider risk, including the user mistakes that attackers rely on.

 

Key elements of internal email governance policies

To create a compliant and effective internal email governance policy, healthcare organizations should address the following core areas:

Acceptable Use Policy (AUP) for email

An Acceptable Use Policy outlines the permissible and prohibited uses of email within the organization. For HIPAA compliance, the AUP should clarify:

  • What types of data can be transmitted via email.
  • Which email platforms or applications are authorized.
  • That PHI may only be emailed using encrypted and approved channels.
  • Restrictions on auto-forwarding to personal email addresses.
  • Prohibitions on sharing passwords or using unsecured networks.

As Varnell notes, acceptable use and clean desk policies are foundational practices that reinforce an organization's security culture.

 

Email encryption standards

In December 2025, the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) released a Notice of Proposed Rulemaking (NPRM). This proposal aims to amend the Security Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), enhancing cybersecurity measures for electronic protected health information (ePHI).

Under the newly proposed updates to the HIPAA Security Rule, encryption would become a mandatory requirement rather than an “addressable” implementation specification.

Encryption is required when:

  • Sending PHI externally (e.g., to patients, payers, or other providers).
  • Transmitting sensitive information across insecure networks.
  • Storing PHI in email archives.

Internal policies should mandate encryption in transit and, where applicable, at rest, and specify how and when encryption must be used.

 

Email retention and archiving

The HIPAA Privacy Rule requires that “A covered entity must maintain [patient records] until six years after the later of the date of their creation or last effective date.” This requirement extends to any email communications that include protected health information (PHI) or are considered part of a patient’s designated record set. As such, healthcare organizations must implement email retention and archiving policies that align with this rule.

Internal email governance policies should clearly define:

  • Retention timelines for emails that include PHI or pertain to treatment, payment, or healthcare operations.
  • Automated archiving systems that securely store emails and ensure they are accessible for audits, legal requests, or patient inquiries.
  • Procedures for securely disposing of emails that are no longer required, once retention periods have been met.
  • Differentiation between routine communications and those that must be preserved as part of the medical or administrative record.

Automated retention tools integrated with your email system can simplify compliance and auditing.
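The retention rule above (keep for six years after the later of the creation date or the last effective date) is straightforward to encode, and doing so is what an automated retention tool does internally. The following is an added example, not code from the original article or from any product it mentions. It assumes a small record structure for email metadata, a hypothetical one-year default for routine mail that is not part of the designated record set (that default is an organizational choice, not a HIPAA requirement), and a legal-hold flag that blocks disposal regardless of the retention clock.

```python
from dataclasses import dataclass
from datetime import date

# HIPAA Privacy Rule: retain for six years after the later of creation or last effective date.
RETENTION_YEARS = 6
# Assumption: the organization's own default for routine mail outside the record set.
ROUTINE_RETENTION_YEARS = 1


def add_years(d: date, years: int) -> date:
    """Add calendar years, falling back to 28 Feb when the source date is 29 Feb."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass
class EmailRecord:
    subject: str
    created: date
    last_effective: date   # date the content stopped being in force, e.g. an authorization's end date
    contains_phi: bool
    purpose: str           # "treatment", "payment", "operations" or "routine" (assumed vocabulary)
    legal_hold: bool = False


def is_record_set(msg: EmailRecord) -> bool:
    """Emails with PHI, or about treatment/payment/operations, belong to the record set."""
    return msg.contains_phi or msg.purpose in {"treatment", "payment", "operations"}


def retain_until(msg: EmailRecord) -> date:
    """Earliest date on which the message may be disposed of."""
    years = RETENTION_YEARS if is_record_set(msg) else ROUTINE_RETENTION_YEARS
    return add_years(max(msg.created, msg.last_effective), years)


def disposition(msg: EmailRecord, today: date) -> str:
    """Decide what the archiving system should do with the message as of `today`."""
    if msg.legal_hold:
        return "retain (legal hold)"
    return "dispose" if today >= retain_until(msg) else "retain"


if __name__ == "__main__":
    # Constructed sample records, not real patient data.
    lab = EmailRecord("Lab result for MRN 0412", date(2018, 1, 15), date(2019, 6, 1), True, "treatment")
    memo = EmailRecord("Parking reminder", date(2024, 1, 1), date(2024, 1, 1), False, "routine")
    for msg in (lab, memo):
        print(msg.subject, "->", retain_until(msg), disposition(msg, date(2025, 7, 1)))
```

Note that `last_effective` is what makes the "later of" clause matter: an authorization created in 2018 but in force until mid-2019 is retained into 2025, not 2024.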

 

Access controls and least privilege

Email access must be tightly controlled. HIPAA requires that access to ePHI be limited to only those who need it to perform their job functions. This is in line with the principle of least privilege, which Sarah Varnell also recommends, stating, “Enforcing least privilege access controls to ensure that a compromised account can’t freely move throughout the network is also a critical step in a defense plan."

Governance policies should define:

  • Role-based access to email accounts.
  • Email permissions (e.g., who can send encrypted messages).
  • Termination procedures for former employees.

Regular access reviews and email audits can also aid in ensuring that permissions remain current and appropriate.

 

Multi-factor authentication (MFA) and login security

Strong authentication mechanisms, including MFA, are a technical safeguard under HIPAA’s Security Rule. Governance policies should require:

  • The use of MFA for accessing email accounts, especially those containing PHI.
  • Strong password policies (length, complexity, rotation).
  • Restrictions on password reuse.
  • Session timeouts and automatic logout settings.

As Varnell suggests, “Additional technical controls to implement include timely patch management, endpoint detection and response, and strong multifactor authentication, potentially in the form of hardware security keys where appropriate.”

 

Security awareness and phishing training

A study by IBM, as quoted by The Hacker News, found that human error is “a major contributing cause in 95% of all breaches.” Internal email governance should mandate regular security awareness training, including simulated phishing exercises.

Sarah Varnell emphasizes that “Information security awareness training that covers how to identify and prevent phishing and other social engineering attacks is critical for ensuring employees are equipped with the appropriate knowledge to protect themselves and the organization.”

Training should be:

  • Ongoing (quarterly or biannually).
  • Tailored to real-world email threats.
  • Mandatory for all employees with email access.
  • Tracked and documented for compliance purposes.

Policies should also encourage employees to report suspicious emails without fear of punishment.

 

Incident response and reporting protocols

HIPAA requires covered entities to have policies in place for identifying, reporting, and responding to security incidents. Internal email governance must include:

  • Clear definitions of email-related incidents (e.g., misdirected emails, phishing attacks, credential theft).
  • A step-by-step response protocol.
  • Who to notify internally and externally.
  • How to document and investigate incidents.
  • Legal and regulatory notification procedures (e.g., breach notification within 60 days).

Varnell notes the importance of a clearly defined incident response plan and regular tabletop exercises to test readiness.

 

Device management and mobile email access

With more healthcare professionals using mobile devices, laptops, and tablets to check email, mobile governance is essential. Policies should address:

  • Which devices are authorized to access email.
  • Mobile Device Management (MDM) requirements.
  • Remote wipe capabilities for lost or stolen devices.
  • Encryption requirements for mobile email.
  • Restrictions on downloading attachments to personal devices.

This reduces the risk of PHI exposure in case of theft or loss.

 

Vendor and business associate communication

Emails to and from business associates must also be governed. Varnell cautions that “It is important to ensure that vendors and partners, especially those that handle PHI, understand what constitutes a breach and have a clear incident response plan of their own. Many healthcare breaches originate in the supply chain, so conducting due diligence as part of a strong vendor management program is also key.”

Internal policies should:

  • Require business associate agreements (BAAs) for vendors handling PHI.
  • Specify the use of secure email channels for external communication.
  • Detail expectations for vendor email security, training, and incident response.

 

Monitoring, logging, and auditing

To demonstrate HIPAA compliance, organizations must log and monitor email activity. Governance policies should require:

  • Logging of all inbound and outbound emails.
  • Alerting systems for anomalous behavior (e.g., bulk downloads, unusual login locations).
  • Regular audits of email access and transmission.
  • Documentation of policy violations or incidents.

These practices can help detect early indicators of compromise.
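The alerting the section calls for (unusual login locations, bulk downloads) and the auto-forwarding restriction from the Acceptable Use Policy section can both be checked from the same mail audit log. Below is an added example, not code from the original article or from any mail platform; the log line format, field names, per-user baseline countries, approved mail domains and thresholds are all assumptions, and the log lines themselves are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not real data). Assumed format:
#   <ISO timestamp> <user> <event> <key>=<value>
SAMPLE_LOG = """\
2025-03-03T08:01:10Z dr.lee login geo=US
2025-03-03T08:04:55Z dr.lee download attachment=labs_0412.pdf
2025-03-03T08:05:20Z dr.lee download attachment=labs_0413.pdf
2025-03-03T11:42:03Z nurse.kim login geo=US
2025-03-03T11:43:30Z nurse.kim forward_rule target=nurse.kim@gmail.com
2025-03-03T11:50:00Z nurse.kim forward_rule target=billing@clinic.example
2025-03-03T23:17:44Z dr.lee login geo=RO
2025-03-03T23:18:01Z dr.lee download attachment=visit_1001.pdf
2025-03-03T23:18:09Z dr.lee download attachment=visit_1002.pdf
2025-03-03T23:18:15Z dr.lee download attachment=visit_1003.pdf
2025-03-03T23:18:22Z dr.lee download attachment=visit_1004.pdf
2025-03-03T23:18:30Z dr.lee download attachment=visit_1005.pdf
2025-03-03T23:18:41Z dr.lee download attachment=visit_1006.pdf
"""

APPROVED_DOMAINS = {"clinic.example"}                     # assumption: the organization's mail domains
BASELINE_GEO = {"dr.lee": {"US"}, "nurse.kim": {"US"}}    # assumption: each user's usual login countries
BULK_THRESHOLD = 5                                        # downloads within the window that raise an alert
BULK_WINDOW = timedelta(minutes=10)


def parse_line(line: str) -> dict:
    """Split one audit line into a record; the single key=value detail is kept under its own key."""
    ts, user, event, detail = line.split(" ", 3)
    key, value = detail.split("=", 1)
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "user": user, "event": event, key: value}


def detect(log_text: str) -> list:
    """Return (alert_type, user, timestamp) tuples for the three policy checks."""
    alerts = []
    downloads = defaultdict(list)  # user -> timestamps of recent downloads
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        user, ts = rec["user"], rec["ts"]
        if rec["event"] == "login" and rec["geo"] not in BASELINE_GEO.get(user, set()):
            alerts.append(("unusual_login_location", user, ts))
        elif rec["event"] == "forward_rule":
            domain = rec["target"].rsplit("@", 1)[-1].lower()
            if domain not in APPROVED_DOMAINS:
                alerts.append(("external_auto_forward", user, ts))
        elif rec["event"] == "download":
            recent = [t for t in downloads[user] if ts - t <= BULK_WINDOW] + [ts]
            downloads[user] = recent
            if len(recent) == BULK_THRESHOLD:   # fire once per burst, not on every further download
                alerts.append(("bulk_download", user, ts))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

Correlating the alerts is where the value lies: a login from an unusual country followed minutes later by a burst of attachment downloads from the same account is a much stronger signal than either event alone, and the auto-forward check catches the AUP violation whether it is an honest mistake or an attacker establishing persistence.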

 

Integrating policy with technology

A policy is only as effective as its implementation. Healthcare organizations should integrate their email governance policies with:

“From a technical perspective, organizations should build robust vulnerability management programs and conduct regular penetration testing to identify and address security issues before attackers do. Additional technical controls to implement include timely patch management, endpoint detection and response, and strong multifactor authentication, potentially in the form of hardware security keys where appropriate.”

 

FAQs

What is email governance in a healthcare context?

Email governance refers to the policies, procedures, and technologies used to manage email communications within a healthcare organization. It includes controls for how email is accessed, used, secured, retained, and monitored—especially when handling PHI (Protected Health Information).

 

Can healthcare staff use personal email accounts to send or receive PHI?

No. Personal email accounts are not HIPAA compliant and typically lack the necessary security controls, such as encryption and audit logging. All PHI-related email communications must be conducted through approved, secure channels.

 

How often should email policies be reviewed or updated?

At minimum, policies should be reviewed annually or whenever there is a change in regulations, technology, or organizational structure. Regular updates ensure continued relevance, legal alignment, and operational effectiveness.