According to the study "We Got Mail": Electronic Communication Between Physicians and Patients, an estimated 17.5 million adults in the US were already using the internet to find medical information by 1997. By the late 1990s, physicians had also begun using email for various tasks, including consulting with colleagues, accessing lab results, tracking patient outcomes, sharing research, and communicating directly with patients. According to another study, Email in healthcare: pros, cons and efficient use, “The healthcare sector was initially more cautious about the adoption of email than other sectors, but email is now a primary method of correspondence between healthcare professionals. It is the assumption of many healthcare organizations that staff will regularly check and act on their email messages.” This reliance on email makes internal email governance policies that support HIPAA compliance essential: they define how sensitive health data is protected in transit and at rest, and they ensure that email use aligns with the regulatory, ethical, and operational standards of modern healthcare settings.
HIPAA mandates specific requirements for the protection of protected health information (PHI), which includes any health information transmitted or maintained in electronic form. The HIPAA Security Rule requires covered entities and their business associates to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). As the U.S. Department of Health and Human Services (HHS) explains, “A major goal of the Security Rule is to protect the security of individuals’ ePHI while allowing regulated entities to adopt new technologies that improve the quality and efficiency of health care. Because the health care marketplace is diverse, the Security Rule is designed to be flexible, scalable, and technology neutral, enabling a regulated entity to implement policies, procedures, and technologies that are appropriate for the entity’s particular size, organizational structure, and risks to ePHI.”
Without clearly defined email policies, healthcare organizations risk noncompliance, data breaches, and erosion of patient trust as employees may:
Many data breaches originate from simple mistakes or user negligence. As Sarah Varnell, manager of attest services at BARR Advisory, states, “My recommendations for healthcare organizations do not differ significantly from what is considered best practice in other industries. In most cases, the attacks targeting healthcare organizations are not very technical attacks. They rely on tricking users, exploiting weak or reused passwords, or taking advantage of gaps in basic security hygiene. Once attackers have access, they can exfiltrate PHI and either ransom it back to the organization or sell it on the dark web."
Email policies therefore need to do more than secure the transport of messages; they must also govern user behavior and address insider risk, since most successful attacks start with a user rather than a technical flaw.
To create a compliant and effective internal email governance policy, healthcare organizations should address the following core areas:
An Acceptable Use Policy (AUP) outlines the permissible and prohibited uses of email within the organization. For HIPAA compliance, the AUP should clarify:
As Varnell notes, acceptable use and clean-desk policies are foundational practices that reinforce an organization's security culture.
In December 2024, the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) released a Notice of Proposed Rulemaking (NPRM) to amend the Security Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), strengthening the cybersecurity requirements for electronic protected health information (ePHI).
Under the proposed updates, the distinction between “required” and “addressable” implementation specifications would be removed, and encryption of ePHI at rest and in transit would become a mandatory requirement (with limited exceptions) rather than an “addressable” specification that an entity may document its way around.
Encryption is required when:
Internal policies should mandate encryption in transit and, where applicable, at rest, and specify how and when encryption must be used.
The HIPAA Privacy Rule (45 CFR 164.530(j)) requires that “A covered entity must retain the documentation required by paragraph (j)(1) of this section for six years from the date of its creation or the date when it last was in effect, whichever is later.” That documentation includes the policies, procedures, and communications the rule requires, such as authorizations, notices, and accounting-of-disclosure records. HIPAA itself does not set a retention period for medical records; those periods come from state law. Email that is part of a patient’s designated record set is nonetheless subject to the patient’s right of access, and email that documents required Privacy Rule actions falls under the six-year rule. As such, healthcare organizations must implement email retention and archiving policies that align with both HIPAA and applicable state requirements.
Internal email governance policies should clearly define:
Automated retention tools integrated with your email system can simplify compliance and auditing.
Email access must be tightly controlled. HIPAA requires that access to ePHI be limited to only those who need it to perform their job functions. This is in line with the principle of least privilege, which Sarah Varnell also recommends, stating, “Enforcing least privilege access controls to ensure that a compromised account can’t freely move throughout the network is also a critical step in a defense plan."
Governance policies should define:
Regular access reviews and email audits can also aid in ensuring that permissions remain current and appropriate.
The Security Rule’s person or entity authentication standard (45 CFR 164.312(d)) is a technical safeguard that requires verifying that anyone seeking access to ePHI is who they claim to be; the current rule does not name a specific mechanism, but the proposed updates would make multifactor authentication (MFA) an explicit requirement. Governance policies should require:
As Varnell suggests, “Additional technical controls to implement include timely patch management, endpoint detection and response, and strong multifactor authentication, potentially in the form of hardware security keys where appropriate.”
A study by IBM, as quoted by The Hacker News, found that human error is “a major contributing cause in 95% of all breaches.” Internal email governance should mandate regular security awareness training, including simulated phishing exercises.
Sarah Varnell emphasizes that “Information security awareness training that covers how to identify and prevent phishing and other social engineering attacks is critical for ensuring employees are equipped with the appropriate knowledge to protect themselves and the organization.”
Training should be:
Policies should also encourage employees to report suspicious emails without fear of punishment.
HIPAA requires covered entities to have policies in place for identifying, reporting, and responding to security incidents. Internal email governance must include:
Varnell notes the importance of a clearly defined incident response plan and regular tabletop exercises to test readiness.
With more healthcare professionals using mobile devices, laptops, and tablets to check email, mobile governance is essential. Policies should address:
This reduces the risk of PHI exposure in case of theft or loss.
Emails to and from business associates must also be governed. Varnell cautions that “It is important to ensure that vendors and partners, especially those that handle PHI, understand what constitutes a breach and have a clear incident response plan of their own. Many healthcare breaches originate in the supply chain, so conducting due diligence as part of a strong vendor management program is also key.”
Internal policies should:
To demonstrate HIPAA compliance, organizations must log and monitor email activity. Governance policies should require:
These practices can help detect early indicators of compromise.
A policy is only as effective as its implementation. Healthcare organizations should integrate their email governance policies with:
As Varnell advises, “From a technical perspective, organizations should build robust vulnerability management programs and conduct regular penetration testing to identify and address security issues before attackers do. Additional technical controls to implement include timely patch management, endpoint detection and response, and strong multifactor authentication, potentially in the form of hardware security keys where appropriate.”
Email governance refers to the policies, procedures, and technologies used to manage email communications within a healthcare organization. It includes controls for how email is accessed, used, secured, retained, and monitored—especially when handling PHI (Protected Health Information).
No. Personal email accounts are not covered by a business associate agreement with the provider and typically lack the security controls HIPAA expects, such as enforced encryption, access controls, and audit logging. All PHI-related email communications must be conducted through approved, organization-managed channels.
At minimum, policies should be reviewed annually or whenever there is a change in regulations, technology, or organizational structure. Regular updates ensure continued relevance, legal alignment, and operational effectiveness.