Sending HIPAA compliant e-mails

I think the most common way is to send a plain text email (as it may be read on iPhone, Android, etc. - a device that does not have built-in email decryption). OTOH, all devices understand HTTPS. So the plain text email says something like, "You have a secure message from your health care provider. Please click this link to log in to view your message."


You are required to encrypt the data end to end. You can use TLS to send the email to their systems. Note that you cannot send email to another firm without them also being HIPAA and HITECH compliant. Since their ePHI must already be stored in an encrypted format, you do not have to worry about encrypting the data prior to transmission. That being said, since encryption of the message is an addressable security measure, you would have to show why this was unreasonable. You also have to ensure that only the person that the email is addressed to can open the email. The simplest solution is to use Outlook's ability to sign and encrypt messages and send the recipient your certificate (by sending signed messages to each other first).

I do not recommend any sort of separate website-based mail, as it requires a whole lot of infrastructure to make secure. This could also open up liabilities should the end user do something like share their password. It's best to let the other party remain liable for their security.
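As an added example (not code from either answer above), here are the two pieces the answers describe, put together: the plain-text "you have a secure message" notice from the first answer, which carries no ePHI, and TLS delivery from the second answer, which refuses to send if the next hop does not offer STARTTLS rather than falling back to cleartext. The portal URL, addresses and the `FakeSMTP` stand-in are constructed placeholders so the example runs offline.

```python
import ssl
from email.message import EmailMessage

# Constructed placeholder portal address, not from the original thread.
PORTAL_URL = "https://portal.example-clinic.invalid/messages"


class PlaintextTransportError(RuntimeError):
    """The next hop does not offer STARTTLS; sending would be cleartext."""


def build_notification(sender, recipient, portal_url=PORTAL_URL):
    """Plain-text notice that a message is waiting. Carries no ePHI:
    no patient name, diagnosis or appointment detail, only the HTTPS link."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "You have a secure message from your health care provider"
    msg.set_content("You have a secure message from your health care provider.\n"
                    f"Please log in to view it: {portal_url}\n")
    return msg


def send_over_tls(msg, smtp):
    """Send msg through a connected smtplib.SMTP-compatible object, but only
    after upgrading to verified TLS; never falls back to cleartext."""
    smtp.ehlo()
    if not smtp.has_extn("starttls"):
        raise PlaintextTransportError("server does not offer STARTTLS")
    ctx = ssl.create_default_context()          # verifies cert and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    smtp.starttls(context=ctx)
    smtp.ehlo()                                 # re-read capabilities after upgrade
    smtp.send_message(msg)
    return True


class FakeSMTP:
    """Constructed stand-in for smtplib.SMTP so the example runs offline."""
    def __init__(self, offers_starttls):
        self.offers_starttls, self.tls_active, self.sent = offers_starttls, False, []
    def ehlo(self):
        return (250, b"ok")
    def has_extn(self, name):
        return name == "starttls" and self.offers_starttls
    def starttls(self, context=None):
        self.tls_active = True
    def send_message(self, msg):
        assert self.tls_active, "must not send before TLS is up"
        self.sent.append(msg)
```

With a real server, replace `FakeSMTP` with a connected `smtplib.SMTP(host, 587)`; the refusal path is what keeps a misconfigured or downgraded hop from leaking the message in the clear.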