Healthcare organisations — hospitals, health systems, physician practices, telehealth companies, and healthcare technology platforms — face the most complex email compliance environment of any industry. HIPAA (Health Insurance Portability and Accountability Act) regulates how protected health information (PHI) is handled in electronic communications, including email. The intersection of HIPAA compliance requirements, ISP filtering behaviour, and the medical necessity of reliable patient communication creates a deliverability challenge that requires both technical expertise and regulatory knowledge. This guide covers the specific email compliance and deliverability requirements for covered entities and business associates under HIPAA.
Healthcare Email Categories and Compliance Requirements
Healthcare email falls into distinct categories with different HIPAA compliance requirements:
Treatment communications containing PHI: Appointment reminders, test results, care plan communications, medication reminders. These communications contain or reference PHI and are subject to HIPAA's Security Rule (requiring encryption and access controls) and Privacy Rule (limiting disclosure of PHI). They qualify as Treatment communications under the HIPAA exception framework — explicit patient consent is not required for Treatment communications sent to the patient's known email address, but the communication must be appropriately secured.
Marketing communications to patients: Health system newsletters, wellness programme promotions, new service announcements. These are marketing communications and require explicit patient authorisation under HIPAA's Marketing provisions if they discuss specific health products or services related to the patient's health condition. Generic wellness newsletter to all patients: generally permissible. Targeted promotional email referencing the patient's specific condition or treatment: requires authorisation.
Healthcare provider B2B communications: Medical education, continuing education (CME), pharmaceutical marketing to physicians, health system administrative communications. These involve PHI only if they reference specific patient cases — most B2B healthcare marketing does not involve PHI and is subject to standard CAN-SPAM requirements rather than HIPAA's patient privacy provisions.
Operational and transactional communications: Billing statements, insurance verification, patient portal account notifications, password resets. These typically involve PHI (billing data links to specific patient health services) and require HIPAA-appropriate handling. Patient portal account management email in particular must deliver reliably — a failed password reset email prevents the patient from accessing their own health records.
HIPAA Requirements for Email Communications
HIPAA's Security Rule (45 CFR § 164.312) requires covered entities to implement technical safeguards for electronic PHI, including: (1) Access controls — limiting access to ePHI to authorised persons. (2) Audit controls — recording and examining activity in systems containing ePHI. (3) Transmission security — protecting ePHI when transmitted over electronic networks.
The transmission security requirement is the primary HIPAA concern for email: email transmitted without encryption is not HIPAA-compliant for communications containing PHI. Standard email encryption options for HIPAA-compliant email:
TLS encryption (minimum requirement): All SMTP connections transmitting PHI must use TLS encryption. SMTP TLS is now required by most major ISPs for all commercial email (MAGY requirements include TLS). For email to patient email addresses at major consumer ISPs (Gmail, Yahoo, Outlook), TLS is applied automatically. For email to smaller or less common email providers that may not support TLS, additional controls are needed.
End-to-end encryption or secure portal: For the most sensitive PHI (test results, diagnostic information, detailed treatment information), best practice and in some cases required practice is to send a notification email that prompts the patient to access the PHI through a secure patient portal rather than transmitting the PHI in the email body itself. The email says "Your test results are ready — log in to your patient portal to view them" without including the actual results. This approach provides HIPAA-appropriate PHI handling regardless of the patient's email provider's TLS capabilities.
Business Associate Agreements with ESPs
Under HIPAA, any vendor that processes, stores, or transmits PHI on behalf of a covered entity is a Business Associate and must sign a Business Associate Agreement (BAA). For healthcare email programmes, this means any ESP through which PHI-containing email is sent must sign a BAA.
ESPs that offer HIPAA BAAs and HIPAA-compliant email services include: Google Workspace (for organisations using Gmail for patient communications), Microsoft 365 (Healthcare plans), Mailchimp (Enterprise plan with BAA), Salesforce Marketing Cloud (Healthcare edition), and Twilio SendGrid (BAA available on enterprise plans). ESPs that do NOT offer BAAs (including many standard ESP tiers from Klaviyo, Mailchimp standard, and Brevo standard) cannot be used for email containing PHI — using them for PHI-containing patient communication constitutes a HIPAA violation.
The practical implication: healthcare organisations must audit all email sending platforms to determine which are processing PHI and whether BAAs are in place with each vendor. Appointment reminder systems, patient portal email, and billing communication systems that send patient-specific information must have BAAs with their email infrastructure providers. Generic marketing email to patient populations that does not reference specific health information does not require a BAA (though the organisation must still comply with HIPAA's Marketing authorisation requirements).
PHI in Email: What Is Allowed and What Is Not
PHI (Protected Health Information) is individually identifiable health information. In email, PHI includes: patient name combined with any health information (diagnosis, treatment, prescription, health plan status), medical record numbers, dates of service combined with patient identification, clinical notes, lab results, and similar data. Under HIPAA, transmitting PHI requires appropriate safeguards — the primary concern for email is encryption and access control.
The practical framework for email PHI decisions: (1) Does the email reference a specific patient's specific health information? If yes — the email contains PHI and requires HIPAA-appropriate handling (TLS encryption at minimum, BAA with the ESP, and ideally secure portal redirection for sensitive clinical data). (2) Does the email address a patient population without referencing individual patient health data? If yes — the email likely does not contain PHI and requires standard commercial email compliance (CAN-SPAM/GDPR) rather than HIPAA-specific controls, though the HIPAA Marketing authorisation requirement still applies if the email promotes specific health products or services.
Authentication for Healthcare Email Domains
Healthcare organisations are among the most frequently impersonated in phishing attacks. Emails purporting to be from hospitals, insurance companies, and pharmacies are used to steal patient credentials, insurance information, and payment data. DMARC at p=reject is the most effective technical control against phishing that impersonates a healthcare organisation's email domain — it prevents fraudulent emails from reaching patient inboxes with the organisation's From address.
Healthcare DMARC adoption has accelerated following guidance from HHS (the Department of Health and Human Services) and health information security frameworks (HITRUST, SOC 2) that include DMARC enforcement as a recommended or required control. The 55% enforcement rate in healthcare (DMARC at p=quarantine or p=reject) is above most non-financial industry averages, though significant room remains to reach the full protection of p=reject for all healthcare email domains.
Healthcare DMARC implementation complexity: large health systems may have dozens of email sending systems across clinical, administrative, patient communication, and marketing functions. Each system must be authenticated under the health system's primary domain before DMARC enforcement can be applied. The pre-enforcement audit that identifies all sending sources is often the most time-consuming part of healthcare DMARC implementation — but it is also the most valuable, as it reveals unauthorised sending sources that the security team was unaware of.
Healthcare-Specific Deliverability Challenges
Healthcare email deliverability has characteristics that differ from commercial email: patients may not immediately recognise an appointment reminder from a health system they visited once, generating complaint rates from confused or privacy-concerned recipients. Patient email addresses in healthcare CRM systems have often not been verified at collection (patient registration forms with handwritten email addresses transcribed by staff) — producing higher hard bounce rates than electronically collected addresses.
Corporate email gateway filtering at healthcare employers: many patients receive healthcare email at corporate email addresses. Corporate email security gateways (Proofpoint, Barracuda) at these employers may filter healthcare email more aggressively due to the personal health information risk that healthcare domain email represents. Healthcare senders sometimes experience lower inbox placement at corporate email addresses than at personal Gmail/Yahoo addresses — not because of reputation issues but because corporate gateway content scoring is more sensitive to the health-related content patterns in clinical communications.
Patient Portal and Appointment Reminder Deliverability
Patient portal notifications and appointment reminders are the most commercially and clinically critical healthcare email. A patient who misses an appointment because the reminder landed in spam creates a revenue loss for the practice and a care gap for the patient. A patient who cannot access their portal because the password reset email never arrived generates a support ticket and a frustrating patient experience.
The deliverability requirements for patient portal email: (1) Dedicated sending infrastructure separate from any bulk or marketing email sent by the health system. (2) Custom domain DKIM signing from the health system's own domain. (3) TLS required for all SMTP connections. (4) Sub-60-second delivery target for time-sensitive communications (MFA codes, urgent test result alerts). (5) HIPAA BAA with all email infrastructure providers in the delivery chain.
Appointment reminder sender recognition: use consistent, immediately recognisable sender names for appointment reminders — "Memorial Health Center" rather than "noreply@mhc.com" or "Appointments@mhcsystem.healthcare.internal.com". Patients who do not immediately recognise the sender of an appointment reminder are more likely to mark it as spam than to open it — and complaint-marked appointment reminders damage the health system's domain reputation during exactly the sending period (high-frequency reminder sending before major appointment dates) when reputation management is most critical.
HIPAA-Compliant Email Infrastructure Architecture
The HIPAA-compliant email infrastructure for a healthcare organisation separates PHI-containing and non-PHI email across different sending streams with appropriate controls at each level:
Stream 1 — Clinical communications (PHI): Appointment reminders, test result notifications (via secure portal link), care plan updates, prescription reminders. Requires: dedicated sending IPs, HIPAA BAA with all vendors, TLS required for all connections, encryption at rest for queued messages, full per-message audit logging with 6-year minimum retention (HIPAA retention requirement). Recommended infrastructure: health system's own MTA (Postfix or PowerMTA) on HIPAA-compliant hosting, or a healthcare-specific transactional ESP (Twilio SendGrid Healthcare, Microsoft 365 Healthcare).
Stream 2 — Patient marketing (no PHI): Wellness newsletters, health education content, new service announcements. Requires: HIPAA marketing authorisation documentation for targeted health condition communications, standard commercial email compliance (CAN-SPAM, GDPR). Infrastructure: Salesforce Marketing Cloud Healthcare, or other marketing ESP with BAA for audit purposes even if specific emails do not contain PHI — the platform stores patient demographic data that is PHI adjacent.
Stream 3 — B2B healthcare (no PHI): Medical education, provider communications, administrative email. Requires: standard commercial email compliance. Infrastructure: standard commercial ESP with no BAA required (unless patient data is referenced).
Healthcare email, managed with the compliance and deliverability discipline that the sector's regulatory requirements mandate, actually produces above-average inbox placement — because the compliance infrastructure (authentication, dedicated IPs, careful list management, TLS everywhere) is the same infrastructure that drives deliverability excellence. The healthcare organisation that does email right for HIPAA compliance will also be doing email right for deliverability. The regulatory obligation and the commercial best practice point in the same direction.
Healthcare email deliverability and HIPAA compliance are not competing priorities — they are the same priority viewed from different regulatory and operational angles. The authentication infrastructure that protects patients from phishing (DMARC p=reject) also improves inbox placement. The dedicated sending infrastructure that provides HIPAA-required audit logging also provides the accounting log data needed for deliverability diagnosis. The list management practices that comply with HIPAA's minimum necessary standard also reduce bounce rates and complaint rates. Invest in HIPAA-compliant email infrastructure; the deliverability excellence and the regulatory compliance arrive together as a unified outcome of doing email right in the most demanding regulatory environment commercial email encounters.
Start with the foundation: a HIPAA risk assessment for all email sending systems, a BAA audit to confirm coverage with all vendors processing PHI, and a DMARC advancement project to reach p=reject across all healthcare domain email. These three investments represent the most impactful combination of regulatory compliance and deliverability improvement available to any healthcare email programme. Execute them in sequence; verify each before proceeding to the next; and the healthcare email programme will achieve the dual objectives of clinical reliability and regulatory compliance that patient-facing email demands.