Healthcare email must balance deliverability with HIPAA compliance. Patient communications containing Protected Health Information (PHI) require encryption in transit (TLS) and access controls. Use a HIPAA-compliant ESP with BAA, authenticate your sending domain, separate patient communications from marketing, and never include PHI in marketing emails. Non-compliant email puts your deliverability and your license at risk.
Healthcare Email Deliverability and HIPAA Compliance Guide
Healthcare Email: Two Separate Problems
Healthcare organizations send two types of email that require completely different approaches:
Patient communications — appointment reminders, test results, care instructions, portal notifications. These may contain PHI and fall under HIPAA.
Marketing email — newsletters, wellness tips, service promotions, community health events. These follow standard email marketing rules (CAN-SPAM, GDPR if applicable).
Never combine these streams. Use separate infrastructure, separate sending domains, and separate compliance frameworks.
HIPAA Email Requirements
HIPAA doesn't ban email — it requires safeguards when PHI is involved:
Technical Safeguards
- Encryption in transit: TLS 1.2+ between sending and receiving servers
- Encryption at rest: PHI stored in email systems must be encrypted
- Access controls: Only authorized personnel access patient email
- Audit logging: Log who accessed what and when
Administrative Safeguards
- Business Associate Agreement (BAA): Required with any ESP handling PHI
- Workforce training: Staff must understand email PHI rules
- Incident response: Plan for unauthorized PHI disclosure via email
HIPAA-Compliant Email Services
| Service | BAA Available | Encryption | Notes |
|---|---|---|---|
| Paubox | Yes | Automatic TLS + fallback encryption | Purpose-built for healthcare |
| Virtru | Yes | End-to-end encryption plugin | Works with Gmail/Outlook |
| Microsoft 365 | Yes | TLS + Message Encryption | Requires proper configuration |
| Google Workspace | Yes | TLS (standard), S/MIME (advanced) | BAA covers core services |
Practitioner note: The most common HIPAA email violation I see isn't a breach — it's a healthcare practice using Mailchimp to send appointment reminders with patient names and visit details. Mailchimp doesn't sign BAAs. Use a HIPAA-compliant service for anything involving PHI.
Marketing Email for Healthcare
Healthcare marketing email follows standard deliverability best practices with additional considerations:
Authentication: SPF, DKIM, DMARC on your sending domain. Same as any sender.
Content restrictions: Don't include specific health conditions, treatment details, or anything that constitutes PHI in marketing blasts. "Upcoming flu clinic dates" is fine. "Based on your recent diabetes diagnosis" is a HIPAA violation.
Consent management: Healthcare marketing often intersects with HIPAA's marketing authorization requirements. If you're promoting a service not directly related to treatment, you may need explicit marketing authorization beyond standard email consent.
Sensitive content: Emails about mental health services, substance abuse treatment, or reproductive health require extra care. Even the subject line can be sensitive if it reveals a health condition to someone with access to the recipient's inbox.
Appointment Reminder Deliverability
Appointment reminders are the highest-priority email for healthcare organizations. If they go to spam, patients miss appointments.
Best practices:
- Send from a recognizable domain (e.g., reminders.yourclinic.com)
- Authenticate fully (SPF, DKIM, DMARC)
- Keep subject lines clear: "Appointment Reminder — [Date]"
- Minimize PHI in the email body
- Link to the patient portal for details instead of including them inline
- Send at consistent times (reduces spam filter flags)
Practitioner note: Healthcare appointment reminders have some of the best engagement metrics in any industry — 60-80% open rates are normal because patients actually want these emails. Protect this by keeping the sending stream separate from marketing. If marketing ruins your domain reputation, patients start missing appointments.
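A pre-send check that enforces the content rules above (no PHI merge fields in marketing templates, only scheduling fields plus a portal link in reminders, nothing sensitive in any subject line), added here as an example rather than taken from the guide; the merge-field names and per-stream allowlists are constructed assumptions.

```python
"""Pre-send merge-field check for separated healthcare email streams.

Added example, not code from the guide: lints the {{merge_fields}} in a
template against the stream it is sent on, so PHI-bearing fields never
reach a marketing blast and reminders stay minimal. Field names are
constructed placeholders.
"""
import re

MERGE_TAG = re.compile(r"\{\{\s*(\w+)\s*\}\}")

# Constructed: template fields that are PHI once tied to a named patient.
PHI_FIELDS = {"diagnosis", "visit_reason", "medication",
              "provider_specialty", "test_result"}
# Per-stream allowlist: marketing gets identity only; reminders get
# scheduling data plus a portal link, with details behind the login;
# the HIPAA-compliant portal stream (BAA in place) may use any field.
ALLOWED = {
    "marketing": {"first_name", "clinic_name", "unsubscribe_url"},
    "reminders": {"first_name", "appt_date", "appt_time", "clinic_name",
                  "clinic_address", "portal_url"},
    "portal": None,
}

def merge_fields(text):
    """Return the set of {{field}} names referenced by a template string."""
    return set(MERGE_TAG.findall(text))

def lint_template(stream, subject, body):
    """Return violations; an empty list means the template may be sent."""
    allowed = ALLOWED[stream]
    problems = []
    for where, text in (("subject", subject), ("body", body)):
        for field in sorted(merge_fields(text)):
            # Subject lines show in inbox previews to anyone with inbox
            # access, so PHI stays out of the subject on every stream.
            if field in PHI_FIELDS and (stream == "marketing" or where == "subject"):
                problems.append(f"{where}: PHI field '{field}' is not allowed here")
            elif allowed is not None and field not in allowed:
                problems.append(f"{where}: field '{field}' is not on the {stream} allowlist")
    return problems
```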
Separating Email Streams
| Stream | Subdomain | ESP | Contains PHI |
|---|---|---|---|
| Appointment reminders | reminders.clinic.com | Paubox or HIPAA-compliant ESP | Minimal |
| Patient portal notifications | portal.clinic.com | HIPAA-compliant ESP | Yes |
| Marketing newsletters | news.clinic.com | Standard ESP (Mailchimp, etc.) | Never |
| Staff communication | clinic.com (root) | Microsoft 365 / Google Workspace | Varies |
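The DNS side of stream separation, as an added example rather than code from the guide: per-subdomain SPF and DMARC records with strict alignment, plus a check of the DMARC policy tags a reviewer would look at; the ESP include hosts are placeholders, not real ESP values.

```python
"""Per-stream SPF and DMARC TXT records for separated healthcare sending domains.
Added example, not code from the guide: builds records for the subdomains in the
table above and checks a DMARC record's policy tags. ESP include hosts are
placeholders; use the include host your ESP publishes.
"""
# Constructed sample: stream subdomain -> SPF include hosts of its ESP.
STREAMS = {
    "reminders.clinic.com": ["_spf.hipaa-esp.example"],
    "portal.clinic.com": ["_spf.hipaa-esp.example"],
    "news.clinic.com": ["_spf.marketing-esp.example"],
}
STRONG = ("quarantine", "reject")

def spf_record(includes):
    """Authorize only the listed ESP hosts; '-all' hard-fails all others."""
    return "v=spf1 " + " ".join(f"include:{h}" for h in includes) + " -all"

def dmarc_record(policy, rua, strict=True):
    """Build a DMARC TXT value. Strict alignment (adkim/aspf=s) keeps a
    signature from a sibling subdomain from aligning with this stream."""
    tags = [("v", "DMARC1"), ("p", policy), ("rua", f"mailto:{rua}")]
    if strict:
        tags += [("adkim", "s"), ("aspf", "s")]
    return "; ".join(f"{k}={v}" for k, v in tags)

def parse_dmarc(txt):
    """Split a DMARC TXT value into a {tag: value} dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_dmarc(txt):
    """Return the findings a deliverability reviewer would raise."""
    t = parse_dmarc(txt)
    findings = []
    if t.get("v") != "DMARC1":
        findings.append("missing v=DMARC1")
    if t.get("p") not in STRONG:
        findings.append("p= is not quarantine/reject; spoofing is only monitored")
    if "rua" not in t:
        findings.append("no rua=; aggregate reports will never arrive")
    # sp= defaults to p=. On the root record, a weaker explicit sp= leaves
    # any subdomain without its own _dmarc record unprotected.
    if t.get("sp", t.get("p")) not in STRONG:
        findings.append("subdomain policy sp= is weaker than quarantine/reject")
    return findings
```

Publish each stream's SPF value at the subdomain itself and its DMARC value at `_dmarc.<subdomain>`, and run the root domain's record through check_dmarc as well.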
v1.0 · April 2026
Frequently Asked Questions
Can healthcare organizations send marketing email?
Yes, but marketing email and patient communications must be strictly separated. Marketing email follows standard CAN-SPAM rules. Patient communications with PHI follow HIPAA. Never mix PHI into marketing campaigns, and use separate sending infrastructure for each.
Is regular email HIPAA compliant?
Standard email is not HIPAA compliant for PHI. You need TLS encryption in transit, a Business Associate Agreement (BAA) with your ESP, access controls, and audit logging. Services like Paubox, Virtru, or Microsoft 365 with encryption enabled can meet these requirements.
Do appointment reminder emails need encryption?
If the reminder includes specific health information (reason for visit, doctor name in a specialty context), yes. Generic reminders ('You have an appointment on Tuesday at 2pm') without health details are lower risk, but many compliance officers require encryption for all patient communications.