
Why Even Smart Health Professionals Still Don’t Encrypt Their Email — and Why That’s a Problem

  • Writer: Joseph Perrin
  • Oct 24, 2018
  • 2 min read

Updated: Apr 26


TL;DR:

  • Email is not secure by default — even Gmail, Outlook, and Apple Mail can expose sensitive patient data.

  • HIPAA's Security Rule requires you to protect electronic PHI (ePHI) in transit over open networks such as the internet. Encryption is the expected safeguard; skipping it is only defensible with a documented risk analysis showing an equivalent control is in place.

  • Lack of encryption = risk of data breaches, lawsuits, and fines.

  • Many professionals mistakenly think they’re compliant when they’re not — especially if they rely on standard email providers.

  • Solutions are affordable and easy to implement. There's no excuse for skipping this anymore.



Let’s Be Honest: Email Feels Easy—But It’s Often a HIPAA Trap


Many intelligent, highly trained healthcare professionals are unknowingly putting themselves—and their patients—at risk every day. How?


They’re sending emails that include patient information using platforms like Gmail, Outlook, or Apple Mail… without proper encryption.


It’s not because they don’t care about privacy. It’s usually because they think those platforms are “secure enough.”

But here’s the truth:


If PHI leaves your office through an email system that doesn't encrypt it in transit and at rest, or through a provider that handles that mail without having signed a Business Associate Agreement (BAA) with you, you're not HIPAA compliant.


Why Doesn’t Everyone Know This?


Because email encryption isn’t intuitive, and most major email providers don’t explain it well. For example:


  • Gmail encrypts the connection between your device and Google's servers, and uses TLS to the recipient's mail server only when that server supports it. If it doesn't, the message is handed over in plaintext, and once delivered it sits in whatever mailbox the recipient uses, under that provider's protections rather than yours.

  • Outlook with Microsoft 365 offers message encryption, but it is not applied to outgoing mail by default; it has to be licensed, configured, and switched on for the messages that carry PHI.

  • Apple Mail is the same story: it can do S/MIME, but only after you obtain and install certificates for yourself and each recipient. Out of the box you have no way of knowing whether a given message was protected.


So many professionals wrongly assume “I’m using a reputable service, so I must be secure.” But HIPAA isn’t about assumptions. It’s about verified safeguards.
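Transport encryption is negotiated hop by hop, and each mail server records in a Received header whether the connection that delivered the message to it used TLS. The script below is an added example, not code from the original post or from Patient Protect: it reads those headers from a message you have already received (for instance a test message sent from your clinic account to a mailbox you control) and flags any hop that arrived in plaintext. The message it parses is constructed for illustration and the server names are placeholders. Two caveats: Received headers are written by each receiving server and can be forged or omitted by an upstream relay, and they say nothing about how the mail is stored once delivered. A clean result only tells you that one delivery path was encrypted, not that the next one will be.

```python
import re
from email import message_from_bytes

# Constructed sample, not a real capture. Each relay prepends its own Received
# header, so the topmost header is the last hop and the bottom one is the first.
SAMPLE_RAW = b"""Received: from mx.patient-inbox.test (mx.patient-inbox.test [203.0.113.10])
    by mailbox.patient-inbox.test with ESMTPS id c3
    (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384); Wed, 24 Oct 2018 10:05:12 -0400
Received: from smtp.example-clinic.test (smtp.example-clinic.test [198.51.100.7])
    by mx.patient-inbox.test with ESMTP id b2
    for <patient@patient-inbox.test>; Wed, 24 Oct 2018 10:05:10 -0400
Received: from [192.0.2.5] (clinic-laptop [192.0.2.5])
    by smtp.example-clinic.test with ESMTPSA id a1
    for <patient@patient-inbox.test>; Wed, 24 Oct 2018 10:05:08 -0400
From: dr@example-clinic.test
To: patient@patient-inbox.test
Subject: Follow-up
Message-ID: <a1@example-clinic.test>

Lab results attached.
"""

# A hop used TLS if the relay recorded a TLS-capable "with" keyword
# (ESMTPS / ESMTPSA and friends, RFC 3848) or an explicit TLS version string,
# as Postfix- and Google-style headers do. Plain "with ESMTP" or "with SMTP"
# means the message was accepted over a cleartext connection.
TLS_HOP = re.compile(
    r"\bwith\s+(?:ESMTPSA?|UTF8SMTPSA?|LMTPSA?)\b|\bversion=TLS|\bTLSv?1[._]\d",
    re.IGNORECASE,
)


def received_hops(raw):
    """Return the Received hops in delivery order, first relay first."""
    msg = message_from_bytes(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received") or []):
        text = " ".join(hdr.split())              # unfold continuation lines
        by = re.search(r"\bby\s+(\S+)", text)     # server that wrote this header
        hops.append({
            "by": by.group(1) if by else "?",
            "tls": bool(TLS_HOP.search(text)),
            "header": text,
        })
    return hops


def plaintext_hops(raw):
    """Names of the receiving servers that accepted the message without TLS."""
    return [h["by"] for h in received_hops(raw) if not h["tls"]]


def transport_fully_encrypted(raw):
    """True only if every recorded hop used TLS (and at least one hop exists)."""
    hops = received_hops(raw)
    return bool(hops) and all(h["tls"] for h in hops)


if __name__ == "__main__":
    for i, hop in enumerate(received_hops(SAMPLE_RAW), 1):
        status = "TLS      " if hop["tls"] else "PLAINTEXT"
        print(f"hop {i}: {status} -> {hop['by']}")
    print("fully encrypted in transit:", transport_fully_encrypted(SAMPLE_RAW))
```

On the sample, the laptop-to-clinic-server hop and the recipient's internal hop both used TLS, but the hop from the clinic's outbound server to the patient's MX was accepted with plain ESMTP, so the message crossed the internet unencrypted. That middle hop is exactly the one a standard provider cannot guarantee for you.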


The Consequences Are Real

Failing to encrypt emails can lead to:


  • Data breaches

  • Loss of patient trust

  • Regulatory investigations

  • Civil money penalties, which are tiered by culpability and capped at well over a million dollars per year for each provision violated


Even if a breach never happens, sending PHI without encryption, and without a documented risk analysis justifying an equivalent safeguard, is still a compliance failure under HIPAA.


The Good News? This Is Totally Fixable.

There are simple, low-cost tools that allow you to:


  • Encrypt email automatically

  • Verify recipient access

  • Maintain audit trails

  • Sign a BAA with your provider


Confusion about certificates, encryption, and the other technical requirements of HIPAA is common, and neglecting them has real security consequences. At Patient Protect, we built a cloud-based service to take the complexity out of secure collaboration. ePHI is handled through a conventional web interface served over HTTPS (TLS), so it is encrypted in transit, and it is stored in an encrypted database, so it is encrypted at rest. We also help offices improve their compliance by advising on and teaching sound practices.



Bottom Line


Smart people still make risky choices when they don’t have the right information.

Encryption is the expected safeguard under HIPAA, not an optional extra, and it isn't hard anymore.


If you're emailing PHI and you haven't explicitly enabled HIPAA-compliant encryption with a BAA in place — you're exposed.


Let’s fix that. Visit Patient-Protect.com to get started with encrypted messaging that takes the worry out of HIPAA compliance. Want to learn more about HIPAA compliance? Read our blog here.


