Is Your Dental Practice Encrypting Patient Emails?

— Compliance & HIPAA

Every day, dental practices exchange emails with patients about appointments, treatment plans, X-ray results, and insurance questions. Most of those emails travel over standard, unencrypted email — and under HIPAA, that's a problem. Here's what you need to know and what you can do about it.

Why Standard Email Is a HIPAA Risk

When you send an email through Gmail, Outlook, or most standard mail servers, the message may be encrypted in transit — but it is not encrypted at rest, and neither you nor the patient controls where it gets stored, forwarded, or retained. HIPAA's Security Rule requires that Protected Health Information (PHI) be safeguarded against unauthorized access, and ordinary email routinely falls short of that bar.

PHI in email includes anything that could identify a patient and relates to their health, care, or payment. That covers:

  • Appointment confirmations that include a procedure type ("your root canal on June 12")
  • Responses to patient questions about treatment or medications
  • Sending or receiving X-rays, clinical notes, or lab results
  • Insurance pre-authorization and billing correspondence that names the patient and their diagnosis

If your front desk or providers are emailing any of this content through a standard inbox, you have a compliance gap — regardless of how routine the communication feels.

What HIPAA Actually Requires

HIPAA does not ban email outright, but it does set conditions. Under the Security Rule, covered entities must implement technical safeguards that protect PHI. The Office for Civil Rights (OCR) guidance is clear: if you transmit PHI electronically, you must use encryption or equivalent protection — unless the patient has been informed of the risk and explicitly opts to communicate without it.

That patient-consent exception is narrower than it sounds. The patient must be advised in writing that unencrypted email carries risk, must acknowledge that risk, and you must document it. Even then, many practices prefer to avoid the liability and simply implement encryption across the board.

The Two Approaches That Actually Work

1. Encrypted Email with a HIPAA-Compliant Provider

Providers like Paubox, Zix (ZixMail), LuxSci, and Microsoft 365 with Purview Message Encryption (with a proper Business Associate Agreement in place) deliver true end-to-end encryption without requiring patients to log into a portal. The message arrives in the patient's regular inbox, encrypted during delivery and storage.

This is the closest experience to normal email for both staff and patients, which drives adoption.

2. A Secure Patient Messaging Portal

Many practice management platforms — Dentrix, Eaglesoft, Curve Dental — include or integrate with secure messaging modules. Messages stay inside an encrypted portal. The patient receives an email notification that a message is waiting, then logs in to read it.

The downside is friction. Many patients don't log into portals consistently, and practices often end up following up by phone anyway. That said, if your EHR already includes this capability, it may be your fastest path to compliance at no additional cost.

What About Google Workspace and Microsoft 365?

This is where practices get tripped up most often. Google Workspace and Microsoft 365 are not automatically HIPAA-compliant. To use either platform for PHI:

  • You must sign a Business Associate Agreement (BAA) with Google or Microsoft — this is a separate step, not a default
  • You must configure the platform correctly: encryption at rest enabled, audit logging active, proper access controls in place
  • For Microsoft 365, you typically need a Business Premium or higher plan to access the encryption features required for PHI transmission
  • Consumer Gmail (@gmail.com) is never appropriate for PHI — Google does not offer a BAA for consumer accounts

Having a BAA is necessary but not sufficient. OCR has found practices liable for breaches even when a BAA was in place, because the technical configuration didn't match what the agreement required.

Common Scenarios and the Right Answer

Scenario: Compliant?

  • Front desk emails a patient a reminder with the procedure type included: No, unless the message is encrypted or the patient opted in with a documented risk disclosure
  • Provider replies to a patient question about a prescription via Gmail: No, consumer Gmail is never appropriate for PHI
  • Practice uses Paubox with a signed BAA to send treatment summaries: Yes
  • Patient requests unencrypted email after receiving a written risk disclosure: Yes, if consent is documented per OCR guidance
  • Microsoft 365 Business Premium with a BAA signed and encryption configured: Yes, if properly set up

The Breach Notification Reality

If PHI sent via unencrypted email is accessed by an unauthorized party — including if a patient's inbox is compromised — that is a reportable breach under HIPAA. Your practice may be required to notify the affected patients, report to HHS, and depending on the number of individuals affected, issue a public notice. OCR breach penalties range from $100 to $50,000 per violation, with an annual cap of $1.9 million per violation category.

Encryption is one of the few controls that creates a safe harbor under the Breach Notification Rule. If the data was encrypted and the keys were not compromised, it does not meet the definition of a breach requiring notification.

Steps to Take Now

  1. Audit what email platform you're using. If it's consumer Gmail or a standard shared hosting email account, that needs to change.
  2. Check for a signed BAA. If you use Google Workspace or Microsoft 365, verify that a BAA is in place — this is not automatic.
  3. Evaluate your options. Paubox is purpose-built for healthcare and simple to deploy. If you already use Microsoft 365 Business Premium, you may already have the tools you need with proper configuration.
  4. Create a patient consent process. For practices that want to allow unencrypted email at patient request, draft a risk disclosure and consent form — and document every consent received.
  5. Train your team. Staff need to know which types of patient communication require the secure channel and which do not.

Not sure how your practice handles PHI in email? We help Colorado Front Range dental practices evaluate their HIPAA technical safeguards — including email encryption, BAA status, and staff workflows. No sales pressure, just an honest assessment.


The Bottom Line

Email is unavoidable in a modern dental practice. But the same convenience that makes it useful also makes it a liability if PHI isn't properly protected. Encrypting patient email isn't a heavy lift — but it does require intentional choices about your platform, your BAAs, and your staff training. Getting this right protects your patients and removes one of the most common sources of HIPAA breach exposure.
