Dental office desk with a monitor showing an encrypted-email security dashboard, Medix Dental IT

Every dental practice I talk to sends patient information over email. Appointment reminders, referrals, insurance questions, the occasional X-ray. The question is never whether you email PHI. It is whether your email setup can survive an audit.

HIPAA-compliant email is not a product you buy off a shelf. It is a combination of technical safeguards, a signed agreement with your provider, and a few habits your team follows every day. Get any one of those wrong and the whole thing falls apart, no matter how expensive the software looks. I run a dental IT company, and I have watched practices spend real money on tools they configured incorrectly. So let me tell you what actually counts.

What Makes Email HIPAA-Compliant (The Short Version)

There are three pillars. Miss one and you are exposed.

  • Encryption of the message body and attachments, both in transit and at rest.
  • A signed BAA (business associate agreement) with whoever handles the email on your behalf.
  • Access controls on the mailbox itself: unique logins, audit logging, and automatic logoff, plus the everyday patient safeguards your team applies.

People fixate on the first pillar and forget the other two. A perfectly encrypted email flowing through an account with no BAA and a shared password is still a violation waiting to be found.

The Encryption Rule Is More Nuanced Than You Think

Here is the part that trips up almost everyone, including some consultants who should know better.

Under the HIPAA Security Rule, encryption is an addressable specification, not a required one. You can see this yourself in 45 CFR 164.312, specifically at 164.312(a)(2)(iv) and 164.312(e)(2)(ii).

Now, “addressable” does not mean optional. That is the misread that gets practices in trouble.

What it actually means, under 45 CFR 164.306(d), is that you apply the safeguard if it is reasonable and appropriate for your situation. If you decide not to, you have to document why and put an equivalent safeguard in its place.

For ordinary internet email carrying patient information, encryption is reasonable, it is appropriate, and there is no realistic equivalent. So in practice, treat it as the expectation. I have never seen a defensible reason to send unencrypted PHI over standard email.

One thing to keep straight. HHS proposed a rule change in January 2025 that would remove the addressable/required distinction and make encryption flatly required. As I write this, that is a proposal, not law. Do not let anyone sell you on encryption because “the rules changed.” The rules have not changed yet. You should encrypt anyway, for the reasons above.

The BAA Is Non-Negotiable, And Free Email Cannot Give You One

A business associate agreement is the contract that binds your email provider to HIPAA obligations. No BAA, no compliance. Full stop.

This is where the most common mistake lives. Free, consumer email cannot be made compliant.

A personal Gmail account or a consumer Outlook.com inbox will not qualify, because Google and Microsoft do not sign a BAA for their free tiers. It does not matter how carefully you configure it. The agreement simply does not exist for those products.

Google Workspace is different. The paid product will sign a BAA, which an administrator accepts inside the Admin Console, and coverage applies only to the services on Google’s HIPAA Included Functionality list. Google lays this out on its Workspace HIPAA compliance page.

Microsoft 365 works the same way. Microsoft offers a BAA through its Online Services Data Protection Addendum, with Exchange Online in scope. You can read the details on the Microsoft HIPAA/HITECH page.

Read the fine print on both, or have your IT partner do it. If you want a deeper primer on what one of these agreements should cover, we wrote one on how business associate agreements work.

A BAA Alone Does Not Make You Compliant

This is the myth I have to correct the most, and it is worth its own section.

Signing the BAA is step one, not the finish line. Microsoft says this plainly in its own documentation. The agreement covers the provider’s obligations. It does nothing about how you configure and use the account.

You still have to turn on encryption. You still need access controls, data loss prevention rules, multi-factor authentication on every mailbox, and a retention policy. The BAA is the permission slip. The configuration is the actual work.

If you want to see how these misreads cluster together, we cover the pattern in the most common HIPAA compliance misconceptions.

Where Overlay Tools Like Paubox Fit

Not every practice wants to manage encryption policies inside Workspace or Microsoft 365. That is a fair position, especially for smaller teams.

An overlay service like Paubox sits on top of your existing Google or Microsoft account and encrypts outbound mail automatically. There is no recipient portal, no password the patient has to remember, no extra step that makes your front desk want to give up. The message just arrives.

Two things to keep in mind. Paubox still requires its own BAA, and it does not replace the access controls on your mailbox. It handles the encryption pillar cleanly. You still own the rest.

The DSO Problem: Compliance That Holds Across Every Location

Everything above is manageable for a single office. At a multi-location group, the difficulty is not the concept. It is the consistency.

One office turns on encryption. Another shares a login at the front desk. A third signed up for a free inbox years ago and never told anyone. That variance is exactly what an auditor finds, and it is what turns a small problem into a group-wide finding.

If you operate more than one practice, standardize at the tenant level. Sign one BAA that covers the whole organization rather than a patchwork of per-office agreements. Push encryption, DLP, MFA, and retention policies down to every location from a central console instead of trusting each office to set its own.

Audit logging is the piece that scales worst if you ignore it. You want mailbox access logs centralized and reviewable across all offices, not scattered in a dozen separate admin panels nobody checks. When patient communication volume runs into the thousands of messages a week across a group, manual review is not realistic. The logging has to be built in and aggregated.

The valuation angle matters here too. Full integration and documented, consistent compliance is not just risk reduction. In my experience, full integration can increase your DSO valuation by 2 to 4x EBITDA. Buyers pay for practices that will not blow up in diligence.

Before you standardize anything, get an honest baseline. A security and risk assessment across your locations will tell you which offices are already exposed.

The One Legitimate Exception: When A Patient Asks

There is a scenario where unencrypted email is allowed, and it confuses people, so here is the precise version.

Under the Privacy Rule’s right of access, a patient can ask to receive their own health information by unencrypted email. If they make that request, you can honor it.

The condition is that you warn the patient about the risk of unencrypted email first, and you document that you gave the warning. This exception is narrow. It applies to a patient receiving their own records at their own request. It is not a loophole for routine practice-to-patient communication.

A Practical Comparison

Option BAA available? Encryption Best fit
Free Gmail / Outlook.com No Not compliant for PHI Never for PHI
Google Workspace (paid) Yes, via Admin Console Configure within covered services Practices already on Google
Microsoft 365 Yes, via DPA addendum Configure Exchange Online Practices already on Microsoft
Paubox overlay Yes, its own BAA Automatic, no portal Teams that want zero friction

What I Tell Practices To Do

Pick a paid platform that will sign a BAA. Sign it. Then do the real work: turn on encryption, require MFA, set access controls and automatic logoff, write a retention policy, and keep audit logs you actually review.

If your team resists the friction of a portal, add an overlay like Paubox so encryption is invisible to them. And if you run multiple locations, make all of this uniform from a central console. The goal is a setup where any office you walk into passes the same test.

Getting sloppy here is how practices end up on the wrong list. If you want to know what those failures look like, read about the HIPAA violations we see most often.

Frequently Asked Questions

Is Gmail HIPAA-compliant?

Free, personal Gmail is not, because Google will not sign a business associate agreement for it. Paid Google Workspace can be compliant once an administrator accepts the BAA in the Admin Console and you use only the covered services. The account alone is not enough. You still have to configure encryption, access controls, and audit logging on top of it.

Is encryption legally required for HIPAA email?

Technically encryption is an addressable specification under the Security Rule, not a flatly required one. Addressable does not mean optional. You apply it if it is reasonable and appropriate, and for standard internet email carrying patient information, it is. Treat encryption as the expectation. HHS has proposed making it strictly required, but that proposal is not law yet.

Can I email a patient their records without encryption?

Yes, in one specific case. Under the Privacy Rule’s right of access, a patient may request their own information by unencrypted email, and you can honor that request. First warn them about the security risk and document that you gave the warning. This exception covers a patient receiving their own records. It does not apply to your routine communication with patients.

What is the difference between Paubox and Google Workspace for compliance?

Google Workspace is your email platform, and you configure encryption and controls within it. Paubox is an overlay that sits on top of Google or Microsoft and encrypts outbound mail automatically, with no recipient portal or passwords. Paubox handles encryption with less friction, but it still requires its own BAA and does not replace the access controls on your mailbox.

Posted in Dental Cybersecurity

Filter By: