Everything your organization needs for HIPAA compliant email, updated for the 2026 regulatory landscape.
| HIPAA email requirement | DIY approach | With Paubox (recommended) |
|---|---|---|
| Outbound email encryption | ||
| Default encryption for all outbound email | ||
| ePHI encrypted at rest and in transit (Proposed HIPAA Security Rule) | ||
| No portals, passwords, or plugins for recipients | ||
| 128/256-bit AES encryption with TLS 1.2+ | ||
| DKIM and SPF email authentication | ||
| Inbound email security | ||
| AI-powered phishing and BEC detection | ||
| Display name spoofing prevention (ExecProtect) | ||
| Sender behavior and intent analysis | ||
| Compliance and documentation | ||
| Signed business associate agreement (BAA) | ||
| HITRUST certification | ||
| Encryption logs and delivery records | ||
| Annual BA verification documentation (Proposed HIPAA Security Rule) | ||
| Data protection | ||
| Data loss prevention (DLP) (Proposed HIPAA Security Rule) | ||
| Email archiving (6-year retention) | ||
| Setup and training | ||
| Works with Google Workspace and Microsoft 365 | ||
| Zero training needed for end users | ||
| No change to existing email workflow | ||
| Your organization's responsibility | ||
| Determine covered entity / business associate status | ||
| Access control policies and password standards | ||
| MFA across all ePHI systems (Proposed HIPAA Security Rule) | ||
| Staff HIPAA training and email usage policies | ||
| Annual risk assessments and vulnerability scans | ||
| Incident response and breach protocols | ||
| Technology asset inventory and ePHI mapping (Proposed HIPAA Security Rule) | ||
| Items handled for you | 0 of 25 requirements | 17 of 25 requirements |