Is Emailing Medical Records HIPAA Compliant?


The short answer is not really. Here’s the long answer.


For medical providers, one of the biggest headaches in HIPAA compliance is sending private medical documents to external parties who are entitled to receive them. Personal injury law firms often request bills and records for a patient in order to pursue their legal case, leaving providers to find a HIPAA-compliant way to transmit these documents. A common question is whether emailing documents through a standard email service like Gmail or AOL is in keeping with the data encryption standards outlined in HIPAA’s Security Rule.


When transmitting medical documents, medical providers are required to “implement a mechanism to encrypt electronic protected health information” or install an equivalent measure of data security. This is sometimes misinterpreted as simply requiring password protection on email accounts; in reality, the encryption standard is a much higher level of security, one that Gmail, AOL, Yahoo, and other common standard email services do not meet.

Prominent HIPAA healthcare attorney Vinay Bhupathy of Sheppard Mullin explains:

“I advise my medical provider clients not to use the standard GMAIL, AOL, or other non-encrypted email services to send patients’ health records. This is due to two main reasons: (i) increased risks of data breaches due to hacking, phishing, and related digital attacks; and (ii) the 2019 enforcement discretion ruling from the U.S. Department of Health and Human Services, which has increasing caps on penalties for providers for violation of HIPAA based on the level of culpability. Due to the substantial development and maintenance costs which can be associated with custom encryption solutions, I frequently recommend clients look for plug and play solutions with reputable providers that can provide security at a reasonable cost.”


What is End-to-End Encryption?

Encryption is the process of converting a message into an unreadable form so that hackers who intercept it cannot read it while it travels from your email provider’s domain across the internet to the recipient.

When you send a document via email, there are four locations where a hacker could intercept it: your computer, the recipient’s computer, your email server, and the recipient’s email server. Making sure that the contents of the email stay encrypted at every one of these stages is called end-to-end encryption.

Gmail encrypts your emails while they are on your computer or on its servers, but that encryption does not extend to the recipient’s computer or server unless the recipient is also using a Gmail account. That means you may be exposing your documents to a security vulnerability if you send them through Gmail.

In short, simply attaching your patient’s medical documents to an email and sending it to a law firm very well may be a HIPAA violation. There are several options to avoid this:

Law Firm Portals

You may have heard of patient portals, which allow the secure transmission of documents between providers and patients through a secure cloud-based browser application. Law firm portals (LFPs) perform a similar function, allowing providers to store documents in a secure location that is also accessible to the personal injury law firm representing their patient, as long as that firm is authorized by the patient to receive it. LFPs ensure HIPAA compliance through end-to-end encryption and a number of additional security measures. Law firms often prefer portals to the options below, since portals can be organized and tailored to meet the firm’s needs. Shameless plug: Mighty offers the only law firm portal software for medical providers that want their own portal but don’t have the time or resources to build it themselves.

End-to-End Email Encryption Services

If you want to share documents via email exclusively, you need to use a service that provides end-to-end encryption for every email you send, such as Zixmail. If the recipient does not use the same encryption service, they will be required to connect to a secure server before they can retrieve the message. Services like these require little setup, but they are cumbersome and require a lot of work for each email that’s sent.


Cloud-Based Email Servers

One other alternative is to use a cloud-based HIPAA-compliant email server such as the one offered by Office365. By connecting to the server via an encrypted connection, you can send documents to a law firm without exposing them to a potential cyberattack. While this is an option for HIPAA compliance, it is not recommended, as it requires the recipient to have an account on the same cloud-based email service. If you work with multiple law firms, that may be an unrealistic expectation.

Written by Kevin Palermo of Mighty.

Mighty offers medical providers a law firm portal for sending HIPAA-compliant medical records to their patients’ personal injury law firms, getting updates on cases in which they hold liens or LOPs, and streamlining communication to make it easy for providers and law firms to work together.
