23 years from Stockholm
Solutions · Healthcare

Email infrastructure for healthcare organizations under HIPAA and the EU EHDS regime

Healthcare email is the workload where mistakes cost the most. The HHS Office for Civil Rights Breach Report records hundreds of email-related PHI incidents per year — California Correctional Health (1,348 PHI March 2024), Orlando VA Medical Center (9,850 March 2024), Eastern Connecticut Health Network (912 BCC failure July 2023), Lafourche Medical Group ($480K settlement December 2023 for a phishing breach). Each one started with a routine email. The infrastructure that handles patient communications has to assume mistakes will happen and encrypt-by-default rather than rely on staff judgment, has to maintain the audit trail 45 CFR 164.312 requires, and has to fit inside both the US HIPAA regime and the European Health Data Space (Regulation EU 2025/327) that entered into force March 26, 2025. We ship that infrastructure for healthcare organizations operating in either jurisdiction.

The 2026 regulatory landscape for healthcare email

HIPAA is thirty years old and still binding. EHDS just entered into force. Email between a provider and a patient is regulated under both.

The Health Insurance Portability and Accountability Act has governed protected health information in the United States since 1996, with the HIPAA Privacy Rule and the HIPAA Security Rule layered on top through the 2000s and 2010s. Email is permitted as a communication channel — the HHS guidance is clear that an individual has the right to receive appointment reminders by email under 45 CFR 164.522(b), and a provider can use email to communicate with patients who haven't explicitly objected — but the infrastructure has to provide reasonable safeguards. The five technical safeguards under the HIPAA Security Rule's 45 CFR 164.312 are access control, audit controls, integrity, person-or-entity authentication, and transmission security. Email systems that handle PHI must implement all five, with the proposed 2025 Security Rule update making multi-factor authentication mandatory rather than addressable.

PHI under HIPAA is broader than most clinicians initially expect. It includes any identifiable health information linked to a patient's care, payment, or treatment. The eighteen HIPAA identifiers cover names, email addresses, phone numbers, account numbers, and Social Security numbers — combined with any clinical context (lab results, treatment plans, prescriptions, referrals) or administrative data (appointment reminders, billing details, EOB forms), they become PHI. Even subject lines and message headers can contain PHI. A subject line that reads "John Smith's diabetes test results" is an impermissible disclosure under HIPAA before the email is ever opened, because headers are not encrypted end-to-end and TLS-only encryption protects them only during transit between servers, not in the recipient's mailbox.

On March 26, 2025, the European Health Data Space (EHDS) Regulation (EU) 2025/327 entered into force. The EHDS doesn't replace GDPR's Article 9 protections for special-category health data; it complements them with a sector-specific framework for the primary use (healthcare delivery) and secondary use (research, innovation, policymaking) of electronic health data across the EU. The EHDS regulation applies from March 26, 2027, with the major primary-use provisions becoming operational on March 26, 2029, and the second wave on March 26, 2031. By June 2025, every EU member state had to appoint a National Digital Health Authority; by January 2026, EHR vendors had to certify their systems for interoperability and security compliance.

For healthcare organizations operating in the EU, that means email systems carrying patient-identifiable data are now subject to both GDPR Article 9 (special category) and the sector-specific EHDS rules. The penalties echo GDPR: up to €10M or 2% of global turnover for minor infringements, €20M or 4% for severe violations. For US healthcare organizations with EU patients (rare in retail healthcare, common in medical tourism, telemedicine, and academic medical centers), the EHDS extraterritorial scope is limited — only EU-established health data holders are directly in scope — but the GDPR Art. 9 transfer rules still apply when patient data crosses the Atlantic.

The intersection of these regimes makes healthcare email the most-regulated email category in the economy. The customer impact of a breach is direct — patient identities, diagnoses, treatment information ending up in the wrong inbox — and the regulatory consequence is severe: $100 to $50,000 per HIPAA violation, $1.5M annual maximum per category, plus reputational damage that compounds for years afterward. The HHS Breach Report, which only lists incidents affecting 500 or more individuals, recorded California Correctional Health Care Services notifying HHS in March 2024 about a misdirected email exposing the PHI of 1,348 patients; Orlando VA Medical Center reporting an employee sending 9,850 patients' PHI to a personal email account in the same month; and the Lafourche Medical Group settling the first HHS investigation into a phishing-attributable breach for $480,000 in December 2023. These weren't sophisticated attacks. They were routine email mistakes amplified by infrastructure that didn't assume staff would make them.

PHI exposure modeling

What a healthcare organization loses each year to email-attributable PHI breaches

Move the sliders to model your situation. The math approximates the documented per-record breach cost in US healthcare ($429 to ~$2,000 depending on the source) combined with the per-staff-account exposure rate that the HHS Office for Civil Rights breach archive suggests. Posture multiplier reflects whether encryption is plaintext-default, TLS-opportunistic, or auto-encrypt-on-PHI-detection.

1K (small practice)2M (hospital network)
5 (small clinic)5K (multi-hospital)
$100 (notification only)$2,500 (litigation-included)
PlaintextTLS-oppEncrypted portalAuto-encrypt + DLP

Math: per-staff-account expected breach events/yr × records exposed per event × cost per record × posture multiplier. Posture multipliers: Plaintext + portal (BAA-less) = 1.0×; TLS opportunistic (Office 365 + BAA) = 0.55× (falls back to plaintext if recipient server doesn't support TLS); Encrypted portal with BAA = 0.20× (subject lines/headers still vulnerable); Auto-encrypt + DLP + audit + MFA = 0.05× (every email assumed PHI, encrypted regardless). Per-record cost ranges align with IBM 2024 Cost of a Data Breach Report healthcare segment.

Annual expected exposure
$640K
Plaintext + portal exposure
Staff handling PHI 75
Expected breach events/yr ~2.3
Avg records per event ~650
Records exposed/yr ~1,495

Move to auto-encrypt + DLP + audit + MFA and exposure drops by ~95%. The HIPAA Security Rule's expectation is that the system, not the staff, prevents impermissible disclosures. Every email assumed PHI, encrypted regardless, is the only architecture that the HHS Office for Civil Rights consistently treats as having implemented reasonable safeguards under 45 CFR 164.312.

Three healthcare email patterns

How healthcare organizations are actually handling PHI email — honest comparison

Most healthcare organizations end up in one of three configurations. Each works for a certain size of organization and a certain risk tolerance. Below: where each fits, where it breaks, and what the HHS Office for Civil Rights tends to find when it investigates.

Pattern 1 — Plaintext + portal

Consumer email + "log into the portal" notifications

The most common pattern at small practices. Staff use consumer Gmail/Yahoo (no BAA), patient comms go through a "log into the portal" workflow with a generic notification email. The portal itself is BAA-covered, but every email outside it is a HIPAA risk.

Practical use
~1-5 clinicians, low PHI volume
Breaks at
Any clinical email outside the portal
OCR view
Inadequate safeguards under 164.312
Honest assessment

Acceptable only if the discipline is perfect: no PHI in any subject line, no PHI in any body, no PHI in any attachment, every clinical conversation moves to the portal. In practice the discipline breaks within months. Most documented breaches in the HHS archive started here.

Pattern 2 — Business Microsoft 365 / Google Workspace + BAA

TLS-opportunistic encryption with a signed BAA

Business Microsoft 365 or Google Workspace plans, both of which sign BAAs with healthcare customers as standard. TLS encryption between mail servers when both support it; falls back to plaintext if the recipient server doesn't. This is the default for most medical groups and outpatient clinics.

Practical use
5-500 clinicians, mid-volume PHI
Weakness
TLS fallback to plaintext + subject-line exposure
OCR view
Acceptable with documented risk assessment
Honest assessment

The HIPAA-compliant default for most practices. The remaining exposure: subject-line PHI, the TLS fallback gap when patients use small/older mail providers, and the inability to enforce DLP automatically. Still relies heavily on staff judgment about what goes in a subject line.

Pattern 3 — Auto-encrypt + DLP + audit

Every email assumed PHI, encrypted regardless, audited per 164.312

The architecture for organizations where the discipline can't be assumed. Every outbound email is encrypted by default; DLP scans for PHI patterns (SSN, MRN, diagnosis codes) and blocks/redirects when detected; MFA enforced on every account; audit logs satisfy 45 CFR 164.312(b); breach detection runs within the 60-day HIPAA clock.

Practical use
500+ clinicians, high PHI volume
Cost-breakeven
Practices with 50+ clinical staff
OCR view
Affirmative safeguards documented
Honest assessment

Where the math starts working for organizations above ~50 clinical staff. HITRUST-certified vendors are the working selection criterion — less than 1% of HITRUST-certified organizations reported breaches over a two-year span in the most recent industry data.

PHI handling by message component

Where PHI ends up in an email, and how each encryption method handles it

Message component TLS (transit only) PGP / S/MIME Portal-delivered AH auto-encrypt
Subject line Encrypted in transit only; visible in recipient's mailbox at rest Not encrypted at all (PGP/S/MIME don't cover headers) Generic notification only; no PHI Auto-scrubbed if PHI detected; replaced with neutral subject
Message body Encrypted in transit; plaintext at recipient's mailbox End-to-end encrypted Not in email; behind portal auth End-to-end encrypted, recipient decrypts in browser
Attachments (lab results, x-rays) Encrypted in transit; recipient stores plaintext Encrypted Behind portal auth Encrypted + audit logged
Sender / recipient fields Always visible (RFC 5321 requires) Always visible Not exposed; portal-internal Visible (cannot be encrypted at SMTP layer)
BCC discipline Relies on staff (most common breach) Relies on staff Portal handles list segregation BCC enforced on multi-recipient detection
Audit trail (45 CFR 164.312(b)) Mail server logs only Mail server logs only Portal access logs Per-recipient delivery and read receipts
TLS fallback Silent fallback to plaintext if recipient doesn't support TLS Independent of TLS Not applicable Routes through secure portal if recipient TLS unavailable

Encryption method comparison verified against HIPAA Security Rule technical safeguards documentation (45 CFR 164.312), HHS guidance on email PHI (FAQ 570), Paubox 2026 HIPAA email definitive guide, Yale University HIPAA email policy 5123, and the HHS Office for Civil Rights breach report archive 2023-2025.

What we ship for a healthcare engagement

The platform pieces that satisfy HIPAA's technical safeguards and the EHDS regime together

What we provide is the regulated sending layer underneath your EHR, patient portal, and clinical communication systems. We don't replace Epic, Cerner, Allscripts, or any equivalent European EHR; what we replace is the SMTP relay underneath them, plus the encryption, audit, and breach-detection workflows that HIPAA's 45 CFR 164.312 and the EHDS security requirements require.

  • Business Associate Agreement (BAA) framework, ready to sign Pre-drafted BAA aligned with 45 CFR 164.504(e), HIPAA-permitted exceptions documented, breach notification within 60 days as required, sub-processor list with each sub-processor's BAA on file. The BAA is included with every healthcare plan; no enterprise upsell required. For EU customers, the equivalent GDPR Article 28 DPA covers the same processor-controller relationship under the EHDS regime.
  • Auto-encrypt on PHI detection Outbound DLP scans for the eighteen HIPAA identifiers and clinical-vocabulary patterns (ICD-10 codes, common diagnosis terms, lab result formats). Detection triggers automatic encryption — the email leaves through the secure-portal route rather than plaintext SMTP — without requiring staff to remember to mark it. The default assumption is every email may contain PHI, every email is encrypted, the staff don't have to make the judgment.
  • Subject-line PHI scrubbing Subject lines are the most-exposed component of an email (headers are not end-to-end encrypted, they're visible in the recipient's mailbox at rest). Our DLP scans the subject line independently from the body; when PHI is detected, the subject is replaced with a neutral placeholder ("Secure message from Dr. Smith's office — log in to view") and the original PHI-laden subject lives only inside the encrypted body or portal.
  • Audit controls under 45 CFR 164.312(b) Per-message audit trail: sender, recipients (including those who would have received BCC), timestamp, message ID, encryption method applied, delivery status, read receipts where supported, retention for the period your organization specifies (typical default 6 years matching HIPAA Privacy Rule documentation retention). The audit logs are queryable by your compliance team and are export-ready for any OCR investigation or EHDS Health Data Access Body request.
  • Multi-factor authentication enforcement The proposed 2025 HIPAA Security Rule update makes MFA mandatory rather than addressable. Our infrastructure enforces MFA on every staff account that touches PHI, with TOTP, security keys (FIDO2/WebAuthn), or SMS as fallback. Authentication failures are logged; repeated failures trigger account lockout and security team notification.
  • BCC discipline at the relay layer The single most common breach pattern in the HHS Office for Civil Rights archive is multi-recipient emails sent without BCC — Eastern Connecticut Health Network in July 2023 exposed 912 patients this way, and there are 34 substantially similar incidents recorded in OCR's breach archive. When our system detects multiple recipients on the To: or CC: line on a message that's flagged as patient communication, the send is intercepted, the recipients are silently moved to BCC, and a notification goes to the sender so they learn the discipline.
  • Breach detection within the 60-day clock HIPAA Breach Notification Rule (45 CFR 164.408) requires notification to affected individuals and HHS within 60 days of discovery. Our detection workflow flags suspicious access patterns, misdirected messages, and authentication anomalies in near-real-time, with the named compliance contact at your organization receiving notification within an hour. The technical breach data we provide is structured for direct inclusion in the OCR breach notification submission.
  • EU-only routing in Stockholm and Frankfurt (for EHDS-scope organizations) For healthcare organizations established in the EU, routing patient communications stays in the EU by default — primary infrastructure in Stockholm, secondary in Frankfurt. The Schrems II questions that complicate any US-routed mail involving Article 9 special-category data simply don't apply to our chain. For German hospitals, this satisfies the BfArM expectations and the §22 BDSG-neu requirements for special-category processing.
Pricing scenarios

How healthcare engagements typically size

Small clinic / single-specialty practice

SMTP Relay Pro + BAA · €749/mo

20 dedicated IPs, BAA included, auto-encrypt + subject-line scrub, MFA enforcement, audit controls. The configuration for clinics with ~5-50 clinicians handling routine PHI workloads (appointment reminders, lab results, billing comms).

See SMTP Relay
Medical group / multi-specialty · Most common

PowerMTA Pro + Managed Deliverability · €2,699/mo

PowerMTA Pro (€1,499) + Managed Deliverability (€1,200). 20 dedicated IPs, 150K msg/hr, named compliance engineer, full audit and DLP stack, breach detection within 60-day clock, BAA framework with sub-processor register. Typical settling tier for medical groups with 50-500 clinicians.

See Managed Deliverability
Hospital network / academic medical center

Custom · from €5,999/mo

Multi-server architecture across Stockholm + Frankfurt, dedicated IP space, named SLA with sub-30-minute response on PHI-related incidents, HITRUST-aligned audit support, integration with Epic/Cerner/Allscripts SMTP gateways, EHDS Health Data Access Body liaison for European organizations.

Open the conversation
Common questions from healthcare compliance teams

What healthcare organizations ask before signing

What does your BAA actually cover, and what's the sub-processor situation?

+

Our BAA is aligned with the required terms under 45 CFR 164.504(e): we agree to use and disclose PHI only as permitted by the BAA, implement appropriate safeguards under 45 CFR 164.312, report breaches to your organization within the timeframe your BAA specifies (default 24 hours of discovery), make PHI available for the individual's right of access under 164.524, document and report any subcontractor that creates, receives, maintains, or transmits PHI, and return or destroy PHI at termination unless retention is required by law.

Sub-processors: our infrastructure runs on bare-metal servers in our Stockholm and Frankfurt facilities, both of which we operate directly (not on AWS, not on Azure, not on Google Cloud). The sub-processor list is short: DNS, the network providers in each data center, and the trademark-registered VMC issuer (DigiCert) when the bank also runs BIMI. Every sub-processor has a BAA with us. The full register is part of the procurement document we share before signing.

Are you HITRUST-certified?

+

Not currently. HITRUST CSF is a US-centric framework, and while the certification has real value for US healthcare organizations evaluating vendors, our customer base is predominantly European healthcare organizations where HITRUST is not a procurement requirement. We do operate under ISO 27001 and our internal controls are documented at the level a HITRUST audit would require; for US healthcare organizations where HITRUST is a hard requirement, we can either pursue certification or refer to one of the larger HITRUST-certified providers as a complementary option.

The published data on HITRUST is genuinely impressive: less than 1% of HITRUST-certified organizations reported breaches over a two-year span in the most recent industry research. The underlying reason is that the controls HITRUST requires are the controls that actually prevent breaches — encryption, access control, audit logs, incident response. We implement all of them. The certification is the procurement signal; the controls are the actual protection.

How does the appointment reminder flow work when a patient consents to unencrypted email?

+

HIPAA explicitly allows it under 45 CFR 164.522(b) — the patient has the right to request and receive appointment reminders by email, and the provider must accommodate the request if email is a reasonable alternative. The HHS guidance is clear that the provider can assume email is acceptable when the patient initiates the communication.

What we ship: a per-patient consent flag in the database. When the consent flag is set, our DLP treats that patient's reminders differently — appointment reminders, billing notifications, and similar low-sensitivity communications can flow as plaintext (with a generic subject line that doesn't contain PHI), while clinical communications (lab results, prescription details, diagnosis information) still trigger auto-encryption regardless. The consent flag is auditable: who set it, when, with what evidence (signed authorization form scanned into the EHR, or verbal consent with the staff member's documentation). Revoke is one click and propagates within minutes.

What happens if a misdirected PHI email goes out — what's the recovery path?

+

The 24-48 hour window matters most. Detection: our DLP flags multi-recipient messages, unusual recipient domains (consumer Gmail, Hotmail when the patient profile shows an Office 365 account), and recipient email addresses that match staff or vendor accounts on a clinical message. When the flag fires, the message is held in the outbound queue and the sender plus their immediate supervisor are notified within 60 seconds. If the staff member confirms the recipient is correct, the message releases. If not, the message is purged before it leaves our infrastructure.

If a message does leak (because the staff member confirmed before realizing the recipient was wrong, or because the address was typo'd to a real but unintended account), the recovery workflow: immediate notification to your compliance officer, breach assessment template pre-filled with the technical facts, recipient-side request to delete (legally weak but worth doing), and HIPAA Breach Notification Rule clock starts. If the breach affects fewer than 500 individuals it's reported in the annual HHS submission; 500+ requires notification to HHS within 60 days and media notification for incidents affecting more than 500 in a single state. We provide the technical breach data structured for direct inclusion in the OCR submission.

How does this integrate with Epic, Cerner, Allscripts, or our European EHR?

+

Two integration patterns. SMTP relay pattern: Epic/Cerner/Allscripts (or your European EHR — Compugroup, Doctolib for appointment workflows, Dedalus, Cerner's European deployments) authenticates to our SMTP relay, the EHR continues to be the source of patient communications, our infrastructure handles encryption, DLP, audit, and delivery. The EHR's clinical context isn't exposed to us; we see envelope-level metadata and message structure, not the patient record.

HTTP API pattern: for organizations building newer workflows (telemedicine platforms, patient engagement layers on top of an existing EHR), the EHR or middleware calls our API directly with structured message templates. Patient consent flags travel as API parameters; the DLP runs against the rendered message before SMTP handoff. This pattern is more common in European deployments where the EHDS interoperability standards encourage API-based integration rather than SMTP gateway integration.

For European customers: how does EHDS interact with what you're shipping?

+

EHDS (Regulation EU 2025/327) is principally an interoperability and cross-border-access framework, not an encryption mandate. Most provisions don't apply until 26 March 2027, with the major primary-use functionality (Patient Summaries, ePrescriptions/eDispensations exchanged across borders) operational by 26 March 2029. What's already live: every EU member state had to appoint a National Digital Health Authority by June 2025, and EHR vendors had to certify their systems for interoperability and security compliance by January 2026.

What this means for our infrastructure: we don't replace your EHR (the EHDS certification applies there), but we are part of the security perimeter that the National Digital Health Authority in your member state may inquire about during oversight. The audit trail we maintain is structured to satisfy both HIPAA 45 CFR 164.312(b) and the EHDS Article requirements for security, confidentiality, and integrity controls. For German hospitals specifically, this also aligns with the §22 BDSG-neu special-category processing requirements and the BfArM expectations for ICT in healthcare.

What about the proposed 2025 HIPAA Security Rule update making MFA mandatory?

+

The proposed update reclassifies MFA from an addressable specification (the covered entity decides whether to implement based on risk assessment) to a required specification (the covered entity must implement). As of early 2026 the rule is still proposed — finalized adoption is expected through the regulatory comment process — but the direction is clear, and the prudent operating posture is to treat MFA as required already.

Our infrastructure enforces MFA on every staff account that touches PHI as the default — TOTP (Google Authenticator, Authy, 1Password, etc.), FIDO2/WebAuthn security keys (YubiKey, Apple/Google passkeys), or SMS as fallback for staff who don't have access to other methods. The enforcement is at the authentication layer; staff can't bypass it by accident. The audit log records every authentication event, every MFA challenge, every failure. For an OCR investigation, the question "does the covered entity enforce MFA?" gets a structured "yes" with the audit data to demonstrate it.

Tell us about your organization

Practice size, EHR, regulatory perimeter (HIPAA, EHDS, both), current email setup, and what specifically prompted you to look at the email infrastructure. We'll come back with a sized proposal, a BAA, and the security questionnaire pre-filled.