February 3, 2026
Healthcare HIPAA Automation Development

HIPAA-Compliant Email: What Your Ormond Beach Practice Actually Needs

HIPAA-compliant email requires encryption of all ePHI at rest (AES-256) and in transit (TLS 1.2+), a signed Business Associate Agreement with your email provider, Data Loss Prevention policies that detect and encrypt messages containing PHI, multi-factor authentication for all users, and audit logging. Microsoft 365 Business Premium, E3, and E5 plans are HIPAA-eligible but are NOT compliant out of the box — you must accept the BAA, enable MFA, configure Office Message Encryption, set up DLP rules, and disable legacy authentication protocols. The 2026 HIPAA Security Rule eliminates the "addressable" loophole, making encryption mandatory for all healthcare organizations with no exceptions.

I need to say something uncomfortable to every medical practice in Ormond Beach still running basic email: your email is almost certainly not HIPAA compliant. Not because you chose a bad provider. Not because your IT person missed something obvious. Because HIPAA-compliant email doesn't exist as a product — it exists as a configuration. And that configuration doesn't happen by itself.

I've audited email setups at practices across Volusia County, and the same pattern repeats. The practice has Microsoft 365. Someone in the office signed up for it years ago. Everyone uses Outlook. Nobody configured encryption. Nobody set up Data Loss Prevention. Nobody accepted the Business Associate Agreement in the admin portal. And nobody knows that any of this was necessary.

This post fixes that. I'm going to walk you through exactly what HIPAA requires for email, show you the Microsoft 365 configuration that meets those requirements, and give you the PowerShell scripts and policy templates to make it happen.

Let's get into it.

Table of Contents
  1. Why Most Ormond Beach Practices Think Their Email Is Compliant (It Isn't)
  2. What HIPAA Actually Requires for Email in 2026
  3. Microsoft 365: The Right Plan for Healthcare
  4. Step-by-Step: Making M365 HIPAA Compliant
  5. The M365 Encryption Configuration Script
  6. Data Loss Prevention: Catching PHI Before It Leaks
  7. The Email Policy Template Your Practice Needs
  8. Common HIPAA Email Mistakes (and Their Real Costs)
  9. Alternatives to Microsoft 365 for HIPAA Email
  10. FAQ: HIPAA-Compliant Email
  11. JSON-LD Schema

Why Most Ormond Beach Practices Think Their Email Is Compliant (It Isn't)

The misconception is understandable. Microsoft markets 365 as enterprise-grade, secure, trusted by millions. It is all of those things. But "secure" and "HIPAA compliant" are not the same thing. Microsoft 365 is HIPAA-eligible — meaning it can be configured for compliance — but it is not HIPAA-compliant out of the box.

Here's what's missing from a default Microsoft 365 installation:

No BAA in effect. Microsoft offers a Business Associate Agreement for qualifying subscriptions, but you have to explicitly accept it through the Microsoft 365 admin portal. Until you do, Microsoft has no contractual obligation to handle your data according to HIPAA requirements. The BAA is sitting there, waiting to be signed. Most practices don't even know it exists.

No message encryption for external recipients. When you send an email from your Outlook to a patient's Gmail account, that message is protected by TLS in transit — but only if the recipient's server supports TLS. If it doesn't, the email is sent in clear text. For messages containing lab results, appointment details with diagnoses, prescription information, or billing data, that's a compliance failure. Office 365 Message Encryption (OME) solves this by encrypting the message itself, regardless of the recipient's email provider. It's included in your subscription. It just needs to be turned on.

No Data Loss Prevention policies. What happens when a medical assistant accidentally sends a patient's full medical record to the wrong email address? Without DLP policies, nothing stops that message from going out. With DLP, Microsoft 365 scans outbound messages for PHI patterns — Social Security numbers, medical record numbers, diagnosis codes — and either blocks, encrypts, or flags them for review before they leave your organization.

No MFA enforcement. Microsoft's BAA requires multi-factor authentication. Without MFA, if someone guesses your receptionist's email password (or phishes it), they have full access to every email in that mailbox — including every patient communication. MFA is the single most effective control against unauthorized access, and it's the one control most small practices skip because it adds a step to the login process.

No audit logging enabled. HIPAA requires that you can demonstrate who accessed what, when. Microsoft 365 has comprehensive audit logging built in, but unified audit logging must be explicitly enabled in the compliance center. Without it, you have no trail to show an auditor — or an OCR investigator.

For Ormond Beach practices, this isn't a theoretical risk. The HHS Office for Civil Rights completed 22 enforcement actions in 2024 alone, with penalties ranging from $137 per violation to settlements exceeding $6 million. Email breaches — sending unencrypted PHI, unauthorized access to email accounts, failing to have a BAA in place — are among the most common violation categories.

What HIPAA Actually Requires for Email in 2026

The 2026 HIPAA Security Rule update changes the game. Previously, encryption was classified as "addressable" — meaning you could document why you chose not to implement it instead of actually doing it. That loophole is gone. Under the updated rule, encryption is a required specification with no exceptions.

Here's the complete list of email requirements under the current HIPAA framework:

Encryption in transit. All email containing ePHI must be encrypted using TLS 1.2 or higher. TLS 1.0 and 1.1 are no longer considered secure and should be disabled. Standard TLS protects messages between servers that both support it, but for guaranteed protection, Office Message Encryption wraps the message content so that only the intended recipient can read it.

Encryption at rest. Email stored on servers — your mailbox, your archives, your sent items — must be encrypted with AES-256. Microsoft 365 handles this by default through BitLocker at the disk level and service encryption at the data level. This is one area where Microsoft's defaults actually meet the requirement without additional configuration.

Access controls. Every email account must be protected with strong authentication. Microsoft's BAA specifically requires MFA. Beyond MFA, implement role-based access — not every staff member needs access to every mailbox. Use Microsoft 365's security groups to limit shared mailbox access to only those who need it.

Audit logging. Enable unified audit logging in the Microsoft 365 compliance center. Configure log retention for at least six years (HIPAA minimum varies by state, but six years covers most requirements). Regularly review logs for unusual access patterns — logins from unexpected locations, after-hours access, bulk email downloads.

Business Associate Agreement. Sign Microsoft's BAA through the admin portal. This is not optional. Without a BAA, your use of Microsoft 365 for PHI is a HIPAA violation regardless of how well you've configured everything else.

Data Loss Prevention. Implement policies that scan outbound email for PHI and either encrypt, block, or flag messages that match PHI patterns. This is your safety net against accidental disclosures — the medical assistant who attaches the wrong file, the provider who replies-all to a thread that includes patient information.

For the complete list of 2026 HIPAA requirements beyond email, including mandatory vulnerability scanning and penetration testing, see our HIPAA compliance checklist for Volusia County healthcare.

Microsoft 365: The Right Plan for Healthcare

Not every Microsoft 365 plan is HIPAA-eligible. Here's what you need:

Microsoft 365 Business Premium ($22/user/month) — the recommended plan for small practices. Includes Exchange Online, Office apps, advanced security features, Intune device management, Azure Information Protection, and Microsoft Defender for Office 365. All features needed for HIPAA compliance are included.

Microsoft 365 E3 ($36/user/month) — for larger practices or those needing advanced compliance features. Adds eDiscovery, advanced DLP, information governance, and more granular audit controls.

Microsoft 365 E5 ($57/user/month) — adds advanced threat protection, Cloud App Security, and advanced compliance analytics. Typically overkill for small practices.

Plans that are NOT sufficient: Microsoft 365 Business Basic ($6/user/month) and Business Standard ($12.50/user/month) lack the advanced security and compliance features needed for HIPAA. If your practice is on one of these plans, upgrading to Business Premium is the first step.

For a five-person Ormond Beach practice on Business Premium, the cost is $110/month — roughly $1,320 per year. Compare that to the $100,000+ penalty for a HIPAA email violation, and the ROI calculation is not complicated.

Step-by-Step: Making M365 HIPAA Compliant

Here's the exact sequence of steps to configure Microsoft 365 for HIPAA compliance:

Step 1: Accept the BAA. Go to the Microsoft 365 admin center (admin.microsoft.com) → Settings → Org settings → Security & privacy → HIPAA. Accept the Business Associate Agreement. This takes two minutes and is the most critical step.

Step 2: Enable MFA for all users. Go to the Microsoft Entra admin center (entra.microsoft.com) → Protection → Conditional Access → Create a new policy requiring MFA for all users, all cloud apps. Alternatively, enable Security Defaults if you want a simpler approach — Security Defaults require MFA for all users by default.

Step 3: Disable legacy authentication. Legacy authentication protocols (POP3, IMAP, SMTP Basic Auth) don't support MFA, which means they're a bypass around your MFA policy. Create a Conditional Access policy that blocks legacy authentication, or disable these protocols at the Exchange Online level.

Step 4: Configure Office Message Encryption. This is handled via PowerShell — see the script in the next section.

Step 5: Set up DLP policies. Configure Data Loss Prevention to scan outbound email for PHI patterns and automatically encrypt or block matching messages. See the DLP section below for the exact policy configuration.

Step 6: Enable unified audit logging. Go to the Microsoft Purview compliance portal (compliance.microsoft.com) → Audit → enable audit logging if it's not already active. Set retention to your HIPAA retention period.

Step 7: Configure email retention. Set up retention policies that keep email for your required retention period and prevent users from permanently deleting messages that may contain PHI.
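Steps 2, 3, 6 and 7 above can be done from PowerShell instead of the portals. The script below is an added example, not part of the original post; it assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed, that your plan includes Entra ID P1 (Business Premium does), and the admin UPN and policy names are placeholders.

```powershell
# Added example (not from the original post): Steps 2, 3, 6 and 7 as PowerShell.
# Install the modules once:  Install-Module Microsoft.Graph, ExchangeOnlineManagement
# Conditional Access needs Entra ID P1, which Business Premium includes.
# admin@yourpractice.com and the policy names are placeholders.

Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All"

# --- Step 2: Require MFA for all users on all cloud apps ---
# Created in report-only mode so you can check the sign-in logs before enforcing.
$mfaPolicy = @{
    displayName = "HIPAA - Require MFA for all users"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @() }  # put your break-glass account's object ID in excludeUsers
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaPolicy

# --- Step 3: Block legacy authentication ---
# POP3, IMAP and SMTP Basic Auth show up as "exchangeActiveSync" and "other" client app types;
# none of them can complete an MFA prompt, so they must be blocked outright.
$legacyPolicy = @{
    displayName = "HIPAA - Block legacy authentication"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @() }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $legacyPolicy

# Once the report-only results look clean, switch both policies to enforced.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.DisplayName -like "HIPAA*" } |
    ForEach-Object {
        Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $_.Id -BodyParameter @{ state = "enabled" }
    }

# --- Step 6: Turn on unified audit logging (Exchange Online PowerShell) ---
Connect-ExchangeOnline -UserPrincipalName admin@yourpractice.com
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled

# --- Step 7: Retention for every mailbox (Security & Compliance PowerShell) ---
# 2190 days = six years, the retention floor this post recommends.
# "Keep" retains items for the period even if a user deletes them.
Connect-IPPSSession -UserPrincipalName admin@yourpractice.com
New-RetentionCompliancePolicy -Name "HIPAA - Email retention" -ExchangeLocation All -Enabled $true
New-RetentionComplianceRule -Name "HIPAA - Keep 6 years" `
    -Policy "HIPAA - Email retention" `
    -RetentionDuration 2190 `
    -RetentionComplianceAction Keep
```

Leave both Conditional Access policies in report-only mode for a few days and review Entra sign-in logs for users or devices that would have been blocked before flipping them to enforced.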

The M365 Encryption Configuration Script

Here's the PowerShell script that configures Office 365 Message Encryption for your organization:

powershell
# Run in Exchange Online PowerShell
# Requires: Exchange Online Management module
# Install: Install-Module -Name ExchangeOnlineManagement

# Connect to Exchange Online (replace the placeholder UPN with your admin account)
Connect-ExchangeOnline -UserPrincipalName admin@yourpractice.com

# --- Step 1: Verify current OME configuration ---
Get-OMEConfiguration | Format-List

# --- Step 2: Configure Office Message Encryption ---
# One-time passcode sign-in for external recipients, no social-ID sign-in.
# ExternalMailExpiryInDays requires Advanced Message Encryption (an E5 feature);
# omit that parameter on plans without it.
Set-OMEConfiguration -Identity "OME Configuration" `
  -OTPEnabled $true `
  -SocialIdSignIn $false `
  -ExternalMailExpiryInDays 30

# --- Step 3: Create transport rule for automatic encryption ---
# Encrypts all outbound email containing PHI keywords with the built-in "Encrypt" template
New-TransportRule -Name "HIPAA - Encrypt PHI Outbound" `
  -FromScope InOrganization `
  -SentToScope NotInOrganization `
  -SubjectOrBodyContainsWords @(
    "patient",
    "diagnosis",
    "prescription",
    "treatment plan",
    "lab results",
    "medical record",
    "health information",
    "date of birth",
    "insurance",
    "SSN",
    "social security"
  ) `
  -ApplyRightsProtectionTemplate "Encrypt" `
  -Priority 0

# --- Step 4: Create rule for manual encryption trigger ---
# Staff can type [ENCRYPT] in the subject line to force encryption on any message
New-TransportRule -Name "HIPAA - Manual Encrypt Trigger" `
  -FromScope InOrganization `
  -SubjectContainsWords "[ENCRYPT]" `
  -ApplyRightsProtectionTemplate "Encrypt" `
  -Priority 1

# --- Step 5: Require TLS for outbound mail containing sensitive terms ---
# Messages that match are returned with an NDR rather than delivered over an
# unencrypted connection if the receiving server can't negotiate TLS
New-TransportRule -Name "HIPAA - Require TLS Outbound" `
  -FromScope InOrganization `
  -SentToScope NotInOrganization `
  -SubjectOrBodyContainsWords @(
    "patient",
    "diagnosis",
    "prescription",
    "PHI",
    "medical record"
  ) `
  -RouteMessageOutboundRequireTls $true `
  -Priority 2

# --- Step 6: Disable legacy authentication protocols ---
# POP3, IMAP and SMTP Basic Auth can't do MFA, so turn them off on existing mailboxes...
Get-CASMailbox -ResultSize Unlimited |
  Set-CASMailbox -PopEnabled $false -ImapEnabled $false -SmtpClientAuthenticationDisabled $true

# ...and on every mailbox plan so newly created mailboxes inherit the setting
Get-CASMailboxPlan | Set-CASMailboxPlan -PopEnabled $false -ImapEnabled $false

# Turn off SMTP AUTH for the whole tenant as well
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

# Verify changes
Get-TransportRule | Where-Object { $_.Name -like "HIPAA*" } |
  Format-Table Name, State, Priority

Write-Host "HIPAA email encryption configuration complete." -ForegroundColor Green
Write-Host "Next: Configure DLP policies in the Purview compliance center."

# Disconnect
Disconnect-ExchangeOnline -Confirm:$false

That script configures Office Message Encryption with one-time passcode access for external recipients, creates an automatic encryption rule for outbound email containing PHI keywords, adds a manual [ENCRYPT] trigger so staff can force encryption on any message, requires TLS for outbound messages containing sensitive terms, and disables POP3, IMAP and SMTP basic authentication so those protocols can't be used to sidestep MFA. Run it once, and your email encryption is configured.

A note about the keyword list: the words in the transport rule — "patient," "diagnosis," "prescription," and so on — are starting points. You should customize this list for your practice. A dermatology office might add "biopsy," "melanoma," and "lesion." A pediatric practice might add "vaccination," "growth chart," and "developmental." The more specific your keyword list, the better the automatic encryption catches relevant messages without over-encrypting routine business email.

Data Loss Prevention: Catching PHI Before It Leaks

DLP policies are your last line of defense against accidental PHI disclosure. Here's how to set them up in Microsoft 365:

In the Microsoft Purview compliance portal (compliance.microsoft.com):

  1. Navigate to Data Loss Prevention → Policies → Create Policy
  2. Select "U.S. Health Insurance Act (HIPAA)" as the template — Microsoft provides a pre-built template that detects common PHI patterns
  3. Apply the policy to Exchange email (and optionally SharePoint and OneDrive)
  4. Configure actions:
    • Low confidence match (1 instance of PHI detected): Add encryption, notify the user with a policy tip
    • High confidence match (5+ instances or SSN detected): Block the message, notify the user and their manager, generate an incident report
  5. Enable the policy in test mode first — run for two weeks, review the incidents, adjust the sensitivity before switching to enforcement mode

The HIPAA DLP template detects patterns including Social Security numbers, medical terms (ICD-10 codes, drug names), and combinations of name + date of birth + medical information. It's not perfect — no DLP system catches everything — but it catches the most common accidental disclosures that lead to breach notifications.

One thing to understand about DLP: it works best as a safety net, not a primary control. Your primary control is staff training. DLP catches the accidents that slip through despite good training. If your staff is routinely triggering DLP policies, that's a training problem, not a technology problem.
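The same two-tier policy (low-confidence match encrypts and shows a policy tip, high-confidence match blocks and reports, test mode first) can be created from Security & Compliance PowerShell. This is an added example, not from the original post; it assumes the ExchangeOnlineManagement module, placeholder names for the admin account, policy, rules and manager mailbox, and uses two of Microsoft's built-in sensitive information types as the PHI detectors.

```powershell
# Added example (not from the original post): the DLP setup described above, via PowerShell.
# Connect-IPPSSession ships in the ExchangeOnlineManagement module.
# admin@yourpractice.com, manager@yourpractice.com and the policy/rule names are placeholders.
Connect-IPPSSession -UserPrincipalName admin@yourpractice.com

$policyName = "HIPAA - PHI in outbound email"

# Start in test mode with policy tips: nothing is blocked during the two-week review period
New-DlpCompliancePolicy -Name $policyName `
    -Comment "Detect PHI leaving the practice by email" `
    -ExchangeLocation All `
    -Mode TestWithNotifications

# Rule 1 (high confidence, evaluated first): any SSN, or 5+ ICD-10 codes, sent outside the
# organization -> block, tell the sender and mailbox owner, send an incident report
New-DlpComplianceRule -Name "HIPAA - High confidence: block" `
    -Policy $policyName `
    -ContentContainsSensitiveInformation @(
        @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" },
        @{ Name = "International Classification of Diseases (ICD-10-CM)"; minCount = "5" }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser @("LastModifier", "Owner") `
    -NotifyPolicyTipCustomText "Blocked: this message contains patient health information. Use the patient portal or contact the HIPAA Security Officer." `
    -GenerateIncidentReport @("SiteAdmin", "manager@yourpractice.com") `
    -IncidentReportContent @("Title", "DocumentAuthor", "RulesMatched", "Detections", "Severity") `
    -ReportSeverityLevel High `
    -StopPolicyProcessing $true `
    -Priority 0

# Rule 2 (low confidence): one to four ICD-10 codes -> encrypt with the built-in template
# and show the sender a policy tip
New-DlpComplianceRule -Name "HIPAA - Low confidence: encrypt" `
    -Policy $policyName `
    -ContentContainsSensitiveInformation @(
        @{ Name = "International Classification of Diseases (ICD-10-CM)"; minCount = "1"; maxCount = "4" }
    ) `
    -AccessScope NotInOrganization `
    -EncryptRMSTemplate "Encrypt" `
    -NotifyUser @("LastModifier") `
    -NotifyPolicyTipCustomText "This message appears to contain patient health information and will be sent encrypted." `
    -ReportSeverityLevel Low `
    -Priority 1

# Review what matched during the test period before enforcing anything
Get-DlpComplianceRule -Policy $policyName | Format-Table Name, Priority, BlockAccess, ReportSeverityLevel

# After the two-week review and any sensitivity adjustments: switch to enforcement
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

The incident report deliberately excludes MatchedItem and OriginalContent so the report email does not itself carry the PHI it is flagging.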

The Email Policy Template Your Practice Needs

Every HIPAA-covered entity needs a written email policy. Here's a template you can adapt for your practice:

HIPAA Email Policy — [Practice Name]

1. Approved Email Platform. All practice email must use Microsoft 365 accounts provided by the practice. Personal email accounts (Gmail, Yahoo, Hotmail) must never be used for any communication containing patient information, insurance data, or practice business related to patients.

2. Encryption Requirements. All emails containing patient health information must be encrypted. The system automatically encrypts messages containing PHI keywords. For messages not automatically caught, staff must type [ENCRYPT] in the subject line before sending. When in doubt, encrypt.

3. Minimum Necessary Standard. Include only the minimum amount of patient information necessary for the purpose of the communication. Do not include full medical histories, Social Security numbers, or detailed clinical notes in email unless absolutely necessary for the communication's purpose.

4. Patient Communication. Patients who provide their email address or initiate email communication have implied consent to receive email at that address. However, warn patients that standard email may not be fully secure and offer the patient portal as a more secure alternative for sensitive communications.

5. Prohibited Actions. The following are prohibited: forwarding practice email to personal accounts, using auto-forward rules to external addresses, sharing email passwords, leaving email open on unattended workstations, sending PHI via text message without using an approved encrypted messaging platform.

6. Incident Reporting. Any suspected email breach — wrong recipient, lost device with email access, phishing attempt, unauthorized access — must be reported to the practice's HIPAA Security Officer within 24 hours. Do not attempt to recall or delete the message without first reporting the incident.

7. Device Security. All devices accessing practice email must have screen lock enabled (maximum 5-minute timeout), device encryption enabled, remote wipe capability, and up-to-date operating system and security patches.

Print this policy. Have every staff member sign it. File the signed copies. Update it annually. This is the documentation an OCR auditor will ask for first.

A policy only works if your staff understands it. Schedule a thirty-minute training session when you roll out the policy. Walk through real scenarios: "You need to email a patient's lab results to a specialist. What do you do?" The answer should be automatic — verify the recipient address, check that the subject line doesn't contain the patient's name and diagnosis in plain text, and confirm that the message will be encrypted either automatically by the DLP rule or manually with the [ENCRYPT] tag. Run this scenario training quarterly with new examples. The practices that have the fewest email incidents aren't the ones with the strictest policies — they're the ones where every staff member can recite the correct procedure without thinking about it.

Also consider appointing one person as your email compliance champion — typically your HIPAA Security Officer or your most tech-comfortable front desk lead. This person reviews DLP incident reports weekly, answers staff questions about what can and cannot be emailed, and escalates genuine incidents to your HIPAA Security Officer. Distributing this responsibility prevents it from becoming nobody's job.

Common HIPAA Email Mistakes (and Their Real Costs)

These are the mistakes I see most often when auditing Ormond Beach medical practices:

Mistake 1: Using the "Cc" field for patient group communications. A practice sends a reminder about a diabetes support group to all participants using Cc instead of Bcc. Every recipient can now see every other recipient's email address — and by association, their participation in a diabetes program. That's a PHI disclosure. Use Bcc for any patient group communication, or better yet, use your email platform's mail merge functionality to send individual messages.

Mistake 2: Sending PHI to the wrong recipient. Autocomplete is the enemy. Your front desk types "Sm" to email Dr. Smith and Outlook autocompletes to Jane Smith, the patient. Now the patient has received another patient's referral letter. This is preventable with DLP policies and with staff training to verify recipient addresses before hitting send — especially for messages containing attachments.

Mistake 3: No BAA with email provider. This one surprises people: you can have perfect encryption, perfect DLP, perfect MFA — and still be in violation if you haven't signed a BAA with Microsoft. The BAA is the contractual foundation. Everything else builds on top of it.

Mistake 4: Staff using personal email for practice business. The provider who forwards a patient chart to their Gmail so they can review it at home. The billing coordinator who emails a claims spreadsheet to their personal Yahoo account. These are HIPAA violations regardless of intent. Your email policy must explicitly prohibit this, and your DLP policies should flag it.
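The forwarding half of Mistake 4 (and the auto-forward rule the policy template prohibits) can be found and shut off from Exchange Online. This is an added example, not from the original post; it assumes an existing Connect-ExchangeOnline session and that you list your practice's own domains in $internalDomains (yourpractice.com is a placeholder).

```powershell
# Added example (not from the original post): find inbox rules and mailbox forwarding
# that send practice mail to outside addresses, then block new external auto-forwarding.
# Assumes Connect-ExchangeOnline has already been run; yourpractice.com is a placeholder.
$internalDomains = @("yourpractice.com")

function Get-ExternalForwardingRules {
    param([string[]]$InternalDomains)

    $findings = @()
    foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
        foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
            $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
            foreach ($t in $targets) {
                if (-not $t) { continue }
                # Rule targets render as "Display Name [SMTP:user@domain]"
                if ("$t" -match 'SMTP:([^\]]+)') {
                    $address = $Matches[1]
                    if ($InternalDomains -notcontains $address.Split('@')[-1]) {
                        $findings += [pscustomobject]@{
                            Mailbox  = $mbx.UserPrincipalName
                            RuleName = $rule.Name
                            Target   = $address
                            Enabled  = $rule.Enabled
                        }
                    }
                }
            }
        }
        # Mailbox-level forwarding set by the user or an admin (stored as "smtp:user@domain")
        if ($mbx.ForwardingSmtpAddress) {
            $fwd = "$($mbx.ForwardingSmtpAddress)" -replace '^smtp:', ''
            if ($InternalDomains -notcontains $fwd.Split('@')[-1]) {
                $findings += [pscustomobject]@{
                    Mailbox  = $mbx.UserPrincipalName
                    RuleName = "(mailbox forwarding)"
                    Target   = $fwd
                    Enabled  = $true
                }
            }
        }
    }
    return $findings
}

# Anything listed here is a policy violation to investigate, not just a setting to remove
Get-ExternalForwardingRules -InternalDomains $internalDomains | Format-Table -AutoSize

# Prevent new external auto-forwarding tenant-wide: at the remote-domain level...
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
# ...and in the outbound spam filter policy, which also covers user-created inbox rules
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
```

Run the audit function weekly alongside the DLP incident review; a forwarding rule that appears on a mailbox that never had one is also a common sign of a compromised account.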

The penalty structure for email violations is tiered. An unknowing violation — genuinely not knowing the email wasn't encrypted — starts at $137 per violation, up to $68,928 per violation. Willful neglect with timely correction ranges from $13,785 to $68,928 per violation. Willful neglect without timely correction is $68,928 per violation, up to an annual maximum of $2,067,813 per violation category. And those are just the civil penalties — criminal penalties for knowingly mishandling PHI can include jail time.

Alternatives to Microsoft 365 for HIPAA Email

Microsoft 365 isn't the only option. Here are alternatives worth considering:

Google Workspace (Business Plus or Enterprise) — Google offers a BAA for eligible Workspace plans. Configuration requirements are similar to Microsoft 365: accept BAA, enable MFA, configure DLP, enable audit logging. Google's approach to message encryption differs — they use TLS by default and offer S/MIME for end-to-end encryption, but lack an equivalent to Microsoft's OME for encrypting messages to non-Google recipients without certificates.

Paubox — A HIPAA-compliant email service built specifically for healthcare. Emails are encrypted by default with no portal, passwords, or extra steps for recipients. Integrates with Microsoft 365 and Google Workspace as an encryption layer. Pricing starts around $29/user/month. For practices that want compliance without the configuration burden, Paubox is the path of least resistance.

Hushmail for Healthcare — Purpose-built for healthcare providers. Includes encrypted email, secure web forms, and e-signatures. Pricing starts at $11.99/user/month. Simpler than Microsoft 365 but with fewer features.

LuxSci — Enterprise-grade HIPAA email with advanced DLP, encryption options (TLS, portal pickup, PDF encryption), and detailed compliance reporting. More expensive but more configurable than consumer-focused options.

For most Ormond Beach practices, Microsoft 365 Business Premium is the right choice because you're probably already using it. The incremental cost and effort to make it compliant is far less than switching to a new platform. But if you're starting from scratch or want a simpler compliance path, Paubox layered on top of your existing email is hard to beat.

Not sure if your email setup is compliant? We audit email configurations for Ormond Beach medical practices and provide a detailed remediation plan — including running the PowerShell scripts, configuring DLP, and training your staff. Schedule a HIPAA email audit and know where you stand before an OCR auditor tells you.

FAQ: HIPAA-Compliant Email

Is Microsoft 365 HIPAA compliant?

Microsoft 365 is HIPAA-eligible but not HIPAA-compliant out of the box. You must accept Microsoft's Business Associate Agreement, enable multi-factor authentication, configure Office Message Encryption, set up Data Loss Prevention policies, and enable audit logging. Only Business Premium, E3, E5, and Government plans qualify for HIPAA compliance.

Can I use Gmail for patient communication?

Google Workspace (Business Plus or Enterprise) can be configured for HIPAA compliance with a BAA, MFA, and encryption settings. Free Gmail accounts are NOT HIPAA compliant and must never be used for patient communication. Any email containing PHI requires a signed BAA with the email provider.

What happens if I send unencrypted PHI via email?

Sending unencrypted PHI is a HIPAA violation. Penalties range from $137 to $68,928 per violation depending on the level of negligence, with annual maximums up to $2,067,813 per violation category. Beyond fines, a breach involving 500 or more individuals triggers public notification requirements and investigation by the HHS Office for Civil Rights.

Do patients need to do anything special to receive encrypted email?

With Office 365 Message Encryption (OME), recipients receive an email with a link to view the encrypted message. They authenticate via a one-time passcode sent to their email address — no special software or accounts needed. The process adds one step for the recipient but ensures the message is protected regardless of their email provider.

How often should I review my email compliance configuration?

Review your configuration quarterly: check that MFA is enforced for all active users, review DLP policy incidents, verify audit logging is active, and ensure no legacy authentication protocols have been re-enabled. Conduct a full compliance audit annually, including reviewing and updating your email policy, testing encryption end-to-end, and verifying BAA status with all email-related vendors.

JSON-LD Schema

json
{
  "@context": "https://schema.org",
  "@type": "Article",
  "headline": "HIPAA-Compliant Email: What Your Ormond Beach Practice Actually Needs",
  "description": "Complete guide to configuring Microsoft 365 for HIPAA-compliant email with PowerShell scripts, DLP policies, and email policy template.",
  "author": {
    "@type": "Person",
    "name": "Alan Newingham",
    "url": "https://automateandeploy.com/about"
  },
  "publisher": {
    "@type": "Organization",
    "name": "Automate & Deploy",
    "url": "https://automateandeploy.com"
  },
  "datePublished": "2026-03-19",
  "dateModified": "2026-03-19",
  "mainEntityOfPage": "https://automateandeploy.com/hipaa-compliant-email-ormond-beach-practice"
}
json
{
  "@context": "https://schema.org",
  "@type": "FAQPage",
  "mainEntity": [
    {
      "@type": "Question",
      "name": "Is Microsoft 365 HIPAA compliant?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "Microsoft 365 is HIPAA-eligible but not compliant out of the box. You must accept the BAA, enable MFA, configure encryption, set up DLP policies, and enable audit logging. Only Business Premium, E3, E5, and Government plans qualify."
      }
    },
    {
      "@type": "Question",
      "name": "What happens if I send unencrypted PHI via email?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "Sending unencrypted PHI is a HIPAA violation with penalties from $137 to $68,928 per violation, with annual maximums up to $2,067,813 per category. Breaches involving 500+ individuals trigger public notification."
      }
    },
    {
      "@type": "Question",
      "name": "Can I use Gmail for patient communication?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "Google Workspace Business Plus or Enterprise can be configured for HIPAA compliance with a BAA. Free Gmail accounts are NOT HIPAA compliant and must never be used for any patient communication."
      }
    }
  ]
}

Email is the tool your practice uses more than almost anything else. It's how your providers communicate with each other, how your billing team handles claims, how your front desk confirms appointments, and increasingly how patients reach you. Every one of those messages is a potential compliance event.

The configuration isn't difficult. The scripts in this post take thirty minutes to run. The policy template takes an hour to customize. The DLP setup takes an afternoon. That's less than a day of work to close what is, for most Ormond Beach practices, their single largest compliance gap.

Do it this week. Don't wait for an auditor to tell you what's wrong.

Need help implementing this?

We build automation systems like this for clients every day.