
Ekim IT Solutions


HIPAA-Compliant Email for Dentists: What You Need in 2026

[Diagram: HIPAA-compliant email for dentists, standard email to secure encrypted email workflow]

Most dental practices are not using HIPAA-compliant email and most dentists do not realize it. Standard Gmail, Yahoo, and basic Outlook accounts used without specific configuration are not HIPAA compliant and cannot be used to transmit patient information.

Here is exactly what your dental practice needs for email compliance in 2026, which platforms qualify, and what your IT provider must configure before any of them satisfy the requirement.

What Most Dentists Don’t Know

Using a standard consumer email account to send or receive patient appointment information, treatment details, or insurance data is a HIPAA violation.

The violation is the use of a non-compliant email service, not the exposure of data. OCR has cited dental practices for non-compliant email services discovered during complaint investigations that had nothing to do with a breach. The BAA requirement alone is sufficient grounds for a compliance finding.

What Makes Email HIPAA Compliant for a Dental Practice

A HIPAA-compliant email service for a dentist must satisfy three requirements simultaneously. All three must be met. No single requirement is sufficient on its own.

1. Business Associate Agreement signed with the email provider

The email provider must sign a BAA with the practice. A standard Microsoft 365 or Google Workspace account without a healthcare BAA does not satisfy this requirement, even if the platform supports BAAs for other customers.

2. Encryption in transit and at rest on all messages containing patient information

Messages containing patient information must be encrypted both while being transmitted and while stored. Default email encryption settings on most platforms do not satisfy this requirement without additional configuration.

3. Strong authentication controls including multi-factor authentication on all accounts

Access to email accounts must be secured with MFA. Every staff email account must have MFA enabled before it is used for any patient communication.

All three requirements must be met simultaneously. A BAA alone is not sufficient if email is not encrypted. Encryption alone is not sufficient without a BAA. MFA alone does not satisfy the BAA or encryption requirements. The email service is either fully compliant or it is not.


HIPAA-Compliant Email Options for Dental Practices in 2026

Three platforms qualify. For each one, here is how it meets the requirements and what your IT provider must do for it to be compliant.

Microsoft 365 Business (most common in dental)

The most widely used HIPAA-compliant email platform in dental practices. Requires IT configuration to be compliant.

BAA: Available for healthcare customers. Must be activated under a healthcare-appropriate plan. A standard M365 Business Basic account does not automatically include a BAA. Status: requires activation.

Encryption: Included via Microsoft Purview. In-transit and at-rest encryption must be configured and verified by your IT provider. Default settings do not satisfy the requirement without configuration. Status: requires IT setup.

MFA: Supported and enforced via Entra ID / Conditional Access. Must be enabled on every staff account before any patient communication is sent. Status: requires IT setup.

IT setup required: Yes. A standard M365 Business account without HIPAA configuration by an IT provider does not automatically satisfy all three requirements.

Best for: Practices that want a full productivity suite (email, Teams, SharePoint) managed by a single vendor with healthcare compliance coverage.
Google Workspace for Healthcare (valid option)

Offers a BAA for healthcare customers with encryption included. Standard accounts without healthcare BAA activation are not compliant.

BAA: Available under Google Workspace for Healthcare. Must be specifically activated. Standard Google Workspace Business accounts used without BAA activation are not HIPAA compliant for dental practices. Status: requires activation.

Encryption: Encryption in transit and at rest is included. HIPAA-appropriate settings still require configuration. Standard accounts without healthcare BAA activation may not have all required settings active. Status: requires IT setup.

MFA: Supported via Google 2-Step Verification and Workspace Admin controls. Must be enforced across all staff accounts before any patient communication. Status: requires IT setup.

IT setup required: Yes. Like Microsoft 365, the platform supports compliance but does not deliver it automatically. Your IT provider must configure and verify the healthcare-specific settings.

Best for: Practices already in the Google ecosystem that want to stay on Google tools with proper healthcare compliance activation.
Dedicated Healthcare Email Services (purpose-built)

Purpose-built for HIPAA compliance. BAAs, encryption, and compliant settings included by default. Minimal IT configuration required.

BAA: Included by default. Services like Hushmail for Healthcare include a BAA as a standard part of the service agreement. No separate activation step required. Status: included.

Encryption: Configured for compliance by default. Encryption settings are pre-configured to meet HIPAA requirements. No additional IT setup required for basic compliance. Status: included.

MFA: Supported and typically included. MFA enrollment should still be confirmed across all accounts before use for patient communication. Status: confirm on setup.

IT setup required: Minimal. These platforms are built so that compliance is the default state. Significantly less IT configuration than M365 or Google Workspace.

Best for: Practices that frequently transmit sensitive clinical information by email and want a solution configured for healthcare without requiring IT provider setup.

What Your IT Provider Must Configure

Check each item as your IT provider completes it. Every unchecked item means your email platform is not yet HIPAA compliant regardless of which platform you are using.


1. Business email accounts under a healthcare BAA-covered plan, not a consumer or standard business plan

A standard M365 Business Basic or standard Google Workspace account without healthcare BAA activation does not satisfy this requirement.

2. Encryption settings for both in-transit and at-rest message protection enabled and verified

Default encryption settings on most platforms do not meet the HIPAA requirement without explicit configuration by an IT provider. Verification must be documented.

3. Multi-factor authentication on every staff email account before the account is used for any patient communication

MFA must be enforced across all accounts, not just admin accounts. Every staff member who sends or receives patient information via email requires MFA.

4. Email retention policies configured to meet HIPAA's six-year documentation retention requirement

HIPAA requires documentation to be retained for six years. Default email retention policies on most platforms do not match this timeline without configuration.

5. Email security filtering for phishing and spam to reduce credential theft risk

Credential theft through phishing is the most common way unauthorized access to patient data occurs. Security filtering is a required safeguard, not an optional add-on.

When all five configuration items are complete, your email platform is configured to meet HIPAA requirements. Document this configuration in your Security Risk Assessment and set a calendar reminder to verify settings annually or after any platform change.
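The checklist above is only useful if the settings are actually verified, and the Microsoft 365 items can be read back from the tenant rather than taken on trust. The following read-only audit script is an added example, not Ekim IT Solutions' own tooling and not anything the page describes; it assumes the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules are installed, that the signed-in admin has read access to Exchange Online, the Security & Compliance endpoint and Entra ID policies, and that cmdlet and property names match Microsoft's current documentation (verify against your module versions). The six-year threshold is the checklist's figure. The BAA is a contract, not a tenant setting, so the script records it as a manual item.

```powershell
# Added example (not from the page): read-only audit of a Microsoft 365 tenant
# against the five checklist items. Assumes ExchangeOnlineManagement and
# Microsoft.Graph modules; cmdlet/property names as Microsoft documents them.
# Nothing here changes tenant configuration.

Connect-ExchangeOnline -ShowBanner:$false
Connect-IPPSSession                       # Security & Compliance endpoint (retention)
Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome

$report = [ordered]@{}

# 1. BAA: a contract, not a tenant setting. Cannot be read from the tenant, so it is
#    recorded as a manual item to be evidenced in the Security Risk Assessment file.
$report['1. BAA'] = 'MANUAL: confirm the executed BAA is on file and covers this tenant'

# 2. Encryption. Exchange Online encrypts mailboxes at rest and uses TLS in transit by
#    default; the checklist wants evidence that PHI-bearing mail also gets message-level
#    protection: RMS licensing on, plus an enabled mail flow rule applying Purview
#    Message Encryption or a rights-management template.
$irm      = Get-IRMConfiguration
$encRules = Get-TransportRule | Where-Object {
    $_.State -eq 'Enabled' -and ($_.ApplyOME -or $_.ApplyRightsProtectionTemplate)
}
$report['2. Encryption'] = if ($irm.AzureRMSLicensingEnabled -and $encRules) {
    "PASS: rule(s) applying message encryption: $($encRules.Name -join ', ')"
} else {
    'FAIL: RMS licensing off or no enabled mail flow rule applies message encryption'
}

# 3. MFA on every account: an enabled Conditional Access policy that targets all users
#    and grants access only with MFA, or Security Defaults (the no-Entra-P1 alternative).
$mfaPolicies = Get-MgIdentityConditionalAccessPolicy | Where-Object {
    $_.State -eq 'enabled' -and
    $_.Conditions.Users.IncludeUsers -contains 'All' -and
    $_.GrantControls.BuiltInControls -contains 'mfa'
}
$secDefaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
$report['3. MFA'] = if ($mfaPolicies) {
    "PASS: Conditional Access requires MFA for all users: $($mfaPolicies.DisplayName -join ', ')"
} elseif ($secDefaults.IsEnabled) {
    'PASS (basic): Security Defaults enforce MFA for all accounts'
} else {
    'FAIL: no all-users MFA policy found; admin-only MFA does not satisfy the checklist'
}

# 4. Retention: an enabled Purview retention policy that covers Exchange mailboxes and
#    whose rule keeps mail for at least six years (the checklist's figure) or forever.
$sixYearsDays = 6 * 365
$retentionOk  = foreach ($policy in Get-RetentionCompliancePolicy | Where-Object { $_.Enabled }) {
    foreach ($rule in Get-RetentionComplianceRule -Policy $policy.Name) {
        $keep = $rule.RetentionDuration          # days as a string, or 'Unlimited'
        if ($policy.ExchangeLocation -and
            (($keep -eq 'Unlimited') -or (($keep -as [int]) -ge $sixYearsDays))) { $policy.Name }
    }
}
$report['4. Retention'] = if ($retentionOk) {
    "PASS: policy(ies) retaining Exchange mail >= 6 years: $($retentionOk -join ', ')"
} else { 'FAIL: no enabled retention policy keeps Exchange mail for six years' }

# 5. Phishing and spam filtering: an enabled anti-phish policy with mailbox
#    intelligence, and at least one content (spam) filter policy present.
$antiPhish = Get-AntiPhishPolicy | Where-Object { $_.Enabled -and $_.EnableMailboxIntelligence }
$spam      = Get-HostedContentFilterPolicy
$report['5. Filtering'] = if ($antiPhish -and $spam) {
    "PASS: anti-phish policy(ies) enabled: $($antiPhish.Name -join ', ')"
} else { 'FAIL: no enabled anti-phish policy with mailbox intelligence' }

# Print the checklist with a timestamp so the output can be filed with the SRA.
"Email compliance audit $(Get-Date -Format 'yyyy-MM-dd HH:mm')"
$report.GetEnumerator() | Format-Table -AutoSize -Wrap
```

Two caveats when reading the output. A Conditional Access policy that includes all users can still carry user or group exclusions, which this script does not enumerate; review the policy's exclusions before accepting a PASS for item 3. And a PASS for item 2 shows that an encryption rule exists, not that its conditions actually match the mail your staff send to patients; send a test message that meets the rule's conditions and confirm the recipient sees the encrypted message experience.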

What Ekim IT Solutions Does for Dental Email Compliance

BAA Verification

Confirms your Microsoft 365 account is on a healthcare BAA-covered plan and that the BAA is executed correctly for your practice.

Encryption Configuration

Configures Microsoft Purview for in-transit and at-rest encryption and verifies the settings are active and documented.

MFA Enrollment

Enrolls all staff accounts in MFA and configures Conditional Access policies to enforce it before any patient communication is sent.

Retention Policies

Configures email retention to meet HIPAA's six-year requirement so documentation is preserved and retrievable on request.

Security Filtering

Enables phishing and spam filtering to reduce credential theft risk across all staff email accounts.

SRA Documentation

Documents the email configuration as part of the technical component of your HIPAA Security Risk Assessment.

Frequently Asked Questions

Standard Gmail is not HIPAA compliant. Google Workspace for Business or Google Workspace for Healthcare, activated under a healthcare BAA with HIPAA-appropriate settings configured by your IT provider, can be used. The free consumer Gmail account cannot be used for any patient-related communication.

Any email containing protected health information must be encrypted. A patient's name combined with an appointment date, diagnosis, treatment plan, or insurance information is PHI. A name alone may not constitute PHI depending on context. The safest approach is to treat all patient-related email as requiring encryption and configure your email service accordingly.

Every email provider that handles patient information on behalf of your practice must sign a Business Associate Agreement. For Microsoft 365, this is done through the Microsoft admin portal under the healthcare add-on. For Google Workspace, it requires activating the healthcare BAA through the Google admin console. Your IT provider manages this process as part of the email setup.

Ask your IT provider to confirm three things: whether a BAA is signed with your email provider, whether encryption is enabled for both in-transit and at-rest messages, and whether MFA is active on all staff accounts. If they cannot confirm all three, your email setup has compliance gaps that should be addressed immediately.

Ekim IT Solutions works exclusively with dental practices. We serve New England and New York with on-site support and dental practices nationwide with remote support. We configure and manage HIPAA-compliant email for dental practices with the right encryption, BAA documentation, and Microsoft 365 or Google Workspace setup so your team can email patients without putting your practice at risk.
