Compliance Guide

HIPAA Email Security Requirements

Health Insurance Portability and Accountability Act

HIPAA requires covered entities and business associates to implement technical safeguards that protect electronic Protected Health Information (ePHI) during transmission. The Security Rule's Transmission Security standard (45 CFR 164.312(e)(1)) requires guarding ePHI in transit against unauthorized access, and its encryption implementation specification (164.312(e)(2)(ii)) makes TLS the baseline control for email sent over open networks. HIPAA does not name any email authentication protocol, but DMARC enforcement is the control that stops attackers from sending mail as your domain, and phishing that impersonates a healthcare organization is a common path to unauthorized ePHI disclosure. Email authentication controls therefore map to the Security Rule's standards for access controls, audit controls, and transmission security.

Protocol Requirements

Protocol | Requirement | Details
SPF | Recommended | HIPAA does not name SPF, but it supports the Access Control standard (164.312(a)(1)) by letting receiving servers verify that only the hosts you authorize send mail from your healthcare domain, which reduces the phishing risk to ePHI.
DMARC | Required | DMARC enforcement (p=quarantine or p=reject) is effectively required for organizations sending ePHI via email. It addresses the Security Rule's requirement to protect against reasonably anticipated threats (164.306(a)(2)) by stopping domain spoofing that could trick recipients into disclosing PHI. Enforcement applies only to mail that fails both SPF and DKIM alignment, so it is only as strong as the SPF and DKIM setup behind it.
DKIM | Recommended | DKIM signs selected headers and the message body so the receiver can verify they were not altered between signing and verification, supporting the Integrity Controls specification (164.312(e)(2)(i)). It does not encrypt the message.
TLS | Required | TLS is how mail servers meet the Transmission Security standard (164.312(e)(1)) and its Encryption specification (164.312(e)(2)(ii)) when ePHI crosses electronic networks. HHS guidance and OCR enforcement actions make clear that sending ePHI unencrypted over open networks, without a documented equivalent alternative, violates the Security Rule. SSL and TLS 1.0/1.1 are obsolete and should be disabled.
Security Headers | Recommended | Security headers on patient portals and healthcare web applications support the Access Control standard (164.312(a)(1)) by limiting what an injected script or a framing page can do, protecting against attacks that expose ePHI through web application vulnerabilities.
DNSSEC | Optional | DNSSEC is not addressed by HIPAA, but signing your zone lets validating resolvers detect forged answers for the MX, SPF, DKIM and DMARC records that email and web services handling ePHI depend on.

Compliance Implementation Steps

1. Enable TLS encryption for all email containing ePHI

Configure your mail servers to offer TLS 1.2 or higher on every SMTP connection and disable SSLv3, TLS 1.0 and TLS 1.1. Opportunistic STARTTLS is the floor, but an attacker on the path can strip the STARTTLS capability and force cleartext, so publish an MTA-STS policy in enforce mode for your own domain and configure your outbound MTA to require TLS with certificate validation for the partner domains with which you exchange ePHI. Enable TLS-RPT so that deliveries that fail because of TLS problems are reported to you rather than silently downgraded. Verify the configuration with a domain scan.

2. Deploy DMARC with enforcement

Publish a DMARC record with p=quarantine or p=reject to prevent attackers from spoofing your healthcare domain. Start at p=none with an aggregate-report address (rua=) to discover every legitimate sender, fix SPF and DKIM alignment for each, then move to enforcement; p=reject with pct=100 and sp=reject for subdomains leaves receivers no room to deliver spoofed mail. This matters because phishing emails impersonating healthcare organizations are a leading vector in the ePHI breaches reported to OCR.

3. Implement SPF and DKIM

Publish an SPF record that authorizes only your legitimate sending infrastructure and ends in -all (or ~all while you are still discovering senders); never publish +all, and keep the record within the ten-DNS-lookup limit or receivers will return a permanent error. Enable DKIM signing with 2048-bit RSA keys and rotate keys by publishing a new selector. For DMARC alignment, the SPF domain (the envelope sender) and the DKIM d= domain must match the visible From: domain, exactly in strict mode or as the same organizational domain in relaxed mode.
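The Python script below is an added illustration for steps 1 to 3 and is not part of the scanner or of any HHS guidance. It applies the checks described above to records you paste in: a DMARC policy that is not at enforcement, an SPF record with a permissive terminal qualifier or more than ten DNS-lookup terms, and an MTA-STS policy that is not in enforce mode. The sample records are constructed on documentation domains; in use you would feed it the TXT records returned by dig and the policy file fetched from your mta-sts host.

```python
"""Offline checks for DMARC, SPF and MTA-STS records.  Added example; the sample
records at the bottom are constructed and do not belong to a real organisation."""

import re

# Mechanisms and modifiers that cost a DNS lookup; RFC 7208 caps them at 10.
SPF_LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")
SPF_LOOKUP_LIMIT = 10
MTA_STS_MAX_AGE_CEILING = 31557600  # RFC 8461: largest permitted max_age
ENFORCEMENT = ("quarantine", "reject")


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=...' into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str) -> list:
    """Findings for a DMARC TXT record; an empty list means full enforcement."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p", "")
    if policy not in ENFORCEMENT:
        findings.append(f"p={policy or 'missing'}: monitoring only, spoofed mail is still delivered")
    sub_policy = tags.get("sp")
    if sub_policy is not None and sub_policy not in ENFORCEMENT:
        findings.append(f"sp={sub_policy}: subdomains are not at enforcement")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: only part of the failing mail is subject to the policy")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports, the evidence that alignment works, are not collected")
    return findings


def check_spf(record: str) -> list:
    """Findings for an SPF TXT record: weak terminal qualifier and lookup-limit overrun."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    findings, lookups, terminal = [], 0, None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"          # default qualifier is pass
        name = re.split(r"[:=/]", term.lstrip("+-~?").lower(), maxsplit=1)[0]
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            terminal = qualifier
    if terminal == "+":
        findings.append("+all: any host on the Internet is authorised to send as this domain")
    elif terminal == "?":
        findings.append("?all: neutral result, receivers have nothing to enforce")
    elif terminal is None:
        findings.append("no 'all' term: unlisted senders get a neutral result instead of a failure")
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append(f"{lookups} lookup terms exceed the limit of {SPF_LOOKUP_LIMIT}: receivers return permerror")
    return findings


def check_mta_sts(policy_text: str) -> list:
    """Findings for the policy served at https://mta-sts.<domain>/.well-known/mta-sts.txt."""
    fields, mx_hosts = {}, []
    for line in policy_text.splitlines():
        if ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key.lower() == "mx":
            mx_hosts.append(value)
        else:
            fields[key.lower()] = value
    if fields.get("version") != "STSv1":
        return ["not an MTA-STS policy (missing version: STSv1)"]
    findings = []
    if fields.get("mode") != "enforce":
        findings.append(f"mode={fields.get('mode', 'missing')}: senders report TLS failures but still deliver in clear")
    if not mx_hosts:
        findings.append("no mx: entries, so no MX host can match the policy")
    max_age = fields.get("max_age", "")
    if not max_age.isdigit() or int(max_age) > MTA_STS_MAX_AGE_CEILING:
        findings.append(f"max_age={max_age or 'missing'}: must be an integer number of seconds up to {MTA_STS_MAX_AGE_CEILING}")
    return findings


# Constructed sample records (documentation domains) for the demonstration.
GOOD_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; rua=mailto:dmarc@example.com"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
GOOD_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net mx -all"
WEAK_SPF = "v=spf1 " + " ".join(f"include:relay{i}.example.net" for i in range(11)) + " +all"
GOOD_MTA_STS = "version: STSv1\nmode: enforce\nmx: mail.example.com\nmx: *.mail.example.com\nmax_age: 604800\n"
TESTING_MTA_STS = "version: STSv1\nmode: testing\nmx: mail.example.com\nmax_age: 86400\n"

if __name__ == "__main__":
    for label, checker, record in [
        ("DMARC (good)", check_dmarc, GOOD_DMARC), ("DMARC (weak)", check_dmarc, WEAK_DMARC),
        ("SPF (good)", check_spf, GOOD_SPF), ("SPF (weak)", check_spf, WEAK_SPF),
        ("MTA-STS (good)", check_mta_sts, GOOD_MTA_STS), ("MTA-STS (testing)", check_mta_sts, TESTING_MTA_STS),
    ]:
        print(f"{label}: {checker(record) or ['OK']}")
```

The findings are deliberately phrased as consequences (what a receiver will do with the record) rather than as rule names, because that is what an auditor asks when a record is flagged. The SPF lookup count here is a static count of the terms in one record; a real scanner also follows each include: and counts the records it pulls in.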

4. Configure security headers on patient-facing applications

Deploy Strict-Transport-Security (with a max-age of at least a year and includeSubDomains), a Content-Security-Policy that restricts script sources and sets frame-ancestors, and X-Content-Type-Options: nosniff on patient portals, appointment systems, and any web application that handles ePHI. CSP limits where an injected cross-site scripting payload can run, and frame-ancestors (or X-Frame-Options) stops the page from being embedded in an attacker's frame for clickjacking. HSTS only takes effect after a browser's first HTTPS visit unless the domain is on the preload list.
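As an added example, not the scanner's own logic, the Python function below evaluates a captured set of response headers from a patient portal against the controls above. The thresholds (a one-year HSTS max-age, the treatment of 'unsafe-inline' when a nonce or hash is also present) are this example's choices, and both header sets are constructed.

```python
"""Check a web application's response headers for the controls step 4 asks for.
Added example; the two header sets below are constructed, not captured."""

import re

ONE_YEAR = 31536000  # seconds; threshold chosen for this example


def parse_csp(value: str) -> dict:
    """'default-src 'self'; script-src 'self' cdn.example' -> {directive: [sources]}"""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def check_headers(headers: dict) -> list:
    """Return findings for a dict of response headers (names are case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing: a first request over plain HTTP can be intercepted")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        max_age = int(m.group(1)) if m else 0
        if max_age < ONE_YEAR:
            findings.append(f"HSTS max-age={max_age} is shorter than one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains: subdomains of the portal stay reachable over HTTP")

    csp = parse_csp(h.get("content-security-policy", ""))
    if not csp:
        findings.append("CSP missing: nothing limits where scripts on the page may be loaded from")
    else:
        script_src = csp.get("script-src", csp.get("default-src", []))
        # Browsers that understand nonces/hashes ignore 'unsafe-inline' when one is present.
        has_nonce_or_hash = any(t.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for t in script_src)
        if "'unsafe-inline'" in script_src and not has_nonce_or_hash:
            findings.append("CSP allows 'unsafe-inline' scripts: an injected <script> still executes")
        if "*" in script_src or "data:" in script_src:
            findings.append("CSP script-src allows * or data:, which defeats the source restriction")

    if "frame-ancestors" not in csp and "x-frame-options" not in h:
        findings.append("no frame-ancestors or X-Frame-Options: the page can be framed (clickjacking)")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    return findings


# Constructed header sets: one hardened portal response and one weak one.
HARDENED = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; "
                               "object-src 'none'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
}
WEAK = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
}

if __name__ == "__main__":
    for label, hdrs in (("hardened", HARDENED), ("weak", WEAK)):
        print(f"{label}: {check_headers(hdrs) or ['OK']}")
```

Feed it the headers from a real response (for example the dict from a requests.Response) to get the same findings an external scan would report, and fix the weak set by copying the hardened one: the nonce must change on every response and be attached to each legitimate inline script.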

5. Document ePHI email policies and risk analysis

Create written policies governing the use of email for ePHI, including which types of information may be emailed, required encryption standards, and acceptable use. Include email security controls in your HIPAA risk analysis (164.308(a)(1)(ii)(A)) and track the remediation of any gaps in your risk management process (164.308(a)(1)(ii)(B)).

6. Set up continuous monitoring and audit logging

Enable domain monitoring to detect changes to your SPF, DKIM selector, DMARC and MX records; an unexpected change is an early sign of a compromised registrar or DNS account, and it can silently remove the protection your enforcement policy provides. Maintain audit logs of email security configurations and of every change to them, including who made the change and when. HIPAA requires audit controls (164.312(b)), and organizations must be able to demonstrate ongoing compliance rather than a one-time check.

Audit Evidence

Use Domain Security Scanner reports as evidence for your HIPAA audit. Pro and Agency plans include PDF export for compliance documentation.

  • TLS encryption verification reports confirming TLS 1.2+ on all email endpoints handling ePHI
  • DMARC enforcement proof showing p=quarantine or p=reject policy with alignment reports
  • Email authentication scan reports (SPF, DKIM, DMARC) with timestamps for the review period
  • Monitoring alert history demonstrating continuous oversight of email security configurations

Check Your HIPAA Compliance

Run a free scan to see how your domain's email authentication measures up against HIPAA requirements.

Frequently Asked Questions

Does HIPAA require DMARC for email?

HIPAA does not explicitly name DMARC, but the Security Rule requires covered entities to implement safeguards against reasonably anticipated threats. Given that email spoofing and phishing are leading causes of healthcare data breaches, DMARC enforcement has become a de facto requirement. OCR has cited inadequate email protections in enforcement actions, and HHS cybersecurity guidance recommends DMARC as a key control.

Is TLS encryption mandatory under HIPAA?

The Transmission Security standard (164.312(e)(1)) requires covered entities to guard against unauthorized access to ePHI transmitted over electronic networks, and its encryption specification (164.312(e)(2)(ii)) is classified as "addressable". Addressable does not mean optional: HHS guidance makes clear that an organization must either implement encryption or document why it is not reasonable and appropriate and implement an equivalent alternative measure. In practice, TLS for email is treated as mandatory for any organization transmitting ePHI electronically. Note that SMTP TLS only encrypts the hop between mail servers; if a recipient's server does not offer TLS, opportunistic delivery falls back to cleartext, which is why TLS enforcement (MTA-STS or per-domain mandatory TLS) matters for domains that exchange ePHI.

How do scan reports help with HIPAA compliance?

Regular domain security scan reports provide documented evidence for your HIPAA risk analysis and ongoing risk management process. They demonstrate that email authentication controls are properly configured and maintained. PDF exports with timestamps can be included in your compliance documentation for auditors and can help demonstrate the "reasonable and appropriate" safeguards required by the Security Rule.

Other Compliance Frameworks