
Why ePHI Compliance Matters

Violations of the HIPAA Security Rule can result in massive fines, legal consequences, and reputational damage. This risk exists even when the breach occurs in a third-party entity, such as an email or messaging provider (2).

According to the 2024 HIMSS Cybersecurity Survey, a full quarter of respondents reported that their organizations had suffered a major security incident (resulting in financial damage or operational disruption) involving a vendor, supplier, or service provider (3). 

In 2024 alone, 14 reported data breaches affected over 1 million healthcare records, including the largest breach in history at Change Healthcare, which compromised data from approximately 190 million individuals. Altogether, those breaches exposed the records of nearly 238 million US residents—nearly 70% of the population—with all but two involving hacking incidents (4).

For healthcare organizations building custom apps or patient portals, ePHI compliance must be baked into the design from day one.

How Does HIPAA View Sharing ePHI with Patients?

The HIPAA Security Rule permits sharing ePHI with patients only through secure, compliant channels. Patients have the right to access their health information, but covered entities must safeguard that data from unauthorized disclosure.

HIPAA allows patient communications via digital tools if safeguards are in place, including:

  • Identity verification
  • Encrypted transmissions
  • Access controls (e.g., passwords or biometrics)
  • Audit logging

Can You Send PHI via Email in 2025?

Technically, yes—but it’s risky.

Email is not inherently secure. You risk a HIPAA violation unless you use end-to-end encryption, a Business Associate Agreement (BAA), and layered security controls. Patients may request unencrypted email, but providers must warn them of the risks and obtain documented consent. Not only does this slow down communication, but it introduces extra risk of human error that could lead to a Security Rule violation. That’s why HIPAA-compliant data transfer tools built into custom apps or portals are preferred.

In addition to the inherent risks associated with email communications, HIPAA is already on track to tighten its security rules in 2025. In January, the Office for Civil Rights (OCR) proposed a significant update to the HIPAA Security Rule—the first in over 20 years—designed to address the healthcare industry’s evolving digital infrastructure, increased cybersecurity threats, and demand for more robust privacy controls (5). While it’s uncertain whether the proposed rule will be finalized, the updates aim to modernize how ePHI is protected in today’s cloud- and mobile-first environment.

The proposed changes focus on stronger encryption standards, more rigorous risk assessment protocols, enhanced cloud and vendor accountability, advanced user authentication measures, and mandatory incident response plans. These updates are designed to help healthcare organizations proactively prevent breaches and manage threats in real time, ultimately supporting safer and more compliant digital healthcare systems.

Key Proposed Changes to the HIPAA Security Rule (2025)

  • Stricter Encryption Standards: End-to-end encryption required for ePHI at rest and in transit.
  • Advanced Risk Assessment Requirements: More detailed, frequent, and proactive security evaluations.
  • Vendor and Cloud Oversight: Stronger obligations to vet and monitor third-party service providers.
  • Improved Authentication Controls: Adoption of multi-factor or biometric authentication for high-risk access.
  • Incident Response Plans: Mandatory response protocols, staff training, and regular testing for breach scenarios.

Why Generic Messaging Tools Are Not Enough

Common messaging platforms like SMS and regular email are not designed for HIPAA compliance. These tools often lack the ability to:

  • Restrict access based on user roles
  • Encrypt stored messages
  • Log and audit communications
  • Sign a HIPAA-compliant BAA

For companies developing patient portals, mobile health apps, or companion software for medical devices, relying on generic tools can expose them to unnecessary compliance risk. Although HIPAA cybersecurity regulations surrounding the use of communication apps were temporarily relaxed during the COVID-19 emergency, this no longer applies. Popular platforms such as WhatsApp® or FaceTime® are not HIPAA compliant, and any healthcare organization still using them risks severe penalties (6,7). 

What Features Are Needed for HIPAA-Compliant Data Transfer?

A secure, HIPAA-aligned messaging tool should include:

  • End-to-end encryption
  • Role-based access control (RBAC)
  • Secure user authentication (MFA, biometrics)
  • Audit trails for message activity
  • Session timeouts and inactivity locks
  • Patient message consent tracking
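The checklist above is easier to reason about when the controls are laid out as a single access decision. The following is an added example, not code from this article, from Medical Web Experts or from BridgeInteract: a minimal gate in front of a patient-messaging store that enforces MFA, an inactivity lock, role-based access with an object-level ownership check, and patient consent, and writes an audit entry for every attempt whether it is allowed or denied. The role names, the 15-minute inactivity limit, the in-memory stores and the sample users and messages are all constructed for the example; a real deployment would persist the audit log to tamper-evident storage and serve only ciphertext that the client decrypts.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

INACTIVITY_LIMIT = timedelta(minutes=15)  # assumed policy value, not from the article

# Role-based access control: what each role may do with clinical messages.
# Role names and permissions are a constructed policy for this example.
ROLE_PERMISSIONS = {
    "patient": {"read_own", "send"},
    "clinician": {"read_assigned", "send"},
    "billing": set(),  # billing staff have no business need for clinical messages
}


@dataclass
class Session:
    user_id: str
    role: str
    mfa_verified: bool      # set only after a second factor succeeded
    last_activity: datetime


@dataclass(frozen=True)
class Message:
    message_id: str
    patient_id: str
    assigned_clinicians: frozenset
    ciphertext: bytes       # stored encrypted; this gate never handles plaintext


@dataclass
class MessageGate:
    consent: dict = field(default_factory=dict)   # patient_id -> opted in to e-messaging
    audit_log: list = field(default_factory=list)

    def _audit(self, session, action, message_id, outcome, now):
        # Every attempt, allowed or denied, is recorded with who/what/when/result.
        self.audit_log.append({"ts": now.isoformat(), "user": session.user_id,
                               "role": session.role, "action": action,
                               "message": message_id, "outcome": outcome})

    def read_message(self, session, msg, now):
        """Return the stored ciphertext if every control passes, else None."""
        if not session.mfa_verified:
            self._audit(session, "read", msg.message_id, "denied:mfa", now)
            return None
        # Inactivity lock: a stale session must re-authenticate.
        if now - session.last_activity > INACTIVITY_LIMIT:
            self._audit(session, "read", msg.message_id, "denied:inactive", now)
            return None
        session.last_activity = now
        # RBAC plus an object-level ownership check (role alone is not enough).
        perms = ROLE_PERMISSIONS.get(session.role, set())
        owner = "read_own" in perms and session.user_id == msg.patient_id
        treating = "read_assigned" in perms and session.user_id in msg.assigned_clinicians
        if not (owner or treating):
            self._audit(session, "read", msg.message_id, "denied:rbac", now)
            return None
        # Consent: the patient must have opted in to electronic messaging.
        if not self.consent.get(msg.patient_id, False):
            self._audit(session, "read", msg.message_id, "denied:consent", now)
            return None
        self._audit(session, "read", msg.message_id, "allowed", now)
        return msg.ciphertext


def demo():
    """Run constructed scenarios and return the audit outcomes in order."""
    now = datetime(2025, 1, 15, 9, 0)
    gate = MessageGate(consent={"pat-1": True, "pat-2": False})
    msg1 = Message("m-1", "pat-1", frozenset({"dr-1"}), b"<encrypted blob>")
    msg2 = Message("m-2", "pat-2", frozenset({"dr-1"}), b"<encrypted blob>")
    scenarios = [
        (Session("pat-1", "patient", True, now), msg1),                       # own message
        (Session("dr-1", "clinician", True, now), msg1),                      # treating clinician
        (Session("pat-1", "patient", False, now), msg1),                      # no MFA
        (Session("dr-1", "clinician", True, now - timedelta(hours=1)), msg1), # timed out
        (Session("pat-9", "patient", True, now), msg1),                       # another patient
        (Session("acct-1", "billing", True, now), msg1),                      # wrong role
        (Session("dr-1", "clinician", True, now), msg2),                      # no consent
    ]
    for session, msg in scenarios:
        gate.read_message(session, msg, now)
    return [entry["outcome"] for entry in gate.audit_log]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Note that the denials are logged just as the successful read is: a reviewer investigating an incident needs to see the attempts that failed, not only the ones that succeeded, and the audit entry carries the acting user, role, object and timestamp rather than any message content.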

HIPAA-Compliant Messaging Solutions

Generic off-the-shelf messaging tools fall short because they aren’t purpose-built for healthcare. Healthcare organizations of every kind, from hospitals and small clinics to laboratories and others, need purpose-built messaging solutions to ensure compliance. These can be obtained in two ways:

  1. Custom Software Development

A bespoke solution, developed either in-house or via a proven, healthcare-specialized vendor, is the best way to get a digital platform that is built to your exact needs and security requirements. Custom secure messaging features built into your healthcare application or patient portal offer:

  • Tailored user experiences
  • Seamless integration with EHRs and internal workflows
  • Complete control over data handling and storage
  • Scalable architecture to grow with your organization

At Medical Web Experts, we specialize in developing HIPAA-compliant communication tools as part of our custom healthcare software services. With over a decade of experience crafting bespoke solutions for a range of healthcare organizations, our expert developers can ensure HIPAA compliance as a rock-solid foundation for your digital healthcare products.

  2. Configurable Pre-Built Solutions

Off-the-shelf solutions for healthcare messaging are also available on the market. However, healthcare organizations should take special care to ensure that such solutions are flexible enough to fit their needs (without bloat or unnecessary features that could leave vulnerabilities) and well-integrated with their other digital tools (e.g., portal, EHR).

BridgeInteract, our sister company, offers secure messaging functionality as part of its modular patient engagement platform. Integrated within a highly configurable patient portal, BridgeInteract provides:

  • Encrypted provider-patient messaging
  • Automated patient notifications
  • Role-based access and permission controls
  • Seamless mobile and desktop access

Organizations can also white-label BridgeInteract or integrate its components into a custom-built solution.
