What the Updated HIPAA Security Rule Means for Email Risk Assessments

A guide for auditors, HITRUST assessors, and HIPAA compliance consultants.

Industry Insights
June 25, 2026
10m read
Material Team

TL;DR: The proposed HIPAA Security Rule update — originally expected in May 2026, now overdue with no confirmed timeline — would change what "compliant" looks like for email. Most assessment frameworks still treat disk-level encryption as sufficient for ePHI at rest and login MFA as sufficient for access control. Under the proposed rule, neither holds up. Here are five questions worth adding to your email security evaluations now, regardless of when the final rule lands.

The assessment gap

If you audit healthcare organizations for HIPAA compliance, you've probably checked the email security box hundreds of times. The checklist is familiar: Is there a secure email gateway? Is MFA enabled? Is data encrypted in transit?

Under the current rule, those checks have been enough. The "addressable" designation for encryption gave organizations room to document their approach and move on. Most did.

The updated rule (RIN 0945-AA22) was expected in May 2026. That deadline has passed — OCR hasn't confirmed a new timeline, and whether the current administration will finalize the Biden-era proposal is an open question. But the proposed requirements remain on the regulatory agenda, and the direction is unmistakable: encryption of ePHI at rest becomes required, MFA for all systems containing ePHI becomes required, and the scope explicitly includes email.

For auditors, the writing is on the wall. The standard three-checkbox email assessment won't be sufficient under the new standard. The questions below are worth adding now — they surface real gaps regardless of when the final rule drops.

Five questions worth adding

1. Does the organization's email encryption protect against the way breaches actually happen?

Most assessments get this wrong — or don't ask it at all.

Microsoft 365 and Google Workspace encrypt email at rest at the infrastructure level — disk encryption on their servers. When you ask "is email encrypted at rest?", the technical answer is yes. That's been good enough for years.

The new rule requires ePHI to be "unreadable, undecipherable, and unusable" to unauthorized persons who gain access. The follow-up question auditors should ask: if an attacker authenticates to an email account with stolen credentials or a hijacked session, is the PHI in that mailbox readable?

With disk-level encryption, the answer is yes — fully readable, fully searchable, fully exportable. The encryption protects against physical server theft, which is not how healthcare email breaches happen. OCR breach data shows 85% of email breaches are account takeovers: compromised credentials, stolen sessions, MFA bypass. The encryption in place doesn't touch the actual threat.

Whether OCR will enforce this distinction aggressively is an open question. But the language of the rule — "unreadable to unauthorized persons who gain access" — points in a clear direction. Auditors who don't ask the follow-up question are assessing against the old standard, not the new one.

2. Does MFA cover data access, or only account login?

The rule requires MFA for access to systems containing ePHI. Most organizations have implemented login MFA — a password plus an authenticator app or hardware key to sign into the email account.

The follow-up: what happens after login MFA is bypassed?

Session hijacking, MFA fatigue attacks, and adversary-in-the-middle techniques all allow attackers to establish authenticated sessions without triggering login MFA. Once in, the session has full access to the mailbox — every message, every attachment, every year of accumulated PHI — without encountering any additional authentication challenge.

MFA at login verifies identity at the front door. It doesn't verify identity at the point of data access. If a session is compromised after login, the MFA requirement has been technically satisfied but the ePHI is fully exposed.

Under the new rule, organizations need to be able to articulate how MFA protects ePHI access — not just how it protects account login. If the answer is "they're the same thing," the assessment should flag that as a gap, because the threat data says otherwise.

3. Does the organization have an inventory of ePHI in email?

The updated rule requires a technology asset inventory that accounts for where ePHI lives and how it flows between systems. For EHRs, databases, and structured clinical systems, most organizations can produce this.

For email, the answer is almost always no.

Most healthcare organizations have no way to identify which mailboxes contain PHI, which messages have PHI, or what types of PHI are present. A typical clinician's inbox holds years of referral letters, lab results, insurance authorizations, and patient communications — all accumulated over time, none of it tagged or classified.

The gap shows up in two places. Under the new rule, the inventory requirement means organizations need to know where ePHI in email lives. And during a breach, the lack of an inventory forces worst-case scoping — if you can't determine which messages contained PHI and which were accessed, you notify every patient who ever corresponded with the compromised account. OCR breach data shows the median email breach exposed 2,737 patients, but without an inventory, many organizations can't determine the actual number and default to much larger notification pools.

The question to ask: can the organization identify which email messages contain ePHI — or would a breach force them to assume worst-case scope?

4. Can the organization produce a breach scope report within the notification timeline?

HIPAA's 60-day notification clock starts at discovery. The investigation phase — determining which emails were accessed, which contained PHI, and which patients were affected — is where organizations lose weeks.

The typical process after an email account compromise: the security team manually reviews audit logs, the compliance team initiates eDiscovery queries across the compromised mailbox, and in many cases outside counsel or forensic consultants are brought in to determine what data was actually accessed. A single compromised mailbox can take 3-5 weeks to scope.

The updated rule makes this worse by requiring continuous audit capabilities — not the kind assembled retroactively after a breach.

The things to look for: does the organization have session-level access logs for email (not just login logs)? Can they determine which specific messages a compromised session accessed? Can they generate a patient impact report — with unique patient count and affected email inventory — without a manual forensic investigation? The gap between "we can pull audit logs from Microsoft" and "we can produce a structured breach scope report in 24 hours" is enormous, and most organizations are on the wrong side of it.
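The scoping capability that questions 3 and 4 describe, an ePHI inventory combined with session-level mailbox access logs, as an added example that is not part of the original post or Material's product: the log format, inventory, session ids and patient ids are all constructed, and the point is the gap between a structured scope report for one compromised session and the worst-case notification pool an organization falls back to without those two inputs.

```python
"""Breach scope from session-level mailbox access logs plus an ePHI inventory.
Added illustration only; every id, log line and format below is constructed."""
from collections import defaultdict

# Constructed session-level access log (not just logins): which session touched
# which message. Session s1 is the clinician; s7 is the hijacked session.
ACCESS_LOG = [
    "2026-03-02T09:12:04Z user=dr.lee session=s1 action=read msg=m101",
    "2026-03-02T09:15:40Z user=dr.lee session=s1 action=read msg=m102",
    "2026-03-03T02:41:10Z user=dr.lee session=s7 action=read msg=m102",
    "2026-03-03T02:41:55Z user=dr.lee session=s7 action=read msg=m103",
    "2026-03-03T02:43:02Z user=dr.lee session=s7 action=export msg=m105",
    "2026-03-03T02:43:40Z user=dr.lee session=s7 action=read msg=m104",
    "2026-03-03T02:44:30Z user=dr.lee session=s7 action=list",
]
# Constructed ePHI inventory: message id -> patient ids found by classification.
# m103 was classified and holds no PHI; m104 was never classified at all.
EPHI_INVENTORY = {"m101": {"p1"}, "m102": {"p2", "p3"}, "m103": set(),
                  "m105": {"p3", "p4"}}
# Every patient who ever corresponded with the mailbox: the worst-case pool.
MAILBOX_PATIENTS = {"p1", "p2", "p3", "p4", "p5", "p6"}

def parse_line(line):
    """Turn one 'key=value' log line into a dict (timestamp kept under 'ts')."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = ts
    return rec

def scope_breach(log, inventory, compromised_sessions):
    """Structured scope report restricted to the compromised sessions."""
    accessed = defaultdict(set)  # msg id -> actions the attacker took on it
    for rec in map(parse_line, log):
        if rec["session"] in compromised_sessions and "msg" in rec:
            accessed[rec["msg"]].add(rec["action"])
    phi_msgs = {m for m in accessed if inventory.get(m)}
    patients = set().union(*(inventory[m] for m in phi_msgs))
    return {
        "messages_accessed": len(accessed),
        "phi_messages_accessed": sorted(phi_msgs),
        "exported_phi_messages": sorted(m for m in phi_msgs if "export" in accessed[m]),
        # Accessed but never classified: the inventory gap that forces assumptions.
        "unclassified_messages": sorted(m for m in accessed if m not in inventory),
        "unique_patients": len(patients),
        "patients": sorted(patients),
    }

def worst_case_scope(mailbox_patients):
    """Notification pool when no inventory or session-level log exists."""
    return {"unique_patients": len(mailbox_patients), "patients": sorted(mailbox_patients)}

if __name__ == "__main__":
    print(scope_breach(ACCESS_LOG, EPHI_INVENTORY, {"s7"}))
    print(worst_case_scope(MAILBOX_PATIENTS))
```

With the inventory and session log, the hijacked session scopes to three patients and one unclassified message to resolve; without them, the same incident notifies all six.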

5. How does the organization assess email security for its business associates?

The updated rule strengthens BA oversight requirements. Organizations must verify that business associates implement appropriate safeguards — and that now includes the stricter encryption and MFA standards.

For email, the data makes the case clearly. Analysis of the OCR breach portal found that 42% of all patient records exposed through email breaches came from business associates, not from the covered entity itself. BAs account for only 15% of email breaches by count but produce disproportionately large incidents — the two largest email breaches in the dataset, exposing 357,000 and 320,000 patients respectively, were both BAs.

Most vendor risk questionnaires ask about MFA and encryption at a general level. They don't ask the email-specific questions that the new rule makes relevant: does the BA encrypt ePHI at rest in email at the content level, or only at the infrastructure level? Does the BA have MFA at the data access level for email? Can the BA produce a breach scope report if an email account is compromised?

If a BA's email breach exposes a covered entity's patients — and the covered entity's vendor assessment didn't ask these questions — the organization has both a breach to report and an assessment gap to explain.

Why this matters now

Whether the final rule lands in mid-2026 or later, the direction is clear: the bar for email is moving from "does some form of encryption exist?" to "does it protect patient data from how breaches actually happen?" The assessment frameworks most auditors rely on haven't caught up yet.

These questions surface real gaps regardless of the rule's timeline. Organizations that address them now are better prepared — both for the new standard and for the breach that could happen tomorrow. The ones that wait for the final rule to act will be scrambling against a compliance deadline and an enforcement agency that's already signaled where it's headed.
