HIPAA requires encrypted email. How can we send encrypted email from ECLIPSE?

You are here:
HIPAA absolutely does NOT require that you use email encryption to communicate with or about your patients. Please review this DHHS FAQ link regarding encryption, this one regarding patient communication, this DHHS FAQ link regarding emailing providers, this DHHS FAQ link regarding email safety, this fax related link, and finally, this DHHS FAQ link regarding whether standard email is expressly allowed/disallowed.

Next, let’s examine the opinion of the American Bar Association (Formal Ethics Opinion 99-413):

  • Plaintext email provides a ‘reasonable expectation of privacy’ and is no less secure than telephone, fax, US & ‘commercial’ mail… thus the same expectation should be afforded email as other modes.
  • Plaintext email is acceptable for use in attorney communications which contain confidential client information.


Regardless, ECLIPSE does offer encrypted DIRECT email services as part of its government certified versions — also available with all ECLIPSE Client/Server versions as of January 2020. Please realize that you can’t simply send such email to anyone. Encrypted email requires that both the sender & receiver have DIRECT email addresses. You must also be using a Client/Server version of ECLIPSE for these services to be available.

ECLIPSE is required to offer DIRECT as part of its ONC certification. There is no such requirement for you as a healthcare provider.

HIPAA is about taking reasonable precautions. Thus, phrases such as “reasonable safeguards” are often used in DHHS FAQ’s regarding HIPAA CFR’s. One of our favorite examples is Sign-In Sheets, where providers have shown a general tendency to overreact by eliminating or drastically changing how they handle an essential legal tool. Please realize that HIPAA related provisions in ECLIPSE reflect real life issues. Thus, as was noted in the August 2015 article Security for Mobile and Cloud Frontiers in Healthcare (Communications of the ACM, Vol. 58 No. 8, Pages 21-23), HIPAA is a balancing act:

“I fear the day when your security requirement kills one of my patients,’ said a medical practitioner to the security professionals proposing improved security for the clinical information system. Every security professional is familiar with the challenge of deploying strong security practices around enterprise information systems, and the skepticism of well-intentioned yet uncooperative stakeholders. At the same time, security solutions can be cumbersome and may actually affect patient outcomes.”