25% off all training courses Offer ends May 29, 2026
View HIPAA Courses

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Is Hotmail HIPAA Compliant?

Hotmail is not HIPAA compliant and cannot be used to collect, store, or transmit Protected Health Information, because the free consumer email service (now known as Outlook.com) does not support the safeguards that Hotmail users would need in order to comply with HIPAA.

Many healthcare organizations are unsure whether Hotmail is HIPAA compliant and whether sending protected health information via a Hotmail account can be considered a HIPAA compliant method of communication. In this post we answer the question "Is Hotmail HIPAA compliant?" and explain whether the webmail service can be used to send PHI.

Hotmail is a free webmail service from Microsoft that has been around since 1996. Hotmail has now been replaced with Outlook.com. In this post we will determine whether Hotmail is HIPAA compliant, and the same conclusions apply to Outlook.com. For the purposes of this article, Hotmail and Outlook.com will be considered one and the same.

HIPAA, Email and Encryption

There is a common misconception that all email is HIPAA compliant. In order for any email service to be HIPAA compliant, it must incorporate security controls to prevent unauthorized individuals from gaining access to accounts and for any information sent via the email service to be secured to prevent messages from being intercepted. There must be access controls, integrity controls, and transmission security controls in place – See 45 CFR § 164.312(a), 45 CFR § 164.312(c)(1), and 45 CFR § 164.312(e)(1).


Every email account is protected by at least a password, but a password only controls who can log in to the mailbox; it says nothing about how messages travel between mail servers. If messages are not encrypted in transit, they can be intercepted and read by unauthorized individuals.

In order to be HIPAA compliant, email messages should be encrypted in transit if they are sent outside the protection of an organization's firewall. Under the Security Rule, encryption of transmitted ePHI is an addressable implementation specification (45 CFR § 164.312(e)(2)(ii)), so a covered entity that does not encrypt messages sent internally must be able to show, in its risk analysis, why that is reasonable, for example because the messages never leave a secure internal email server that sits behind a firewall.

Is Hotmail HIPAA Compliant?

Since Hotmail is a webmail service, it lies outside the protection of an organization's firewall. In order to be HIPAA compliant, Hotmail would need to incorporate security controls to prevent messages from being intercepted. Hotmail uses HTTPS, so information transferred between the browser and the Hotmail site is encrypted. Delivery to another provider, however, takes place over SMTP between mail servers, and whether that leg is encrypted depends on the receiving server offering TLS; if it does not, the message is relayed in plaintext. The connection between the user and Microsoft's servers is therefore protected, but protection for the whole path to the recipient is not guaranteed.
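The hop-by-hop caveat above can be verified on a delivered message rather than taken on trust. The following Python script is an added example; it is not code from The HIPAA Journal or from Microsoft. It parses the Received: headers that each receiving mail server stamps on a message and flags any hop that was not marked as TLS-protected. It assumes the receiving servers use the standard ESMTPS/ESMTPSA "with" tokens (RFC 3848) or an Exchange-style "(version=TLS1_2 ...)" comment to record TLS; the sample message is constructed for this example, not captured from a real mailbox.

```python
"""Audit the Received: headers of a delivered message to see which SMTP hops used TLS.

Added example, not code from The HIPAA Journal or from Microsoft.
Assumptions: MTAs mark TLS hops with the ESMTPS/ESMTPSA "with" tokens (RFC 3848)
or an Exchange-style "(version=TLS1_2 ...)" comment. SAMPLE_MESSAGE is constructed.
"""
import email
import re
from email import policy

# "with" protocol tokens that indicate the hop was delivered over TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA", "LMTPS", "LMTPSA"}

WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)")
BY_RE = re.compile(r"\bby\s+([^\s;()]+)")
TLS_COMMENT_RE = re.compile(r"\bversion=TLS", re.IGNORECASE)

# Constructed sample: three hops, newest first. The middle hop (relay -> MX)
# was delivered over plain ESMTP, so it should be reported as unencrypted.
SAMPLE_MESSAGE = """\
Received: from mx.example-clinic.test (mx.example-clinic.test [203.0.113.10])
    by inbound.example-mail.test with ESMTPS id abc123
    (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);
    Mon, 1 Jan 2024 10:00:02 +0000
Received: from relay.example-clinic.test (relay.example-clinic.test [198.51.100.7])
    by mx.example-clinic.test with ESMTP id def456;
    Mon, 1 Jan 2024 10:00:01 +0000
Received: from workstation.example-clinic.test ([192.0.2.5])
    by relay.example-clinic.test with ESMTPSA id ghi789
    (version=TLS1_2 cipher=ECDHE-RSA-AES256-GCM-SHA384);
    Mon, 1 Jan 2024 10:00:00 +0000
From: clinic@example-clinic.test
To: patient@example.test
Subject: test message

body
"""


def audit_received_hops(raw_message: str) -> list[dict]:
    """Return one record per Received: header, newest hop first.

    Each record holds the receiving host ("by"), the "with" protocol token,
    and whether the hop shows evidence of TLS.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        # Collapse header folding so the regexes see one line per hop.
        text = re.sub(r"\s+", " ", str(value))
        by = BY_RE.search(text)
        with_match = WITH_RE.search(text)
        protocol = with_match.group(1) if with_match else "unknown"
        tls = protocol.upper() in TLS_PROTOCOLS or bool(TLS_COMMENT_RE.search(text))
        hops.append({
            "by": by.group(1) if by else "unknown",
            "protocol": protocol,
            "tls": tls,
        })
    return hops


def unencrypted_hops(raw_message: str) -> list[str]:
    """Receiving hosts for every hop that carries no TLS marker."""
    return [hop["by"] for hop in audit_received_hops(raw_message) if not hop["tls"]]


if __name__ == "__main__":
    for hop in audit_received_hops(SAMPLE_MESSAGE):
        state = "TLS  " if hop["tls"] else "PLAIN"
        print(f"{state} {hop['protocol']:<8} by {hop['by']}")
    print("plaintext hops:", unencrypted_hops(SAMPLE_MESSAGE))
```

Run it against a test message sent from your own email system to a mailbox you control at the patient's provider (for example an Outlook.com test account), since only the receiving side can see the full Received: chain. Two caveats apply: Received: headers written by servers outside your control can be forged, and an ESMTPS marker shows that opportunistic TLS was negotiated, not that the certificate was validated. A plaintext hop is therefore firm evidence of a problem, while an all-TLS chain is reassuring but not proof.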

However, while Microsoft says it does not scan the content of messages and will not sell that information to third parties such as advertisers, Microsoft does have access to messages. Further, in order for an email service such as Hotmail to be HIPAA compliant, a covered entity would first need to obtain a HIPAA-compliant business associate agreement from the email service provider.

Microsoft does offer business associate agreements for Office 365 (now Microsoft 365), but those agreements do not cover Hotmail or Outlook.com email accounts, which are free consumer email services. Microsoft does not offer business associate agreements for its free consumer services.

Therefore, the answer to the question "Is Hotmail HIPAA compliant?" is no. Without a signed business associate agreement, Hotmail email accounts should not be used for PHI. The same applies to Gmail accounts and most other free consumer email services.

Can You Send PHI to a Patient’s Hotmail Account?

If your own email system is secure and HIPAA compliant, is it possible to send PHI to patients who use a Hotmail account?

HIPAA does permit healthcare organizations to send PHI to patients via email, regardless of the email service provider the patient uses. However, emails containing PHI should not be sent to patients without first obtaining their consent. When obtaining consent, you should tell patients that sending PHI via email is not secure and that their information could be intercepted and viewed by individuals who are not authorized to see it.

If patients are informed of the risks and confirm that they accept them, PHI can be sent via email, even to a Hotmail or Outlook.com account. Covered entities should document that consent has been obtained and that the patient has opted in to receive information via email, including how the patient's identity was verified before the email address was accepted.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve's editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
