
Last updated: June 20, 2025
In today’s digital healthcare landscape, HIPAA compliance for ePHI is not optional; it is foundational. Securely sharing electronic protected health information (ePHI) is essential for patient trust, legal protection, and effective care. The standards for ePHI are strict, so consumer email and generic messaging tools are not up to the task and can expose your organization to significant risk. Instead, healthcare organizations are turning to custom, specialized HIPAA-compliant messaging solutions to protect ePHI.
In this article, we explain how to safely share ePHI under the HIPAA Security Rule, the limitations of standard communication platforms, and how custom messaging solutions embedded in patient portals and healthcare apps deliver the compliance, flexibility, and security your organization needs.
Key takeaways
- HIPAA-compliant messaging is essential for safeguarding ePHI and avoiding costly data breaches, but standard tools are not secure or compliant enough.
- The HIPAA Security Rule update proposed in January 2025 would make encryption and multi-factor authentication required rather than addressable, tighten risk analysis and vendor oversight, and mandate written, tested incident response plans.
- Custom messaging solutions built into healthcare apps or patient portals offer end-to-end security, seamless EHR integration, and full regulatory compliance.
Table of Contents
- What is ePHI?
- Why ePHI Compliance Matters
- How Does HIPAA View Sharing ePHI with Patients?
- Can You Send PHI via Email in 2025?
- Why Generic Messaging Tools Are Not Enough
- What Features Are Needed for HIPAA-Compliant Data Transfer?
- HIPAA-Compliant Messaging Solutions
- Comparing Generic vs. Custom Messaging Solutions
- Get a Custom Secure Messaging Solution
What is ePHI?
ePHI is protected health information (PHI), that is, individually identifiable health data, in any electronic form: created, received, maintained, or transmitted electronically. HIPAA’s Security Rule sets the administrative, physical, and technical safeguards a covered entity or business associate must apply to protect the confidentiality, integrity, and availability of that data (1).

Why ePHI Compliance Matters
Violations of the HIPAA Security Rule can result in large fines, legal consequences, and reputational damage. The covered entity remains accountable even when the breach occurs at a third party that handles its ePHI, such as an email or messaging provider acting as a business associate (2).
According to the 2024 HIMSS Cybersecurity Survey, a full quarter of respondents reported that their organizations had suffered a major security incident (resulting in financial damage or operational disruption) involving a vendor, supplier, or service provider (3).
In 2024 alone, 14 reported data breaches affected over 1 million healthcare records, including the largest breach in history at Change Healthcare, which compromised data from approximately 190 million individuals. Altogether, those breaches exposed the records of nearly 238 million US residents—nearly 70% of the population—with all but two involving hacking incidents (4).
For healthcare organizations building custom apps or patient portals, ePHI compliance must be baked into the design from day one.
How Does HIPAA View Sharing ePHI with Patients?
The HIPAA Security Rule does not prohibit sharing ePHI with patients; it requires that the channel used be safeguarded. Patients have a right to access their own health information (a Privacy Rule right), and covered entities must protect that data from unauthorized disclosure while it is stored and in transit.
HIPAA allows patient communications via digital tools when safeguards are in place, including:
- Identity verification
- Encrypted transmissions
- Access controls (e.g., passwords or biometrics)
- Audit logging
Can You Send PHI via Email in 2025?
Technically, yes, but it is risky.
Email is not inherently secure: a message may cross untrusted servers in the clear and then sit unencrypted in mailboxes, forwards, and backups. Under the current Security Rule, encrypting ePHI in transit is an “addressable” specification, meaning you must implement it or document why an equivalent measure is reasonable, so sending PHI by email without encryption in transit and at rest, a Business Associate Agreement (BAA) with any hosted email provider, and layered security controls puts you at risk of a violation. Patients may ask to receive their information by unencrypted email; OCR guidance allows this, but the provider should warn them of the risks and document their informed choice. Not only does this slow down communication, it adds the risk of human error (a mistyped recipient, a forwarded thread) that could lead to a Security Rule violation. That is why HIPAA-compliant data transfer tools built into custom apps or portals are preferred.
In addition to the inherent risks of email, HIPAA is on track to tighten its security requirements. In January 2025, the Office for Civil Rights (OCR) published a Notice of Proposed Rulemaking for the HIPAA Security Rule, its first substantial revision since the 2013 Omnibus Rule, designed to address the healthcare industry’s evolving digital infrastructure, increased cybersecurity threats, and the demand for more robust controls (5). Whether and in what form the proposal will be finalized is still uncertain, but the updates aim to modernize how ePHI is protected in today’s cloud- and mobile-first environment.
The proposed changes focus on mandatory encryption, more rigorous and more frequent risk analysis, stronger cloud and vendor accountability, multi-factor authentication, and written, tested incident response plans. Together they are meant to move healthcare organizations from reacting to breaches toward preventing them and recovering quickly when one occurs.
Key Proposed Changes to the HIPAA Security Rule (2025)
- Mandatory Encryption: Encryption of ePHI at rest and in transit would become a required specification rather than an addressable one, with only limited exceptions.
- Stronger Risk Analysis Requirements: A written technology asset inventory and network map, a more detailed risk analysis, and review at least every 12 months.
- Vendor and Cloud Oversight: Stronger obligations to vet and monitor business associates, including annual written verification that their technical safeguards are in place.
- Multi-Factor Authentication: MFA would be required for access to ePHI, with limited exceptions.
- Incident Response and Contingency Plans: Written incident response procedures, the ability to restore critical systems and ePHI within 72 hours, staff training, and regular testing of the plans.
Why Generic Messaging Tools Are Not Enough
Common messaging platforms like SMS and regular email are not designed for HIPAA compliance. These tools often lack the ability to:
- Restrict access based on user roles
- Encrypt stored messages
- Log and audit communications
- Sign a HIPAA-compliant BAA
For companies developing patient portals, mobile health apps, or companion software for medical devices, relying on generic tools creates unnecessary compliance risk. OCR’s enforcement discretion for telehealth over everyday communication apps, granted during the COVID-19 public health emergency, ended when the emergency expired on May 11, 2023 (with a transition period that ran to August 9, 2023) and no longer applies. Popular platforms such as WhatsApp® or FaceTime® are not HIPAA compliant: the issue is not only encryption (both encrypt in transit) but that their vendors do not sign BAAs or provide the access controls, audit trails, and retention features a covered entity needs, so any healthcare organization still using them for PHI risks severe penalties (6,7).
What Features Are Needed for HIPAA-Compliant Data Transfer?
A secure, HIPAA-aligned messaging tool should include:
- End-to-end encryption
- Role-based access control (RBAC)
- Secure user authentication (MFA, biometrics)
- Audit trails for message activity
- Session timeouts and inactivity locks
- Patient message consent tracking
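To make the safeguards listed above (and the earlier list of digital-communication safeguards: identity checks, encrypted transmission, access controls, audit logging) concrete, here is a small worked example of a message store that implements four of them: encryption of stored messages, role-based access control that keeps one patient out of another patient’s thread, an inactivity lock on sessions, and an audit trail that records denials as well as successes. It is an added example written for this article, not code from the original page, from Medical Web Experts, or from BridgeInteract. Everything in it is an assumption for illustration: the 15-minute idle limit, the two roles, AES-256-GCM as the at-rest cipher, the placeholder key (a real deployment would fetch it from a KMS or HSM), and the constructed sample message. It shows server-side encryption at rest, not end-to-end encryption between devices; the network leg is assumed to be covered by TLS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

type Role string

const (
	RolePatient     Role = "patient"
	RoleClinician   Role = "clinician"
	InactivityLimit      = 15 * time.Minute // assumed idle timeout; an idler session is locked
)

type Session struct{ UserID string; Role Role; LastSeen time.Time }

// AuditEntry records who did (or was refused) what, to which message, and when.
type AuditEntry struct{ When time.Time; Actor, Action, Target string }

// record holds nonce || AES-GCM ciphertext: ePHI never sits in clear at rest.
type record struct{ patientID string; blob []byte }

type Store struct {
	gcm      cipher.AEAD
	messages map[string]record
	Audit    []AuditEntry // append-only here; a deployment would ship it to a WORM log
}

// NewStore takes a 32-byte data key; in production it comes from a KMS/HSM.
func NewStore(dataKey []byte) (*Store, error) {
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Store{gcm: gcm, messages: map[string]record{}}, nil
}

func (st *Store) log(now time.Time, actor, action, target string) {
	st.Audit = append(st.Audit, AuditEntry{When: now, Actor: actor, Action: action, Target: target})
}

// authorize applies the inactivity lock, then RBAC: clinicians reach any thread, patients only their own, other roles nothing. Denials are logged too.
func (st *Store) authorize(sess *Session, now time.Time, action, id, patientID string) error {
	if now.Sub(sess.LastSeen) > InactivityLimit {
		st.log(now, sess.UserID, action+":denied-locked", id)
		return errors.New("session locked by inactivity timeout; re-authenticate")
	}
	sess.LastSeen = now
	if sess.Role != RoleClinician && (sess.Role != RolePatient || sess.UserID != patientID) {
		st.log(now, sess.UserID, action+":denied-rbac", id)
		return errors.New("access denied")
	}
	return nil
}

// Send encrypts with AES-256-GCM; message id and patient id are bound as AAD so a blob copied into another patient's thread fails to decrypt.
func (st *Store) Send(sess *Session, now time.Time, id, patientID, body string) error {
	if err := st.authorize(sess, now, "send", id, patientID); err != nil {
		return err
	}
	nonce := make([]byte, st.gcm.NonceSize()) // fresh random nonce per message
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	st.messages[id] = record{patientID, st.gcm.Seal(nonce, nonce, []byte(body), []byte(id+"|"+patientID))}
	st.log(now, sess.UserID, "send", id)
	return nil
}

// Read runs the same checks, then decrypts; a modified or moved blob fails the GCM tag.
func (st *Store) Read(sess *Session, now time.Time, id string) (string, error) {
	r, ok := st.messages[id]
	if !ok {
		return "", errors.New("no such message")
	}
	if err := st.authorize(sess, now, "read", id, r.patientID); err != nil {
		return "", err
	}
	n := st.gcm.NonceSize()
	plain, err := st.gcm.Open(nil, r.blob[:n], r.blob[n:], []byte(id+"|"+r.patientID))
	if err != nil {
		return "", err
	}
	st.log(now, sess.UserID, "read", id)
	return string(plain), nil
}

func main() {
	st, _ := NewStore([]byte("0123456789abcdef0123456789abcdef")) // placeholder key, constructed
	dr := &Session{UserID: "dr-lee", Role: RoleClinician, LastSeen: time.Now()}
	fmt.Println(st.Send(dr, time.Now(), "msg-1", "pt-100", "Your lab results are normal."), len(st.Audit))
}
```

Two design points are worth noting. Binding the message id and patient id as GCM additional authenticated data means that even someone with write access to the database cannot move a ciphertext from one patient’s thread to another without the decrypt failing, which is a cheap defence against the “wrong patient” class of disclosure. And because `authorize` logs a refusal before returning, the audit trail shows attempted cross-patient reads and expired-session use, which is exactly what an incident responder needs and what generic tools usually lack. What the example leaves out, and a real portal must add, is MFA at login, consent tracking, and a tamper-evident (or write-once) destination for the audit entries.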
HIPAA-Compliant Messaging Solutions
Generic off-the-shelf messaging tools fall short because they are not purpose-built for healthcare. Healthcare organizations of every kind, from hospitals and small clinics to laboratories, need purpose-built messaging to stay compliant. Such a solution can be obtained in two ways:
- Custom Software Development
A bespoke solution, developed either in-house or by a proven, healthcare-specialized vendor, is the best way to get a platform built to your exact needs and security requirements without unnecessary features. Custom secure messaging built into your healthcare application or patient portal offers:
- Tailored user experiences
- Seamless integration with EHRs and internal workflows
- Complete control over data handling and storage
- Scalable architecture to grow with your organization
At Medical Web Experts, we specialize in developing HIPAA-compliant communication tools as part of our custom healthcare software services. With over a decade of experience crafting bespoke solutions for a range of healthcare organizations, our expert developers can ensure HIPAA compliance as a rock-solid foundation for your digital healthcare products.
- Configurable Pre-Built Solutions
Off-the-shelf healthcare messaging products are also available. Healthcare organizations should take care that such a product is flexible enough to fit their needs (unused features and bloat widen the attack surface) and integrates well with their other digital tools, such as the patient portal and EHR.
BridgeInteract, our sister company, offers secure messaging functionality as part of its modular patient engagement platform. Integrated within a highly configurable patient portal, BridgeInteract provides:
- Encrypted provider-patient messaging
- Automated patient notifications
- Role-based access and permission controls
- Seamless mobile and desktop access
Organizations can also white-label BridgeInteract or integrate its components into a custom-built solution.
Comparing Generic vs. Custom Messaging Solutions
| Feature | Generic Tools | Custom Healthcare Messaging |
|---|---|---|
| HIPAA compliance | ❌ Not guaranteed | ✅ Built for compliance |
| Data encryption | ❌ Varies | ✅ End-to-end encryption |
| Access control and RBAC | ❌ Limited | ✅ Fully configurable |
| Audit logging | ❌ Often missing | ✅ Comprehensive logs |
| Integration with EHR/portals | ❌ Difficult | ✅ Seamless integration |
| Consent management | ❌ Manual or none | ✅ Built-in workflows |
Get a Custom Secure Messaging Solution
Ready to stop relying on tools that weren’t built for healthcare? Whether you’re developing a new patient portal, mobile app, website, or companion app for a medical device, Medical Web Experts can build a secure, HIPAA-compliant messaging solution tailored to your needs.
Contact us today to schedule a free consultation and see how we can help you protect your data, empower your users, and stay compliant in 2025 and beyond.
Read more:
- How To Design a HIPAA Compliant Website
- HIPAA-Compliant Web Hosting: What You Need To Know
- How to Make a HIPAA-Compliant Healthcare App
Resources:
- U.S. Department of Health and Human Services, Office for Civil Rights (2024) ‘Security Rule’, HIPAA for Professionals, HHS.gov. Available at: Link. (Accessed: 20 June 2025).
- American Medical Association. (2025) HIPAA Violations and Enforcement. Available at: Link. (Accessed: 26 June 2025).
- Healthcare Information and Management Systems Society. (2025) 2024 HIMSS Healthcare Cybersecurity Survey. Available at: Link. (Accessed: 20 June 2025).
- Alder, S. (2025) The Biggest Healthcare Data Breaches of 2024. The HIPAA Journal. Available at: Link. (Accessed: 20 June 2025).
- U.S. Department of Health and Human Services, Office for Civil Rights. (2025) HIPAA Security Rule to strengthen the cybersecurity of electronic protected health information, Federal Register, 6 January. Available at: Link. (Accessed: 20 June 2025).
- BridgeInteract. (2024) Is WhatsApp a HIPAA‑compliant telemedicine software? Available at: Link. (Accessed: 20 June 2025).
- BridgeInteract. (2024) Is Apple FaceTime a HIPAA‑Compliant Telehealth Software Platform? Available at: Link. (Accessed: 20 June 2025).