HIPAA-Compliant Messaging: How to Safely Share ePHI in 2025

Pablo Bullian

Posted on April 12, 2023

Last updated: June 20, 2025

In today’s digital healthcare landscape, ensuring ePHI HIPAA compliance is not optional—it’s foundational. Securely sharing electronic protected health information (ePHI) is essential for patient trust, legal protection, and effective care. Standards for ePHI are strict, so popular email and generic messaging tools aren’t up to the task and can expose your organization to significant risk. Instead, healthcare organizations are turning to custom, specialized HIPAA-compliant messaging solutions to fully protect ePHI.

In this article, we explain how to safely share ePHI under the HIPAA Security Rule, the limitations of standard communication platforms, and how custom messaging solutions embedded in patient portals and healthcare apps deliver the compliance, flexibility, and security your organization needs.


Key takeaways

  • HIPAA-compliant messaging is essential for safeguarding ePHI and avoiding costly data breaches, but standard tools are not secure or compliant enough.
  • New HIPAA Security Rule updates proposed in 2025 call for stricter encryption, stronger authentication, and mandatory incident response protocols.
  • Custom messaging solutions built into healthcare apps or patient portals offer end-to-end security, seamless EHR integration, and full regulatory compliance.

Table of Contents

  1. What is ePHI?
  2. Why Compliance Matters
  3. How Does HIPAA View Sharing ePHI with Patients?
  4. Can You Send PHI via Email in 2025?
  5. Why Generic Messaging Tools Are Not Enough
  6. HIPAA-Compliant Messaging Features
  7. Custom Messaging Solutions: Built for Compliance
  8. Comparing Generic vs. Custom Messaging Solutions
  9. Get a Custom Secure Messaging Solution

What is ePHI?

ePHI includes any patient-identifiable health data created, received, stored, or transmitted electronically. HIPAA’s Security Rule governs how ePHI must be handled to protect patient privacy and data integrity (1).

Why ePHI Compliance Matters

Violations of the HIPAA Security Rule can result in massive fines, legal consequences, and reputational damage. This risk exists even when the breach occurs in a third-party entity, such as an email or messaging provider (2).

According to the 2024 HIMSS Cybersecurity Survey, a full quarter of respondents reported that their organizations had suffered a major security incident (resulting in financial damage or operational disruption) involving a vendor, supplier, or service provider (3). 

In 2024 alone, 14 reported data breaches affected over 1 million healthcare records, including the largest breach in history at Change Healthcare, which compromised data from approximately 190 million individuals. Altogether, those breaches exposed the records of nearly 238 million US residents—nearly 70% of the population—with all but two involving hacking incidents (4).

For healthcare organizations building custom apps or patient portals, ePHI compliance must be baked into the design from day one.

How Does HIPAA View Sharing ePHI with Patients?

The HIPAA Security Rule permits sharing ePHI with patients only through secure, compliant channels. Patients have the right to access their health information, but covered entities must safeguard that data from unauthorized disclosure.

HIPAA allows patient communications via digital tools if safeguards are in place, including:

  • Identity verification
  • Encrypted transmissions
  • Access controls (e.g., passwords or biometrics)
  • Audit logging

Can You Send PHI via Email in 2025?

Technically, yes—but it’s risky.

Email is not inherently secure. You risk a HIPAA violation unless you use end-to-end encryption, a Business Associate Agreement (BAA), and layered security controls. Patients may request unencrypted email, but providers must warn them of the risks and obtain documented consent. Not only does this slow down communication, but it introduces extra risk of human error that could lead to a Security Rule violation. That’s why HIPAA-compliant data transfer tools built into custom apps or portals are preferred.

In addition to the inherent risks associated with email communications, HIPAA is already on track to tighten its security rules in 2025. In January, the Office for Civil Rights (OCR) proposed a significant update to the HIPAA Security Rule—the first in over 20 years—designed to address the healthcare industry’s evolving digital infrastructure, increased cybersecurity threats, and demand for more robust privacy controls (5). While it’s uncertain whether the proposed rule will be finalized, the updates aim to modernize how ePHI is protected in today’s cloud- and mobile-first environment.

The proposed changes focus on stronger encryption standards, more rigorous risk assessment protocols, enhanced cloud and vendor accountability, advanced user authentication measures, and mandatory incident response plans. These updates are designed to help healthcare organizations proactively prevent breaches and manage threats in real time, ultimately supporting safer and more compliant digital healthcare systems.


Key Proposed Changes to the HIPAA Security Rule (2025)

  • Stricter Encryption Standards: End-to-end encryption required for ePHI at rest and in transit.
  • Advanced Risk Assessment Requirements: More detailed, frequent, and proactive security evaluations.
  • Vendor and Cloud Oversight: Stronger obligations to vet and monitor third-party service providers.
  • Improved Authentication Controls: Adoption of multi-factor or biometric authentication for high-risk access.
  • Incident Response Plans: Mandatory response protocols, staff training, and regular testing for breach scenarios.

Why Generic Messaging Tools Are Not Enough

Common messaging platforms like SMS and regular email are not designed for HIPAA compliance. These tools often lack the ability to:

  • Restrict access based on user roles
  • Encrypt stored messages
  • Log and audit communications
  • Sign a HIPAA-compliant BAA

For companies developing patient portals, mobile health apps, or companion software for medical devices, relying on generic tools can expose them to unnecessary compliance risk. Although HIPAA cybersecurity regulations surrounding the use of communication apps were temporarily relaxed during the COVID-19 emergency, this no longer applies. Popular platforms such as WhatsApp® or FaceTime® are not HIPAA compliant, and any healthcare organization still using them risks severe penalties (6,7). 

What Features Are Needed for HIPAA-Compliant Data Transfer?

A secure, HIPAA-aligned messaging tool should include:

  • End-to-end encryption
  • Role-based access control (RBAC)
  • Secure user authentication (MFA, biometrics)
  • Audit trails for message activity
  • Session timeouts and inactivity locks
  • Patient message consent tracking

HIPAA-Compliant Messaging Solutions

Generic off-the-shelf messaging tools fall short because they aren’t purpose-built for healthcare. All kinds of healthcare organizations, from hospitals to small clinics to laboratories and others, need purpose-built messaging solutions to ensure compliance. These can be obtained in two ways:

  1. Custom Software Development

A bespoke solution, developed either in-house or via a proven, healthcare-specialized vendor, is the best way to get a digital platform that is built to your exact needs and security requirements. Custom secure messaging features built into your healthcare application or patient portal offer:

  • Tailored user experiences
  • Seamless integration with EHRs and internal workflows
  • Complete control over data handling and storage
  • Scalable architecture to grow with your organization

At Medical Web Experts, we specialize in developing HIPAA-compliant communication tools as part of our custom healthcare software services. With over a decade of experience crafting bespoke solutions for a range of healthcare organizations, our expert developers can ensure HIPAA compliance as a rock-solid foundation for your digital healthcare products.

  2. Configurable Pre-Built Solutions

Off-the-shelf solutions for healthcare messaging are also available on the market. However, healthcare organizations should take special care to ensure that such solutions are flexible enough to fit their needs (without bloat or unnecessary features that could leave vulnerabilities) and well-integrated with their other digital tools (e.g., portal, EHR).

BridgeInteract, our sister company, offers secure messaging functionality as part of its modular patient engagement platform. Integrated within a highly configurable patient portal, BridgeInteract provides:

  • Encrypted provider-patient messaging
  • Automated patient notifications
  • Role-based access and permission controls
  • Seamless mobile and desktop access

Organizations can also white-label BridgeInteract or integrate its components into a custom-built solution.

Comparing Generic vs. Custom Messaging Solutions

Generic Tools vs. Custom Healthcare Messaging

  Feature                      | Generic Tools   | Custom Healthcare Messaging
  -----------------------------|-----------------|----------------------------
  HIPAA-Compliant              | Not guaranteed  | Built for compliance
  Data Encryption              | Varies          | End-to-end encryption
  Access Control & RBAC        | Limited         | Fully configurable
  Audit Logging                | Often missing   | Comprehensive logs
  Integration with EHR/Portals | Difficult       | Seamless integration
  Consent Management           | Manual/none     | Built-in workflows

Get a Custom Secure Messaging Solution

Ready to stop relying on tools that weren’t built for healthcare? Whether you’re developing a new patient portal, mobile app, website, or companion app for a medical device, Medical Web Experts can build a secure, HIPAA-compliant messaging solution tailored to your needs.

Contact us today to schedule a free consultation and see how we can help you protect your data, empower your users, and stay compliant in 2025 and beyond.

Resources:

  1. U.S. Department of Health and Human Services, Office for Civil Rights. (2024) Security Rule, HIPAA for Professionals, HHS.gov. Available at: Link. (Accessed: 20 June 2025).
  2. American Medical Association. (2025) HIPAA Violations and Enforcement. Available at: Link. (Accessed: 26 June 2025).
  3. Healthcare Information and Management Systems Society. (2025) 2024 HIMSS Healthcare Cybersecurity Survey. Available at: Link. (Accessed: 20 June 2025).
  4. Alder, S. (2025) The Biggest Healthcare Data Breaches of 2024. The HIPAA Journal. Available at: Link. (Accessed: 20 June 2025).
  5. U.S. Department of Health and Human Services, Office for Civil Rights. (2025) HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information. Federal Register, 6 January. Available at: Link. (Accessed: 20 June 2025).
  6. BridgeInteract. (2024) Is WhatsApp a HIPAA-Compliant Telemedicine Software? Available at: Link. (Accessed: 20 June 2025).
  7. BridgeInteract. (2024) Is Apple FaceTime a HIPAA-Compliant Telehealth Software Platform? Available at: Link. (Accessed: 20 June 2025).

Pablo Bullian

Pablo, our Chief Information Security Officer, architected and manages Medical Web Experts’ HIPAA-compliant hosting infrastructure. He is a Certified Information Systems Security Professional (CISSP), Amazon Web Services (AWS) Certified Solutions Architect, and Cisco Certified Network Associate (CCNA). Pablo has an M.S. in Cybersecurity from the University of Buenos Aires and is passionate about all things related to cybersecurity and cloud hosting.