Email is how ePHI leaks, and authentication is the safeguard most covered entities overlook.
HIPAA and email authentication. For covered entities and business associates that handle electronic protected health information.
the transmission-security standard that has governed ePHI in transit since 2005.
01
What the Security Rule requires
The HIPAA Security Rule requires covered entities and their business associates to protect electronic protected health information. Its Transmission Security standard, 45 CFR 164.312(e), requires technical measures to guard against unauthorized access to ePHI moving across a network, including integrity controls that ensure messages are not improperly altered in transit.
The Rule is deliberately technology-neutral: it names no products and no protocols. It states the outcome, protect the authenticity and integrity of ePHI in transit, and expects you to choose reasonable, appropriate safeguards. Email, the channel most ePHI actually moves through, is squarely within its scope.
02
Where email authentication fits
Phishing and email spoofing are among the most common routes to a healthcare breach, both to steal credentials and to deceive staff and patients. Impersonating a provider's own domain is a direct path to fraud and to unauthorized disclosure of ePHI. DMARC, SPF and DKIM are the recognized controls that stop a domain being spoofed and let recipients verify a message genuinely came from you.
They serve the Transmission Security standard's intent, protecting the authenticity and integrity of what is sent, and the Rule's broader expectation of a reasonable safeguard against known threats. After a breach, an Office for Civil Rights investigation asks what safeguards were in place. Demonstrable email authentication is a straightforward one to be able to show.
03
Where monitoring stops short
A DMARC policy at p=none documents intent but does not protect ePHI: a spoofed message in the entity's name still reaches its target. As a safeguard against the impersonation that drives healthcare breaches, monitoring alone does not meet the Rule's expectation that a measure actually guards against the threat. Advancing to p=quarantine and then p=reject makes the safeguard operative, and Authex runs a covered entity's domain to enforcement and holds it there.
New to the distinction? Monitoring vs enforcement, the full breakdown.
04
Common questions
Does HIPAA require DMARC?
Not by name. The HIPAA Security Rule is technology-neutral and does not name DMARC or any specific protocol. It requires covered entities to guard ePHI in transit, at 45 CFR 164.312(e), and to apply reasonable safeguards against known threats. DMARC, SPF and DKIM are recognized controls for authenticating email and preventing domain spoofing, so they are a sensible and defensible way to meet those obligations for the email channel.
How does email authentication protect ePHI?
By stopping your domain being impersonated. Phishing and spoofed email are leading routes to healthcare breaches, both to harvest credentials and to trick staff or patients. DMARC at enforcement means a message that claims to come from your domain but fails authentication is quarantined or rejected before it lands, protecting the authenticity of what reaches inboxes and closing a common path to unauthorized ePHI access.
Is the HIPAA Security Rule changing?
A change is proposed, not yet final. In January 2025 the HHS Office for Civil Rights published a Notice of Proposed Rulemaking that would strengthen the Security Rule, including making many currently addressable implementation specifications mandatory. It is a proposal under review rather than law, but the direction is clear: technical safeguards that are optional in practice today are likely to become expected. Email authentication is a low-cost one to have in place ahead of it.
Meet the requirement, and actually be protected.
Scan your domain to see where it stands today, then let Authex take it to enforcement and keep it there.