FREE GRC Workshop

LEARN MORE

Recommended Event: Convene: Boston | Cybersecurity & Human Risk Conference Aug 13 - 14, 2026

HIPAA’s Security Rule is changing. What does it mean for your email?

Solution Category Email Security
Type Webinar
Organization Paubox

Webinar Description

Key Takeaways

  • The proposed HIPAA Security Rule update shifts compliance requirements from policy documentation to demonstrable proof of encryption
  • Healthcare organisations must now show that encryption was applied to every email containing protected health information
  • Small practices and organisations without dedicated compliance staff face particular challenges under the new requirements
  • The webinar features HIPAA educators and a healthcare attorney discussing practical implementation strategies
  • Eligible for one self-reported continuing professional education credit

Proposed HIPAA Security Rule Changes and Email Compliance

Healthcare organisations relying on written encryption policies to satisfy HIPAA requirements may soon find themselves out of compliance. A proposed update to the HIPAA Security Rule fundamentally changes how regulators assess whether covered entities and business associates adequately protect electronic protected health information transmitted via email. This webinar, scheduled for July 2026, brings together HIPAA educators and legal experts to explain the regulatory shift and outline practical steps for organisations of all sizes.

The session is designed specifically for healthcare professionals working in small practices or lean operational environments where dedicated compliance personnel are unavailable. With enforcement expectations evolving, understanding the distinction between having a policy and proving its implementation has become essential for anyone handling patient data.

About This Event

Paubox is hosting this educational webinar featuring moderator Dawn Halpin alongside Alex Bargar of TeachMeHIPAA and healthcare attorney Ash Roozbehani. Both guest speakers work professionally in HIPAA education and legal compliance, bringing practical experience to what the organisers describe as a jargon-free discussion of the proposed regulatory changes.

The session includes dedicated time for live questions, allowing attendees to address specific concerns about their compliance posture. Participants who complete the full webinar receive a certificate of attendance that may be submitted as supporting documentation for one self-reported continuing professional education credit with applicable certifying bodies.

From Policy Documentation to Demonstrable Proof

The core regulatory shift addressed in this webinar concerns how compliance is measured and verified. Under longstanding interpretations of the HIPAA Security Rule, covered entities could satisfy encryption requirements by maintaining documented policies stating that encryption would be applied to electronic protected health information. The proposed rule changes this standard significantly.

Rather than accepting policy documentation as sufficient evidence of compliance, the updated framework requires organisations to demonstrate that encryption was actually applied to every email containing protected health information. This moves the compliance burden from administrative documentation to technical verification, requiring organisations to maintain evidence that security controls functioned as intended for each transmission.

For organisations with mature compliance programmes and dedicated information security staff, this shift may require process adjustments but remains manageable. However, the change presents substantial challenges for smaller healthcare providers who have historically relied on policy-based compliance approaches without robust technical monitoring capabilities.

Implications for Small Practices and Resource-Constrained Teams

Small medical practices, independent healthcare providers, and organisations operating without dedicated compliance officers face a particularly difficult transition under the proposed requirements. These entities often lack the technical infrastructure to automatically verify and log encryption status for every outbound email, and they may not have staff with the expertise to implement such systems.

The webinar specifically addresses this audience, acknowledging that decoding regulatory changes without compliance expertise is challenging. The speakers intend to provide actionable guidance that can be implemented even without dedicated IT staff or significant budget allocation, recognising the operational realities facing many healthcare organisations.

This practical focus reflects a broader challenge in healthcare compliance: regulatory requirements developed with large health systems in mind must ultimately be implemented across a sector that includes numerous small and medium-sized organisations with limited resources.

Discussion Topics

The webinar agenda covers four primary areas relevant to organisations assessing their compliance posture under the proposed rule. Speakers will explain the specific changes to the Security Rule, clarifying what the updated requirements mean in practical terms. The discussion will address why policy-based compliance approaches no longer meet the regulatory standard, helping attendees understand the evidentiary requirements they must now satisfy.

Particular attention will be given to the challenges facing organisations without compliance teams, acknowledging that many healthcare providers must navigate these requirements without specialised support. The session concludes with guidance on initial practical steps that organisations can take regardless of their current resource constraints.

Who Should Attend

This webinar is relevant for healthcare professionals responsible for HIPAA compliance, particularly those working in environments without dedicated compliance or information technology staff. Practice managers, office administrators, and healthcare providers who handle protected health information via email will benefit from understanding how the proposed changes affect their operations.

Compliance officers and healthcare attorneys seeking a clear explanation of the proposed rule changes may also find value in the discussion, particularly given the legal and educational expertise of the speakers. The continuing professional education eligibility makes the session suitable for professionals maintaining certifications that require documented learning activities.

Preparing for Evolving Compliance Standards

The proposed HIPAA Security Rule update reflects a broader trend in regulatory enforcement toward requiring demonstrable evidence of security control implementation rather than accepting policy documentation alone. Healthcare organisations that begin assessing their email encryption verification capabilities now will be better positioned to adapt when final rules take effect. This webinar offers an accessible starting point for understanding the changes and identifying practical next steps.