The setup that defeats itself

The logic behind encrypted email portals is straightforward: send a protected message, the recipient gets a notification, they log into a secure portal to read it. PHI never travels unencrypted. HIPAA satisfied.

The problem is what actually happens in a working clinic. A physician sends a referral to a specialist. The specialist's front desk gets a portal notification, ignores it, and calls back asking for the information directly. The physician's staff resend via regular email to get the workflow moving. The original message sat encrypted and unread in the portal. The PHI ended up in a standard inbox anyway.

This is not a hypothetical. It is the dominant failure pattern in healthcare email security right now.

What the data shows

Paubox's Healthcare Email Security Maturity Index 2026 surveyed 170 U.S. healthcare IT leaders and scored organizations across eight dimensions of email security. Encryption and recipient experience scored 2.39 out of 4 -- the lowest of any category in the benchmark.

The specific numbers:

  • 48% of healthcare organizations always require encrypted email recipients to log into a portal to read the message
  • Among those organizations, more than 1 in 3 clinical staff bypass the encrypted workflow entirely
  • 40% of those organizations report that when the portal creates friction, senders revert to unsecured channels
  • 43% report that recipients frequently never log in at all -- which triggers the reversion to regular email

The sequence: recipient doesn't open the portal notification, sender resends through regular email to get a response, the PHI travels unencrypted. The encryption system produced the exact exposure it was designed to prevent.

Why clinical staff bypass it

Clinicians are not being careless. They are moving through a day that involves constant communication with patients, primary care physicians, specialists, labs, and insurers. When any step in that workflow adds friction, they find a path around it. That is what competent professionals in high-volume environments do.

The portal model asks the recipient -- who has no stake in your compliance posture -- to create an account, remember a password, and log in to read a single message. It asks this of every external contact who receives protected communications from your practice. Most of them will not do it consistently.

Healthcare organizations describe the same pattern in their own words. A behavioral health council: "We use a SECURE tag in the subject line to encrypt, but we're unsure if that method is actually sufficient." A county healthcare unit: "Staff move too quickly and forget to encrypt emails to outside parties." A municipal health operation: "Encrypting emails requires the receiver to log on and get a one-time password. People find it cumbersome."

These are not policy failures. They are friction failures. The tool is too hard to use consistently, so it doesn't get used consistently.

Why this is a HIPAA problem, not just an IT problem

HIPAA's Security Rule requires covered entities to implement technical safeguards that protect the confidentiality and integrity of electronic PHI in transit. A portal-based encrypted email system satisfies that requirement -- when it is actually used. When staff route around it, the safeguard no longer exists in practice, regardless of what the policy document says.

OCR breach investigations do not stop at "we had an encryption policy." They look at whether the policy was followed and whether the technical controls actually protected the data. A practice that deployed a portal, documented the policy, and then watched 34% of clinical staff ignore the workflow is not in a meaningfully better position than a practice that never encrypted at all -- at least not for the communications that got bypassed.

There is also a subtler liability: the 40% reversion to unsecured channels is not a single event. It is a recurring pattern. Every time a recipient fails to open a portal message and a staff member resends via regular email, that is a separate potential breach. Multiply that across a busy practice and the exposure is not occasional -- it is structural.

The alternative: encryption that doesn't require the recipient to do anything

The portal friction problem exists because the encryption model puts a burden on the recipient. The recipient has to create an account, log in, and retrieve the message. Remove that burden and the bypass behavior largely disappears -- because there is nothing to bypass.

Encrypted email solutions that deliver directly to the recipient's inbox -- without a portal, without a login, without a one-time password -- eliminate the friction that drives workarounds. The message arrives like any other email. The sender's workflow is unchanged. The recipient's workflow is unchanged. The PHI traveled encrypted. No one had to remember to do anything differently.

For practices currently running a portal-based system, the question is not whether your staff know the policy. It is whether the tool is frictionless enough that following the policy is the path of least resistance. If it isn't, the data suggests about a third of your staff have already found another path.

What to assess in your current setup

If your practice uses encrypted email in any form, these are the questions worth answering honestly:

  • When a protected message goes unread in the portal, what do your staff do next? If the answer is "resend it another way," the bypass is happening.
  • Do external recipients -- referring physicians, specialists, labs -- actually use the portal consistently, or do you hear friction complaints?
  • Has anyone audited whether PHI is traveling through regular email channels after failed portal deliveries?
  • Does your BAA with your email provider cover the actual data path, including what happens when messages are resent outside the encrypted channel?
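One way to run the audit in the third question, as an added example that is not from the page or from any vendor's product: the script below assumes a constructed flat mail log (one event per line, fields `timestamp,event,sender,recipient,subject`) with three hypothetical event types, `portal_sent`, `portal_read` and `plain_sent`, and flags every encrypted message that the same sender resent in plaintext to the same recipient before that recipient ever opened the portal copy.

```python
import re
from datetime import datetime

# Constructed sample log for illustration only; addresses and subjects are made up.
SAMPLE_LOG = """\
2026-03-02T09:01:00,portal_sent,drlee@clinic.example,frontdesk@specialist.example,[SECURE] Referral - patient 4471
2026-03-02T09:05:00,portal_sent,drlee@clinic.example,billing@insurer.example,[SECURE] Claim 88213
2026-03-02T10:12:00,portal_read,drlee@clinic.example,billing@insurer.example,[SECURE] Claim 88213
2026-03-03T14:30:00,plain_sent,drlee@clinic.example,frontdesk@specialist.example,FW: Referral - patient 4471
2026-03-04T08:00:00,plain_sent,drlee@clinic.example,frontdesk@specialist.example,Lunch order
"""

# Encryption tags and reply/forward prefixes that a resend typically picks up.
PREFIX_RE = re.compile(r"^\s*(\[secure\]|re:|fw:|fwd:)\s*", re.I)


def normalize_subject(subject):
    """Strip [SECURE]/Re:/FW: prefixes (repeatedly) so a resend matches its original."""
    prev, s = None, subject.strip()
    while prev != s:
        prev, s = s, PREFIX_RE.sub("", s)
    return s.lower()


def parse_log(text):
    """Parse the assumed log format into dicts, ordered by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, sender, recipient, subject = line.split(",", 4)
        events.append({"ts": datetime.fromisoformat(ts), "event": event,
                       "sender": sender, "recipient": recipient,
                       "subject": normalize_subject(subject)})
    return sorted(events, key=lambda e: e["ts"])


def find_bypasses(events):
    """Return (portal_sent, plain_sent) pairs: same sender, recipient and subject,
    with the plaintext resend occurring before any portal_read for that message."""
    findings = []
    for i, p in enumerate(events):
        if p["event"] != "portal_sent":
            continue
        key = (p["sender"], p["recipient"], p["subject"])
        for later in events[i + 1:]:
            if (later["sender"], later["recipient"], later["subject"]) != key:
                continue
            if later["event"] == "portal_read":
                break  # recipient opened the encrypted copy; no bypass here
            if later["event"] == "plain_sent":
                findings.append((p, later))  # PHI left via the unencrypted path
                break
    return findings
```

Each finding is one resend of the kind the article describes, so the count over a month of logs is a direct measure of how much PHI is leaving through the workaround rather than the portal.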

The last question matters more than most practices realize. A BAA covers the tool. It does not cover the workaround.

The most dangerous compliance gap is the one that looks covered on paper but fails in daily practice. Portal bypass is that gap for a third of healthcare organizations currently using encrypted email.

Bottom line

Encrypted email is a HIPAA requirement, not a feature. But the method of encryption determines whether the requirement is actually being met in practice or just on paper. If your system requires recipients to take extra steps, assume a meaningful percentage of your clinical communications are not traveling through the protected channel -- regardless of what your policy says.

The benchmark data from 170 healthcare IT leaders puts that percentage at more than one in three. That is not an edge case. That is a structural problem with the portal model itself.

Not sure whether your encrypted email setup is actually working?

We review email security configuration as part of every HIPAA engagement. 15-minute call to start.


Source: Paubox Healthcare Email Security Maturity Index 2026, surveying 170 U.S. healthcare IT leaders.
