
HIPAA Email Authentication Readiness

HHS published the first substantive Security Rule update since 2013 in December 2024. Check your domain against §164.312 Technical Safeguards — the email-auth controls covered entities and business associates need before the 2026 audit cohort lands.

Why this matters now

In December 2024, HHS issued a Notice of Proposed Rulemaking (RIN 0945-AA22) modernising the HIPAA Security Rule — the first substantive update since 2013. The final rule, expected in 2026, tightens several previously "addressable" controls into "required" and explicitly names email-borne phishing as a recognised security risk.

The numbers behind the rulemaking are sobering. Paubox's 2025 analysis of HHS breach reports found that 74% of breached healthcare domains had ineffective DMARC policies — either p=none or no policy at all. Email-auth is the cheapest control a covered entity or business associate can ship before the OCR audit cohort lands.

§164.312 Technical Safeguards cross-walk

HIPAA Security Rule §164.312 lists five Technical Safeguards. Four of them map directly to DNS-borne email-auth controls — MTA-STS for in-transit encryption, TLS-RPT for transport telemetry, DANE for cryptographic chain integrity, and DMARC for sender authentication.

| Safeguard        | Wording                          | Email-auth control                                   |
|------------------|----------------------------------|------------------------------------------------------|
| §164.312(d)      | Person or Entity Authentication  | DMARC + SPF (sender authentication)                  |
| §164.312(e)(1)   | Transmission Security            | MTA-STS enforce (TLS in transit)                     |
| §164.312(b)      | Audit Controls                   | TLS-RPT (transport telemetry for audit log)          |
| §164.312(c)(1)   | Integrity                        | DNSSEC (identity-record integrity)                   |
| §164.312(a)(1)   | Access Control                   | Out of scope for DNS — covered by access management  |
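
The cross-walk above can be turned into a repeatable check. The script below is an added example, not DMARCguard's own code: it takes DNS record text that has already been fetched (the sample records for `example-clinic.test` are constructed for illustration, as is the `DnsEvidence` structure) and grades each of the four DNS-borne safeguards. A DMARC policy of `p=none` or no record at all is treated as ineffective, the same criterion the Paubox figure above uses; MTA-STS counts only in `enforce` mode, since `testing` provides no transport protection.

```python
"""Offline grader for the §164.312 email-auth cross-walk (added example).

Every record here is passed in as text; nothing is queried. The sample
values are constructed and do not describe a real domain.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class DnsEvidence:
    """Hypothetical container for records fetched elsewhere (e.g. with dig)."""
    dmarc_txt: Optional[str]       # TXT at _dmarc.<domain>
    spf_txt: Optional[str]         # TXT at <domain> beginning v=spf1
    mta_sts_txt: Optional[str]     # TXT at _mta-sts.<domain>
    mta_sts_policy: Optional[str]  # body of https://mta-sts.<domain>/.well-known/mta-sts.txt
    tlsrpt_txt: Optional[str]      # TXT at _smtp._tls.<domain>
    dnssec_validated: bool         # resolver returned AD / DS chain present for the zone


def _tags(txt: str) -> dict:
    """Parse 'k=v; k2=v2' tag lists (DMARC, MTA-STS and TLS-RPT records share this form)."""
    out = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip().lower()] = v.strip()
    return out


def _policy_lines(body: str) -> dict:
    """Parse the MTA-STS policy file ('key: value' per line; repeated mx lines collapse)."""
    out = {}
    for line in body.splitlines():
        if ":" in line:
            k, v = line.split(":", 1)
            out[k.strip().lower()] = v.strip()
    return out


def assess(ev: DnsEvidence) -> dict:
    """Return a pass/fail finding per safeguard plus an overall 'ready' flag."""
    findings = {}

    # §164.312(d) Person or Entity Authentication: DMARC at enforcement plus a
    # terminating SPF record. p=none or a missing record is the "ineffective" case.
    dmarc = _tags(ev.dmarc_txt) if ev.dmarc_txt else {}
    dmarc_policy = dmarc.get("p", "").lower()
    dmarc_ok = dmarc.get("v") == "DMARC1" and dmarc_policy in ("quarantine", "reject")
    spf = (ev.spf_txt or "").strip()
    spf_ok = spf.lower().startswith("v=spf1") and spf.endswith(("-all", "~all"))
    findings["164.312(d)"] = {"pass": dmarc_ok and spf_ok,
                              "dmarc_policy": dmarc_policy or "none"}

    # §164.312(e)(1) Transmission Security: MTA-STS TXT present and policy in enforce mode.
    sts = _tags(ev.mta_sts_txt) if ev.mta_sts_txt else {}
    pol = _policy_lines(ev.mta_sts_policy) if ev.mta_sts_policy else {}
    sts_ok = (sts.get("v") == "STSv1" and pol.get("version") == "STSv1"
              and pol.get("mode") == "enforce")
    findings["164.312(e)(1)"] = {"pass": sts_ok, "mode": pol.get("mode", "absent")}

    # §164.312(b) Audit Controls: TLS-RPT record with a reporting address.
    rpt = _tags(ev.tlsrpt_txt) if ev.tlsrpt_txt else {}
    findings["164.312(b)"] = {"pass": rpt.get("v") == "TLSRPTv1" and bool(rpt.get("rua"))}

    # §164.312(c)(1) Integrity: the identity records themselves are DNSSEC-validated.
    findings["164.312(c)(1)"] = {"pass": ev.dnssec_validated}

    ready = all(f["pass"] for f in findings.values())
    findings["ready"] = ready
    return findings


# Constructed sample: DMARC already at reject, but MTA-STS still in testing mode.
SAMPLE = DnsEvidence(
    dmarc_txt="v=DMARC1; p=reject; rua=mailto:dmarc-agg@example-clinic.test",
    spf_txt="v=spf1 include:_spf.ehr-vendor.test -all",
    mta_sts_txt="v=STSv1; id=20250101T000000",
    mta_sts_policy="version: STSv1\nmode: testing\nmx: mail.example-clinic.test\nmax_age: 604800\n",
    tlsrpt_txt="v=TLSRPTv1; rua=mailto:tlsrpt@example-clinic.test",
    dnssec_validated=True,
)

if __name__ == "__main__":
    for safeguard, finding in assess(SAMPLE).items():
        print(f"{safeguard:16} {finding}")
```

Feed it the records for every domain in scope (not just the production EHR domain) and the `ready` flag gives a quick first pass; the per-safeguard entries tell you which cross-walk row still needs work.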

Scope — covered entities and business associates

The Security Rule applies to covered entities (health plans, health-care clearinghouses, most health-care providers) and to business associates that handle PHI on a covered entity's behalf. The email-auth controls above apply to every domain on which the entity or associate sends or receives PHI — typically wider than the production EHR domain alone.

What this tool covers

DNS-borne controls only. DKIM cannot be verified from DNS without the selector — use the DKIM Checker with the selector your EHR or transactional ESP uses. Encryption at rest (§164.312(a)(2)(iv)) is out of scope for any DNS-based check and lives in your storage and backup configuration.

Business-associate due diligence

The covered entity is on the hook for the email-auth posture of every business associate that sends mail on its behalf. If your EHR vendor or your billing-statement ESP cannot demonstrate DMARC at enforcement, that is a §164.308(b) gap on your audit. Use the DMARC Report Analyzer on your aggregate (rua) reports to confirm every business associate aligns the messages they send on your behalf.
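
The aggregate (rua) review described above can be scripted. This is an added example rather than the DMARC Report Analyzer's code: it parses the XML shape defined in RFC 7489 Appendix C, totals messages per source IP, and lists the sources that send as the domain but fail aligned DKIM and SPF. The embedded report is constructed; the IPs, domains and selector in it are illustrative only.

```python
"""Per-source alignment summary of a DMARC aggregate report (added example)."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample rua report: an EHR vendor that aligns and a billing ESP that does not.
SAMPLE_RUA = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>receiver.test</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1735689600</begin><end>1735775999</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example-clinic.test</domain>
    <adkim>r</adkim><aspf>r</aspf><p>reject</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip>
      <count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example-clinic.test</header_from></identifiers>
    <auth_results>
      <dkim><domain>example-clinic.test</domain><result>pass</result><selector>ehr</selector></dkim>
      <spf><domain>example-clinic.test</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip>
      <count>35</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example-clinic.test</header_from></identifiers>
    <auth_results>
      <dkim><domain>billing-esp.test</domain><result>pass</result><selector>esp1</selector></dkim>
      <spf><domain>bounce.billing-esp.test</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarise_rua(xml_text: str) -> dict:
    """Total messages per source IP and record whether they passed aligned DMARC."""
    root = ET.fromstring(xml_text)
    published = root.find("policy_published")
    sources = defaultdict(lambda: {"messages": 0, "aligned": 0, "unaligned": 0,
                                   "dispositions": set(), "auth_domains": set()})
    for rec in root.iter("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        # policy_evaluated already reflects alignment with header_from, so DMARC
        # passes when either the DKIM or the SPF verdict there is "pass".
        aligned = evaluated.findtext("dkim") == "pass" or evaluated.findtext("spf") == "pass"
        src = sources[ip]
        src["messages"] += count
        src["aligned" if aligned else "unaligned"] += count
        src["dispositions"].add(evaluated.findtext("disposition"))
        # The raw auth domains reveal which vendor signed or sent, even when unaligned.
        for node in rec.iter("dkim"):
            if node.findtext("domain"):
                src["auth_domains"].add(node.findtext("domain"))
        for node in rec.iter("spf"):
            if node.findtext("domain"):
                src["auth_domains"].add(node.findtext("domain"))
    return {"domain": published.findtext("domain"),
            "policy": published.findtext("p"),
            "sources": dict(sources)}


def unaligned_sources(summary: dict, min_messages: int = 1) -> list:
    """Sources that sent as the domain without alignment: follow up with that business associate."""
    return sorted(ip for ip, s in summary["sources"].items() if s["unaligned"] >= min_messages)


if __name__ == "__main__":
    summary = summarise_rua(SAMPLE_RUA)
    print(f"{summary['domain']} published p={summary['policy']}")
    for ip in unaligned_sources(summary):
        s = summary["sources"][ip]
        print(f"{ip}: {s['unaligned']} unaligned messages, auth domains {sorted(s['auth_domains'])}")
```

In the constructed report the billing ESP passes DKIM and SPF for its own domains but neither aligns with the `header_from`, which is exactly the gap the paragraph above describes: the vendor authenticates, just not as you.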

Outside this tool's scope

The Security Rule covers far more than email-auth. §164.308 (Administrative Safeguards), §164.310 (Physical Safeguards), and the access-control and emergency-access sub-requirements of §164.312 all need their own evidence. Use this scorecard as the email-auth portion of a HIPAA assessment, not as the assessment itself.

Get the full picture with DMARCguard

Continuous monitoring, aggregate report parsing, and actionable insights for all your email authentication protocols.

Start Free