Is POP HIPAA compliant?

POP is not HIPAA compliant. The base protocol (POP3, RFC 1939) sends the login and every downloaded message in clear text, and it lacks the security features relied on to protect Protected Health Information in email workflows. Some providers wrap POP3 in TLS (POP3S on port 995, or an STLS upgrade on port 110), which protects the transport, but the protocol still moves messages off the server onto local device storage without the controls described below. POP, or Post Office Protocol, is used to retrieve email from a mail server to a local device; it generally downloads messages to a single device rather than synchronizing content across multiple devices in the manner associated with IMAP.

POP is used for offline access and local storage because messages can be downloaded to a computer or phone and read without an Internet connection. In a typical POP workflow, a user authenticates to an email provider with a username and password, requests messages from the server, downloads them to a local device, and then disconnects. POP3 is the current version and can be configured to leave messages on the server rather than delete them, but read and deleted state still does not synchronize across multiple devices, and users may need to manually check for new messages.

HIPAA concerns arise when email contains Protected Health Information and the email handling method does not protect confidentiality during transit and does not support controls that reduce unauthorized access and loss. Plain POP3 (port 110 without TLS) does not encrypt the session, so the username, password, and every retrieved message travel in clear text and can be read or stolen by anyone positioned on the network path. Downloaded emails are stored locally and, by default, erased from the server, which creates data loss exposure if a device is lost, stolen, or compromised, and leaves PHI on an endpoint the organization may not control. The protocol authenticates with a username and password (the USER and PASS commands); where a provider offers a second factor or OAuth sign-in, POP clients that cannot use it typically fall back to an app-specific password, so a single secret remains the primary protection. POP is a retrieval protocol with no content inspection: it does nothing to scan or stop infected attachments, so whether malware reaches the endpoint depends entirely on the scanning the server performs before delivery.
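The workflow and the clear-text exposure described above, as an added example that is not part of the original article: a Python script runs a tiny constructed POP3 responder on the loopback interface, logs in with the standard library's poplib the way an ordinary client would, and shows the USER and PASS lines arriving readable at the server; a second, hardened client refuses to authenticate unless the server is on port 995 or advertises STLS. The responder, the account alice, the password s3cret, and the CAPA lists are constructed for the demo and stand in for a real provider.

```python
"""Plaintext POP3 on the wire, and a client check that refuses to send
credentials unless the transport is encrypted.

Added example; the in-process POP3 responder, the user "alice", the
password "s3cret" and the CAPA lists below are constructed for the demo."""
import poplib
import socket
import threading

# Constructed CAPA advertisements (RFC 2449). A server offering STLS (RFC 2595)
# can upgrade port 110 to TLS; port 995 is implicit TLS (RFC 8314).
CAPA_PLAINTEXT_ONLY = ["TOP", "USER", "UIDL"]
CAPA_WITH_STLS = ["TOP", "USER", "UIDL", "STLS"]
POP3S_PORT = 995


def transport_can_be_encrypted(port, capa):
    """True when credentials and PHI can be protected in transit: implicit TLS
    on 995, or STLS advertised so the session can be upgraded before USER/PASS."""
    return port == POP3S_PORT or any(c.upper() == "STLS" for c in capa)


class RecordingPop3Server(threading.Thread):
    """Single-connection POP3 responder (RFC 1939 USER/PASS/STAT/QUIT subset
    plus CAPA) that records every command line it receives. It never offers
    STLS, i.e. the cleartext port-110 deployment the article warns about.
    Constructed for this demo; not a real mail server."""

    def __init__(self):
        super().__init__(daemon=True)
        self.listener = socket.socket()
        self.listener.bind(("127.0.0.1", 0))   # ephemeral port, loopback only
        self.listener.listen(1)
        self.port = self.listener.getsockname()[1]
        self.received = []                      # command lines exactly as seen on the wire

    def run(self):
        conn, _ = self.listener.accept()
        rfile = conn.makefile("rb")
        conn.sendall(b"+OK demo POP3 ready\r\n")
        while True:
            raw = rfile.readline()
            if not raw:
                break
            line = raw.rstrip(b"\r\n").decode("utf-8", "replace")
            self.received.append(line)          # "PASS s3cret" arrives fully readable
            cmd = line.split(" ", 1)[0].upper()
            if cmd == "CAPA":
                conn.sendall(b"+OK\r\nTOP\r\nUSER\r\nUIDL\r\n.\r\n")  # no STLS
            elif cmd == "STAT":
                conn.sendall(b"+OK 1 120\r\n")  # one message of 120 octets
            elif cmd == "QUIT":
                conn.sendall(b"+OK bye\r\n")
                break
            else:
                conn.sendall(b"+OK\r\n")        # accept any USER/PASS
        conn.close()
        self.listener.close()


def naive_login(host, port, user, password):
    """What a typical POP client does: send USER/PASS regardless of transport."""
    client = poplib.POP3(host, port, timeout=5)
    client.user(user)
    client.pass_(password)
    count, _size = client.stat()
    client.quit()
    return count


def hardened_login(host, port, user, password):
    """Send credentials only over TLS: implicit TLS on 995, or an STLS upgrade
    first; otherwise disconnect before USER/PASS ever leaves the machine."""
    if port == POP3S_PORT:
        client = poplib.POP3_SSL(host, port, timeout=5)
    else:
        client = poplib.POP3(host, port, timeout=5)
        if not transport_can_be_encrypted(port, list(client.capa())):
            client.quit()
            raise PermissionError("server offers no TLS; refusing cleartext login")
        client.stls()                           # RFC 2595 upgrade before authenticating
    try:
        client.user(user)
        client.pass_(password)
        return client.stat()[0]
    finally:
        client.quit()


def demo():
    """Run both clients against the recording server. Returns the command lines
    each server instance saw and whether the hardened client refused."""
    plain = RecordingPop3Server()
    plain.start()
    naive_login("127.0.0.1", plain.port, "alice", "s3cret")
    plain.join(5)

    guarded = RecordingPop3Server()
    guarded.start()
    refused = False
    try:
        hardened_login("127.0.0.1", guarded.port, "alice", "s3cret")
    except PermissionError:
        refused = True
    guarded.join(5)
    return plain.received, guarded.received, refused


if __name__ == "__main__":
    seen_plain, seen_guarded, refused = demo()
    print("naive client, as seen on the wire:", seen_plain)
    print("hardened client, as seen on the wire:", seen_guarded, "refused:", refused)
```

The naive client's session reaches the server as `USER alice`, `PASS s3cret`, `STAT`, `QUIT`, which is exactly what a passive observer on the path would capture; the hardened client only ever sends `CAPA` and `QUIT` against this server. The same check applies when auditing a real provider: connect to the advertised port and confirm either 995 or an STLS capability before any client is allowed to authenticate.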

HIPAA Covered Entities and Business Associates that use email for communications containing Protected Health Information need email protections for data in transit and data at rest. Those protections include confirming that the email provider will sign a Business Associate Agreement and implementing safeguards aligned with the HIPAA Security Rule. Email encryption reduces exposure by rendering intercepted data unreadable, undecipherable, and unusable; under the HHS breach notification guidance, PHI encrypted to that standard is not "unsecured" PHI, so its theft may not be a reportable breach to the Office for Civil Rights. Organizations also need access controls, workforce training, backups, audits, risk assessments, and written email policies and procedures aligned with how email is sent, stored, and accessed.

POP itself provides no encryption and lacks the other security controls used to support HIPAA compliant email, so healthcare organizations using email that contains Protected Health Information need to avoid POP, and should confirm with their email providers which protocol and port their clients use and whether TLS is enforced on every connection.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681