in reply to Re^2: [OT] E-mail security
in thread [OT] E-mail security

It should be integrated into every mail application and should just be the standard as far as I'm concerned, but others here do know a lot more than me on the subject (I'm not being flip, they really do). I PGP everything that might even look like Protected Information...

I agree with you there. I deal with HIPAA every day, not with email, but with electronic data transfers, primarily the mechanism, not file layouts (that's for someone else with more patience for such things than myself :). One of the tools we use is a product called SilverKey (it's not perfect but it's pretty decent). It creates a 448-bit encrypted exe that can be extracted with a password (like a self-extracting Zip file). We encrypt just about everything, regardless of whether it is PHI or not, and try to get our customers/vendors to do the same for incoming data. Our security folks just implemented secure email using Zixmail (don't know anything about it) that checks the content of the message and will encrypt if necessary. HIPAA can be a nightmare some days, but I personally think some of it is a good thing, and about time too :-)

Re^4: [OT] E-mail security
by mkenney (Beadle) on Sep 10, 2004 at 02:52 UTC
    PGP has the self-decrypting archive idea. When you get to the password level, the rest is just fluff from what I understand. The password becomes the weak point. Make them long and random...