Yes, unencrypted email is a security risk, and its use is governed by the transmission security standard of the HIPAA Security Rule. Although this safeguard is addressable, requiring the use of encrypted email is almost always reasonable and appropriate. The transmission of ePHI via email should not be allowed unless the email, or any attachments to an email containing ePHI, are encrypted (noting the exception above).