What is HIPAA Compliant Email Encryption?

HIPAA Compliant Email Encryption

Email encryption is the process of disguising email content to prevent that content from being read by someone other than an individual authorized to access that content. HIPAA covered entities, and business associates that send electronic protected health information (ePHI) outside of their organization, should implement HIPAA email encryption procedures to ensure HIPAA email compliance.

Implementing HIPAA Compliant Email Encryption

Healthcare providers frequently transmit electronic mail containing sensitive patient information, such as Social Security numbers and biometric identifiers. Unencrypted email messages can be accidentally viewed by healthcare staff or someone not authorized to view them.

Before a covered entity or business associate transmits ePHI through email, the covered entity or business associate should develop a HIPAA email encryption policy. HIPAA email encryption is necessary for organizations seeking to implement complete HIPAA email compliance. Once the email service is HIPAA compliant, a healthcare provider can send ePHI to patients, other healthcare organizations, and health insurance plans.

How Should Email Be Encrypted Under HIPAA?

The most secure type of HIPAA compliant email encryption is end-to-end encryption. If an organization cannot implement this encryption on its own, the organization should hire a third-party HIPAA compliant email service provider to provide the encryption.


What is End-to-End Encryption?

End-to-end encryption is a means of transferring data such that only the sender and intended recipient can read email messages. With end-to-end encryption, the data is encrypted on the sender’s system. This allows only the intended recipient to decrypt and read the message. No one “in between” is able to read the message, destroy it, or otherwise tamper with it. 

To understand how end-to-end email encryption works, it is helpful to understand what does not constitute end-to-end encryption.  

Since the early days of internet usage, a protocol known as SSL (Secure Sockets Layer) has been used to encrypt data transferred between a computer and an email server. For webmail, you can tell whether SSL is in use from the scheme at the start of the URL: if it reads “https” rather than “http,” the SSL protocol is being used and the connection has enhanced security; if the address reads “http,” the level of protection is lower.

Over time, the SSL protocol has been updated. The latest iteration of the protocol is known as TLS, or Transport Layer Security. Together, SSL and TLS form a continuously updated protocol series, and the protocols are typically referred to by the combined acronym “SSL/TLS.”

With the SSL/TLS protocol, data is only encrypted between a user’s device and an email server. The email server (e.g., Gmail) holds the keys that decrypt the data, so SSL/TLS encryption terminates at the server. This means that whoever controls the server can view a message before it is passed on to the intended recipient.

With end-to-end encryption, there is no “intermediary” (such as the service operator) that can read the message. End-to-end encryption requires both the sender and the intended recipient to have a pair of cryptographic keys, consisting of a private key and a public key.

The process of end-to-end encryption works as follows:

  • The sender begins the process by encrypting the message locally on their device, using the public key of the recipient
  • The recipient receives the message on their device
  • The recipient then decrypts the message using their private key
  • The recipient then reads the message

Through this process, all encryption and decryption take place on the users’ devices. Therefore, there is no opportunity for an intermediary to read user data.
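The following program is an added example, not code from the original article or from Compliancy Group, that puts the four steps above (and the contrast with server-terminated SSL/TLS) into working Go using only the standard library. It assumes the common hybrid layout used by end-to-end email tools: the body is encrypted with a one-time AES-256-GCM key, and that key is wrapped with the recipient’s RSA public key (RSA-OAEP). The names `Seal`, `Open`, `Exchange` and the sample message are constructed for this illustration. The exchange shows the intermediary, holding its own key but not the recipient’s private key, failing to decrypt, and a tampered copy being rejected by the GCM authentication tag.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SealedMessage is what actually travels through the mail server: ciphertext
// only. Nothing in it can be read without the recipient's private key.
type SealedMessage struct {
	WrappedKey []byte // one-time AES key, encrypted with RSA-OAEP to the recipient
	Nonce      []byte // AES-GCM nonce
	Body       []byte // AES-GCM ciphertext plus authentication tag
}

// Constructed sample message (not real ePHI).
var SampleMessage = []byte("Constructed sample: your appointment is confirmed for Monday 9:00")

// NewKeyPair generates an RSA key pair. The private key stays on the owner's
// device; only the public key is handed to people who want to write to them.
func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Seal is the sender's step: encrypt locally using the recipient's public key.
func Seal(recipientPub *rsa.PublicKey, plaintext []byte) (*SealedMessage, error) {
	key := make([]byte, 32) // fresh AES-256 key for this message only
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	body := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, key, nil)
	if err != nil {
		return nil, err
	}
	return &SealedMessage{WrappedKey: wrapped, Nonce: nonce, Body: body}, nil
}

// Open is the recipient's step: unwrap the message key with the private key,
// then decrypt the body. A wrong key or any modified byte produces an error.
func Open(priv *rsa.PrivateKey, msg *SealedMessage) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, msg.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap message key: %w", err)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(msg.Nonce) != gcm.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	plaintext, err := gcm.Open(nil, msg.Nonce, msg.Body, nil)
	if err != nil {
		return nil, fmt.Errorf("message rejected: %w", err)
	}
	return plaintext, nil
}

// ExchangeResult records what each party could recover from one message.
type ExchangeResult struct {
	RecipientPlaintext []byte // what the intended recipient reads
	IntermediaryErr    error  // non-nil: the server could not decrypt
	TamperErr          error  // non-nil: a modified copy was rejected
}

// Exchange runs the whole flow: sender encrypts to the recipient, the message
// passes an intermediary that holds its own key pair (like a mail server that
// owns TLS keys but not the recipient's private key), and the recipient opens it.
func Exchange(plaintext []byte) (*ExchangeResult, error) {
	recipient, err := NewKeyPair()
	if err != nil {
		return nil, err
	}
	intermediary, err := NewKeyPair()
	if err != nil {
		return nil, err
	}
	sealed, err := Seal(&recipient.PublicKey, plaintext) // step 1, on the sender's device
	if err != nil {
		return nil, err
	}
	_, interErr := Open(intermediary, sealed) // the server tries and fails
	got, err := Open(recipient, sealed)       // steps 2-4, on the recipient's device
	if err != nil {
		return nil, err
	}
	tampered := *sealed // an in-transit modification is detected, not silently accepted
	tampered.Body = append([]byte(nil), sealed.Body...)
	tampered.Body[0] ^= 0x01
	_, tamperErr := Open(recipient, &tampered)
	return &ExchangeResult{RecipientPlaintext: got, IntermediaryErr: interErr, TamperErr: tamperErr}, nil
}

func main() {
	res, err := Exchange(SampleMessage)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recipient reads: %q\n", res.RecipientPlaintext)
	fmt.Printf("intermediary:    %v\n", res.IntermediaryErr)
	fmt.Printf("tampered copy:   %v\n", res.TamperErr)
}
```

The contrast with transport-only SSL/TLS is the point of the intermediary key pair: with TLS alone, the server is the endpoint of the encryption and would hold exactly the key that decrypts the body, whereas here its own key is useless against a message sealed to the recipient.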