What is HIPAA Compliant Email Encryption?

An email encryption service is a crucial tool for safeguarding the confidentiality of email content and preventing unauthorized access to sensitive information. Entities covered by HIPAA, and their business associates, who transmit electronic protected health information (ePHI) beyond their organization must adopt robust HIPAA email encryption procedures. Doing so helps organizations meet HIPAA email compliance standards and maintain the privacy of confidential data.

Implementing HIPAA Compliant Email Encryption

Healthcare providers frequently transmit email containing sensitive patient information, such as Social Security numbers and biometric identifiers. Unencrypted email messages can be viewed, accidentally or otherwise, by healthcare staff or outsiders who are not authorized to see them.

Before a covered entity or business associate transmits ePHI through email, it should develop a HIPAA email encryption policy. HIPAA email encryption is necessary for organizations seeking to implement complete HIPAA email compliance. Once the email service is HIPAA compliant, a healthcare provider can send ePHI to patients, other healthcare organizations, and health insurance plans.

How Should Email Be Encrypted Under HIPAA?

The most secure type of HIPAA compliant email encryption is end-to-end encryption. If an organization cannot implement this encryption on its own, the organization should hire a third-party HIPAA compliant email service provider to provide the encryption.


What is End-to-End Encryption?

End-to-end encryption is a means of transferring data such that only the sender and intended recipient can read email messages. With end-to-end encryption, the data is encrypted on the sender’s system. This allows only the intended recipient to decrypt and read the message. No one “in between” is able to read the message, destroy it, or otherwise tamper with it. 

To understand how end-to-end email encryption works, it is helpful to understand what does not constitute end-to-end encryption.  

Since the early days of the internet, a protocol known as SSL (Secure Sockets Layer) has been used to encrypt data in transit between a user’s computer and a server, including the web server of a webmail service. Whether SSL (or its successor, TLS) is in use can be seen from the beginning of a URL: if the address starts with “https” rather than “http,” the connection to that web server is encrypted. An address beginning with “http” means the data is not encrypted in transit at all.

Over time, the SSL protocol has been updated. The latest iteration of the protocol is known as TLS, or Transport Layer Security. Together, SSL and TLS form a continuously updated protocol series, typically referred to by the combined acronym “SSL/TLS.” Note that every version of SSL itself is now deprecated; modern systems negotiate only TLS, even though the combined name persists.

With SSL/TLS, data is encrypted only between a user’s device and the email server. The email server (e.g., Gmail) holds the keys that decrypt the data, so the encryption terminates at the server: whoever controls the server can read the message before it is passed on to the intended recipient. The same is true of every mail server the message passes through on its way to the recipient.

With end-to-end encryption there is no intermediary (such as the service operator) that can read the message. End-to-end encryption requires both the sender and the intended recipient to have a pair of cryptographic keys, consisting of a private key and a public key.

The process of end-to-end encryption works as follows:

  • The sender begins the process by encrypting the message locally on their device, using the public key of the recipient
  • The recipient receives the message on their device
  • The recipient then decrypts the message using their private key
  • The recipient then reads the message

Through this process, all encryption and decryption take place on the users’ devices. Therefore, there is no opportunity for an intermediary to read user data. 

End-to-end encryption therefore protects the privacy of email messages. It can be combined with “digital signing,” a method of verifying that the sender is who they claim to be; a valid signature also shows that the message was not tampered with in transit.

Training Staff on HIPAA Compliant Email Usage

The administrative safeguards of the HIPAA Security Rule include a training requirement. Organizations should provide all staff, including management, with training on basic encryption principles and the proper use and transmission of emails containing ePHI. This might sound obvious, but not all healthcare providers do it. Several data breaches in the past several years have been caused by healthcare staff errors, including the accidental transmission of ePHI without encryption.

To further improve staff awareness of proper email usage, organizations should also provide phishing training. Phishing training is designed to improve how employees respond to phishing attacks. Using tutorials and tests, it aims to help employees better spot phishing emails and know how to respond to these threats.

During any kind of training, staff members should be encouraged to ask questions and voice any concerns they may have. Refresher training should also occur to inform employees about new threats and reinforce the training previously provided.

Third-Party HIPAA Compliant Email Service Providers

Many HIPAA covered entities, especially smaller healthcare providers, do not have in-house IT staff to implement end-to-end encryption or to otherwise ensure their email is HIPAA compliant. These entities should hire a HIPAA compliant email service provider that offers end-to-end encryption. 

Such providers should:

  • Be willing to sign a business associate agreement. A business associate agreement outlines the responsibilities of the email service provider and establishes that the business associate will implement required administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI
  • Provide attentive and responsive customer service
  • Encrypt every email, even emails not containing PHI or ePHI
  • Offer an encryption service that seamlessly integrates with any device, browser, and email provider

Recommendations for HIPAA Compliant Email Service Providers

Paubox offers an integrated HIPAA compliant email encryption service that encrypts all outbound emails and delivers them directly to patients’ inboxes without requiring them to enter a password or use a portal or third-party app to open them. Healthcare providers do not have to change their email service provider, as Paubox integrates with Microsoft 365, Google Workspace, and Microsoft Exchange. 

In addition to offering a HIPAA compliant email solution, Paubox also offers HIPAA compliant voicemail transcription services for practices and business associates. This HIPAA compliant voicemail service delivers voicemails in transcribed and audio formats to designated email addresses. Compliancy Group lists Paubox as one of our Endorsed Service Providers because of its commitment to supporting and maintaining complete HIPAA compliance. 
