
Do I need an email portal to be HIPAA compliant?


A common misconception about HIPAA compliance is around the concept of email portals. Some people believe the only way to have HIPAA compliant email is to utilize email portals.

This post will explain what email portals are, how they came about, and why they are not required for HIPAA compliant email.

Email Portals

The method of forcing users to view secure email via a browser is known as an email portal.

As a practical matter, the user experience for recipients of email portals is at best cumbersome, at worst awful.

For example, here's the actual workflow being used by Microsoft 365 for its encrypted email solution, Microsoft Purview Message Encryption.


Email Portals - Step 1

Microsoft Purview Message Encryption portal showing protected message notification and Read the message button

In this step, the recipient gets an email asking them to click on the link, Read the message.


Email Portals - Step 2

Microsoft Purview Message Encryption portal asking recipient to sign in with one-time passcode

The link opens a page in the browser over an encrypted HTTPS connection. The user now needs to click another link, Sign in with a One-time passcode.


Email Portals - Step 3

One-time passcode entry form with input field and continue button

After requesting a one-time passcode, the user is sent to another webpage, which asks them to check their email, copy the code that was sent to them, and enter it here.


Email Portals - Step 4

Microsoft Office 365 email containing a one-time passcode for message encryption

This is the email that gets sent with the one-time passcode. Can you imagine doing all of this on a smartphone?


Email Portals - Step 5

One-time passcode entry screen with continue button and private computer checkbox

Now that the user has pasted the passcode into the text box, the next step is clicking Continue.


Email Portals - Step 6

Screenshot of encrypted email showing sender details, encryption notice, and PDF attachments

After six steps and in this case 77 seconds, the recipient can finally read the secure email.

Ouch. A painful experience.


How Email Portals came about

Email portals came about because the protocol governing email, Simple Mail Transfer Protocol, was not built with security and encryption as a top priority.

Instead, the top priority of SMTP is message delivery. If the sender's mail system offers TLS encryption, yet the recipient's mail system is not set up to accept an encrypted connection, the connection automatically downgrades to no encryption. In other words, the message is sent in cleartext across the internet, even though the sender intended for it to be encrypted in transit.

In slightly technical terms, this process is known as opportunistic encryption.
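To make the downgrade concrete, here is an added illustration (not code from the original post or from Paubox) of the decision a sending mail server makes once the recipient's server answers EHLO. If STARTTLS is advertised, the session is upgraded to TLS before the message is sent; if it is not, an opportunistic sender delivers anyway in cleartext, while a sender configured to require TLS defers the message instead. The EHLO replies, hostnames and function names are constructed for this example; nothing is sent over the network.

```python
"""Why "opportunistic" SMTP encryption can silently fall back to cleartext.

Added illustration, not code from the original post or from Paubox. It models
the decision a sending mail server makes after the recipient's server answers
EHLO. The EHLO replies below are constructed samples; no network is used.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DeliveryDecision:
    delivered: bool   # did the sender hand the message over?
    encrypted: bool   # was the SMTP session upgraded to TLS first?
    reason: str


def parse_ehlo_extensions(ehlo_reply: str) -> set[str]:
    """Return the SMTP extension keywords advertised in an EHLO reply.

    A multi-line EHLO reply uses "250-KEYWORD [params]" on every line except
    the last, which uses "250 KEYWORD". The first line carries the server's
    hostname and greeting rather than an extension, so it is skipped.
    """
    lines = [ln.strip() for ln in ehlo_reply.splitlines() if ln.strip()]
    extensions: set[str] = set()
    for line in lines[1:]:
        if not line.startswith("250"):
            continue               # not part of a successful EHLO reply
        words = line[4:].split()   # drop the "250-" / "250 " prefix
        if words:
            extensions.add(words[0].upper())
    return extensions


def decide_delivery(ehlo_reply: str, require_tls: bool) -> DeliveryDecision:
    """Decide how a sender treats the message given the recipient's EHLO reply.

    require_tls=False is opportunistic encryption, the SMTP default the post
    describes: TLS when offered, cleartext otherwise. require_tls=True is the
    hardened policy: never send without TLS.
    """
    if "STARTTLS" in parse_ehlo_extensions(ehlo_reply):
        return DeliveryDecision(
            True, True, "recipient advertises STARTTLS; session upgraded to TLS")
    if require_tls:
        return DeliveryDecision(
            False, False, "no STARTTLS and TLS is mandatory; message deferred, not sent")
    return DeliveryDecision(
        True, False, "no STARTTLS; opportunistic mode sends the message in cleartext")


# Constructed sample replies (hostnames are placeholders, not real servers).
EHLO_WITH_STARTTLS = """250-mail.example.test Hello sender.example.test
250-SIZE 52428800
250-STARTTLS
250-8BITMIME
250 SMTPUTF8"""

EHLO_WITHOUT_STARTTLS = """250-legacy.example.test Hello sender.example.test
250-SIZE 10485760
250 8BITMIME"""


if __name__ == "__main__":
    for name, reply in (("modern recipient", EHLO_WITH_STARTTLS),
                        ("legacy recipient", EHLO_WITHOUT_STARTTLS)):
        for require_tls in (False, True):
            d = decide_delivery(reply, require_tls)
            mode = "mandatory TLS" if require_tls else "opportunistic"
            print(f"{name:17s} {mode:14s} delivered={d.delivered} "
                  f"encrypted={d.encrypted}: {d.reason}")
```

The "legacy recipient" row with opportunistic policy is the case the post describes: the message is delivered, but in cleartext, and the sender is not told anything went wrong. Real mail servers expose the choice between the two policies as a configuration setting (for instance Postfix's smtp_tls_security_level, where "encrypt" is the mandatory mode), which is the control a defender would audit before relying on transport encryption for ePHI.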

As a workaround, companies like Microsoft decided long ago to design a secure email system that instead redirected users to an encrypted browser connection using HTTPS encryption.

In a browser like Chrome or Firefox, a URL starting with http:// is loaded without encryption, while one starting with https:// is loaded over an encrypted connection.

It's easy to configure an email portal to always use HTTPS. This ensures encryption is always used to view the contents of an email, regardless of the recipient's mail system. In this regard, it's an effective method of maintaining encryption and HIPAA compliance.

The question, however, is whether email portals are the only way to achieve HIPAA compliance for email.

Do you need an email portal to be HIPAA compliant?

In a nutshell, the answer is no.

Here's why you don't need email portals to be HIPAA compliant:

  1. HIPAA regulations do not specifically state email portals are the only acceptable means of achieving HIPAA compliant email. Specifically, the U.S. Department of Health and Human Services states, "The Security Rule allows for e-PHI to be sent over an electronic open network as long as it is adequately protected."
  2. There are other ways to send HIPAA compliant email. Our patented method for sending HIPAA compliant email, for example, removes the need for email portals while maintaining compliance.
