Paubox blog: HIPAA compliant email made easy

Paubox vs. Hushmail: HIPAA compliant email software review

Written by Abby Grifno | August 27, 2024

Communication is a top priority for healthcare organizations, and patients need a straightforward and reliable way to receive information regarding their care. Nearly all healthcare organizations use email, but maintaining HIPAA compliance can add a layer of complexity, especially with increasing attacks and crackdowns on regulatory compliance. 

When choosing the right service, you'll want to work with an organization known for its reputation, reliability, and technology. 

That's why we're breaking down the specific benefits and drawbacks of using Paubox or Hushmail for email security. From unique features to reviews and pricing, we're here to help you make an informed decision.

 

Overview: Paubox & Hushmail

Paubox and Hushmail each offer services designed to ensure secure, easy, and efficient communication between providers and patients. 

Paubox, founded in 2015 and based in San Francisco, provides exceptional email protection and HIPAA compliance. The company is trusted by covered entities of all sizes that handle sensitive information. Paubox has a particular focus on healthcare organizations and has patented solutions to protect against cyber threats in the medical industry by automating encryption and providing antispam, phishing, and spoofing software. 

Hushmail, founded in 1999, is a communications and email service headquartered in Vancouver. Despite being based in Canada, the company provides email security for healthcare and legal businesses around the globe. Hushmail also offers email software for small businesses and personal accounts.

 

How it works 

Paubox and Hushmail offer similar products and services, but the user and recipient experience can vary slightly. In this article, we'll focus primarily on email services.

 

Paubox

The service: Paubox offers three services related to email: Paubox Email Suite, Paubox Marketing, and Email API. Every service from Paubox is built for healthcare providers to maintain HIPAA compliance with ease, affordability, and reliability. While every service is designed to support healthcare communication, this article will focus on Paubox's flagship product, Paubox Email Suite.   

Paubox offers a seamless system with robust security. Companies can integrate Paubox's email suite with existing email tools, including Google Workspace and Microsoft 365. Once integrated, every email is automatically encrypted, preventing any room for user error. Paubox runs in the background, allowing users to focus on patients rather than complex security systems. Simplicity and reliability make Paubox highly appreciated by users and recipients. 

Recipient experience: The process reduces friction and makes contact simple for email recipients like patients or clients. Unlike systems requiring additional portals or authentication like Hushmail, recipients can simply open the email as usual: no browser plugins, multi-factor authentication, passwords, or other additional steps. Click and read. At the bottom of every email is a footer assuring recipients that the email is securely encrypted. 

Users of Paubox Email Suite can also add protection against ransomware, phishing, and spoofing attacks. Paubox can also be used to filter out spam and can aid in data loss prevention.

 

Hushmail

The products: Email encryption from Hushmail allows providers to send protected health information (PHI) to individual patients. For healthcare organizations, users can either retain their current domain address or use a "hush" subdomain. 

Hushmail keeps a separate record of all emails sent and received under the domain, allowing providers to refer to previously sent information. Lastly, Hushmail does not automatically encrypt emails; instead, the sender must toggle encryption on, which can lead to human error and HIPAA violations.

Recipient experience: For recipients, the experience can differ depending on whether they have Hushmail. For the few recipients with Hushmail, like other providers within a practice, the email is automatically encrypted and will open as soon as the recipient clicks on it. 

Most recipients, who likely do not use Hushmail, will be prompted to open the email externally, a necessary component of Hushmail's encryption technology. Senders also have the option to add a security question for first-time recipients, which can ensure that sensitive information is only viewable by the intended recipient. 

When third-party email apps, like Apple Mail and Outlook, are used, emails will be automatically encrypted if the recipient is a Hushmail user but automatically unencrypted if the recipient is not. Additional configurations can be used and may require a consultation.

 

The consensus

Both Hushmail and Paubox offer quality solutions for HIPAA compliant emails. For those looking for a reliable, secure, and straightforward system, we recommend Paubox. Hushmail can be complex for senders and recipients. Human error is a leading cause of data breaches or HIPAA non-compliance. Because Hushmail leaves it to senders to opt into encryption and to choose whether to set up a security question, busy providers may be more prone to mistakes. 

For recipients, Hushmail could be challenging to learn. Healthcare organizations serve patients from all walks of life, including those who may be less tech-savvy or don't have access to a computer for additional browsers. When choosing a service, consider what will benefit patients most. 

 

HIPAA compliance

For all healthcare companies, HIPAA compliance, which goes hand-in-hand with data security, should be the highest priority. When organizations fail to be HIPAA compliant, whether through ignorance or pure accident, they could become vulnerable to cyber attacks, accidental disclosures, or penalties from the Office for Civil Rights. 

Unfortunately, healthcare organizations are more targeted than ever, with malicious actors stealing and selling or holding data for ransom. Attacks can lead to downed operations that directly impact patients, alongside legal and financial implications that can harm an organization's operating status for years following an attack. In some cases, attacks have even resulted in hospitals shutting down.

Even the most straightforward, user-friendly, and well-known service provider is unusable if it fails to be HIPAA compliant. 

Both Paubox and Hushmail offer HIPAA compliant email, but additional factors may influence an organization's decision to choose either platform.  

 

Paubox

Paubox's top priority is keeping emails secure and HIPAA compliant. Paubox has never experienced a data breach or compliance violation in its decade of serving patients and providers. 

Paubox is HITRUST Certified, a certification given to only the most secure software services, and is consistent with HITECH requirements. Of course, Paubox will sign a business associate agreement to outline its responsibilities for maintaining HIPAA compliance. 

Paubox focuses specifically on healthcare data security and has a support team that is highly knowledgeable on HIPAA requirements and best practices. Paubox also stays up-to-date on HIPAA-related news, paying close attention to cybersecurity trends and challenges. Paubox carefully follows phishing, ransomware, and hacking trends prominent in healthcare to best safeguard customers.

Perhaps most critically, Paubox encrypts all information, regardless of whether it includes PHI. A system that treats all communication as needing protection can prevent accidental disclosure or errors.  

Full security information is available online.

 

Hushmail

Hushmail also focuses on ensuring services are HIPAA compliant. Hushmail has limited information regarding its compliance policies and is not HITRUST certified. 

The organization will sign a business associate agreement for US-based customers. Hushmail also offers built-in email archiving, which could allow organizations to continue operating in the unlikely event of a data breach. 

For non-US-based customers, Hushmail will sign an Information Manager Agreement. 

Notably, Hushmail is headquartered in Vancouver, Canada, where healthcare organizations are not mandated to be HIPAA compliant. There is no direct equivalent to HIPAA in Canada, but other privacy laws exist that promote healthcare data security and privacy. 

While Hushmail is generally viewed as secure, InsecureWeb, a dark web monitoring service, determined that data may have been leaked from Hushmail in 2023. The breach allegedly exposed 236 bytes of data in the chat app Telegram. 

 

Unique features

Paubox's additional services can be used separately or in tandem to create a secure email presence. Additional services include: 

  • Paubox Marketing offers HIPAA compliant email marketing, allowing healthcare marketers to personalize emails with PHI.
  • Email API provides RESTful API and SMTP options and is easily integrated with JavaScript, Ruby, and other major programming languages. 
  • Paubox Forms are included in the email suite, allowing companies to seamlessly collect data, receive files, and more while maintaining HIPAA compliance. Users may include forms in emails for quick data collection.  
  • With Paubox Texting, covered entities can send personalized HIPAA compliant text messages, one-to-one or one-to-many. Paubox Texting can be used with Paubox Marketing for HIPAA compliant omnichannel marketing campaigns.

Hushmail email offers several unique features, including: 

  • Flexible encryption configuration allows senders to decide the level of security their email requires. Emails are encrypted between Hushmail accounts, but encryption is optional when a user emails a non-Hushmail user. Since recipients of encrypted emails must open a new, secure browser, the optionality can simplify opening emails when they do not contain PHI. 
  • Email forwarding allows emails to be automatically redirected, maintaining employee privacy and simplifying email addresses. 

Outside of email, Hushmail also offers other services like forms and electronic signatures. 

While both companies offer a variety of additional features, every feature from Paubox is built to improve provider-patient interactions that directly impact the success of every healthcare organization. 

 

Reviews

Paubox has a rating of 4.9 out of 5, with hundreds of posted reviews. Many users share that Paubox is straightforward to learn and integrates easily into a company's operating procedures. Paubox is one of the highest and most frequently rated HIPAA compliant email services, and hundreds of users have expressed satisfaction with customer support and security. 

In particular, users have shared positive experiences with the customer support team, which focuses not just on troubleshooting but also on ensuring that Paubox is used to its full potential.

Users have shared that Paubox is highly effective while maintaining affordability.

Hushmail has limited reviews available online. On technology review service G2, the company has earned a rating of 3.7 out of 5 stars but has only four reviews to date. Some reviewers include healthcare organizations, who cited some technical difficulties. Users shared that data may be lost if an individual needs a passphrase reset (a requirement to access the secure browser). Others have commented that it lacks additional features, like antivirus and antispam, that can be found in other products. Still, users are happy with the product overall, especially those claiming it has improved their email security. 

 

Pricing

While security is always a top priority, companies can't ignore their bottom line. Compared to other HIPAA compliant email services, both companies are relatively affordable, but users may have access to different features depending on the cost. 

Paubox focuses on payment transparency and allowing companies to only pay for what they need. Organizations no longer have to compromise between price and efficacy. You'll find you can have a highly effective and secure solution without making huge financial sacrifices. 

Paubox provides all pricing information online.

Paubox offers three plans:

  • Standard: Starting at $29/month and including encryption, integration, secure calendar invite, forms, and more. 
  • Plus: Starting at $59/month, including everything in Standard plus additional inbound security, like malware and ransomware protection. 
  • Premium: Starting at $69/month, including everything in Plus, data loss prevention, and voicemail transcription. 

Every paid Paubox plan includes unlimited HIPAA compliant forms.

Hushmail offers pricing plans online. Plans range from basic to customizable. Hushmail also allows customers to pay for what they need and has several add-on features available. Notably, Hushmail plans only allow for up to 10 encrypted email accounts. While the organization has likely worked with larger businesses before, it's clear they primarily work with smaller healthcare providers. 

Their plans include: 

  • At $11.99/month, this plan allows for one encrypted email account. Users can add on additional emails at $5/month and some forms at $3/month. The service is HIPAA compliant but does not include electronic signatures or unlimited forms. 
  • At $24.99/month, this plan allows up to five encrypted email accounts, up to five secure forms, electronic signatures, and HIPAA compliance. Additional emails and forms can be added for $5/month. 
  • Custom: At $47.99/month, this plan allows up to ten emails and ten forms. The email is HIPAA compliant. This plan does not mention additional add-ons of emails or forms. 

 

In the news

Paubox has garnered news coverage for its positive impact on the community, like providing scholarships, and has never faced a data breach.

To date, Paubox encrypts 70 million emails each month. The result is saved time and money, allowing healthcare companies to focus on what they do best – helping others. 

Hushmail has faced some data security concerns. Notably, the organization came under fire in 2007 for providing hundreds of emails to the Canadian government. The court order revealed that Hushmail is required to turn over emails if requested, showing that Hushmail can access and retrieve such records. 

In 2023, Hushmail emails popped up on the dark web, although limited information was released regarding the incident. 

 

The big picture

Both Paubox and Hushmail offer email security to protect healthcare companies against breaches and attacks.  

While both companies provide HIPAA compliance, unique features, and earn generally positive reviews, Paubox takes the edge. 

Paubox believes security and usability take precedence, and that's precisely what the Paubox Email Suite solution provides. With a streamlined email process, sending and receiving emails has never been easier, safer, or more affordable. You'll never experience a tradeoff with integration, usability, or price. 

While Hushmail offers several great features, their system is more challenging to use and could lead to more human error. In the past, Hushmail has also faced public backlash and some security concerns. For the most tried and trusted email experience, we recommend Paubox. 
