
Email is central to communication in modern healthcare, facilitating everything from appointment reminders and prescription refills to vital exchanges between providers and patients. However, this tool becomes a potential liability when transmitting sensitive patient health information.
The consequences of HIPAA non-compliance related to email breaches can be severe, ranging from hefty financial penalties and damaging reputational harm to a loss of patient trust, which, according to a study published by AMIA (American Medical Informatics Association), can lead to patients withholding important health information from providers. The statistics paint a concerning picture: according to an academic paper titled A Review on Data Breaches in Healthcare Security Systems, 3,705 data breaches involving more than 500 records each occurred in the healthcare sector between 2009 and 2020, indicating a persistent and growing threat to electronic protected health information (ePHI).
Standard email platforms like Outlook and Gmail are not HIPAA compliant out of the box, so many healthcare organizations turn to encryption add-ins as a seemingly straightforward solution.
Decoding HIPAA's email requirements
The HIPAA Security Rule states the technical safeguards covered entities must implement to protect the confidentiality, integrity, and availability of ePHI. When it comes to email communication, several key aspects of these safeguards are particularly relevant:
- Access control (45 CFR § 164.312(a)): Ensuring that only authorized individuals have access to ePHI. This means having mechanisms in place to verify user identity and limit access based on roles and responsibilities.
- Audit controls (45 CFR § 164.312(b)): Maintaining records of system activity to permit the examination of which users have accessed ePHI and what actions they performed.
- Integrity (45 CFR § 164.312(c)): Implementing policies and procedures to protect ePHI from improper alteration or destruction.
- Transmission security (45 CFR § 164.312(e)): HIPAA requires covered entities to implement technical security measures to guard against unauthorized access to ePHI that is being transmitted over an electronic communications network. Encryption is named as an addressable implementation specification here, meaning a covered entity must either encrypt ePHI in transit or document why an equivalent alternative is reasonable and appropriate; in practice, for email crossing the public internet, that means encrypting.
Standard email services, on their own, typically fall short of meeting these requirements. Their default between-server encryption is opportunistic TLS: the sending server encrypts if the receiving server happens to offer STARTTLS and otherwise delivers the message in plaintext, with no notice to the sender. That is not the guaranteed protection ePHI needs when it crosses open networks. Furthermore, the complexities surrounding Business Associate Agreements (BAAs) with standard email providers can create compliance challenges.
The BAA is an indispensable element when using a third-party service, like an email provider, that will handle ePHI. A BAA is a contract between a covered entity and a business associate that outlines the business associate's responsibilities regarding the protection of ePHI, ensuring they comply with HIPAA's requirements. The U.S. Department of Health and Human Services (HHS) emphasizes that covered entities must have a BAA with email providers when ePHI is transmitted through their services. In cases of willful neglect or deliberate misuse of PHI, including sending it unencrypted via email without a BAA, penalties can be millions of dollars. Given that a staggering 95% of cybersecurity issues involve some form of human error as stated in a Cofense report, the reliance on individuals to take extra steps to secure email with standard platforms introduces significant risk.
The add-in approach as a patchwork solution
Many healthcare organizations, seeking to address the HIPAA compliance gaps in standard email, opt for encryption add-ins or plugins that integrate with their existing email clients like Outlook or Gmail. These add-ins typically offer a few different mechanisms to secure email communication:
- Manual encryption buttons: This is perhaps the most common method, where the sender must consciously choose to encrypt an email by clicking a specific button or selecting an option like "Send Securely" before sending the message. This action usually encrypts the email's content and attachments.
- Secure portals: Some add-ins send the email content to a secure server, and the recipient receives a notification with a link. To read the message, the recipient must click the link, often create an account, and log in to a secure portal to view the content.
- Policy-based encryption: A more sophisticated approach configures the add-in to encrypt automatically when a message matches predefined rules, such as the presence of specific keywords or patterns (for example, an SSN format) or delivery to certain domains. Its coverage is only as good as the rule set, though: ePHI written in a way no rule anticipates, such as a clinical note that uses abbreviations rather than the configured keywords, is sent in the clear.
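The coverage gap in rule-based encryption is easiest to see by running a rule set against sample traffic. The following is an added example, not code from the original page or from any add-in vendor; the rule set, message samples and "has ePHI" labels are all constructed here to show how a message containing ePHI can fail every rule and go out unencrypted.

```python
import re
from dataclasses import dataclass

@dataclass
class Message:
    recipient: str
    subject: str
    body: str
    has_ephi: bool  # hypothetical human label used only to measure rule coverage

# Hypothetical rule set, modelled on what policy-based add-ins let an admin configure.
KEYWORDS = ("diagnosis", "prescription", "lab results", "patient")
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{6,}\b", re.IGNORECASE),
}
ALWAYS_ENCRYPT_DOMAINS = {"partner-clinic.example"}

def matched_rules(msg: Message) -> list[str]:
    """Return the names of every rule the message triggers (empty list = sent in the clear)."""
    text = f"{msg.subject}\n{msg.body}"
    hits = [f"keyword:{kw}" for kw in KEYWORDS if kw in text.lower()]
    hits += [f"pattern:{name}" for name, pat in PATTERNS.items() if pat.search(text)]
    domain = msg.recipient.rsplit("@", 1)[-1].lower()
    if domain in ALWAYS_ENCRYPT_DOMAINS:
        hits.append(f"domain:{domain}")
    return hits

def should_encrypt(msg: Message) -> bool:
    return bool(matched_rules(msg))

def find_misses(samples: list[Message]) -> list[str]:
    """Subjects of messages that carry ePHI but match no rule: these leave unencrypted."""
    return [m.subject for m in samples if m.has_ephi and not should_encrypt(m)]

def find_noise(samples: list[Message]) -> list[str]:
    """Subjects encrypted although they carry no ePHI (harmless, but trains users to ignore prompts)."""
    return [m.subject for m in samples if not m.has_ephi and should_encrypt(m)]

# Constructed sample traffic (no real people or identifiers).
SAMPLES = [
    Message("jdoe@example.net", "Lab results for MRN 00123456",
            "Your CBC from Tuesday is attached.", has_ephi=True),
    Message("jdoe@example.net", "Re: your visit",
            "Dx: T2DM. A1c 9.1. Start metformin 500 mg BID, recheck in 3 mo.", has_ephi=True),
    Message("dr.lee@partner-clinic.example", "Lunch Friday?",
            "Same place at noon?", has_ephi=False),
    Message("billing@example.net", "Follow-up",
            "Insurance ID verification: SSN 123-45-6789", has_ephi=True),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(f"{m.subject!r:40} encrypt={should_encrypt(m)!s:5} rules={matched_rules(m)}")
    print("missed ePHI:", find_misses(SAMPLES))
    print("encrypted without ePHI:", find_noise(SAMPLES))
```

The second message is the one to notice: it is a clinical summary with a diagnosis and a medication, but it uses "Dx" and an abbreviated condition name, so none of the keywords fire and no identifier pattern is present. A rule engine cannot fail closed on content it does not recognise, which is why encrypting every message regardless of content removes a whole class of error that rule tuning only shrinks.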
The appeal of these add-ins often lies in their perceived benefits. They seem like a cost-effective way to add a layer of security to familiar email platforms without requiring a complete overhaul of existing systems. Organizations might also feel that because they are using some form of encryption, they are meeting their HIPAA obligations.
Real-world incidents also show that the web portals these workflows lean on are not safe by default. For example, Atrium Health disclosed a privacy breach affecting nearly 586,000 individuals due to online tracking technologies embedded in its patient portal. These tracking tools, active between 2015 and 2019, potentially transmitted sensitive personal information, including names, email addresses, phone numbers, and treatment details, to third-party vendors like Meta and Google without users' knowledge or consent. Encrypting the message in transit does nothing for data that the portal page itself leaks to a third party.
The reality of relying on add-ins for HIPAA compliant email often reveals significant compliance gaps and practical challenges.

The most significant weakness of the add-in approach is its reliance on people always making the correct decision. With manual encryption, the responsibility falls entirely on the sender to remember to encrypt each email containing ePHI. Since 95% of cybersecurity issues have a human element, the risk of accidentally sending unencrypted ePHI is substantial, and each such message is potentially a reportable HIPAA breach.

Secure portals, while providing encryption, introduce friction for the recipient. A study in JMR Publications states, "The processes for patients to grant shared access to a portal delegate can be so limited or onerous that interested patients and delegates circumvent the process entirely". This hinders the natural flow of communication vital in healthcare settings.

Encryption may also not be applied consistently. A recipient's reply to a securely sent email is an ordinary message from their own mail client, so it is not automatically encrypted unless their side enforces it, and portal links can expire, requiring the sender to resend information.

From an administrative perspective, deploying, configuring, and training users on different add-ins across an organization can be burdensome, and IT departments face the ongoing task of managing portal access and troubleshooting user issues. Ultimately, the add-in approach can create a false sense of security, where users believe they are communicating compliantly while significant gaps remain because the process depends on manual steps.
How Paubox works as an integrated solution
Paubox presents a different approach to achieving HIPAA-compliant email, positioning itself as a solution specifically designed for the healthcare industry. Unlike the add-in model, Paubox focuses on providing seamless, automatic encryption that operates behind the scenes.
At its core, Paubox uses Transport Layer Security (TLS) 1.2 and 1.3 to encrypt all outbound email in transit, the same protocol that secures websites with HTTPS. The critical difference from opportunistic TLS is that Paubox enforces it server-to-server: if the recipient's mail server supports TLS (which is the case for the vast majority of modern email services), the message is encrypted from Paubox's server to the recipient's server without any action from the sender or the recipient, and it is never silently downgraded to plaintext. This is transport encryption rather than end-to-end encryption: the message is protected on the wire, and once it arrives the recipient's provider is responsible for protecting it at rest. Automatic encryption eliminates the human error factor associated with manual encryption buttons.
For recipients whose email providers do not support TLS, Paubox offers a secure fallback mechanism. In such instances, the recipient receives a notification to securely retrieve the email from a Paubox-hosted portal. This ensures comprehensive encryption while prioritizing a seamless experience for the majority of recipients who can receive encrypted emails directly in their inboxes.
Beyond its core encryption technology, Paubox offers several features that contribute to HIPAA compliance.
- HITRUST CSF certification: Paubox has achieved HITRUST CSF certification, which signifies a high level of security and compliance assurance. HITRUST CSF is a widely recognized framework incorporating comprehensive security controls to help organizations effectively manage risk and meet regulatory requirements like HIPAA. The certification demonstrates Paubox's commitment to adhering to stringent security standards.
- BAAs: Paubox readily provides a BAA to its healthcare clients, clearly outlining its responsibilities for safeguarding ePHI in accordance with HIPAA regulations.
- Seamless integration: Paubox is designed to integrate seamlessly with popular email platforms like Google Workspace and Microsoft 365, meaning that healthcare organizations can adopt Paubox without disrupting their existing email workflows or requiring significant changes to their infrastructure. It operates behind the scenes, ensuring compliance without adding extra steps for users.
- Inbound security: Paubox also offers features to enhance inbound email security, such as spam and phishing filters, which can help protect organizations from malicious emails that could potentially lead to breaches.
Paubox emphasizes a security philosophy centered on ease of use and automatic protection. By prioritizing enforced server-to-server encryption and backing it with certifications like HITRUST CSF, Paubox aims to provide a stronger, more user-friendly solution for HIPAA compliant email communication.
FAQs
What is TLS encryption?
TLS encryption (Transport Layer Security) is a standard way to make sure that information sent over the internet is private and secure. It scrambles the data so that if anyone intercepts it, they won't be able to read it, and it lets the sending side check the receiving server's certificate so it knows it is talking to the real server rather than an impostor.
What does server-to-server encryption mean for my emails?
Server-to-server encryption, like Paubox uses with TLS, means that the email is encrypted from the moment it leaves your email server until it reaches the recipient's email server, assuming their server also supports TLS. It protects the message while it is travelling between the two servers; how the message is protected once it is stored in the recipient's mailbox is up to the recipient's provider.
Does Paubox encrypt emails sent from mobile devices as well?
Yes, Paubox encrypts emails sent from mobile devices as well. Since it integrates with your existing email platform (like Gmail or Outlook), any email sent through that platform, whether from a desktop or a mobile device, will be automatically encrypted by Paubox.