Paubox blog: HIPAA compliant email made easy

Weighing the pros and cons of blanket encryption

Written by Caitlin Anthoney | September 17, 2024

Blanket encryption helps covered entities comply with HIPAA regulations, automatically protecting all emails, including those with protected health information (PHI). It minimizes human error and offers legal protection if there is a breach. 

However, interoperability issues and high implementation costs can affect workflow. The decision ultimately depends on how IT managers balance communications security against operational efficiency, both within the organization and with outside partners.

 

What is blanket encryption? 

Blanket encryption is the process of encrypting all communications automatically, regardless of their content. Paubox Email Suite, for example, encrypts every outbound email so that no user has to apply encryption manually.

This simplifies compliance and minimizes human error, but it brings issues of its own if it is not implemented well.

 

Advantages of blanket encryption

Simplifies compliance

One of the biggest advantages of blanket encryption is that it doesn't require users to selectively encrypt certain communications. Every email automatically conforms with data privacy laws such as HIPAA or GDPR, with no human decision about which messages are sensitive and which are not. This automation keeps communications secure, especially in heavily regulated industries like healthcare.

 

Mitigation of data breach

Blanket encryption reduces data breach risk: if a breach occurs, encrypted emails remain unreadable to anyone without the keys. It is particularly useful for handling sensitive data such as protected health information (PHI) in healthcare, where data breaches lead to legal and financial damages.

As Cybersecurity and Infrastructure Security Agency (CISA) Project 25 (P25) explains, "Encryption can apply to so many parts of a communications ecosystem that an agency's first impulse might be 'let's encrypt everything'."

 

Saves time and reduces human error

Training employees on when and how to apply encryption is time-consuming and error-prone. Blanket encryption removes this burden from staff and frees the IT department from repeated support requests. It sets up a "set it and forget it" environment that reduces the possibility of human error, especially when using a solution like Paubox.
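The following is an added example (not Paubox's code or the page's own) that illustrates the definition of blanket encryption given above and the human-error point in this section: a mail gateway's outbound policy decides per message whether it must leave encrypted. The selective policy depends on a PHI detector and can only protect what its rules anticipate; the blanket policy never inspects content and protects everything, at the cost of also encrypting routine mail. The detection rules, the sample messages and their `has_phi` labels are constructed for the example, and a real gateway would use a fuller DLP rule set.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class OutboundMessage:
    """One email leaving the organization. `has_phi` is a constructed
    ground-truth label used only to score the policies; a real gateway
    never has this label."""
    recipient: str
    subject: str
    body: str
    has_phi: bool


@dataclass(frozen=True)
class Decision:
    encrypt: bool   # True: the gateway must not hand the message on unencrypted
    reason: str


# Hypothetical detection rules a selective policy might rely on (constructed).
PHI_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                        # US SSN
    re.compile(r"\bMRN[:#\s]*\d{6,}\b", re.IGNORECASE),           # record number
    re.compile(r"\b(diagnosis|prescription|lab results?)\b", re.IGNORECASE),
]


def contains_phi(msg: OutboundMessage) -> bool:
    """Pattern-based PHI detection: finds only what the rule set anticipates."""
    text = f"{msg.subject}\n{msg.body}"
    return any(p.search(text) for p in PHI_PATTERNS)


def selective_policy(msg: OutboundMessage) -> Decision:
    """Encrypt only when the detector fires."""
    if contains_phi(msg):
        return Decision(True, "phi-detected")
    return Decision(False, "no-phi-detected")


def blanket_policy(msg: OutboundMessage) -> Decision:
    """Encrypt every message; content is never inspected."""
    return Decision(True, "blanket")


def audit(policy: Callable[[OutboundMessage], Decision],
          messages: List[OutboundMessage]) -> Dict[str, int]:
    """Score a policy: how many messages get encrypted, how many leave in
    plaintext, and how many of the plaintext ones actually carried PHI."""
    counts = {"encrypted": 0, "plaintext": 0, "phi_in_plaintext": 0}
    for msg in messages:
        decision = policy(msg)
        if decision.encrypt:
            counts["encrypted"] += 1
        else:
            counts["plaintext"] += 1
            if msg.has_phi:
                counts["phi_in_plaintext"] += 1
    return counts


# Constructed sample traffic: one message the detector catches, one it misses
# (PHI phrased outside the rule set), and one routine message with no PHI.
SAMPLE_MESSAGES = [
    OutboundMessage("billing@partner.example", "Claim 4471",
                    "Patient SSN 123-45-6789, see attached claim.", has_phi=True),
    OutboundMessage("j.doe@mail.example", "Your visit on Tuesday",
                    "Your oncology follow-up is confirmed; please bring your "
                    "current medication list.", has_phi=True),
    OutboundMessage("all-staff@clinic.example", "Parking lot closure",
                    "The north lot is closed Friday for resurfacing.", has_phi=False),
]


if __name__ == "__main__":
    for name, policy in (("selective", selective_policy), ("blanket", blanket_policy)):
        print(name, audit(policy, SAMPLE_MESSAGES))
```

Running the block shows the trade-off in numbers: the selective policy lets the second message (PHI that no rule matched) leave in plaintext, while the blanket policy encrypts all three, including the parking notice that carried nothing sensitive. Improving the detector narrows the gap but never closes it, which is why the page argues for removing the decision from users and rules altogether.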

 

Reduced legal liability

Blanket encryption also gives organizations a robust legal defense in case of a data breach. Encrypting all email communications demonstrates that they took due care in protecting PHI, which mitigates the risk of HIPAA violations.

Go deeper: What are the penalties for HIPAA violations?

 

Disadvantages of blanket encryption

Added complexity for routine emails

Not all communications contain sensitive data, and applying encryption universally can complicate the flow of routine emails. Less sensitive correspondence can be delayed or require extra steps to decrypt. Solutions like Paubox minimize that friction, but other platforms can introduce inefficiencies that impede everyday operations.

 

Interoperability issues

Uncoordinated encryption keys among agencies or across partners can hinder interoperability when using blanket encryption. CISA notes that "if an agency chooses to generate its own encryption keys and fails to coordinate with neighbors and partners, interoperability can be compromised."

This can reduce communication between organizations during an incident where a rapid response is needed. The concern extends beyond email to any encrypted communication system, making key management a priority for IT teams.

 

Public transparency and trust issues

CISA explains that blanket encryption can "raise public complaints about 'lack of transparency'," which could be detrimental in sectors like government, where accountability and openness are cardinal to maintaining public trust.

 

Increased resource and cost requirements

Implementing blanket encryption can be resource-intensive for any organization, but especially for smaller businesses. Encrypting all communications increases the server workload and sometimes requires a more robust infrastructure to handle encryption and decryption.

Moreover, there are "concerns surrounding the implementation of blanket encryption, including lack of transparency to the public and overall cost", which can be prohibitive for smaller agencies or businesses.

Managing email together with encryption keys can multiply costs, especially for organizations with low IT budgets. So, "small agencies with limited resources have to be efficient and strategic when implementing, managing, and maintaining an encryption system".

 

Possible compatibility issues

Not all recipients have encryption-compatible systems. This creates friction for external clients or partners who must install additional software or complete extra security steps to access encrypted emails.

For businesses that rely on regular outside communication, blanket encryption can slow business down and potentially frustrate recipients.

Paubox's first patent directly addresses this issue, securing email content between a sender and a recipient. Still, other platforms might not allow this seamless interaction.

 

Searching and archiving challenges

Blanket encryption can cripple search functionality, since the metadata and content of encrypted emails are hidden. This raises potential issues for legal discovery, audits, and compliance tracking.

Furthermore, decrypting emails to allow searching takes more time and resources, which adds up when accessing a large volume of archived communication.

Amanda Wood, Director of Human Resources at the Western North Carolina AIDS Project (WNCAP), noted that while using Virtru, emails could be difficult to back up and search. Looking for a more intuitive solution, the organization switched to Paubox Email Suite.

Paubox allows users to integrate its encryption service directly into their existing Gmail business account, so users can find all their emails in the search bar without navigating additional platforms.

Go deeper: Why Paubox is better than Virtru: Case study analysis and user reviews

 

FAQs

How can providers ensure HIPAA compliance when using email?

Providers and other covered entities must use a HIPAA compliant platform, like Paubox, which offers encryption, authentication measures, and access controls to protect patients' protected health information (PHI) and prevent potential data breaches.

Learn more: HIPAA Compliant Email: The Definitive Guide

 

Can Google Workspace email be HIPAA compliant?

Yes, but only when users sign up for a Business or Enterprise plan, sign a business associate agreement (BAA) with Google, and use a HIPAA compliant platform, like Paubox, to protect patient information.

Go deeper: How to set up HIPAA compliant emails on Google

 

How does signing a BAA improve email encryption under HIPAA?

A signed business associate agreement (BAA) offers assurance that third-party email service providers will be contractually required to implement and maintain encryption and other security measures to protect PHI and uphold HIPAA compliance.