It’s common for healthcare providers to have questions and concerns about sending emails to patients securely. A common question is: is encrypted email HIPAA compliant?
According to the U.S. Department of Health and Human Services (HHS), the HIPAA Security Rule does not prohibit using email to send protected health information (PHI) as long as certain protections, like encryption, are in place.
Email encryption is a process that keeps messages from being read by unauthorized individuals. But is encrypted email always HIPAA compliant?
Keep reading to learn more about HIPAA email encryption rules. Plus, find out how a HIPAA compliant email provider can help.
What are the HIPAA requirements for email encryption?
Under the Security Rule, implementation specifications for covered entities are classified as either “required” or “addressable.”
Those labeled “required” must be put into place. If they are not, it is considered a failure to comply with HIPAA.
On the other hand, “addressable” specifications only need to be implemented if a risk assessment determines that it is a reasonable and appropriate measure in protecting the confidentiality, integrity and availability of electronic protected health information (ePHI).
If the entity finds it not reasonable and appropriate, it would need to document that decision and implement an equivalent alternative.
Email encryption falls under the “addressable” category. Since there is no appropriate alternative for safeguarding PHI other than encryption, it is essentially required.
Not encrypting emails puts both your patients’ privacy and your organization at risk.
Secure your emails at rest
Per HIPAA, ePHI must be secure “at rest.” This refers to any data stored on your server, such as emails in your inbox. If you use a third-party email server like Google Workspace, Microsoft 365 or Microsoft Exchange, you must sign a business associate agreement (BAA) with them.
It is important to keep in mind that many popular email services are not compliant, including Gmail and Yahoo. These platforms do not sign a BAA, which means there is no guarantee that data stored on their servers is protected.
If you only send PHI internally via a commercial email provider, then you are likely adequately protected as long as that server is behind a secure firewall.
However, what about when your emails are sent out?
Secure email data in transit
HIPAA also requires ePHI to be secured in transit. That’s where end-to-end encryption comes in. This type of encryption ensures that only the sender and recipient can read an email. It keeps ePHI completely private as it goes from one inbox to another.
Standard email is not always secure end-to-end. This is because its primary function is to deliver messages, not to provide email security. Your email provider may use TLS encryption, but that does not guarantee your message will be delivered securely.
If the recipient’s email provider does not support TLS, your message will be sent unencrypted, in clear text.
Therefore, the safest way for covered entities to strengthen their email security strategy is to work with a third-party HIPAA compliant email provider that can secure emails every step of the way.
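For organizations that run their own mail server, one concrete way to close the clear-text fallback described above is to enforce TLS in the MTA. The following Postfix main.cf fragment is an added illustration, not Paubox’s product or configuration; it assumes a Postfix MTA, and the partner domain and file paths are placeholder assumptions.

```ini
# Added example (not Paubox's code): Postfix main.cf settings for outbound TLS.
# Check the active value with:  postconf smtp_tls_security_level

# WEAK (opportunistic TLS): STARTTLS is used only when the receiving server
# offers it; otherwise Postfix silently delivers in clear text. This is the
# failure mode described above.
#smtp_tls_security_level = may

# STRONGER (enforced TLS): every outbound delivery must negotiate TLS.
# Mail to a server that cannot do so is deferred and stays in the queue
# instead of being sent in clear text. Deferred mail will eventually bounce,
# so the queue (mailq) needs monitoring.
smtp_tls_security_level = encrypt
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# Log each TLS session so deliveries can be audited: with loglevel 1 a
# delivery that shows no "TLS connection established" line went in clear text.
smtp_tls_loglevel = 1

# Per-destination overrides for partners that exchange ePHI: require a
# verified certificate, not just encryption. Placeholder domain.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# Contents of /etc/postfix/tls_policy (run "postmap /etc/postfix/tls_policy"
# after editing):
#   partner-clinic.example   secure match=.partner-clinic.example:partner-clinic.example
```

The `encrypt` level only guarantees encryption between the sending and receiving servers; it does not verify the recipient server's identity, which is what the `secure` policy entry adds for selected partners.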
Send secured email with Paubox
Paubox’s HIPAA compliant email service encrypts 100% of emails that go out—even if the recipient’s provider doesn’t support encryption.
Paubox Email Suite enables HIPAA compliant email by default and automatically encrypts every outbound message. This means you don’t have to spend time deciding which emails to encrypt, and your patients receive your messages right in their inbox—no additional passwords or portals necessary.
Healthcare email cybersecurity
In addition to enabling healthcare email encryption for compliance with HIPAA email rules, Paubox Email Suite’s Plus and Premium plan levels include robust inbound email security tools that block malicious cyberattacks from reaching the inbox in the first place.
Start Paubox Email Suite free today
Paubox lets you focus on taking care of your patients instead of your inbox