HIPAA Compliant Email: The Definitive Guide

Last updated: 25 January 2023

Welcome to the definitive guide on HIPAA compliant email.

This guide will provide you with a thorough understanding of the requirements for HIPAA compliant email and the steps you can take to ensure your organization is in compliance.

We will cover topics such as what to look for in a HIPAA compliant email solution, email encryption methods, HIPAA violations and fines, and an FAQ section you won’t find anywhere else.

This guide is intended for healthcare professionals, IT staff, and anyone else responsible for maintaining or acquiring a HIPAA compliant email solution.

By the end of this guide, you will have the knowledge necessary to confidently use email for healthcare communication while ensuring the protection of PHI.

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that was enacted in 1996. It sets national standards for protecting the privacy and security of certain health information, known as protected health information (PHI). The law applies to health plans, healthcare clearinghouses, and certain healthcare providers that conduct certain financial and administrative transactions electronically, such as billing and claims submissions.

HIPAA includes two main rules: the Privacy Rule and the Security Rule. The Privacy Rule establishes national standards for protecting the privacy of PHI. It specifies how PHI can be used and disclosed, and gives individuals certain rights with respect to their PHI. The Security Rule establishes national standards for protecting the security of electronic PHI. It specifies administrative, physical, and technical safeguards that covered entities must implement to secure ePHI.

HIPAA is designed to protect the privacy and security of individuals’ health information and to ensure that healthcare providers and insurers can securely exchange electronic health information. Violations of HIPAA can result in significant fines and penalties for covered entities.

Protected health information (PHI)

Protected health information needs to be protected in all mediums: electronic, paper, and oral. PHI isn’t just confined to medical records and test results. In fact, any information that can identify a patient and is used or disclosed during the course of care is considered PHI. Even if the information by itself doesn’t reveal a patient’s medical history, it is still considered PHI.

A related term is ePHI, which stands for electronic protected health information. The terms can be used interchangeably when referring to HIPAA compliant email.

Covered entities and business associates

HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity.

Business associate agreement

A business associate agreement (BAA) is a written contract between a covered entity and a business associate. It is required by law for HIPAA compliance.

At a minimum, a BAA must include ten provisions.

HIPAA compliance and email

To ensure HIPAA compliance when using email, it’s imperative to use secure email solutions that encrypt messages and attachments in transit and at rest.

It’s now a common practice to use an email service provider like Google Workspace or Microsoft 365 to maintain the hosting of your organization’s email, while using a separate company to provide additional protection like email encryption, security, data loss prevention, and backups.

See related: Can I use Google Workspace (G Suite) and be HIPAA compliant?

See related: Is Microsoft 365 HIPAA compliant?

What to look for in a HIPAA compliant email solution

Here’s what to look for in a HIPAA compliant email solution:

  • How is email encrypted in transit?
  • How is email encrypted at rest?
  • Will each vendor that processes or handles PHI in email sign a business associate agreement with your organization?
  • As a best practice, is the HIPAA compliant email solution HITRUST CSF certified?

HIPAA violations and fines

The penalties for a HIPAA violation can be severe. Both civil and criminal penalties can be enforced by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights.

In general, breaches that fall under reasonable cause range from $100 to $50,000 per breach. Willful neglect cases range from $10,000 to $50,000 and often result in criminal charges being brought against the people involved.

This chart shows how civil penalties can reach a maximum of $1.5 million per violation:

| Violation | Minimum Penalty | Maximum Penalty |
|---|---|---|
| Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA | $100 per violation, with an annual maximum of $25,000 for repeat violations (Note: maximum that can be imposed by State Attorneys General regardless of the type of violation) | $50,000 per violation, with an annual maximum of $1.5 million |
| HIPAA violation due to reasonable cause and not due to willful neglect | $1,000 per violation, with an annual maximum of $100,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million |
| HIPAA violation due to willful neglect but violation is corrected within the required time period | $10,000 per violation, with an annual maximum of $250,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million |
| HIPAA violation is due to willful neglect and is not corrected | $50,000 per violation, with an annual maximum of $1.5 million | $50,000 per violation, with an annual maximum of $1.5 million |

Criminal penalties, with higher fines per violation and possible imprisonment, can also apply when HIPAA violations are knowingly committed.

Criminal penalties are divided into three tiers:

| Tier | Potential Jail Term |
|---|---|
| Reasonable cause or no knowledge of violation | Up to one year |
| Obtaining PHI under false pretenses | Up to five years |
| Obtaining PHI for personal gain or malicious intent | Up to ten years |

Read more: The complete guide to HIPAA violations

Paubox HIPAA Breach Report

The Paubox HIPAA Breach Report analyzes protected health information (PHI) breaches affecting 500 or more people as reported to the Department of Health & Human Services (HHS).

Paubox has been compiling a monthly HIPAA Breach Report since June 2017. Since that time, the data clearly shows that email breaches are statistically the most likely entry point for an organization to suffer a HIPAA breach.

Email encryption methods

There are four approaches to encrypting email:

  • Transport Layer Security (TLS)
  • PGP and S/MIME
  • Portals
  • Apps

FAQ

Here are some frequently asked questions about HIPAA compliant email.


Q: When does my HIPAA liability end when sending email?

A: Once an email has been delivered to the end recipient’s system using encryption, the covered entity or business associate has fulfilled their obligations for the HIPAA Privacy Rule.

Read more: How do I know when my HIPAA privacy obligation for email encryption ends?


Q: Does the subject line of an email have to be encrypted?

A: If the subject line contains ePHI, yes it must be encrypted. It should be noted that it is not the responsibility of a healthcare provider to assure that incoming email is encrypted (although many organizations like having this feature).

Read more: Does an email subject line have to be HIPAA compliant?


Q: Does the email message header have to be encrypted?

A: An email message header includes fields that provide information about the sender, recipient, and routing of the message.

Some common email header fields include:

  • From: the email address of the sender
  • To: the email address of the primary recipient
  • Subject: the subject or topic of the message
  • Date: the date and time the message was sent
  • Cc: (carbon copy) list of recipients who are to receive a copy of the message
  • Bcc: (blind carbon copy) list of recipients who receive a copy of the message without the other recipients being aware
  • Reply-To: the email address that should be used when replying to the message
  • Message-ID: a unique identifier for the message
  • In-Reply-To: the Message-ID of the message that this message is a reply to
  • References: a list of Message-IDs for messages that this message is related to

As you can see, there are myriad instances in which PHI can be inserted into a message header. You should therefore be encrypting email message headers as a best practice.


Q: Do all email encryption methods encrypt a message header?

A: Email sent via Transport Layer Security (TLS) does encrypt the message header while it’s in transit across the internet.

Email sent using PGP or S/MIME, however, does not encrypt the message header.

Since message headers are likely to contain PHI, we can conclude that PGP and S/MIME are not sufficient forms of encryption for HIPAA compliant email.


Q: Why isn’t PGP more widely used to encrypt email?

A: PGP (Pretty Good Privacy) is a long-established standard for email encryption, but it has never been widely adopted. Here are several reasons why:

  1. Complexity. PGP requires users to generate and manage their own public and private keys, which can be a complex and time-consuming process for non-technical users.
  2. Lack of Integration. PGP requires additional software and plugins to be installed in order to work with most email clients, which can be a barrier to adoption for some users.
  3. Security concerns. PGP has been criticized for having numerous security vulnerabilities in the past, which has led to some organizations being hesitant to adopt it.
  4. Ease of use. PGP is not as user-friendly as some other encryption methods, which can make it less appealing.

Q: Does PGP email still have security vulnerabilities?

A: PGP has had a number of notable security vulnerabilities identified over the years. They include:

  1. EFAIL. In May 2018, a group of researchers discovered a vulnerability in the way PGP and S/MIME handle email encryption, known as EFAIL. It allows attackers to read the plaintext of encrypted emails by intercepting, manipulating, and then re-encrypting the ciphertext. Ciphertext is the result of encryption performed on plaintext using an algorithm.
  2. Key-pair collision. PGP uses a hash function to generate a “fingerprint” of a public key, which is used to identify the key. In 2017, it was discovered that it’s possible to generate two distinct keys with the same fingerprint, which could be used to impersonate someone else’s key.
  3. Key-server vulnerability. PGP relies on key servers to distribute public keys. In 2011, a vulnerability was discovered that could allow an attacker to upload a malicious key to a key server, which could then be used to impersonate someone else.
  4. Malicious Key. PGP relies on users to verify the authenticity of public keys before using them to encrypt messages. In some cases, attackers have been able to trick users into using a malicious key, which could allow them to decrypt the messages.

It should be noted that most of these vulnerabilities have since been addressed by the PGP community and vendors.

Read more: PGP and S/MIME aren’t as secure as you think


Q: Are email attachments encrypted?

A: Yes. Email attachments encrypted by either TLS, PGP, or S/MIME will be encrypted in transit.


Q: Am I responsible for incoming emails to be HIPAA compliant?

A: HIPAA does not require covered entities and business associates to encrypt their inbound email. To maintain HIPAA compliance, healthcare organizations need to implement technical safeguards for outbound email that contains PHI. The best technical safeguard is using encryption.

Read more: Do you need inbound email security to be HIPAA compliant?


Q: If I password protect an email attachment, does that make it HIPAA compliant?

A: The guidance from HHS is clear: forgoing encryption and relying only on password protection for a document (or an entire hard drive, for that matter) is not sufficient and has already led to publicized HIPAA fines.

Therefore, using only password protection for attaching a document via email is not a HIPAA compliant approach and should be avoided.

Read more: Is my password-protected PDF document HIPAA compliant?


Q: Is it HIPAA or HIPPA?

A: People often confuse HIPAA email and HIPPA email. Therefore, it’s easy to Google HIPPA compliant email or HIPPA email. In short, Google is smart and knows the correct spelling while pointing you to the right pages by default. In a nutshell, “HIPPA compliant email” or “HIPPA email” are not correct. “HIPAA compliant email” or “HIPAA email” are the correct search terms.


Q: What versions of Transport Layer Security encryption are considered secure?

A: In January 2021, the NSA issued the following guidance:

“The National Security Agency (NSA) emphatically recommends replacing obsolete protocol configurations with ones that utilize strong encryption and authentication to protect all sensitive information… Network connections employing obsolete protocols are at an elevated risk of exploitation by adversaries.”

Furthermore:

“NSA recommends that only TLS 1.2 or TLS 1.3 be used; and that SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1 not be used.”

Following NSA guidance, here’s a list of security protocols supported by Paubox:

  • SSL v2 (Not Supported)
  • SSL v3 (Not Supported)
  • TLS 1.0 (Not Supported)
  • TLS 1.1 (Not Supported)
  • TLS 1.2 (Supported)
  • TLS 1.3 (Supported)

Read more: Paubox eliminates obsolete TLS protocols, follows NSA guidance


Q: Do international companies need to abide by HIPAA?

A: If an international company handles or transmits PHI of U.S. citizens, it is subject to HIPAA regulations.

Read more: Do international companies have to abide by HIPAA?


Q: Does email qualify under the HIPAA Conduit Exception rule?

A: The HIPAA Conduit Exception Rule was created by the HIPAA Privacy Rule in December 2000. In a nutshell, the conduit exception is limited to transmission-only services for PHI (whether in electronic or paper form). Since every email account has email stored in it, this would preclude it from being a transmission-only service.

In summary, email does not qualify under the HIPAA Conduit Exception rule.

Read more: HIPAA Conduit Exception Rule – what is it?


Q: Can a covered entity or business associate use a consumer email service provider like Yahoo or Hotmail?

A: As we’ve covered, a business associate agreement is required for any vendor handling or processing PHI on behalf of a covered entity or business associate. We have not found a single consumer email service that provides a BAA. Therefore, using a provider like Yahoo or Hotmail is not HIPAA compliant and should be avoided.

Read more: Is Yahoo HIPAA compliant?

Read more: Is Hotmail HIPAA compliant?


Q: What is HITRUST?

A: HITRUST is a standards development organization that was founded in 2007. It develops and maintains a healthcare compliance framework called the HITRUST CSF. The HITRUST CSF is designed to unify security controls from federal law (HIPAA), state law, and non-governmental frameworks (PCI-DSS) into a single framework that’s tailored towards use in the healthcare industry.

Paubox solutions have been HITRUST CSF certified since 2019.

Read more: Paubox renews, expands HITRUST CSF certification through 2023


Q: Does Paubox have patents for its work on encrypted email?

A: Yes, Paubox currently has four patents.

Read more: U.S. Patent Office approves our approach to email encryption


Q: What is the HHS Notification of Enforcement Discretion and does it apply to email?

A: When the pandemic first hit in March 2020, the U.S. Department of Health and Human Services (HHS) quickly announced the Notification of Enforcement Discretion, which allowed health care providers to use widely available audio or video communication apps without the risk of incurring HIPAA fines.

This notice allows health care providers to use popular applications to provide telehealth services, so long as they are “non-public facing.”

Email is not in scope of the HHS Notification of Enforcement Discretion. It applies only to non-public facing audio and video communication services.

See also: HIPAA privacy and security guidelines as they relate to telehealth

Is Twilio SendGrid HIPAA compliant? (2023 update)

Since Paubox is a Business Associate to thousands of customers, we’ve been wondering if they are able to use Twilio SendGrid in a HIPAA compliant manner.

As context, in 2018 we wrote the post, Can I Use SendGrid and be HIPAA Compliant?

Now that SendGrid has been acquired, we’re doing an updated post in 2023 to see if circumstances have changed (SendGrid was not HIPAA compliant in 2018).

In fact, we’ve noticed more vendors, customers, and prospects asking about HIPAA compliant services.

This is especially true now as we see an accelerated, long overdue adoption of digital transformation in healthcare.

We know the HIPAA industry is vast, so we can empathize with just how many people need to use cloud services in this sector.

Today we will determine if Twilio SendGrid offers HIPAA compliant email service or not.

Twilio SendGrid

Twilio SendGrid is a cloud-based email delivery service that helps businesses to send emails that land in the recipient’s inbox. It provides a scalable, reliable, and cost-effective solution for businesses to send transactional emails without having to worry about the infrastructure and maintenance of an in-house email infrastructure. The company provides various features to help businesses send emails, such as APIs for integration with other systems, marketing campaigns, and real-time analytics.

It was acquired by Twilio in 2018 for $2 billion and shortly after changed its name to Twilio SendGrid.

Twilio SendGrid and the business associate agreement

There’s a primary item to consider when it comes to Twilio SendGrid and its ability to provide a HIPAA compliant email API.

First, let’s start with a quick recap of terms. The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that protects the privacy of individuals’ personal health information, otherwise known as protected health information (PHI).

As we’ve previously discussed, HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity.

A business associate agreement (BAA) is a written contract between a covered entity and a business associate. It is required by law for HIPAA compliance.

We once again checked the Twilio SendGrid site, as well as SendGrid’s standalone site, for mention of their ability to sign a BAA.

We found the following pages:

On those pages, we can see that:

  • Twilio does offer HIPAA compliant products and services and is willing to sign a BAA for them.
  • SendGrid is still not HIPAA compliant.
  • SendGrid is not a product listed by Twilio as a HIPAA eligible product.

Does Twilio SendGrid offer HIPAA Compliant Service?

The Business Associate Agreement (BAA) is a key component to HIPAA compliance between a covered entity and a business associate.

We were able to learn the following about Twilio SendGrid and its ability to be considered a HIPAA compliant solution:

  • Twilio SendGrid is still not HIPAA compliant.
  • While Twilio does offer HIPAA products and services, Twilio SendGrid is not one of them.

Conclusion: Twilio SendGrid remains not in compliance with HIPAA regulations.

Amazon SES vs. Paubox Email API for HIPAA compliant email

A question we hear a lot in the HIPAA industry is whether healthcare organizations can use Amazon Web Services and be HIPAA compliant. A related question is how Amazon Simple Email Service (SES), which offers a transactional email API, stacks up to Paubox Email API.

This post will compare and contrast Amazon SES and Paubox as it relates to HIPAA compliant email.

Amazon SES

Amazon SES (Simple Email Service) is a cloud-based email service provided by Amazon Web Services (AWS) that allows developers to send and receive email using an AWS SDK or via a RESTful Web Service interface. It is designed to handle large volumes of email, making it a good choice for businesses and other organizations that need to send a lot of email. It also includes features such as bounce and complaint handling, and email tracking.

See related: Is Amazon Web Services (AWS) HIPAA compliant?

Paubox Email API

Paubox Email API is a cloud-based secure email delivery service that helps healthcare organizations improve patient journeys. Common use cases include delivering test results, personalized appointment reminders, automating e-consent forms, and managing clinical trial recruitment.

Paubox provides various methods to help healthcare organizations send secure emails, such as developer docs, client libraries (SDKs), and real-time analytics.

Paubox launched in 2015 and currently has over four thousand customers in all 50 states.

Is Amazon SES HIPAA compliant?

There are a couple of items to consider when it comes to Amazon SES and its ability to provide HIPAA compliant email.

First, let’s start with a quick recap of terms. The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that protects the privacy of individuals’ personal health information, otherwise known as protected health information (PHI).

As we’ve previously discussed, HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity.

A business associate agreement (BAA) is a written contract between a covered entity and a business associate. It is required by law for HIPAA compliance.

We’ve written in the past about AWS and its stance on HIPAA compliance. In a nutshell, Amazon will sign a BAA with customers, and as of July 2019 Amazon SES is included in scope.

However, it should be noted:

  • By default, Amazon SES will attempt to make a secure connection to the receiving email server, but if a secure connection cannot be established, it will send the message unencrypted.
  • You can configure Amazon SES to require a secure connection. If you do, however, messages to patients whose mail servers do not support encryption will not be delivered; they will be silently deleted.

It’s referenced here in Data protection in Amazon Simple Email Service:

By default, Amazon SES uses opportunistic TLS. This means that Amazon SES always attempts to make a secure connection to the receiving mail server. If it can’t establish a secure connection, it sends the message unencrypted. You can change this behavior so that Amazon SES sends the message to the receiving email server only if it can establish a secure connection.

Is Paubox HIPAA compliant?

Paubox was built around the Paubox Foundations (three big ideas) and a mission to become the market leader for HIPAA compliant communication.

Paubox provides a BAA for all paid and freemium customers.

In addition, the following solutions are HITRUST CSF certified:

While an official HIPAA compliance certification does not exist, it’s widely acknowledged HITRUST CSF is the closest thing to it. In a nutshell, not only is Paubox HIPAA compliant, but its solutions are also HITRUST CSF certified.

When it comes to Paubox Email API, it was built using patented technology whereby, if a secure connection cannot be established to the receiving mail server, Paubox automatically detects this and then converts the message (plus any attachments) to the Paubox Secure Message Center. The recipient then needs only a single extra click to securely access the message.

In other words, the email is not bounced, silently dropped, or sent unencrypted, as is the case with Amazon SES.
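The three delivery behaviours contrasted here and in the TLS-version FAQ above (opportunistic TLS, required TLS, and fallback to a secure portal) can be made concrete as a small policy model. This is an added example, not Paubox or AWS code: the STARTTLS probe uses only Python’s standard library, the policy and outcome names are chosen for illustration, and the host names in the demo are constructed.

```python
import smtplib
import ssl
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Protocol versions the NSA guidance quoted above permits; anything older
# (SSLv2, SSLv3, TLS 1.0, TLS 1.1) is treated as "no acceptable encryption".
ACCEPTED_TLS_VERSIONS = frozenset({"TLSv1.2", "TLSv1.3"})


class Policy(Enum):
    """The three outbound behaviours the text contrasts (names are illustrative)."""
    OPPORTUNISTIC = "opportunistic"      # SES default: try TLS, else send in the clear
    REQUIRE = "require"                  # SES "require TLS": no TLS, no delivery
    FALLBACK_PORTAL = "fallback_portal"  # Paubox-style: no TLS, hand off to a secure portal


class Outcome(Enum):
    DELIVERED_TLS = "delivered_over_tls"
    DELIVERED_CLEARTEXT = "delivered_in_cleartext"   # PHI exposed in transit
    NOT_DELIVERED = "not_delivered"                  # message silently dropped
    ROUTED_TO_PORTAL = "routed_to_secure_portal"


@dataclass
class ProbeResult:
    host: str
    starttls_offered: bool
    tls_version: Optional[str]   # e.g. "TLSv1.3"; None if no acceptable handshake
    error: Optional[str] = None


def tls_is_acceptable(version: Optional[str]) -> bool:
    """True only for the protocol versions the guidance permits."""
    return version in ACCEPTED_TLS_VERSIONS


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> ProbeResult:
    """Ask a receiving MX whether it offers STARTTLS and, if so, which version it
    negotiates when the client insists on TLS 1.2 or newer.

    Network-dependent; the offline demo below uses constructed results instead.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse SSLv3, TLS 1.0, TLS 1.1
    offered = False
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                return ProbeResult(host, False, None, error="STARTTLS not advertised")
            offered = True
            smtp.starttls(context=ctx)
            # After STARTTLS, smtp.sock is an ssl.SSLSocket; version() is the
            # negotiated protocol string, e.g. "TLSv1.3".
            return ProbeResult(host, True, smtp.sock.version())
    except (OSError, smtplib.SMTPException) as exc:
        # ssl.SSLError is a subclass of OSError: covers a server that only speaks
        # an obsolete version, a bad certificate, or a refused connection.
        return ProbeResult(host, offered, None, error=f"{type(exc).__name__}: {exc}")


def decide(policy: Policy, probe: ProbeResult) -> Outcome:
    """Apply an outbound policy to a probe result for a message containing PHI."""
    if probe.starttls_offered and tls_is_acceptable(probe.tls_version):
        return Outcome.DELIVERED_TLS
    if policy is Policy.OPPORTUNISTIC:
        return Outcome.DELIVERED_CLEARTEXT
    if policy is Policy.REQUIRE:
        return Outcome.NOT_DELIVERED
    return Outcome.ROUTED_TO_PORTAL


def compare_policies(probe: ProbeResult) -> dict:
    """What each policy would do with the same recipient server."""
    return {policy.value: decide(policy, probe).value for policy in Policy}


if __name__ == "__main__":
    # Constructed probe results standing in for live MX servers.
    modern = ProbeResult("mx.modern.example", True, "TLSv1.3")
    legacy = ProbeResult("mx.legacy.example", True, None, error="SSLError: unsupported protocol")
    plain = ProbeResult("mx.plain.example", False, None, error="STARTTLS not advertised")
    for probe in (modern, legacy, plain):
        print(probe.host, compare_policies(probe))
```

Only the recipient that negotiates TLS 1.2 or 1.3 is delivered the same way under every policy; for the other two, the policy alone decides whether PHI goes out in the clear, is dropped, or is redirected.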

See also: U.S. Patent Office approves our approach to email encryption

Conclusion

Both Amazon SES and Paubox offer a transactional email API that alleviates the need for customers to fret about infrastructure and maintenance of in-house email systems.

Amazon SES, however, is not well suited for U.S. healthcare. This is apparent from its technical capabilities: out of the box, its usage may expose customers to HIPAA violations by allowing unencrypted email to be sent.

Even when configured with extra encryption precautions, a double-digit percentage of email on the internet is still sent unencrypted in transit, and it’s these types of emails that will be silently deleted by Amazon SES.

Paubox on the other hand, was built from the ground up to provide secure, easy-to-use, HIPAA compliant email. This is apparent from its technical design (four patents and counting), HITRUST CSF certification since 2019, and inclusion of a business associate agreement for all customers (paid and freemium).

Mailchimp Transactional vs. Paubox for HIPAA compliant email

A question we hear a lot in the HIPAA industry is whether healthcare organizations can use Mailchimp and be HIPAA compliant. A related question is how Mailchimp Transactional, which offers a transactional email API, stacks up to Paubox Email API.

This post will compare and contrast Mailchimp Transactional and Paubox as it relates to HIPAA compliant email.

Mailchimp Transactional

Mailchimp Transactional is a service offered by Mailchimp that allows users to send automated, personalized email messages to specific individuals or groups of people in response to specific actions or triggers, such as abandoned cart reminders, purchase receipts, and account updates. These types of emails are often referred to as “transactional emails” because they are triggered by a transaction or action, rather than being part of a bulk marketing campaign.

The service is built on top of the Mailchimp platform and uses the same user interface, but includes additional features and functionality specifically designed for sending transactional emails. Mailchimp Transactional was formerly known as Mandrill.

See related: Is Mailchimp HIPAA compliant?

Paubox Email API

Paubox Email API is a cloud-based secure email delivery service that helps healthcare organizations improve patient journeys. Common use cases include delivering test results, personalized appointment reminders, automating e-consent forms, and managing clinical trial recruitment.

Paubox provides various methods to help healthcare organizations send secure emails, such as developer docs, client libraries (SDKs), and real-time analytics.

Paubox launched in 2015 and currently has over four thousand customers in all 50 states.

Is Mailchimp Transactional HIPAA compliant?

There’s a primary item to consider when it comes to Mailchimp Transactional and its ability to provide HIPAA compliant email.

First, let’s start with a quick recap of terms. The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that protects the privacy of individuals’ personal health information, otherwise known as protected health information (PHI).

As we’ve previously discussed, HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity.

A business associate agreement (BAA) is a written contract between a covered entity and a business associate. It is required by law for HIPAA compliance.

We’ve written in the past about Mailchimp and its stance on HIPAA compliance. In a nutshell, Mailchimp will not sign a BAA with its customers. We can see evidence of that on the Mailchimp Terms of Use page:

Of particular note is:

“If you’re subject to regulations (like HIPAA) and you use the Service, then we won’t be liable if the Service doesn’t meet those requirements.”

It’s a natural conclusion that if Mailchimp does not offer a BAA to its customers, then all services provided by the company will not meet HIPAA compliance requirements.

So when it comes to sending HIPAA compliant email via Mailchimp Transactional, it is not recommended from a risk and compliance standpoint.

Is Paubox HIPAA compliant?

Paubox was built around the Paubox Foundations (three big ideas) and a mission to become the market leader for HIPAA compliant communication.

Paubox provides a BAA for all paid and freemium customers.

In addition, the following solutions are HITRUST CSF certified:

While an official HIPAA compliance certification does not exist, it’s widely acknowledged HITRUST CSF is the closest thing to it. In a nutshell, not only is Paubox HIPAA compliant, but its solutions are also HITRUST CSF certified.

Conclusion

Both Mailchimp Transactional and Paubox offer a transactional email API that alleviates the need for customers to fret about infrastructure and maintenance of in-house email systems.

Mailchimp Transactional, however, is not tailored for U.S. healthcare. This is apparent from its compliance statements.

Paubox on the other hand, was built from the ground up to provide secure, easy-to-use, HIPAA compliant email. This is apparent from its technical design (four patents and counting), HITRUST CSF certification since 2019, and inclusion of a business associate agreement for all customers (paid and freemium).

Comparing Mailgun to Paubox for HIPAA compliant email

A question recently popped up in my inbox that others may find useful. It was concerning a digital health startup and their evaluation of Mailgun and Paubox Email API. They wanted to learn how the solutions stack up.

This post will compare and contrast Mailgun and Paubox as it relates to HIPAA compliant email.

About Mailgun

Mailgun was launched in 2010 as an API-based email delivery service, allowing companies to build email into their existing applications rather than building an email system from scratch. With Mailgun, customers can scale email campaigns, send transactional emails, and send email from within an application or website. It also provides advanced features such as real-time analytics, A/B testing, and email validation.

About Paubox Email API

Paubox Email API is a cloud-based secure email delivery service that helps healthcare organizations improve patient journeys. Common use cases include delivering test results, personalized appointment reminders, automating e-consent forms, and managing clinical trial recruitment.

Paubox provides various methods to help healthcare organizations send secure emails, such as developer docs, client libraries (SDKs), and real-time analytics.

Paubox launched in 2015 and currently has over four thousand customers in all 50 states.

Is Mailgun HIPAA compliant?

There are several things to consider when it comes to Mailgun and its ability to provide HIPAA compliant email.

First, let’s start with a quick recap of terms. The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that protects the privacy of individuals’ personal health information, otherwise known as protected health information (PHI).

As we’ve previously discussed, HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity. A business associate agreement (BAA) is a written contract between a covered entity and a business associate. It is required by law for HIPAA compliance.

We’ve written in the past about Mailgun and its stance on HIPAA compliance. In a nutshell, while Mailgun will sign a BAA with customers, the fine print reveals it does not cover much as it relates to their ability to provide HIPAA compliant email. For example, the company readily admits that by using their service, customers will likely be exposing sensitive patient data during email transmission, which is a HIPAA violation.

So when it comes to sending HIPAA compliant email via Mailgun, it is not recommended from a risk standpoint.

Is Paubox HIPAA compliant?

Paubox was built around the Paubox Foundations, three big ideas, and a mission to become the market leader for HIPAA compliant communication.

Paubox provides a BAA for all paid and freemium customers.

In addition, the following solutions are HITRUST CSF certified:

While an official HIPAA compliance certification does not exist, it’s widely acknowledged HITRUST CSF is the closest thing to it. In a nutshell, not only is Paubox HIPAA compliant, but its solutions are also HITRUST CSF certified.

Conclusion

Both Mailgun and Paubox offer a transactional email API that alleviates the need for customers to fret about infrastructure and maintenance of in-house email systems.

Mailgun, however, is not tailored for U.S. healthcare. This is apparent both from its technical design and its compliance statements.

Paubox, on the other hand, was built from the ground up to provide secure, easy-to-use, HIPAA compliant email. This is apparent from its technical design (four patents and counting), HITRUST CSF certification since 2019, and inclusion of a business associate agreement for all customers (paid and freemium).

Comparing Twilio SendGrid to Paubox for HIPAA compliant email

During a staff meeting today, it was suggested that our audience would love to learn more about the differences between Twilio SendGrid, which offers a transactional email API, and our own Paubox Email API.

This post will compare and contrast Twilio SendGrid and Paubox as it relates to HIPAA compliant email.

About SendGrid

SendGrid is a cloud-based email delivery service that helps businesses to send emails that land in the recipient’s inbox. It provides a scalable, reliable, and cost-effective solution for businesses to send transactional emails without having to worry about the infrastructure and maintenance of an in-house email infrastructure. The company provides various features to help businesses send emails, such as APIs for integration with other systems, marketing campaigns, and real-time analytics.

It was acquired by Twilio in 2018 for $2 billion and shortly after changed its name to Twilio SendGrid.

About Paubox Email API

Paubox Email API is a cloud-based secure email delivery service that helps healthcare organizations improve patient journeys. Common use cases include delivering test results, personalized appointment reminders, automating e-consent forms, and managing clinical trial recruitment.

Paubox provides various methods to help healthcare organizations send secure emails, such as developer docs, client libraries (SDKs), and real-time analytics.

Paubox launched in 2015 and currently has over four thousand customers in all 50 states.

Is Twilio SendGrid HIPAA compliant?

There are several nuances when it comes to Twilio SendGrid and its ability to provide HIPAA compliant email.

First, let’s start with a quick recap of terms. The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that protects the privacy of individuals’ personal health information, otherwise known as protected health information (PHI).

As we’ve previously discussed, HIPAA applies to covered entities, which includes healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity. A business associate agreement (BAA) is a written contract between a covered entity and a business associate. It is required by law for HIPAA compliance.

We’ve written in the past about Twilio SendGrid and its stance on HIPAA compliance. In a nutshell, while Twilio does offer a range of HIPAA compliant solutions, SendGrid is not one of them. The clearest example is a SendGrid documentation article called “Is SendGrid HIPAA Compliant?”

So when it comes to sending HIPAA compliant email via Twilio SendGrid, this is not a supported feature.

Is Paubox HIPAA compliant?

Paubox was built around the Paubox Foundations, three big ideas, and a mission to become the market leader for HIPAA compliant communication.

Paubox provides a BAA for all paid and freemium customers.

In addition, the following solutions are HITRUST CSF certified:

While an official HIPAA compliance certification does not exist, it’s widely acknowledged HITRUST CSF is the closest thing to it. In a nutshell, not only is Paubox HIPAA compliant, but its solutions are also HITRUST CSF certified.

Conclusion

Both Twilio SendGrid and Paubox offer a transactional email API that alleviates the need for customers to fret about infrastructure and maintenance of in-house email systems. Publicly traded, Twilio SendGrid is a much larger company than Paubox.

Twilio SendGrid, however, is not tailored for U.S. healthcare. This is apparent both from its technical design and its compliance department.

Paubox, on the other hand, was built from the ground up to provide secure, easy-to-use, HIPAA compliant email. This is apparent from its technical design (four patents and counting), HITRUST CSF certification since 2019, and inclusion of a business associate agreement for all customers (paid and freemium).

Four trends in healthcare startups and how APIs help with HIPAA compliance

The healthcare tech industry is constantly evolving. However, four major trends will likely impact the success of healthcare tech start-ups in 2023. 

Learn about the top trends of successful healthcare start-ups and how tapping into the power of existing APIs can help your company lift off the runway faster. 

Four trends in healthcare start-ups and how HIPAA compliant APIs can help

  1. Digital health adoption: The COVID-19 pandemic has accelerated the adoption of digital health technologies, and this trend will likely continue in the coming years. This may create opportunities for healthcare tech start-ups that offer digital health solutions such as telemedicine platforms, remote monitoring devices, or digital health management tools.
  2. Personalized medicine: There is growing interest in personalized medicine, which involves tailoring treatment and prevention strategies to an individual’s unique characteristics, such as their genetic makeup or lifestyle.
  3. Artificial intelligence: Artificial intelligence (AI) is increasingly used in healthcare to analyze large amounts of data and make predictions or recommendations.
  4. Data privacy and security: As more personal health information is collected and stored digitally, there is growing concern about data privacy and security. Healthcare tech start-ups that can offer solutions to help protect personal health information may be in high demand.

Overall, the healthcare tech industry will continue to evolve. However, start-ups developing solutions that respond to industry needs are better positioned for success.

How can APIs help healthcare tech start-ups?

By using APIs, developers can easily integrate functionality from one system into another, which speeds up the development process and gets new products or features to market faster.

Three benefits to using APIs to get to market faster

  1. Reuse existing functionality: By using APIs, developers can leverage the functionality already built in other systems rather than recreate it from scratch. 
  2. Easily integrate with other systems: APIs make it easy to integrate different systems and exchange data between them. 
  3. Rapid prototyping: APIs can help developers quickly test new ideas to see how they work in a real-world environment. 

Overall, using APIs can be a powerful tool for getting new products or features to market faster. This is because they allow developers to leverage existing functionality, easily integrate with other systems and rapidly prototype new ideas.

Why use a HIPAA compliant email API for your healthcare app? 

HIPAA (Health Insurance Portability and Accountability Act) is a U.S. law that sets standards for protecting personal health information (PHI). It applies to healthcare providers, insurance companies, and other organizations that handle personal health information.

Using a HIPAA compliant email API can help ensure that PHI is transmitted securely and in compliance with HIPAA regulations. This is especially important if you send sensitive information via emails, such as patient records or test results.

Secure email API for HIPAA compliance

It’s an exciting time for healthcare startups. Emerging technology is evolving and transforming modern healthcare. Make the most of your development runway and get to market faster with the best possible tech by leveraging APIs.

Paubox Email API instantly levels up your healthcare app by adding the ability to send secure and HIPAA compliant email that includes PHI.

HIPAA compliant email with Paubox Email API via Python3 wrapper

Using the Python3 wrapper for Paubox Email API

In today’s post, we are going to use the Python3 wrapper for the Paubox Email API. Python is one of the most popular languages of 2022 and has a thriving developer community. You can learn how to use Paubox’s secure email API with your Python3 application by following the simple steps shown below.

  • Creating a Python project
  • Configuring the credentials
  • Invoking the API

Creating a Python Project

In this example, we are using Visual Studio Code to set up the Python project and configure our Paubox credentials. We start by creating a simple folder to house the project, but you can create a virtual environment to keep it separate from other environments.

Create a folder named paubox-python3-wrapper and open it in Visual Studio Code. Make sure you have Python installed. Open a terminal and execute the following command, which installs the Python3 SDK for Paubox:

pip3 install paubox-python3

Create a new file and name it paubox-python-wrapper.py. This file will contain all the logic for calling the API. Create one more file named config.cfg. We will use this to store our Paubox credentials.

Configuring the credentials

To configure the credentials, you must have a Paubox account. You can sign up here. After signing up, follow this 5-minute guide to verify your domain and generate an API key. Copy the API key and keep it safe as it is shown only once. If you forget it or lose it, you must generate a new one.

Navigate to the config.cfg file and add these two lines. Enter the values from your account. 

PAUBOX_HOST: 'https://api.paubox.net/v1/ENTER_YOUR_USERNAME_HERE'
PAUBOX_API_KEY: 'ENTER_YOUR_API_KEY_HERE'

Paste the API key that you generated earlier in the PAUBOX_API_KEY field and paste your username from the Paubox dashboard in the designated area of the PAUBOX_HOST field. Your username is present in the unique API endpoint for your domain. See the image below for reference. The blurred portion is your unique username.

Lastly, you must install the config package to use the configuration file in your application. To do this, run the following command: pip3 install config.

Invoking the API using the helper class

We now have the project and credentials configured. Let’s write some code to invoke the API. There are two ways in which you can invoke the API. The first method uses the Mail helper class and the second one is without it. 

In the first two lines, we are importing the main paubox class and the Mail helper class. In the next section, we are importing the config class and opening the config.cfg file created earlier. Next, we create an instance of the PauboxApiClient by passing the API key and host from the config file. The next four lines contain the recipients, from address, subject and content. After this, we prepare an object of the Mail helper class by setting the from address, subject, recipients list and content. Lastly, we invoke the get() method from the mail object and pass it as an argument to the send method of the paubox_client. If everything went well, you should see something similar in your logs and an email in your inbox. 

{"sourceTrackingId":"x00x0x00-0x00-0x00-xx00-00000x0xxx00", "data":"Service OK"}

Invoking the API without the helper class

Without the helper class, you can invoke the API using a JSON payload. The first few steps remain the same as before. After creating an instance of the PauboxApiClient, you must create a JSON object that contains the recipients, subject, from_address and content. See below to understand the structure.

Instead of calling the get() method of the Mail helper class and passing its result as an argument, we can just pass the JSON object as the parameter to the send() method. You should see the same response as before if everything went well.

Configuring other options

Each option can be set either through the Mail helper class or directly in the JSON payload:

  • allowNonTLS
    Option for helper class: optional_headers = {'allowNonTLS': True}, then add it to the Mail object as shown: mail = Mail(from_, subject, recipients, content, optional_headers)
    Option for JSON payload: add 'allowNonTLS': True inside the message field of the JSON payload.
    Description: Add this option to allow sending mails that need not be HIPAA compliant.
  • forceSecureNotification
    Option for helper class: optional_headers = {'forceSecureNotification': True}, then add it to the Mail object as shown: mail = Mail(from_, subject, recipients, content, optional_headers)
    Option for JSON payload: add 'forceSecureNotification': 'true' inside the message field of the JSON payload.
    Description: Add this to use 2-factor authentication. Instead of an email, the recipient receives a notification about a new message in Paubox.

You can also add other headers or options for different functionality. See the table below. See our Github page to view the complete list of available options and headers that you can use.
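The post describes the JSON payload path and two message options, allowNonTLS and forceSecureNotification, which sit inside the message field. The following is an added example, not code from the original post or from the Paubox SDK: it assembles that payload in plain Python and vets it before it is handed to a client, refusing to send a message flagged as carrying PHI when allowNonTLS has been switched on. The nested data/message layout and the header names are assumptions drawn from the post's description rather than verified against the SDK documentation; the PHI policy is this example's own, and the stand-in client is constructed so the script runs offline. The same check applies to the Java setter message.setAllowNonTLS(true) described in the next post.

```python
"""Build and vet a Paubox-style email payload before sending it.

Added example; not Paubox SDK code. The payload layout
(data.message.recipients / headers / content plus the allowNonTLS and
forceSecureNotification flags inside message) is an assumption based on
the post's description of the JSON payload path.
"""
import json
import re

# Minimal address sanity check, constructed for this example; not RFC 5322 complete.
_ADDR_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def build_payload(from_, subject, recipients, content, options=None):
    """Assemble the nested payload for the non-helper (raw JSON) path.

    `options` may carry 'allowNonTLS' and 'forceSecureNotification'; the post
    places both inside the message field, so they are merged there.
    """
    if not recipients:
        raise ValueError("at least one recipient is required")
    for addr in list(recipients) + [from_]:
        if not _ADDR_RE.match(addr):
            raise ValueError(f"malformed address: {addr!r}")
    message = {
        "recipients": list(recipients),
        "headers": {"subject": subject, "from": from_},
        "content": dict(content),
    }
    message.update(options or {})
    return {"data": {"message": message}}


def vet_payload(payload, contains_phi=True):
    """Return policy findings; an empty list means the payload may be sent.

    Policy (this example's own, not Paubox's): a message that carries PHI must
    not opt out of TLS, the body must not be empty, and the subject must be set.
    """
    findings = []
    message = payload.get("data", {}).get("message", {})
    if contains_phi and message.get("allowNonTLS") is True:
        findings.append("allowNonTLS is set on a message that carries PHI")
    content = message.get("content") or {}
    if not any(content.get(k) for k in ("text/plain", "text/html")):
        findings.append("content has no text/plain or text/html body")
    if not message.get("headers", {}).get("subject"):
        findings.append("subject header is empty")
    return findings


def send_if_clean(client, payload, contains_phi=True):
    """Hand the payload to the client only when vetting raises no findings."""
    findings = vet_payload(payload, contains_phi)
    if findings:
        raise PermissionError("; ".join(findings))
    return client.send(payload)


class _LoggingClient:
    """Constructed stand-in for PauboxApiClient so the example runs offline."""

    def __init__(self):
        self.sent = []

    def send(self, payload):
        self.sent.append(payload)
        # Shape mirrors the response shown in the post; the id is a placeholder.
        return {"sourceTrackingId": "00000000-0000-0000-0000-000000000000",
                "data": "Service OK"}


if __name__ == "__main__":
    client = _LoggingClient()
    ok = build_payload("care-team@example.com", "Your lab results are ready",
                       ["patient@example.com"],
                       {"text/plain": "Please log in to the portal to view them."})
    print(json.dumps(send_if_clean(client, ok), indent=2))

    # Same message, but with TLS made optional: the vetting step blocks it.
    risky = build_payload("care-team@example.com", "Your lab results are ready",
                          ["patient@example.com"],
                          {"text/plain": "Results attached."},
                          options={"allowNonTLS": True})
    try:
        send_if_clean(client, risky)
    except PermissionError as exc:
        print("blocked:", exc)
```

Run it as a script to see one payload accepted and the allowNonTLS variant refused before it reaches the client; in a real integration, replace _LoggingClient with the SDK client and keep the vetting step in front of every send.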

HIPAA compliant email with Paubox Email API using the Java wrapper

Using the Java wrapper for HIPAA compliant email with the Paubox Email API

In the previous post, we went over the NodeJS wrapper to integrate Paubox with your application for HIPAA compliant email. Today, we’re looking at the Java wrapper. The main steps remain the same as before. 

  • Creating a Java project
  • Configuring the credentials
  • Invoking the API

Creating a Java Project

In this example, we are using Eclipse to create a Java project. Open the Eclipse IDE, click on File from the top navbar and select New → Java Project. Enter a project name and click on Next. Then click Finish.

To use the Paubox Java SDK, you must download the stable JAR and include it in the classpath. You can download the JAR from here. To include it in your classpath, right-click on the project in Eclipse and navigate to Build Path → Configure Build Path. Select the Libraries tab and click on Classpath. From the right menu, select Add External JARs. Now, navigate to the downloaded JAR and click on Apply and Close.

Java build path

The next step is to create the main class. This can be done by simply right-clicking on the src directory and navigating to New → Class. Enter a name for the class and click Finish. In this example, we are naming the class JavaWrapper.

Configuring the credentials

The next step is to configure the credentials. For this, you must have a Paubox account. You can sign up here. After signing up, follow this 5-minute guide to verify your domain and generate an API key. Copy the API key and keep it safe as it is shown only once. If you forget it or lose it, you must generate a new one.

Right-click the project once again and navigate to New → File. To use Paubox’s secure email API, you must configure the credentials inside a properties file. Name the file config.properties and click Finish. Inside the file, add these two lines and enter the values from your account.

APIKEY: ENTER_YOUR_API_KEY_HERE
APIUSER: ENTER_YOUR_USERNAME_HERE

Paste the API key that you generated earlier in the APIKEY field and paste your username from the Paubox dashboard in the APIUSER field. Your username is present in the unique API endpoint for your domain. See the image below for reference. The blurred portion is your unique username.

Domain info

Invoking the API

We now have the project and credentials configured. Let’s write some code to invoke the API. The great thing with an IDE like Eclipse is that you can resolve imports very easily by just hovering over the unresolved classes. 

The main function has only two lines of code. The first line uses the ConfigurationManager class to get the properties file. This loads the API key and username. The next line invokes the SendMessage() method. Notice that we use the classname directly since the method is static. In a production scenario you must use an instance of this class and invoke the method in a non-static manner as the arguments will be computed at runtime. 

Now, let’s take a look at the SendMessage method that houses most of the logic. In the first three lines, we create objects of Message, Content and Header. In the next line, we add recipients using the setRecipients() method of the Message object. It accepts a String array. In the next three lines, we set the from address, subject and reply to address using the setFrom(), setSubject(), and setReplyTo() methods from the Header object. All three methods accept String arguments. In the next two lines, we set the header and content objects created and configured earlier to the message object. 

Lastly, we create an instance of the EmailService class and invoke the sendMessage() method passing the message object. If everything went well, you should see something similar in your logs and an email in your inbox. 

["sourceTrackingId":"x00x0x00-0x00-0x00-xx00-00000x0xxx00", "data":"Service OK", errors=null]

Configuring the options variable

Option / Description

  • message.setAllowNonTLS(true);
    Add this option to allow sending mails that need not be HIPAA compliant.
  • message.setForceSecureNotification("true");
    Add this to use 2-factor authentication. Instead of an email, the recipient receives a notification about a new message in Paubox.
  • message.setCc(new String[] { "[email protected]" });
    Sets the CC field in the email. The field accepts a single argument (of type String array) containing the email addresses.
  • message.setBcc(new String[] { "[email protected]" });
    Sets the Bcc field in the email. The field accepts a single argument (of type String array) containing the email addresses.

The options variable used in the above example also accepts other configuration parameters. See the table below. To view the source code, visit this Github page.

OCR’s Notice of Proposed Rulemaking

Wondering about the status of OCR’s Notice of Proposed Rulemaking? OCR announced the proposed rulemaking in December 2020. Although the proposal was not technically subject to the “regulatory freeze” by the Biden administration, it was effectively delayed because OCR extended the public comment period until May 2021.

OCR’s NPRM to modify HIPAA

On January 21, 2021, OCR published a Notice of Proposed Rulemaking (NPRM) to modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to support individuals’ engagement in their healthcare, remove barriers to coordinated care, and decrease regulatory burdens on the healthcare industry, while continuing to protect individuals’ health information privacy interests.

OCR developed many of the proposals in the NPRM in response to public comments received in response to its 2018 Request for Information (RFI) on Modifying the HIPAA Rules to Improve Coordinated Care.

The NPRM proposed changes to the Privacy Rule include proposals to:

  • Strengthen individuals’ rights to access their own health information, including electronic information.
  • Improve information sharing for care coordination and case management for individuals.
  • Facilitate family and caregiver involvement in the care of individuals experiencing emergencies or health crises.
  • Enhance flexibilities for disclosures in emergency or threatening circumstances, such as the opioid and COVID-19 public health emergencies.
  • Reduce administrative burdens on HIPAA covered healthcare providers and health plans.

The estimated total cost saving from this proposed regulatory reform is $3.2 billion over five years.

Wondering about the status of OCR’s Notice of Proposed Rulemaking?

On January 21, 2021, the NPRM for the proposed HIPAA privacy rule changes was published in the Federal Register. The deadline for submitting comments on the 357-page proposal was March 22, 2021. Almost everyone interacting with healthcare systems will be affected by the proposed changes to the HIPAA Privacy Rule. In light of the potential impact of the proposed HIPAA changes, the deadline for submitting comments was extended to May 6, 2021. OCR has not yet provided a date for when the Final Rule will be issued, but it is likely to result in HIPAA changes in 2023, although they may not become enforceable until 2024.
