Comparing Google Workspace to Paubox for HIPAA compliant email (2023 update)

What's the difference between Google Workspace and Paubox?  (2023 update)

As it relates to providing HIPAA compliant email service, we originally compared Google Workspace to Paubox in 2018.

In our initial review, we found the Google Workspace business associate agreement did not include the actual transmission of email across the internet as being in scope.

Now that it’s 2023, perhaps Google Workspace has changed its stance or scope on providing HIPAA compliant email service. As such, we’ll revisit the question: What’s the difference between Google Workspace and Paubox for HIPAA compliant email?

See related: Is Microsoft 365 HIPAA compliant? (2023 update)

About Google Workspace

Google Workspace (formerly known as G Suite) is a suite of cloud-based productivity and collaboration tools offered by Google. It includes services such as Gmail, Google Drive, Google Docs, Google Sheets, Google Slides, Google Calendar, Google Meet, Google Keep, and others.

These tools can be used by individuals, teams, and businesses to communicate, store, and manage data and documents, and collaborate on projects.

About Paubox Email Suite

Paubox Email Suite is for healthcare organizations seeking to remove friction from their HIPAA compliant communications. Paubox Email Suite is a cloud-based solution that provides a seamless user experience for both senders and recipients of secure email.

Unlike incumbent solutions that force recipients to login to a portal to read a secure message, the Paubox solution allows the recipient to read a secure email in their inbox, just like a normal message.

Paubox launched in 2015 and currently has over four thousand customers in all 50 states.

Is Google Workspace HIPAA compliant?

There’s a primary item to consider when it comes to Google Workspace and its ability to provide a HIPAA compliant service.

First, let’s start with a quick recap of terms. The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that protects the privacy of individuals’ personal health information, otherwise known as protected health information (PHI).

As we’ve previously discussed, HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity.

A business associate agreement (BAA) is a written contract between a covered entity and a business associate. It is required by law for HIPAA compliance and is the primary item to consider when it comes to Google Workspace and its ability to be HIPAA compliant.

In the case of Google Workspace, the service would certainly fall into the category of business associate if it’s servicing customers that would store, process, or transmit PHI on its platform.

We googled Google’s site and found their BAA: G Suite HIPAA Business Associate Amendment. From there, we eventually found the Google HIPAA Implementation Guide, which is an informational guide that Google makes available describing how customers can configure and use Google services to support HIPAA compliance.

Google’s HIPAA Implementation Guide

Within Google’s HIPAA Implementation Guide, the first section to pay attention to is called HIPAA Included Functionality.

This page states:
“As of July 21, 2020, The following functionality is Included Functionality under the applicable HIPAA Business Associate Addendum:

Gmail, Calendar, Drive (including Docs, Sheets, Slides, and Forms), Apps Script, Keep, Sites, Jamboard, Google Chat, Google Meet, Google Voice (managed users only), Google Cloud Search, Cloud Identity Management, Google Groups, Google Tasks and Vault (if applicable).”

As we can see, Gmail is included in the Google Workspace BAA.

The next section within the Google HIPAA Implementation Guide to pay attention to is called:

What to consider for specific Google Workspace Core Services

Scrolling down a bit, we find the subheading called Gmail. The HIPAA guidance here is vague, as Google only makes two claims about Gmail and HIPAA compliance:

  • Intended recipients. “Gmail provides controls to help users ensure that messages and attachments are only shared with the intended recipients.”
  • BCC field. “If Gmail is used to email groups of individuals or mailing lists, users are advised to use the ‘Bcc:’ field instead of the ‘To:’ field so recipients of the email are hidden from each other.”

It should be noted that two basic tenets of HIPAA compliant email are entirely absent from this guidance:

  • How is the email encrypted in transit?
  • How is the email encrypted at rest?

Google’s Best practices and data privacy

In an effort to gain clarity about the ability of Google Workspace to provide encrypted, HIPAA compliant email while it transits the internet, we eventually found a Google Support page called Best practices and data privacy.

From there, we found a page called Security checklist for medium and large businesses. Scrolling down a bit, we found an expandable section called Gmail (Google Workspace only). Once expanded, we found a checkbox labeled Enforce TLS with your partner domains. Bingo. We found the setting we’re looking for:

To learn more about this checkbox, we clicked Require mail to be transmitted via a secure (TLS) connection.

From there, we found several nuggets of useful info:

  • Not all email is encrypted. “By default, Gmail always tries to use a secure TLS connection when sending email. However, a secure TLS connection requires that both the sender and recipient use TLS. If the receiving server doesn’t use TLS, Gmail still delivers messages, but the connection isn’t secure.”
  • Enforcing strict TLS encryption results in missing email. “Add the Secure transport (TLS) compliance setting to always use TLS for email sent to and from domains and addresses that you specify.” If this setting is enabled, here’s what happens:
    • Outgoing email. “Messages aren’t delivered, and will bounce. You’ll get a non-delivery report. Gmail makes only one attempt to send messages over a non-TLS connection.”
    • Incoming email. “Incoming messages from non-TLS connections are rejected without any notification to you. The sender gets a non-delivery report.”
  • Google allows insecure versions of TLS. “Google Workspace supports TLS versions 1.0, 1.1, 1.2, and 1.3.” As we’ve seen from guidance issued by the NSA in 2021, TLS versions 1.0 and 1.1 are insecure. In fact, NSA is on the record as stating:
    • “The National Security Agency (NSA) emphatically recommends replacing obsolete protocol configurations with ones that utilize strong encryption and authentication to protect all sensitive information.”

See related: Paubox eliminates obsolete TLS protocols, follows NSA guidance

Is Paubox HIPAA compliant?

Paubox was built around the Paubox Foundations, three big ideas, and a mission to become the market leader for HIPAA compliant communication.

Paubox provides a BAA for all paid and freemium customers.

In addition, the following solutions are HITRUST CSF certified:

While an official HIPAA compliance certification does not exist, it’s widely acknowledged that HITRUST CSF is the closest thing to it. Not only is Paubox HIPAA compliant, but its solutions are also HITRUST CSF certified.

Paubox was built using patented technology whereby, if a secure connection cannot be established to the receiving mail server, Paubox automatically detects this and then converts the message (plus any attachments) to the Paubox Secure Message Center. The recipient then needs only a single extra click to securely access the message.

In other words, the email is not bounced, rejected, or sent unencrypted, as is the case with Google Workspace’s built-in encryption settings.

In addition, Paubox supports only secure versions of TLS. Following the aforementioned NSA guidance, here’s a list of security protocols supported by Paubox:

  • SSL v2 (Not Supported)
  • SSL v3 (Not Supported)
  • TLS 1.0 (Not Supported)
  • TLS 1.1 (Not Supported)
  • TLS 1.2 (Supported)
  • TLS 1.3 (Supported)
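The delivery outcomes quoted from Google’s documentation above and the Paubox fallback described here, modelled side by side as an added example (not Paubox or Google code): a hardened client context that refuses TLS below 1.2, a STARTTLS probe for a partner mail server, and a check of which partner domains can safely be put on the enforce-TLS list. The policy names, the `probe_starttls` and `safe_to_enforce` helpers, and the sample domains are this example’s own assumptions.

```python
"""Added example (not Paubox or Google code): models the three outbound-TLS
behaviours described in the text and the partner-domain check a Workspace
admin would want before enabling "Enforce TLS with your partner domains".

Delivery outcomes follow the quoted Google documentation and the Paubox
description; the function and policy names are this example's own.
"""
import smtplib
import ssl
from enum import Enum
from typing import Dict, List, Optional

# Versions the NSA guidance quoted in the text allows, and those it retires.
ALLOWED_TLS = {"TLSv1.2", "TLSv1.3"}
OBSOLETE_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Versions Google Workspace accepts, per the support page quoted in the text.
GOOGLE_SUPPORTED = {"TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}


class Policy(Enum):
    OPPORTUNISTIC = "opportunistic"       # Gmail default: try TLS, else cleartext
    ENFORCED = "enforced"                 # Gmail "Secure transport (TLS)" setting
    FALLBACK_PORTAL = "fallback_portal"   # Paubox: no secure hop -> secure portal


def hardened_context() -> ssl.SSLContext:
    """Client context that refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> Optional[str]:
    """Connect to a receiving MX and report the negotiated TLS version.

    Returns e.g. 'TLSv1.3', or None when the server offers no STARTTLS or
    the handshake fails under the hardened context (i.e. only TLS 1.0/1.1).
    Needs network access, so the offline checks do not call it.
    """
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                return None
            smtp.starttls(context=hardened_context())
            return smtp.sock.version()
    except (smtplib.SMTPException, ssl.SSLError, OSError):
        return None


def deliver(policy: Policy, peer_tls: Optional[str]) -> str:
    """Outcome of one outbound message, given the version the receiver negotiates.

    peer_tls is None when the receiving server offers no TLS at all.
    """
    accepted = ALLOWED_TLS if policy is Policy.FALLBACK_PORTAL else GOOGLE_SUPPORTED
    if peer_tls in accepted:
        # Google still negotiates TLS 1.0/1.1; flag that as weak rather than secure.
        return "delivered_obsolete_tls" if peer_tls in OBSOLETE_TLS else "delivered_encrypted"
    if policy is Policy.OPPORTUNISTIC:
        return "delivered_plaintext"   # "Gmail still delivers ... the connection isn't secure"
    if policy is Policy.ENFORCED:
        return "bounced"               # "Messages aren't delivered, and will bounce"
    return "portal"                    # message converted to the Secure Message Center


def safe_to_enforce(observed: Dict[str, Optional[str]]) -> List[str]:
    """Partner domains that negotiate TLS 1.2+ and can go on the enforce-TLS list.

    observed maps domain -> version as returned by probe_starttls.
    Domains that would bounce under an enforced policy are left out.
    """
    return sorted(d for d, v in observed.items() if v in ALLOWED_TLS)


if __name__ == "__main__":
    # Constructed sample probe results; no real domains or mail servers implied.
    sample = {"partner-a.example": "TLSv1.3", "partner-b.example": "TLSv1",
              "partner-c.example": None, "partner-d.example": "TLSv1.2"}
    print("safe to enforce:", safe_to_enforce(sample))
    for domain, version in sample.items():
        for policy in Policy:
            print(f"{domain:20} {policy.value:16} -> {deliver(policy, version)}")
```

Run `probe_starttls` against your own partner MX hosts and feed the results to `safe_to_enforce` before turning on the compliance setting; any domain it leaves out is one whose mail would bounce.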

Conclusion

Both Google Workspace and Paubox offer HIPAA compliant email services for organizations.

While Google Workspace provides a wide array of services that fall in scope of its BAA, its encrypted email component falls short in the following areas:

  • By default, Google Workspace’s Gmail will attempt to make a secure connection to the receiving email server, but if a secure connection cannot be established, it will send the message unencrypted. This is not a HIPAA best practice.
  • While Google Workspace can be configured to require a secure connection, messages to your recipients whose email addresses do not support encryption will not be delivered. They will be bounced or rejected.
  • Insecure versions of TLS are allowed. As we’ve covered, Google Workspace supports TLS versions 1.0, 1.1, 1.2, and 1.3. As mentioned however, it’s widely known that TLS versions 1.0 and 1.1 are insecure and should not be allowed.

Paubox Email Suite can be quickly configured to integrate with and complement Google Workspace.

The extra layer of security (HITRUST CSF certified), ease of use, and peace of mind are the reasons why thousands of customers choose Paubox to supplement Google Workspace.

Is Hotmail HIPAA compliant? (2023 update)

We originally wrote about Hotmail and its ability to provide HIPAA compliant email in 2015.

In our initial review, we found that Hotmail was not HIPAA compliant and should be avoided by healthcare professionals. Now that it’s 2023, we’ll revisit the question: Is Hotmail HIPAA compliant?

Hotmail

Hotmail was founded in 1996 as one of the world’s first free webmail services. It was acquired by Microsoft in 1997 and was soon rebranded as MSN Hotmail.

In 2013, Hotmail was replaced with Outlook.com, which features Microsoft’s Metro design language and closely mimics the interface of Microsoft Outlook. It should be noted that Outlook.com is not the same product as Microsoft 365.

See related: Is Microsoft 365 HIPAA compliant?

Hotmail and the business associate agreement

There’s a primary item to consider when it comes to Hotmail and its ability to provide a HIPAA compliant email service.

First, let’s start with a quick recap of terms. The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that protects the privacy of individuals’ personal health information, otherwise known as protected health information (PHI).

As we’ve previously discussed, HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity.

A business associate agreement (BAA) is a written contract between a covered entity and a business associate. It is required by law for HIPAA compliance. In the case of Hotmail, the service would certainly fall into the category of business associate if it’s servicing customers that would store, process, or transmit PHI on its email platform.

We checked Microsoft’s site and found a page called Health Insurance Portability and Accountability Act (HIPAA) & Health Information Technology for Economic and Clinical Health (HITECH) Act. The page outlines each Microsoft product that is considered in scope for the Microsoft BAA. Hotmail was not listed anywhere on the page.

Does Hotmail offer HIPAA compliant service?

The Business Associate Agreement (BAA) is a key component to HIPAA compliance between a covered entity and a business associate.

In regards to being considered a HIPAA compliant email solution, we were able to learn the following about Hotmail and its parent company Microsoft:

  • Microsoft 365 can be HIPAA compliant and is considered in scope by the Microsoft BAA
  • Hotmail however, is not covered by the Microsoft BAA

Conclusion: As we originally concluded in 2015, Hotmail remains not HIPAA compliant. It should be avoided by covered entities and business associates.

Can I email a face sheet and be HIPAA compliant?

A face sheet, also known as a cover sheet or demographic sheet, is a document that contains a summary of a patient’s personal and demographic information.

In this post, we’ll answer the question, “Can I email a face sheet and be HIPAA compliant?”

Face sheets

Face sheets, or demographic sheets, typically include the patient’s name, address, date of birth, insurance information, and emergency contact information. They may also include information about the patient’s medical history, current medications, and allergies.

Face sheets are often used in hospitals and clinics to provide quick access to a patient’s information for healthcare providers.

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that protects the privacy of individuals’ personal health information, otherwise known as protected health information (PHI).

As we’ve previously discussed, HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity.

A business associate agreement (BAA) is a written contract between a covered entity and a business associate. It is required by law for HIPAA compliance.

HIPAA compliant email

At a high level, here’s what to look for in a HIPAA compliant email solution:

  • How is email encrypted in transit?
  • How is email encrypted at rest?
  • Will each vendor that processes or handles PHI in email sign a BAA with your organization?
  • As a best practice, is the HIPAA compliant email solution HITRUST CSF certified?

For example, Google Workspace and Microsoft 365 are popular cloud-based email service providers that are willing to sign BAAs. Their out-of-the-box encryption solutions, however, are widely regarded as either non-existent or incredibly cumbersome.

Solutions like Paubox Email Suite can integrate seamlessly with these providers, without the need for customers to change their email addresses, download an app, or even alter the way email is sent.

See related: HIPAA Compliant Email: The Definitive Guide

Can I email a face sheet and be HIPAA compliant?

The simple answer here is yes, as long as you choose a HIPAA compliant email solution that encrypts your email data as it travels across the internet (in transit), encrypts your email at rest (i.e., your mailbox), and is able to sign a BAA with your organization.

It should be noted that it’s common to select an email service provider like Google or Microsoft to handle the hosting of the email (encryption at rest) and to choose another provider to handle the email encryption component (encryption in transit).

Bonus points if your email encryption provider(s) are able to provide HITRUST CSF certification, like Paubox.

See also: Paubox renews, expands HITRUST CSF certification through 2023

Why should primary care doctors use Paubox? A Paubox employee story

As a person with a disability, I love how the Internet makes life easier for me. But when it comes to interacting with my primary care doctor, making the appointment is where convenience ends. You see, my doctor’s clinic doesn’t use Paubox for HIPAA compliant communication.

Last year I became physically unable to drive my vehicle due to progression of a neurological condition. However, some amazing technology exists that makes it possible to drive using just a joystick – a video game-style joystick! It was an exciting thing to discover and I wanted to make it happen.

But it’s a long road going from seeing something on YouTube to making it a reality – especially when the DMV is involved. The first part of my long road involved getting a new learner’s permit for modified-vehicle driving. To do this I had to have my primary care physician fill out a DMV form that said I would be medically ok to drive so I emailed my doctor the blank form to fill out.

Unfortunately, she could not simply email the completed form back because her clinic could not guarantee that the communication would be HIPAA compliant. Instead I had three options:

  1. Come and pick it up.
  2. Have it snail-mailed to me.
  3. Have it faxed to me.

Imagine my frustration, being told the fastest way to get the form was to get in my car when I can’t even drive myself without getting the form in the first place!

The second option wasn’t optimal because that meant delaying my return to driving by a week.

And the third option – in the 2020s – is to BUY A FAX MACHINE and then install a landline just so I can use it???

It sounds ridiculous but had I known then what I know now, I actually would have scoured Craigslist for a $10 fax machine since I ended up needing over a dozen forms filled out by my doctor last year. 

I understand the law and I understand its importance. What I don’t understand is why medical organizations large and small don’t realize that regular email CAN be HIPAA compliant.

Hospitals, clinics, and doctors just need Paubox to secure patient email communication and be HIPAA compliant.

Had my doctor’s clinic been using Paubox, she could have sent me the scanned form back the day she filled it out. I wouldn’t have had to coordinate multiple rides to her office, wasting time and gas. The clinic wouldn’t have had to print out a label, put it on an envelope, and stuff the envelope with my form then have someone find it when I got there. It’s a win for everyone.

Making lives easier for patients like me is one of the reasons I work at Paubox.

HIPAA Compliant Email: The Definitive Guide

Last updated: 25 January 2023

Welcome to the definitive guide on HIPAA compliant email.

This guide will provide you with a thorough understanding of the requirements for HIPAA compliant email and the steps you can take to ensure your organization is in compliance.

We will cover topics such as what to look for in a HIPAA compliant email solution, email encryption methods, HIPAA violations and fines, and an FAQ section you won’t find anywhere else.

This guide is intended for healthcare professionals, IT staff, and anyone else responsible for maintaining or acquiring a HIPAA compliant email solution.

By the end of this guide, you will have the knowledge necessary to confidently use email for healthcare communication while ensuring the protection of PHI.

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that was enacted in 1996. It sets national standards for protecting the privacy and security of certain health information, known as protected health information (PHI). The law applies to health plans, healthcare clearinghouses, and certain healthcare providers that conduct certain financial and administrative transactions electronically, such as billing and claims submissions.

HIPAA includes two main rules: the Privacy Rule and the Security Rule. The Privacy Rule establishes national standards for protecting the privacy of PHI. It specifies how PHI can be used and disclosed, and gives individuals certain rights with respect to their PHI. The Security Rule establishes national standards for protecting the security of electronic PHI. It specifies administrative, physical, and technical safeguards that covered entities must implement to secure ePHI.

HIPAA is designed to protect the privacy and security of individuals’ health information and to ensure that healthcare providers and insurers can securely exchange electronic health information. Violations of HIPAA can result in significant fines and penalties for covered entities.

Protected health information (PHI)

Protected health information needs to be protected in all mediums: electronic, paper, and oral. PHI isn’t just confined to medical records and test results. In fact, any information that can identify a patient and is used or disclosed during the course of care is considered PHI. Even if the information by itself doesn’t reveal a patient’s medical history, it is still considered PHI.

A related term is ePHI, which stands for electronic protected health information. The terms can be used interchangeably when referring to HIPAA compliant email.

Covered entities and business associates

HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity.

Business associate agreement

A business associate agreement (BAA) is a written contract between a covered entity and a business associate. It is required by law for HIPAA compliance.

At a minimum, a BAA must include ten provisions.

HIPAA compliance and email

To ensure HIPAA compliance when using email, it’s imperative to use secure email solutions that encrypt messages and attachments in transit and at rest.

It’s now a common practice to use an email service provider like Google Workspace or Microsoft 365 to maintain the hosting of your organization’s email, while using a separate company to provide additional protection like email encryption, security, data loss prevention, and backups.

See related: Can I use Google Workspace (G Suite) and be HIPAA compliant?

See related: Is Microsoft 365 HIPAA compliant?

What to look for in a HIPAA compliant email solution

Here’s what to look for in a HIPAA compliant email solution:

  • How is email encrypted in transit?
  • How is email encrypted at rest?
  • Will each vendor that processes or handles PHI in email sign a business associate agreement with your organization?
  • As a best practice, is the HIPAA compliant email solution HITRUST CSF certified?

HIPAA violations and fines

The penalties for a HIPAA violation can be severe. Both civil and criminal penalties can be enforced by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights.

In general, breaches that fall under reasonable cause range from $100 to $50,000 per breach. Willful neglect cases range from $10,000 to $50,000 and often result in criminal charges being brought against the people involved.

This chart shows how civil penalties can reach a maximum of $1.5 million per violation:

Violation | Minimum Penalty | Maximum Penalty
Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA | $100 per violation, with an annual maximum of $25,000 for repeat violations (Note: maximum that can be imposed by State Attorneys General regardless of the type of violation) | $50,000 per violation, with an annual maximum of $1.5 million
HIPAA violation due to reasonable cause and not due to willful neglect | $1,000 per violation, with an annual maximum of $100,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million
HIPAA violation due to willful neglect but violation is corrected within the required time period | $10,000 per violation, with an annual maximum of $250,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million
HIPAA violation is due to willful neglect and is not corrected | $50,000 per violation, with an annual maximum of $1.5 million | $50,000 per violation, with an annual maximum of $1.5 million

Criminal penalties, carrying higher fines per violation as well as imprisonment, can also be applied when HIPAA violations are knowingly committed.

Criminal penalties are divided into three tiers:

Tier | Potential Jail Term
Reasonable cause or no knowledge of violation | Up to one year
Obtaining PHI under false pretenses | Up to five years
Obtaining PHI for personal gain or malicious intent | Up to ten years

Read more: The complete guide to HIPAA violations

Paubox HIPAA Breach Report

The Paubox HIPAA Breach Report analyzes protected health information (PHI) breaches affecting 500 or more people as reported to the Department of Health & Human Services (HHS).

Paubox has been compiling a monthly HIPAA Breach Report since June 2017. Since that time, the data clearly shows that email breaches are statistically the most likely entry point for an organization to suffer a HIPAA breach.

Email encryption methods

There are four approaches to encrypting email:

  • Transport Layer Security (TLS)
  • PGP and S/MIME
  • Portals
  • Apps

FAQ

Here are some frequently asked questions about HIPAA compliant email.


Q: When does my HIPAA liability end when sending email?

A: Once an email has been delivered to the end recipient’s system using encryption, the covered entity or business associate has fulfilled their obligations for the HIPAA Privacy Rule.

Read more: How do I know when my HIPAA privacy obligation for email encryption ends?


Q: Does the subject line of an email have to be encrypted?

A: If the subject line contains ePHI, yes it must be encrypted. It should be noted that it is not the responsibility of a healthcare provider to assure that incoming email is encrypted (although many organizations like having this feature).

Read more: Does an email subject line have to be HIPAA compliant?


Q: Does the email message header have to be encrypted?

A: An email message header includes fields that provide information about the sender, recipient, and routing of the message.

Some common email header fields include:

  • From: the email address of the sender
  • To: the email address of the primary recipient
  • Subject: the subject or topic of the message
  • Date: the date and time the message was sent
  • Cc: (carbon copy) list of recipients who are to receive a copy of the message
  • Bcc: (blind carbon copy) list of recipients who receive a copy of the message without the other recipients being aware
  • Reply-To: the email address that should be used when replying to the message
  • Message-ID: a unique identifier for the message
  • In-Reply-To: the Message-ID of the message that this message is a reply to
  • References: a list of Message-IDs for messages that this message is related to

As you can see, there are myriad instances in which PHI can be inserted into a message header. You should therefore be encrypting email message headers as a best practice.


Q: Do all email encryption methods encrypt a message header?

A: Email sent via Transport Layer Security (TLS) does encrypt the message header while it’s in transit across the internet.

Email sent using PGP or S/MIME, however, does not encrypt the message header.

Since we already know that message headers are likely to contain PHI, we can conclude that PGP and S/MIME are not sufficient forms of encryption for HIPAA compliant email.


Q: Why isn’t PGP more widely used to encrypt email?

A: PGP (Pretty Good Privacy) is a long-established standard for email encryption, but it is not widely adopted. Here are several reasons why:

  1. Complexity. PGP requires users to generate and manage their own public and private keys, which can be a complex and time-consuming process for non-technical users.
  2. Lack of Integration. PGP requires additional software and plugins to be installed in order to work with most email clients, which can be a barrier to adoption for some users.
  3. Security concerns. PGP has been criticized for having numerous security vulnerabilities in the past, which has led to some organizations being hesitant to adopt it.
  4. Ease of use. PGP is not as user-friendly as some other encryption methods, which can make it less appealing.

Q: Does PGP email still have security vulnerabilities?

A: PGP has had a number of notable security vulnerabilities identified over the years. They include:

  1. EFAIL. In May 2018, a group of researchers discovered a vulnerability in the way PGP and S/MIME handle email encryption, known as EFAIL. It allows attackers to read the plaintext of encrypted emails by intercepting, manipulating, and then re-encrypting the ciphertext. Ciphertext is the result of encryption performed on plaintext using an algorithm.
  2. Key-pair collision. PGP uses a hash function to generate a “fingerprint” of a public key, which is used to identify the key. In 2017, it was discovered that it’s possible to generate two distinct keys with the same fingerprint, which could be used to impersonate someone else’s key.
  3. Key-server vulnerability. PGP relies on key servers to distribute public keys. In 2011, a vulnerability was discovered that could allow an attacker to upload a malicious key to a key server, which could then be used to impersonate someone else.
  4. Malicious Key. PGP relies on users to verify the authenticity of public keys before using them to encrypt messages. In some cases, attackers have been able to trick users into using a malicious key, which could allow them to decrypt the messages.

It should be noted most of these vulnerabilities have since been addressed by the PGP community and vendors.

Read more: PGP and S/MIME aren’t as secure as you think


Q: Are email attachments encrypted?

A: Yes. Email attachments encrypted by either TLS, PGP, or S/MIME will be encrypted in transit.


Q: Am I responsible for incoming emails to be HIPAA compliant?

A: HIPAA does not require covered entities and business associates to encrypt their inbound email. To maintain HIPAA compliance, healthcare organizations need to implement technical safeguards for outbound email that contains PHI. The best technical safeguard is using encryption.

Read more: Do you need inbound email security to be HIPAA compliant?


Q: If I password protect an email attachment, does that make it HIPAA compliant?

A: The guidance from HHS is clear: forgoing encryption and only using password protection for a document (or an entire hard drive, for that matter) is not sufficient and has already led to publicized HIPAA fines.

Therefore, using only password protection for attaching a document via email is not a HIPAA compliant approach and should be avoided.

Read more: Is my password-protected PDF document HIPAA compliant?


Q: Is it HIPAA or HIPPA?

A: People often confuse HIPAA email and HIPPA email. Therefore, it’s easy to Google HIPPA compliant email or HIPPA email. In short, Google is smart and knows the correct spelling while pointing you to the right pages by default. In a nutshell, “HIPPA compliant email” or “HIPPA email” are not correct. “HIPAA compliant email” or “HIPAA email” are the correct search terms.


Q: What versions of Transport Layer Security encryption are considered secure?

A: In January 2021, the NSA issued the following guidance:

“The National Security Agency (NSA) emphatically recommends replacing obsolete protocol configurations with ones that utilize strong encryption and authentication to protect all sensitive information… Network connections employing obsolete protocols are at an elevated risk of exploitation by adversaries.”

Furthermore:

“NSA recommends that only TLS 1.2 or TLS 1.3 be used; and that SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1 not be used.”

Following NSA guidance, here’s a list of security protocols supported by Paubox:

  • SSL v2 (Not Supported)
  • SSL v3 (Not Supported)
  • TLS 1.0 (Not Supported)
  • TLS 1.1 (Not Supported)
  • TLS 1.2 (Supported)
  • TLS 1.3 (Supported)

Read more: Paubox eliminates obsolete TLS protocols, follows NSA guidance
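An administrator can verify the same property on their own mail server. The added example below (not Paubox code) pins a STARTTLS handshake to one protocol version at a time, renders the outcome in the form of the list above, and checks the result against the NSA floor of TLS 1.2; `mail.example.com` and port 587 are placeholders, and SSL 2.0 is not probed because Python's `ssl` module cannot negotiate it at all.

```python
"""Probe which TLS protocol versions a mail server accepts on STARTTLS."""
import smtplib
import ssl
import sys
from typing import Dict, List, Optional

# Protocol versions named in the NSA guidance quoted above. Python's ssl
# module cannot negotiate SSL 2.0 at all, so that version is not probed.
OBSOLETE = {
    "SSL 3.0": ssl.TLSVersion.SSLv3,
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
}
ACCEPTABLE = {
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
    "TLS 1.3": ssl.TLSVersion.TLSv1_3,
}


def hardened_client_context() -> ssl.SSLContext:
    """Context for your own outbound TLS: certificate and hostname checks on,
    and nothing below the NSA-recommended floor of TLS 1.2 permitted."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def pinned_context(version: ssl.TLSVersion) -> Optional[ssl.SSLContext]:
    """Context that can negotiate exactly one protocol version, or None when
    the local OpenSSL build refuses to enable that version at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # The probe tests protocol support, not the server's identity, so
    # certificate verification is deliberately off for the probe only.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version  # lower the floor first ...
        ctx.maximum_version = version  # ... then cap at the same version
    except ValueError:
        return None
    return ctx


def probe_starttls(host: str, port: int, version: ssl.TLSVersion,
                   timeout: float = 10.0) -> bool:
    """True if the server completes a STARTTLS handshake at exactly `version`."""
    ctx = pinned_context(version)
    if ctx is None:
        return False
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            smtp.starttls(context=ctx)
            return True
    except (smtplib.SMTPException, ssl.SSLError, OSError):
        return False


def survey(host: str, port: int = 587) -> Dict[str, bool]:
    """Probe every listed version and return {name: accepted}."""
    versions = {**OBSOLETE, **ACCEPTABLE}
    return {name: probe_starttls(host, port, v) for name, v in versions.items()}


def meets_nsa_guidance(results: Dict[str, bool]) -> bool:
    """Pass only if no obsolete version is accepted and TLS 1.2 or 1.3 is."""
    return (not any(results.get(n, False) for n in OBSOLETE)
            and any(results.get(n, False) for n in ACCEPTABLE))


def report(results: Dict[str, bool]) -> List[str]:
    """Render results in the same form as the list above."""
    return [f"{name} ({'Supported' if ok else 'Not Supported'})"
            for name, ok in results.items()]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"  # placeholder
    outcome = survey(target)
    print("\n".join(report(outcome)))
    print("Meets NSA guidance:", meets_nsa_guidance(outcome))
```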


Q: Do international companies need to abide by HIPAA?

A: If an international company handles or transmits PHI of U.S. citizens, it is subject to HIPAA regulations.

Read more: Do international companies have to abide by HIPAA?


Q: Does email qualify under the HIPAA Conduit Exception rule?

A: The HIPAA Conduit Exception Rule was created by the HIPAA Privacy Rule in December 2000. In a nutshell, the conduit exception is limited to transmission-only services for PHI (whether in electronic or paper form). Since every email account has email stored in it, this would preclude it from being a transmission-only service.

In summary, email does not qualify under the HIPAA Conduit Exception rule.

Read more: HIPAA Conduit Exception Rule – what is it?


Q: Can a covered entity or business associate use a consumer email service provider like Yahoo or Hotmail?

A: As we’ve covered, a business associate agreement is required for any vendor handling or processing PHI on behalf of a covered entity or business associate. We have not found a single consumer email service that provides a BAA. Therefore, using a provider like Yahoo or Hotmail is not HIPAA compliant and should be avoided.

Read more: Is Yahoo HIPAA compliant?

Read more: Is Hotmail HIPAA compliant?


Q: What is HITRUST?

A: HITRUST is a standards development organization that was founded in 2007. It develops and maintains a healthcare compliance framework called the HITRUST CSF. The HITRUST CSF is designed to unify security controls from federal law (HIPAA), state law, and non-governmental frameworks (PCI-DSS) into a single framework that’s tailored towards use in the healthcare industry.

Paubox solutions have been HITRUST CSF certified since 2019.

Read more: Paubox renews, expands HITRUST CSF certification through 2023


Q: Does Paubox have patents for its work on encrypted email?

A: Yes, Paubox currently has four patents.

Read more: U.S. Patent Office approves our approach to email encryption


Q: What is the HHS Notification of Enforcement Discretion and does it apply to email?

A: When the pandemic first hit in March 2020, the U.S. Department of Health and Human Services (HHS) quickly announced the Notification of Enforcement Discretion, which allowed health care providers to use widely available audio or video communication apps without the risk of incurring HIPAA fines.

This notice allows health care providers to use popular applications to provide telehealth services, so long as they are “non-public facing.”

Email is not in scope of the HHS Notification of Enforcement Discretion; it applies only to non-public facing audio and video communication services.

See also: HIPAA privacy and security guidelines as they relate to telehealth

Understanding the patient journey

The patient journey in healthcare is the process that a patient goes through from the moment they first seek medical attention to the time they are fully recovered or their condition is stabilized.

Understanding the patient journey is essential for healthcare professionals, as it allows them to provide better care and improve the overall patient experience.

This post will expound on the distinct stages of the patient journey.

See related: Using email to personalize messaging during the patient journey

Pre-appointment

The first stage of the patient journey is the pre-appointment. This is the stage where a patient first becomes aware of their need for healthcare services and starts researching potential providers.

During this stage, patients may be experiencing symptoms that are causing them concern, or they may have been referred to a healthcare professional by another practitioner.

Scheduling and appointment

This is the stage where a patient schedules an appointment with a healthcare provider and may receive pre-appointment instructions. HIPAA compliant email can be a useful solution during this stage.

Consultation

This is the stage where the patient meets with the healthcare provider to discuss their condition and treatment options. The initial consultation is an opportunity for the healthcare professional to gather information about the patient’s symptoms, medical history, and overall health status. This information will be used to make a diagnosis and develop a treatment plan.

Diagnosis and treatment

This is the stage where the patient receives a diagnosis and begins treatment. This is when a healthcare professional conducts tests and procedures to confirm or rule out a diagnosis. This may include lab tests, imaging studies, or other diagnostic procedures.

During this stage, patients may feel anxious or uncertain as they wait for test results. It’s important for healthcare professionals to keep patients informed and provide support during this time. This is another key stage where a solution like Paubox Email Suite can be beneficial for both the patient and provider.

This stage is also when a patient begins to receive treatment for their condition. The type of treatment will depend on the diagnosis and may include medication, therapy, or surgery. During this stage, patients may have to make significant lifestyle changes, such as starting a new medication regimen or undergoing surgery. This can be a challenging time for patients, and healthcare professionals should provide support and guidance to help patients navigate this stage of their journey.

Recovery and follow-up

This is the stage where the patient recovers from their condition or treatment and may have follow-up appointments or check-ins with their healthcare provider.

Ideally, this is when a patient’s condition begins to improve and they begin to return to their normal activities. Recovery can be a slow process, and patients may experience setbacks or complications. During this stage, healthcare professionals should monitor patients closely and provide ongoing support and care.

Post-treatment

This is the stage where the patient completes their treatment and may continue to receive follow-up care or support. A patient’s condition should be stabilized by this point, such that they are able to manage themselves with minimal intervention.

Patients may still need to take medication or attend follow-up appointments, but their overall health has improved. During this stage, healthcare professionals should continue to provide support and guidance to help patients maintain their health and prevent complications.

See related: Personalized email marketing in healthcare

Conclusion

In conclusion, understanding the patient journey in healthcare is essential for healthcare professionals, as it allows them to provide better care and improve the overall patient experience.

It’s important for healthcare professionals to be aware of the different stages of the patient journey and the challenges that patients may face at each stage.

By providing support and guidance, healthcare professionals can help patients navigate the healthcare system and improve their overall health outcomes.

Managing your healthcare IT cybersecurity budget in 2023

As a CISO or Director of IT in the healthcare industry, you know that cybersecurity is a top priority. But with so many other demands on your budget, how do you prioritize spending?

In this blog post, we’ll share some tips on how to allocate your healthcare IT cybersecurity budget. We’ll discuss the most important areas to invest in and offer advice on getting the most bang for your buck.

Healthcare is one of the most targeted industries by cybercriminals

Cybercriminals have increasingly targeted the healthcare industry because delivering quality patient care requires collecting large amounts of personal data. In fact, according to a recent report, cybersecurity incidents in healthcare reached an all-time high in 2021.

To protect against various digital threats, it is essential for healthcare organizations to secure their emails, monitor their inbound communications and seal all entry points into their networks. While no one solution can completely protect you from being affected by ransomware or other cyberattacks, having solid systems in place can help mitigate threats and prevent a potential data breach.

Healthcare IT cybersecurity budgets are on the rise

In response to the growth of cybercrime, the trend towards increased budgets for cybersecurity is becoming more and more apparent. The cost of a data breach in the U.S. in 2022 averaged $9.4 million, according to IBM. And not only do organizations suffer financial losses but also a gigantic hit to their reputation that is hard to earn back.

It is estimated that 2023 will see an increase in cybersecurity budgets due to global cybercrime threats. This means healthcare organizations will be pushed even further to protect their networks and patient data with firewalls, encryption and identity and access management. Healthcare IT security officers will need to continuously stay ahead of future risks and current threats to keep sensitive patient information secure.

How to allocate your cybersecurity budget

Budgeting for cybersecurity is a tricky equation—especially now, as we face an uncertain economic landscape. Add to that a shortage of cybersecurity and infosec staff to address growing needs, and it becomes critical to budget efficiently.

One approach is to look at budgeting from three key angles: prevention, detection and response.

For prevention, focus on cost-effective solutions that limit potential organizational risks, such as enforcing multi-factor authentication into all systems with sensitive information.

In terms of detection, evaluate where sensitive information is stored and whether you have the means to automate monitoring and alerting on anomalies. This should also be weighed against the cost of using existing solutions or adopting new ones.

Finally, with response, identify what kind of reaction will have the best outcome for your organization if something goes wrong. Plan for this accordingly by allocating resources to the people and technology necessary for responding effectively and mitigating loss.

Look for gaps in these three areas, paying particular attention to your current cybersecurity stack: where can you leverage existing solutions, and where can you easily implement new ones? That tells you where budget is needed. Don’t underestimate the value of budgeting more heavily for prevention to stop threats before they happen.

Any new technology may also require additional staff if the solution is not easy to use, so be sure to factor in headcount as well.

The benefits of investing in healthcare IT cybersecurity

Investing in cybersecurity is essential for healthcare given HIPAA regulations and maintaining the security and privacy of sensitive patient data.

From a financial perspective, the C-suite should consider that an ounce of prevention often means saving both money and your reputation when compared to the cost of any resulting damages post-breach.

Plus, cybersecurity investments can help convince patients, health plans and others that their data is safe. And having adequate protocols and tools in place not only helps protect your organization but can also equip your IT staff and infosec professionals with resources to strengthen their defenses against potential threats.

Tips for stretching your cybersecurity budget

Making the most of your cybersecurity budget can be a challenge. Still, with the right strategies, you can optimize existing tools, train staff and invest in new reliable tools to avoid attacks.

It helps to start by assessing your current software solutions to identify any areas that need strengthening or adjustments.

Next, you’ll want to ensure your employees receive training on proper IT security protocols. This is key to avoiding cyberattacks. Improving employee understanding helps protect against malicious intent or simple user errors that can lead to costly data breaches.

Lastly, investing in quality tools—such as endpoint protection or data encryption software—is important for keeping confidential data safe from potential cybercriminals.

Implementing these strategies will help you optimize your budget and give you added peace of mind.

It pays to invest in cybersecurity

Cyberattacks against healthcare organizations are becoming more common and more costly. As a result, IT cybersecurity budgets are on the rise. However, it is important to allocate your funds in a way that will maximize the benefits of investing.

By following the tips we’ve provided, you can stretch your budget and still invest in the best possible security for your organization.

Try Paubox for free

Paubox Email Suite

Ensure every email is HIPAA compliant—without the hassle of portals or passcodes.

Start for free

What is the OCR and what does it do?

What is the Office for Civil Rights?

The Office for Civil Rights (OCR) is a department within the United States Department of Health and Human Services (HHS). It enforces federal civil rights laws that prohibit discrimination based on race, color, national origin, disability, age and sex in programs and activities that receive federal financial help from HHS.

This includes enforcing the Health Insurance Portability and Accountability Act (HIPAA), which sets standards for protecting certain health information. The OCR also provides technical guidance to help covered entities comply with these laws and regulations.

How does the OCR enforce HIPAA?

The OCR enforces HIPAA by investigating complaints and conducting compliance reviews to ensure that covered entities, such as healthcare providers and insurance companies, comply with HIPAA regulations. If the OCR finds that a covered entity has violated HIPAA, it can take a number of enforcement actions, including:

  • Issuing a warning letter to the covered entity
  • Imposing a monetary fine on the covered entity
  • Requiring the covered entity to implement a corrective action plan to address the violation
  • Terminating the covered entity’s ability to receive federal funding
  • Referring the case to the Department of Justice for criminal prosecution

The specific enforcement action that the OCR takes will depend on the severity of the violation and the covered entity’s history of compliance with HIPAA.

What are the different fines for violating HIPAA?

There are two categories of HIPAA violations: civil and criminal.

Civil HIPAA violations can result in fines ranging from $100 to $50,000 per violation, with a maximum fine of $1.5 million per year for multiple violations of the same requirement.

Criminal HIPAA violations can result in much more severe fines and prison sentences. For example, obtaining or disclosing individually identifiable health information with the intent to sell, transfer or use it for personal gain is a criminal HIPAA violation. It can result in a fine of up to $50,000 and up to one year in prison.

Other criminal HIPAA violations, such as obtaining or disclosing individually identifiable health information under false pretenses, can result in fines of up to $100,000 and up to five years in prison.

It’s important to note that these are maximum fines and prison sentences and that the actual penalties imposed by the courts may be lower. The specific penalty will depend on the circumstances of the case.

How do you report a HIPAA breach to the OCR?

If you suspect a HIPAA breach, you can report it to the OCR by:

  • Filing a complaint online: You can file a complaint through the OCR’s website. You will need to provide your name and contact information, as well as the name of the covered entity that you believe has violated HIPAA.
  • Contacting the OCR by phone: You can call the OCR’s toll-free hotline at 1-800-368-1019 to report a HIPAA breach.
  • Sending a written complaint: You can also send a written complaint to the OCR by mail or fax. The mailing address and fax number can be found on the OCR’s website.

It’s important to note that the OCR only has jurisdiction to investigate HIPAA violations by covered entities, such as healthcare providers, health plans and healthcare clearinghouses. If you want to report a HIPAA violation by a business associate of a covered entity, it’s best to contact the covered entity directly.


Sandboxing for healthcare IT

What is sandboxing?

Sandboxing is a technique for isolating a program or process so that it can run without affecting other parts of the system. It lets you run potentially untrusted or malicious code in a contained environment where you can monitor and analyze it without posing a risk to the rest of the system.

This can be useful for testing, debugging and analyzing software, as well as for protecting against security threats. You can implement sandboxing in various ways, depending on the desired level of isolation and the resources available. Some common methods include using virtual machines, containers or restricted user accounts.

Why use sandboxing?

There are several reasons why you might want to use sandboxing:

  1. Security: To protect your system from malicious software, you can run it in a sandbox to monitor and analyze it without affecting the rest of your system.
  2. Testing: Sandboxing can be useful for testing and debugging software. It allows you to run code in a controlled environment where you can observe its behavior and identify any issues.
  3. Analysis: Sandboxing can be used to analyze software. It is well suited to reverse engineering and malware analysis, since it lets you safely run code and examine its behavior.
  4. Development: Sandboxing can be helpful for software development. It allows you to experiment with new code and test it without worrying about breaking your system or other software.
  5. Isolation: Sandboxing can be used to isolate different processes or programs from each other. This can be useful for preventing conflicts or interference between them.

See more: What is URL sandboxing?

Who uses sandboxing?

Anyone who wants to run potentially untrusted or harmful code in a contained environment can use sandboxing. This can include individuals, organizations and governments. Some common users of sandboxing include:

  1. Security professionals: Sandboxing is often used by security professionals to analyze and test software for vulnerabilities or malicious behavior.
  2. Software developers: Sandboxing can be useful for software development. It allows developers to experiment with new code and test it without worrying about breaking their systems or other software.
  3. System administrators: Sandboxing can be used by system administrators to isolate different processes or programs from each other. This can be useful for preventing conflicts or interference between them.
  4. Users: Many modern operating systems include sandboxing features for users to protect their systems from potentially harmful software.
  5. Governments: Sandboxing helps governments analyze and test software for vulnerabilities or malicious behavior, as well as isolate sensitive systems from potential threats.

See more: What’s the difference between heuristics and sandboxing in email security?

Sandboxing and HIPAA compliance

Sandboxing can be a useful tool for achieving Health Insurance Portability and Accountability Act (HIPAA) compliance. HIPAA is a U.S. law that establishes standards for the protection of sensitive medical information, known as protected health information (PHI). Sandboxing for healthcare IT can help isolate PHI from other parts of a system, which can help prevent unauthorized access or disclosure of information.

However, it’s important to note that sandboxing alone is not sufficient for HIPAA compliance. In order to comply with HIPAA, an organization must implement a range of technical, physical and administrative safeguards to protect PHI.

Sandboxing is just one component of a broader HIPAA compliance strategy, rather than the sole means of protection. It’s also important to ensure that you properly configure and maintain any sandboxes you use to handle PHI.

See more: Google’s privacy sandbox and HIPAA


Successful patient engagement in 2023

Patient engagement is even more critical in 2023

By engaging patients more effectively, you can improve their satisfaction, loyalty and outcomes. But the increase in digital tools and the proliferation of health information online can actually create distance between patients and providers.

From the increasing importance of online communication to the role of patient portals, we’ll cover the tools and techniques that healthcare organizations can use to engage with their patients and improve their healthcare experience.

Let’s explore the key trends and best practices for successful patient engagement in 2023.

See more: Top 7 healthcare marketing trends for 2023

Remote patient monitoring

Remote patient monitoring (RPM) is a trend that’ll see significant growth in 2023. RPM involves using technology to remotely collect and transmit patient data, such as vital signs, to healthcare providers. This means you can monitor your patients without seeing them in person.

There are several benefits to RPM for both patients and healthcare organizations. For patients, RPM can provide greater convenience, as patients can monitor their health from the comfort of their homes. It can also improve patient outcomes, as healthcare providers can identify and address potential issues more quickly.

For healthcare organizations, RPM can reduce costs by reducing the need for in-person visits and improve patient satisfaction by providing more personalized care. It can also improve the efficiency of care delivery, as healthcare providers can monitor multiple patients at once and respond to any issues in real time.

It’s expected that RPM will continue to see widespread adoption in the coming years as technology improves and healthcare organizations look for ways to improve care delivery and reduce costs.

See more: HIPAA privacy and security guidelines as they relate to telehealth

Automating multi-channel appointment reminders

Remembering appointments can be challenging for patients, particularly if they juggle multiple medical appointments or have busy schedules. This is where automating multi-channel appointment reminders can be a game-changer for healthcare organizations.

Multi-channel appointment reminders involve using various channels, such as email, text messages and phone calls, to remind patients about their appointments. By automating this process, healthcare organizations can slash no-shows, which cost healthcare providers roughly $150 billion, and improve patient retention.

It can be more convenient and less stressful to receive reminders through a patient’s preferred communication channel automatically. For healthcare organizations, it can improve efficiency and reduce the workload of staff members who would otherwise have to send reminders manually.

See more: How to make HIPAA compliant email stress-free for doctors

Self-service patient portals

A patient portal is an online platform that lets patients access their medical records, schedule appointments and communicate with their healthcare providers. Self-service patient portals offer numerous benefits for both patients and healthcare organizations.

However, because portals require additional logins and passwords, the adoption rate is often low. If you want to engage more effectively with your patients, it’s best to communicate with them via channels they’re already using.

Related: Are patient portals ruining your healthcare business?

The rise of healthcare consumerism

Healthcare consumerism refers to the shift towards patients taking a more active role in their own healthcare decisions, including choosing their healthcare providers and treatments.

This trend has been driven by several factors, including the increasing availability of online healthcare information, the rising cost of healthcare and the increasing emphasis on patient experience. Patients are now more empowered to make informed decisions about their healthcare and are looking for healthcare organizations that meet their needs and preferences.

When it comes to engaging healthcare consumers, healthcare organizations should focus on providing transparent, personalized care and making it easy for patients to access information and services. This includes having a strong online presence, offering convenient appointment scheduling and payment options, and using customer relationship management (CRM) tools to track and analyze patient data.

Healthcare consumerism also requires organizations to be transparent and upfront about their services and pricing. Patients are increasingly looking for value and are more likely to choose healthcare providers that offer clear and fair pricing.

Healthcare organizations can effectively market to healthcare consumers in 2023 and beyond by focusing on patient-driven care and transparent, personalized service.

See more: What does HHS consider healthcare marketing?

Security awareness and Paubox

Security awareness is a crucial aspect of patient engagement in the digital age. The increasing amount of personal and medical information shared online makes it essential for healthcare organizations to prioritize the security and privacy of their patients. This includes implementing strong security measures and regularly training staff on best practices for protecting patient data.

One aspect of security awareness that’s particularly relevant is email security. Email is a commonly used communication tool in healthcare, but it can also be vulnerable if not properly protected. Hackers can use tactics such as phishing scams to gain access to sensitive information, and healthcare organizations need to have measures in place to prevent these types of attacks.

Paubox is a tool that can help healthcare organizations enhance patient engagement by enabling secure communication. It allows patients to securely receive and send sensitive information via email, such as test results and appointment reminders. This helps improve the patient experience and protects the privacy of personal and medical information.

Paubox also integrates with electronic health record (EHR) systems, allowing seamless communication between healthcare providers and patients.

Besides using a secure email platform, healthcare organizations must educate their employees on best practices for email security. This can include training on identifying phishing scams, creating strong passwords and not sharing sensitive information over email.

Overall, security awareness is crucial for healthcare organizations looking to protect sensitive patient information and prevent data breaches.

By using a secure email platform like Paubox and educating employees on best practices, healthcare organizations can ensure the security of their email communications.

See more: HIPAA compliant email: The definitive guide
