Call now for cybersecurity help: 888-646-1616
Navigating the complexities of HIPAA-compliant email encryption service providers can be challenging for healthcare providers and other regulated businesses. Questions like “How can we securely send PHI via email while maintaining HIPAA compliance?” and “What are the best practices for encrypted email with platforms like Gmail or Microsoft 365?” are common concerns we hear from organizations aiming to safeguard sensitive data.
Email is an indispensable communication tool in today's digital-first world, but for HIPAA-regulated businesses, using email to handle Protected Health Information (PHI) adds an extra layer of complexity. The good news is that sending PHI securely and in compliance with HIPAA requirements is achievable with the right tools and knowledge.
In this guide, we’ll walk you through what it takes to implement HIPAA-compliant email encryption. But first, let’s cover the essential groundwork.
If you're looking for a straightforward solution, our Secure Cloud for Healthcare provides a fast and reliable way to get started.
PHI stands for “Protected Health Information”. PHI is anything that can identify an individual and provide information about their healthcare. Think of it this way, If you are emailing ANYTHING that someone can use to figure out medical information, it's PHI.
For healthcare providers and business associates, PHI is everything. Even in places that you wouldn't think to look, like notes on a calendar or files in a “Downloads” folder. This infographic does an awesome job demonstrating all of the different places where PHI can hide.
Hint: There are a lot of them.
So, you get it: PHI is important. PHI is everywhere. So what do you do?
First, you need to understand the basics of encryption.
Encryption is at the heart of many of today’s data protection tools. It’s an effective way to shield data from prying eyes.
It’s not important to understand how encryption works.
All you need to know is that you start with an ultra-important secret message:
Be sure to drink your Ovaltine.
When it gets emailed out, it looks like this to anyone who tries to intercept it:
-----BEGIN PGP MESSAGE-----
Version: BCPG C# v1.6.1.0hQIOAwfq5Jrby+ZxEAf/QOdUNAhEOSfC8FD35VYqbplUXim0t02sGEakLSgPRn5hhk8kB3e1Mcqu6WN1RGXDmb0YMZapWh0oNj0syq4InrXyZMumhrCGWJwDusCH+NEQXfC4LilogaQTxKNwaF2OjRt0I7hPBrndaKhrHVC3XftK1YKwigJuFDDgKy34/5AcfU1id+R4HJucPUzz0KBOKafMpJmjVH98qgP7DWEjb5ZOimQBi7jWJF2jnYBbceFhwpL9BwtiN0yPqaZLFrZfoGAZ8HpDNV5PRgXXe6Ajekx7Jju6sZpdX2euMzOjeRC0W0QvavFkjdVXN9x2UqlQ71S3iS/bAPQCORztWQ7LIwf+JO1q7/eHg/BSuQZkI9mRXAUaslJmqZNqMmjIt1nCC2yPXYDaHEjHfMZWZycKpBPkG6QIDjNZQXgfEoA5O+wkbBWsV/cXyYw5BPECLvcmbiG4rSJ+VS06libmdpPmdOmldNWYFk+PXbh/zAAzt1GT8eBh5o9hzBdSicFNBeSZZJW9O2mQElvKJLHHry2DK1YXpfTNeK/X02nerIqGXq3S7e05klSoIc0JoKaQNzOyJBKwOa2qmG+55HKQ3ElPYM+Y3NNzP/i1nNP/oGClR6WmcuLLYrLH69fZ5rcpPHaaASTzR2g3fzYWn4cUExHRmSYNsfCfFSrdDxawpO5jwCwMYck/ZLs7dHShx9YhQDTAOvmRN6rNadrhTLBD8VZ+7pbcWfeYSTa6K68PO7a3x604MqgveVZ3tgwCIUAweveGoWQi=yIpJ
-----END PGP MESSAGE-----
But then when your patient or customers get the email, it automatically decrypts it to deliver Ovaltine joy!
Not too complicated, right?
So, you get it: PHI is important. PHI is everywhere. So what do you do?
First, you need to understand the basics of encryption.
Encryption is at the heart of many of today’s data protection tools. It’s an effective way to shield data from prying eyes.
It’s not important to understand how encryption works.
All you need to know is that you start with an ultra-important secret message:
Be sure to drink your Ovaltine.
When it gets emailed out, it looks like this to anyone who tries to intercept it:
-----BEGIN PGP MESSAGE-----
Version: BCPG C# v1.6.1.0hQIOAwfq5Jrby+ZxEAf/QOdUNAhEOSfC8FD35VYqbplUXim0t02sGEakLSgPRn5hhk8kB3e1Mcqu6WN1RGXDmb0YMZapWh0oNj0syq4InrXyZMumhrCGWJwDusCH+NEQXfC4LilogaQTxKNwaF2OjRt0I7hPBrndaKhrHVC3XftK1YKwigJuFDDgKy34/5AcfU1id+R4HJucPUzz0KBOKafMpJmjVH98qgP7DWEjb5ZOimQBi7jWJF2jnYBbceFhwpL9BwtiN0yPqaZLFrZfoGAZ8HpDNV5PRgXXe6Ajekx7Jju6sZpdX2euMzOjeRC0W0QvavFkjdVXN9x2UqlQ71S3iS/bAPQCORztWQ7LIwf+JO1q7/eHg/BSuQZkI9mRXAUaslJmqZNqMmjIt1nCC2yPXYDaHEjHfMZWZycKpBPkG6QIDjNZQXgfEoA5O+wkbBWsV/cXyYw5BPECLvcmbiG4rSJ+VS06libmdpPmdOmldNWYFk+PXbh/zAAzt1GT8eBh5o9hzBdSicFNBeSZZJW9O2mQElvKJLHHry2DK1YXpfTNeK/X02nerIqGXq3S7e05klSoIc0JoKaQNzOyJBKwOa2qmG+55HKQ3ElPYM+Y3NNzP/i1nNP/oGClR6WmcuLLYrLH69fZ5rcpPHaaASTzR2g3fzYWn4cUExHRmSYNsfCfFSrdDxawpO5jwCwMYck/ZLs7dHShx9YhQDTAOvmRN6rNadrhTLBD8VZ+7pbcWfeYSTa6K68PO7a3x604MqgveVZ3tgwCIUAweveGoWQi=yIpJ
-----END PGP MESSAGE-----
But then when your patient or customers get the email, it automatically decrypts it to deliver Ovaltine joy!
Not too complicated, right?
Under HIPAA, there are strict rules for sending PHI over email. There are two choices:
#2 is a hassle. HIPAA-compliant email encryption is the only way to guarantee #1. Period.
If you want to send PHI over email, you need to make sure that data is encrypted.
What our clients say
Like many things in life, it isn’t as straightforward as you might think.
Also like many things in life, it’s a perpetual trade-off between cost and convenience.
When you’re choosing a solution, think about ease of use in both sending and receiving. Sure, there are encryption solutions out there that are free or low-cost.
But they aren’t worth it if they’re going to be inconvenient or disruptive.
The available solutions fall all over that spectrum. It’s up to you to decide which one will fit your needs best.
Here are a few options:
In a moment, we'll get into some more complicated encryption solutions. But first, we want to note that HIPAA does give patients autonomy over their own data.
This means that there is one way that you can send PHI to a patient in an unencrypted email.
You have to:
Be careful, though. You have to be absolutely 100% sure that you never accidentally email someone who hasn’t opted in. Because that, my friend, is a breach.
Want to explore this option? Here’s a great article that explains it in better detail.
Unfortunately, our favorite email and productivity suite (Gmail) doesn’t support sending encrypted emails. That’s a must-have when it comes to sending PHI, but it will work fine if you want to just email non-PHI.
We did find one way to send encrypted emails through Gmail, but it’s a huge pain. The tool, Secure Gmail, requires you to give the recipient a password via a non-email method.
That sort of defeats the whole purpose of using email for patient communication. It may be just fine for sporadic personal use, but it’s definitely not scalable in a business setting.
Your mileage may vary, but we don’t recommend it.
There’s only one other completely free option, and that’s to not send PHI via email at all. You can use email for things like setting up appointments, but handle PHI only through phone calls and snail mail.
Unfortunately, those are your only solutions in the $0 price range.
Search online for "secure email," and you'll inevitably see the company Virtru mentioned.
The Virtru add-on is easy to add to your account (though not very easy to use).
Once you install it, here’s how it works -- if you're using it inside of Gmail, it looks like this:
When the patient gets the email, here’s what it looks like:
Next, the user has to click the "Unlock Message" button.
Here's where it gets a little annoying -- the user then gets another email, which supposedly verifies that this is the correct email address. Only after clicking the second email can your user access the actual message that was sent.
This double email is a double-edged sword. On the one hand, it's nice that they're not making you remember yet another username and password. On the other hand, this "double email" approach is still pretty confusing for non-technical users (especially older patients!).
On the sending side, we've also found that medical practices can find the add-ons (they also make one for Microsoft Outlook) to be pretty confusing to install. And you have to install yet another app if you want to send from your mobile phone.
Lastly, some of our customers have told us that the lowest-priced plan for which they will sign a HIPAA Business Associate agreement is over $500/year, which puts them out of the reach of some small practices. That's not a lot to pay for HIPAA compliance, but it's a lot to pay for just secure email.
If you work with an IT company, they might be giving you a HIPAA email encryption add-on. It might even be free.
Companies with names like Proofpoint, Mimecast, and Reflexion primarily focus on email security. More specifically, they protect you from phishing attacks, viruses, and ransomware emails.
All of these companies are excellent at keeping your email safe (our favorite, Proofpoint, is what we recommend to clients), but they're not that great at SENDING secure emails.
Here's how most of them work:
When you want to send someone a secure email, you'll use a keyword (like "[SECURE]") in your subject line. That's the signal to the system to encrypt the email.
Here’s an example in Gmail, though it looks the same in whatever email service you use. In fact, you can even do this on your mobile phone!
After sending it, you’ll get a nice confirmation back:
When your recipient gets the email, it will look like this:
The recipient clicks on the “View Encrypted Email” button.
Sounds easy, right?
Well, not so fast. Your patient still needs to sign up for (and remember) a username and password. Patients can find this confusing.
After they log in, they will see the secure email you sent. They can also respond to it.
This one was near the top of our list, but when we tried it with medical practices, we had too many people complain about having to remember usernames and passwords. It can work for a really small practice that almost never sends sensitive data over email, but what if you forget to type in "secure"? It's too easy to make a mistake.
Microsoft365 can send HIPAA compliant encrypted emails but, I warn you, it's very clunky. They've made some recent improvements in early 2019 which are described below, but it's still awkward.
First, get Microsoft365.
When you send the email, it looks like this:
See that button that says "Encrypt"? Click that, and it's just that easy! After you click it, this little header will show up:
Sending a secure email on your side is pretty simple. But when it gets to your recipient, that's when it gets ugly.
Here's what shows up on the other side:
When you click on that, the patient or recipient sees this:
We've found that some older patients really struggle with this, and struggle to remember passwords.
You also need to remember (and train your staff) about how to tell when to send a secure email vs. a regular email. It's really easy to forget.
So while it CAN work (especially if you don't send a lot of secure messages), it's definitely not as easy to use as our favorite option below (#7).
SendSafely is another secure email service, though we wouldn't recommend it for HIPAA email encryption. It specializes in enterprise email encryption and secure file sharing. It can integrate directly with your Gmail or Microsoft 365 account.
Alternatively, you can send an email through their internal portal.
We’ll be blunt: we don’t recommend this option for healthcare providers or HIPAA-covered entities. While SendSafely mentions that they're HIPAA compliant on their website, they don't mention anything about being willing to sign a HIPAA business associate agreement.
Still, we’ll give you a tour of how it works ― in case you’re curious or if you’re looking for a solution for non-HIPAA reasons.
After you install and activate SendSafely, here's an example of what happens in the Gmail user interface:
Instead of encrypting the whole email, SendSafely just encrypts the attachment:
They do give you an interesting option to enable SMS verification. If you have your patient’s phone number, this could be useful. SMS verification is a great way to ensure the identity of the user.
Keep it in mind if you want to go the extra mile in your email security.
On the receiving side, here’s what it looks like:
Simple, right?
As we said, we don’t recommend SendSafely for HIPAA-related purposes, because HIPAA just doesn’t seem to be a focus of theirs. There are better options for compliance-specific email.
But it’s a good one to keep in mind for comparison or for other future uses.
Paubox is an excellent service that will automatically encrypt all of your emails. It's, by far, the best option we've found for HIPAA email encryption. You’ll need a little help setting it up. But once it’s in place, it’s definitely the easiest for both you and your patients.
The best thing about Paubox is that you don't have to tell it which emails to encrypt. It automatically encrypts every email you send.
If your patient uses a modern email system like Gmail or Microsoft 365, they won't even have to click anything. The email will appear in their inbox just like any other.
Paubox uses a trick called TLS encryption to transparently encrypt every email. Actually, over 90% of the emails sent to or received from Gmail are actually encrypted already, according to Google. Paubox manages the rest.
If your patient is using an older email system or an email system that isn't set up the right way, however, they’ll either need to click a link or sign up for a username or password (your choice). But compared to the alternatives, this is still an extremely convenient option.
Bonus: it works with Google Mail or Microsoft 365, too. And mobile! Not to steal Apple's tagline, but it's our favorite because "it just works." Easy for the patient, easy for the doctor.
We also really liked this service while researching this article, and decided to make it part of the solution that we implement for practices that become our clients. We can help you implement Paubox with our Secure Cloud program.
Information around HIPAA email encryption has always been a bit murky. Lots of businesses aren’t sure whether they can safely email PHI.
As we’ve outlined above, the definitive answer is yes. It’s definitely possible to safely and securely send PHI via HIPAA email encryption.
But that’s only if you’re willing to put the time and money into finding a reliable method. Hopefully, this article has given you a clear overview of your options.
It may be a bit more complicated than sending a day-to-day personal email. And sure, it’s a bit more inconvenient. But with experimentation and research, lots of businesses have found encrypted email solutions that work wonderfully for them.
The easiest way to get HIPAA-compliant email with Paubox is through Adelia Risk's Secure Cloud for Healthcare Practices program.
Have questions or feedback? Please share them in the comments below.
Like this article? Share it!
PHI stands for “Protected Health Information”. PHI is anything that can identify an individual and provide information about their healthcare. Think of it this way, If you are emailing ANYTHING that someone can use to figure out medical information, it's PHI.
For healthcare providers and business associates, PHI is everything. Even in places that you wouldn't think to look, like notes on a calendar or files in a “Downloads” folder. This infographic does an awesome job demonstrating all of the different places where PHI can hide.
HIPAA Email Encryption ensures Protected Health Information (PHI) sent via email is secure and accessible only to intended recipients. It converts data into unreadable code during transit, meeting HIPAA rules by safeguarding sensitive medical data from unauthorized access or breaches.
To encrypt an email containing PHI: Get consent to send PHI, and use a HIPAA-compliant email encryption service like Proofpoint, Paubox, Virtru, Mimecast, Reflexion, or Microsoft 365. These services encrypt emails to ensure only the intended recipient can access the information, safeguarding sensitive data and meeting HIPAA requirements.
What our clients say
1. Virtru will not sign a BAA unless you are paying for their MUCH more expensive business version restoring the purchase of multiple accounts per month.. I believe it costs something like $60 per month.
2. You can get GAME for Gmail/Google Apps accounts for $35 per year. It's provided by zixcorp, in partnership with Google.
3. Microsoft365 does not come or of the box with encryption. You must also sigh up for azure rights management and have that configured first. Also, there is a licensing issue with their office software that is included. Commercial businesses cannot install their five "free" copies of office shared by multiple users in a practice. While outlook.com or exchange online accounts can be shared and accessed across computers, you must purchase a separate Microsoft365 account for each separate user in order to install and use office applications. A little gotcha they deliberately aren't clear on.
Good article. I have been using ProtectedTrust and it is very easy to use and implement. They even have an app that allows the login with fingerprint that I use all the time.
Our practice uses SendSafely for HIPPA compliant email and file exchange, and we have a BAA in place with them. I believe the only requirement for them to sign the BAA is that you need to be using the business version (they won't sign for FREE users).
Great news! They must have added that since we did the initial review. We'll plan to re-review them again in the future, thanks for the tip!
Paubox requires an email other than Google Mail.
That's not quite right. No HIPAA-compliant email will let you use a free service so, correct, you cannot use the FREE version of Google Mail. However, we have tons of clients who are happily using the paid version of Google Mail (called Google's Google Workspace), and we've set them up so they're HIPAA compliant and using Paubox. It's a great experience for practices and their patients, so it definitely works.
This information is a little out-dated. With Microsoft365 encryption is included as part of most of the E1-E5 subscriptions and IRM is not required. You can also set up a rule to force TLS and if TLS isn't available it can fall back to M365's default encryption email (which you're right isn't the best but 98% of our email goes TLS already) but this is really no different than what Paubox is doing and charging a lot of money for.
Great feedback! We'll take a look when we do our next update. We had looked at the option of doing forced TLS when we did the initial review, but it wasn't supported at that time.
We did a little more digging on this. Based on talking to tech support, the new process in Microsoft365 isn't quite as smooth as the experience in Paubox. Apparently you can set up your Microsoft365 domain to have mandatory TLS encryption. It will bounce any email back to the user if they try to send it to a domain that doesn't have TLS properly configured. Then, they will need to re-send the message, but they will need to manually re-encrypt it using Microsoft365 Message Encryption. If you have users who are fairly tech-savvy, then this might work, but we still prefer the straight-through ease of Paubox.
So a paid for Google Workspace account (with a BAA in place) and Gmail configured correctly; alone, is still not sufficient under HIPAA ? With all of this in place, one would still need a service like Paubox ?
Great question, Hayden -- a lot of people miss the subtlety of this point.
It depends on two things:
1) Are you planning to send PHI outside of your company (to patients, other practices, insurance companies, billing companies, etc.)
2) How carefully are you going to manage emails that do contain PHI?
If you're only ever going to email PHI within your company, and if your Google Workspace account is configured properly, then you shouldn't need an additional secure email service (like those discussed in this article). Emails inside your four walls would be encrypted and therefore HIPAA compliant.
However, if you're going to email it outside of your company, then you definitely should think about a secure email service. There are some technical hacks you can use to figure out if an individual email address supports TLS encryption, but this falls apart if you have to email more than a few people each month.
Great article!! It nailed all the points I was looking for, although I would have liked to see the sending-end and receiving-end pictures of Paubox, like the examples you gave for other services. If the user experience is so seemless, what in the interface assures the users that the email is indeed encrypted?
I would love to read your follow up article! Will Paubox still be your go-to top choice? Thanks again!!
We just updated the article, and Paubox is still our favorite!
As promised, the section on Microsoft365 encryption has been updated. Still not our favorite...
Unfortunately Paubox has a minimum number of users needed. What do you suggest for a solo practitioner who is just starting and on a limited budget? Thanks
Hi - they don't have a minimum number of users, but they do have a minimum monthly fee. We've found their pricing is pretty comparable to other secure email products, so if all secure email outside of your budget, you may want to not use email for handling PHI until you can afford it.
If the email content does not have any PHI at all , would it be any violation of HIPAA privacy rule ? I am thinking this way : if the email address itself would be an ePHI, even if there is no other ePHI at all, would it be a violation ?
Hi - this is a great question, and you may want to check with your attorney for a definitive answer. We're not lawyers.
That said, I think this falls into a gray area. If the only thing is an email address, then I wouldn't consider that ePHI. However, if it was an email address sent from "Sue's Depression Clinic" or "Sam's Drug Treatment Center," well then that might flip over into ePHI since you've now combined the person's email address with some indication of health information.
Hope that helps!
Please correct me if I'm wrong, regarding #7 and Paubox:
wouldn't TLS, whether forced or opportunistic, be insufficient in terms of HIPAA compliance? We know TLS is good for the data in transit, however, TLS does nothing in terms of protecting the data when it's at rest or in use. With TLS only, the email may sit in a public Gmail server once received, in which case we're out of compliance. The email may be opened by anyone with access to the account, where as an actual encryption solution would require a password or other means of authentication. I'm I missing something with HIPAA compliant email or is there more to Paubox that meets these needs?
Matt - this is a really astute question. Thanks for posting it.
That password used by traditional secure email services is more "security theater" than real security. If an attacker has access to your email, all they'd have to do is click the "forgot password" link in whatever secure email service is being used, and they'll get a new password sent over. Remember, they have access to your email, so nothing would stop them from simply resetting the password and reading the message. Most providers allow you to send a one-time code via email which, again, if an attacker has access to your email gives them full access to the message.
Also, I would challenge the thought that Gmail servers are "public." The major email providers like Gmail, Outlook.com, even Yahoo have excellent security these days. The way that someone's email account would be breached is not likely to be an attack on Google itself, but it's going to be crappy password hygiene and not using two-factor authentication.
So, in our opinion, you lose no actual security by using a product like Paubox that uses forced, managed TLS, and you gain ease of use that makes it a lot less likely that employees will circumvent your secure email program, which is what typically happens.
Thanks for the question!
Thanks so much for the response, Josh. I agree about major email providers having good security over their servers. My question has more to do with the email provider having access to PHI within their email servers. Google stopped scanning email to deliver targeted ads in 2014, but what about other services that might "read" email in hopes of profiling their users? In some cases that content might contain one's medical history. TLS is important, but it seems like it couldn't be enough to make email HIPAA compliant... right?
Boy, you're asking a great (and complicated) question, so let's pull it apart.
If someone is sending you an email with PHI in it, you're right -- TLS doesn't magically make you 100% HIPAA compliant. There's way more that you'd need to do, from securely configuring your computers to securely configuring your email service, and much much more.
If you're sending an email to someone outside of your company (let's say to a patient or another medical practice), you're only responsible for getting it to them securely. It's on THEM to handle it securely from that point forward. Obviously, another medical practice will have more in place to protect the email than a patient will, but it's still not reasonable that a medical practice is responsible for ensuring each patient's safe handling of their own PHI.
But your fundamental question comes down to trust of the cloud providers, like Google or Microsoft. You might be interested in reading through this post on Quora: https://www.quora.com/How-many-Google-employees-can-access-Gmail-data-How-secure-is-Gmail-data-within-Google. It's fairly old, but I think it does a good job of spelling out the protections that these companies have in place against exactly this situation.
The other thing to keep in mind is that these companies are CONSTANTLY being audited to confirm that they're actually living up to their information security policy. While nothing is 100% safe, that gives me a lot of comfort that not only do they have the right controls in place, but that independent auditors are validating them.
Lastly, signing a HIPAA Business Associate Agreement is not a decision that a company like Google or Microsoft can take lightly. They only started offering these to medical practices once they were confident that they could live up to all HIPAA requirements.
Hope that helps -- great questions!
Thanks Josh, I appreciate the thorough responses! I'm finding that HIPAA guidelines can be lacking when it comes to detailing how certain technologies should be used - This is one area where it's been hard to find a solid answer. My gut tells me if you can't ensure the data-at-rest is secure from prying eyes (server admins, employees, algorithms, etc.) then there's still potential for negative repercussions to the practitioner. Maybe it's a breach of client data, maybe it's failing a portion of an audit. Either way, I've found your website to be very helpful and I thank you again for your time. Please keep up the good work!