Josh Ablett

HIPAA Email Encryption: We Reviewed 7 Services and Found the Best

December 30, 2020

Trying to figure out the best way to handle HIPAA email encryption? How do you send PHI via email and still follow HIPAA? And how do you send encrypted email from cloud services like Gmail or Microsoft 365? These are the most common questions we get.


It’s an understandable question. Email has become the communication tool of choice in the digital age. Most workplaces rely on it heavily.

If you’re a HIPAA-regulated business, email use gets a lot more complicated. It's even more complicated when you want to email PHI, or Protected Health Information.

Good news: it is possible to send PHI via email in a HIPAA compliant way, and we're going to tell you exactly what it takes!
But before we jump right in, let’s review the basics.

What is PHI?

PHI stands for “Protected Health Information.”

PHI is any information that identifies an individual (or could reasonably be used to) and relates to their health, the care they received, or payment for that care.

Think of it this way. If you're emailing ANYTHING that someone can use to figure out medical information about a specific person, it's PHI.

For healthcare providers and business associates, PHI is everywhere. Even in places that you wouldn’t think to look, like notes on a calendar or files in a “Downloads” folder. This infographic does an awesome job demonstrating all of the different places where PHI can hide.

[Infographic: locations where unsecured PHI hides]
Hint: there are a lot of them.

What is HIPAA Email Encryption?

So, you get it: PHI is important. PHI is everywhere. So what do you do?

First, you need to understand the basics of encryption.

Encryption is at the heart of many of today’s data protection tools. It’s an effective way to shield data from prying eyes.

You don't need to understand the math behind encryption to use it.

All you need to know is that you start with an ultra-important secret message:

Be sure to drink your Ovaltine.

When it gets emailed out, it looks like this to anyone who tries to intercept it:

-----BEGIN PGP MESSAGE-----
Version: BCPG C# v1.6.1.0

[base64 ciphertext body not preserved on the page]

-----END PGP MESSAGE-----

But when your patient or customer gets the email, their side holds the key that turns it back into plain text, so they (and only they) get the Ovaltine joy.

Not too complicated, right?


Fine, I’m drinking my Ovaltine, but why does all this matter?

Under HIPAA, there are strict rules for sending PHI over email. There are two choices:

  1. You either need to be sure that ONLY your recipient can read the email (which, in practice, means it's encrypted from you to them), or
  2. You need to warn the patient about the risks of unencrypted email AND get their permission to use it anyway.

#2 is a hassle, and it only works for emailing a patient about their own care. HIPAA compliant email encryption is the only way to guarantee #1. Period.

If you want to send PHI over email, you need to make sure that data is encrypted.

So how do you send secure email?

Like many things in life, it isn't as straightforward as you might think. Also like many things in life, it's a perpetual trade-off between cost and convenience.

When you're choosing a solution, think about ease-of-use on both the sending and the receiving end. Sure, there are encryption solutions out there that are free or low cost. But they aren't worth it if they're so inconvenient that your staff work around them or your patients can't open the message.

The available solutions fall all over that spectrum. It's up to you to decide which one fits your needs best. Here are a few options:

1) Get consent to email PHI

In a moment, we'll get into some more complicated encryption solutions. But first, we want to note that HIPAA actually does give patients autonomy over their own data.
This means that there is one way that you can send PHI to a patient in an unencrypted email.
You have to:

    1. Inform your patient of the risks associated with sending their PHI in an unencrypted email.
    2. Get their explicit permission to communicate with them through unencrypted email. Here's an example of the kind of consent form they would have to sign.

[Image: sample HIPAA email consent form]

Be careful, though. Consent covers the patient who signed it, for their own PHI. You have to be absolutely sure that you never accidentally email PHI to someone who hasn't opted in, because that, my friend, is a breach.

Want to explore this option? Here’s a great article that explains it in better detail.

2) The free options (don’t bother)

Unfortunately, our favorite email and productivity suite (Gmail) doesn't support sending encrypted email out of the box. (Gmail does encrypt mail in transit with TLS when the receiving server supports it, but that's opportunistic: if the other side doesn't, the message goes in the clear.) Guaranteed encryption is a must-have when it comes to sending PHI, but Gmail works fine if you only want to email non-PHI.

We did find one way to send encrypted email through Gmail, but it's a huge pain. The tool, SecureGmail, encrypts the message with a password, and you have to get that password to the recipient some way other than email (a phone call, in person). That's unavoidable with any shared-password scheme: if the password travels in the same channel as the message, it protects nothing.
[Image: SecureGmail]

That sort of defeats the whole purpose of using email for patient communication. It may be just fine for sporadic personal use, but it’s definitely not scalable in a business setting.

Your mileage may vary, but we don’t recommend it.

There’s only one other completely free option, and that’s to not send PHI via email at all. You can use email for things like setting up appointments, but handle PHI only through phone calls and snail mail.

Unfortunately, those are your only solutions in the $0 price range.

3) The heaviest-advertised option: Virtru

Search online for "secure email," and you'll inevitably see the company Virtru mentioned.

The Virtru add-on is easy to add to your account (though not very easy to use).

Once you install it, here’s how it works -- if you're using it inside of Gmail, it looks like this:
[Screenshot: sending a message with the Virtru add-on in Gmail]

When the patient gets the email, here’s what it looks like:
[Screenshot: the Virtru message as the patient receives it]

Next, the user has to click the "Unlock Message" button.

Here's where it gets a little annoying -- the user then gets another email with a link, which proves that whoever clicked "Unlock Message" actually controls that mailbox. Only after clicking the link in the second email can your user access the actual message that was sent.

This double email is a double-edged sword.  On the one hand, it's nice that they're not making you remember yet-another username and password.  On the other hand, this "double email" approach is still pretty confusing for non-technical users (especially older patients!).

On the sending side, we've also found that medical practices can find the add-ons (they also make one for Microsoft Outlook) to be pretty confusing to install.  And you have to install yet another app if you want to send from your mobile phone.

Lastly, some of our customers have told us that the lowest-priced plan for which they will sign a HIPAA Business Associate agreement is for over $500/year, which puts them out of the reach of some small practices.  That's not a lot to pay for HIPAA compliance, but it's a lot to pay for just secure email.

4) The option from your IT company

If you work with an IT company, they might be giving you a HIPAA email encryption add-on.  It might even be free.

Companies like Proofpoint, Mimecast, and Reflexion primarily focus on email security. More specifically, they protect you from phishing attacks, viruses, and ransomware emails.

All of these companies are excellent at keeping your email safe (our favorite, Proofpoint, is what we recommend to clients), but they're not that great at SENDING secure emails.

Here's how most of them work:

When you want to send someone a secure email, you put a keyword (like "[SECURE]") in your subject line. A mail-flow rule on the provider's side matches that keyword and routes the message through encryption; anything without the keyword goes out as ordinary email.

Here's an example in Gmail, though it looks the same in whatever email client you use. In fact, you can even do this on your mobile phone!
[Screenshot: sending a "[SECURE]" email through Proofpoint from Gmail]

After sending it, you'll get a nice confirmation back:
[Screenshot: Proofpoint encryption confirmation]
When your recipient gets the email, it will look like this:
[Screenshot: the Proofpoint notification as the patient receives it]

The recipient clicks on the “View Encrypted Email” button.

Sounds easy, right?

Well, not so fast.  Your patient still needs to sign up for (and remember) a username and password.  Patients can find this confusing.

After they log in, they will see the secure email you sent.  They can also respond to it.
[Screenshot: the secure email as shown in the Proofpoint portal]

This one was near the top of our list, but when we tried it with medical practices, too many people complained about having to remember usernames and passwords. It can work for a really small practice that almost never sends sensitive data over email, but what if you forget to type "[SECURE]"? The whole scheme hinges on one word in the subject line, and that's too easy to get wrong.
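Here is what the subject-keyword rule above boils down to, and what a content-scanning backstop for the forgotten keyword looks like. This is an added example written for this article, not Proofpoint's or any vendor's configuration: the "[SECURE]" tag is the page's example, the PHI patterns and the three sample messages are constructed for illustration, and a real gateway would use its own DLP identifiers and dictionaries rather than these regexes.

```python
import email
import re
from email import policy

# Subject tag that the hosted encryption gateway matches on (the page's example).
SECURE_TAG = "[SECURE]"

# Crude PHI indicators for the backstop rule. Constructed for this example; a
# real DLP policy would use the provider's built-in identifiers.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)\b", re.IGNORECASE),
    "diagnosis": re.compile(r"\b(?:diagnosis|diagnosed with|lab results?)\b", re.IGNORECASE),
}


def classify(raw_message: str) -> tuple[str, list[str]]:
    """Decide ("encrypt" | "plain", reasons) for one outbound RFC 5322 message.

    Branch 1 is the keyword rule the page describes. Branch 2 is the backstop:
    if the body or subject looks like PHI, encrypt even without the tag.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    reasons: list[str] = []

    # 1. Sender asked for encryption explicitly.
    if SECURE_TAG.lower() in subject.lower():
        reasons.append("sender tagged subject with " + SECURE_TAG)

    # 2. Content rule: scan subject plus the text/plain body for PHI indicators.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    for name, pattern in PHI_PATTERNS.items():
        if pattern.search(subject + "\n" + text):
            reasons.append(f"content matched PHI indicator '{name}'")

    return ("encrypt" if reasons else "plain", reasons)


# Constructed sample messages (no real people, addresses or identifiers).
TAGGED = """From: frontdesk@example-clinic.test
To: patient@example.test
Subject: [SECURE] Your lab results
Content-Type: text/plain; charset=utf-8

Hi Pat, your lab results are attached.
"""

FORGOT_TAG = """From: frontdesk@example-clinic.test
To: patient@example.test
Subject: Follow-up
Content-Type: text/plain; charset=utf-8

Pat, the doctor reviewed MRN 00412345 and wants to discuss your diagnosis.
"""

BENIGN = """From: frontdesk@example-clinic.test
To: patient@example.test
Subject: Parking reminder
Content-Type: text/plain; charset=utf-8

The north lot is closed Friday; please use the garage.
"""

if __name__ == "__main__":
    for label, raw in (("tagged", TAGGED), ("forgot tag", FORGOT_TAG), ("benign", BENIGN)):
        verdict, why = classify(raw)
        print(f"{label:10s} -> {verdict:7s} {why}")
```

The second message is the one the page warns about: with a keyword-only rule it leaves in the clear. The content rule catches it, at the cost of false positives that patterns this crude would certainly produce, which is why vendors ship tuned identifiers rather than a handful of regexes.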

5) A clunky option for Microsoft fans: Microsoft365

Microsoft 365 can send HIPAA compliant encrypted email but, I warn you, it's very clunky. Microsoft made some improvements in early 2019, described below, but it's still awkward.

First, get Microsoft365.

When you send the email, it looks like this:
[Screenshot: composing a secure email in Microsoft 365]

See that button that says "Encrypt"?  Click that, and it's just that easy!  After you click it, this little header will show up:
[Screenshot: the "Encrypt" header shown after clicking the button]

Sending a secure email on your side is pretty simple.  But when it gets to your recipient, that's when it gets ugly.

Here's what shows up on the other side:
[Screenshot: the notification the recipient sees]

When you click on that, the patient or recipient sees this:
[Screenshot: the Microsoft 365 sign-in prompt the recipient must complete]
We've found that some older patients really struggle with this, and struggle to remember passwords.

You also need to remember (and train your staff) about how to tell when to send a secure email vs. a regular email.  It's really easy to forget.

So while it CAN work (especially if you don't send a lot of secure messages), it's definitely not as easy to use as our favorite option below (#7).

6) Not safe for HIPAA? - SendSafely

SendSafely is another secure email service, though we wouldn't recommend it for HIPAA email encryption. It specializes in enterprise email encryption and secure file sharing. It can integrate directly with your Gmail or Microsoft365 account.

Alternately, you can send email through their internal portal.

We’ll be blunt: we don’t recommend this option for healthcare providers or HIPAA covered entities. While SendSafely mentions that they're HIPAA compliant on their website, they don't mention anything about being willing to sign a HIPAA business associate agreement.

Still, we’ll give you a tour of how it works ― in case you’re curious or if you’re looking for a solution for non-HIPAA reasons.

After you install and activate SendSafely, here's an example of what happens in the Gmail user interface:
[Screenshot: enabling SendSafely in Gmail]

Instead of encrypting the whole email, SendSafely just encrypts the attachment. Keep that in mind: the subject and body still travel as ordinary email, so anything you type there is unprotected.
[Screenshot: encrypting an attachment with SendSafely]

They do give you an interesting option to enable SMS verification. If you have your patient's phone number, this could be useful: a code sent to the phone proves more than a link that anyone holding the mailbox can click. SMS isn't a strong factor on its own (phone numbers can be hijacked), but it's a meaningful step up over email-only verification.

Keep it in mind if you want to go the extra mile in your email security.
[Screenshot: SendSafely SMS verification option]

On the receiving side, here’s what it looks like:
[Screenshot: receiving a SendSafely message]

Simple, right?

As we said, we don’t recommend SendSafely for HIPAA-related purposes, because HIPAA just doesn’t seem to be a focus of theirs. There are better options for compliance-specific email.

But it’s a good one to keep in mind for comparison or for other future uses.

7) The easiest, best HIPAA Email Encryption

Paubox is an excellent service that will automatically encrypt all of your emails. It's, by far, the best option we've found for HIPAA email encryption.  You’ll need a little help setting it up. But once it’s in place, it’s definitely the easiest for both you and your patients.

The best thing about Paubox is that you don't have to tell it which emails to encrypt.  It automatically encrypts every email you send.

If your patient uses a modern email system like Gmail or Microsoft 365, they won't even have to click anything. The email will appear in their inbox just like any other.
[Screenshot: a Paubox-encrypted email arriving like any other message]

Paubox does this with TLS (Transport Layer Security), the same encryption that protects HTTPS websites, applied to the server-to-server connection that carries the email. Most big mail providers already support it: according to Google, over 90% of the email sent to or received by Gmail is already encrypted in transit. The catch is that ordinary mail servers use TLS opportunistically, so a message to a server that doesn't support it simply goes out in the clear. Paubox checks each recipient's server first, sends over TLS when it can, and handles the rest.

If your patient is using an older email system or an email system that isn't set up the right way, however, they’ll either need to click a link or sign up for a username or password (your choice). But compared to the alternatives, this is still an extremely convenient option.

Bonus: it works with Google Mail or Microsoft365, too.  And mobile!  Not to steal Apple's tagline, but it's our favorite because "it just works."  Easy for the patient, easy for the doctor.
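To make the TLS-first approach concrete (and the forced-TLS discussion in the comments below, where Microsoft 365 bounces mail instead of falling back), here is the per-recipient decision such a gateway makes. This is an added example written for this article, not Paubox's code or Microsoft's mail-flow rule. The EHLO replies and hostnames are constructed; the live probe_mx() helper assumes you have already resolved the recipient domain's MX hostname and have outbound port 25 access, and it is not exercised offline.

```python
import re
import smtplib
import ssl
from dataclasses import dataclass

# Constructed EHLO replies, as a sending mail server sees them after connecting
# to the recipient's MX on port 25. Hostnames are made up for this example.
EHLO_MODERN = """250-mx.example-hospital.test Hello relay.example-clinic.test
250-SIZE 157286400
250-8BITMIME
250-STARTTLS
250-ENHANCEDSTATUSCODES
250 SMTPUTF8
"""

EHLO_LEGACY = """250-mail.legacy-clinic.test Hello relay.example-clinic.test
250-SIZE 10240000
250 8BITMIME
"""


def ehlo_capabilities(reply: str) -> set[str]:
    """Parse a multi-line EHLO reply (RFC 5321) into its advertised keywords.

    The first 250 line carries the server's hostname and greeting, not a
    capability, so it is skipped.
    """
    caps: set[str] = set()
    for line in reply.splitlines()[1:]:
        m = re.match(r"^250[ -]([A-Za-z0-9]+)", line)
        if m:
            caps.add(m.group(1).upper())
    return caps


@dataclass
class Decision:
    recipient: str
    mode: str   # "tls": send over the verified session
                # "portal": hold the message, send a pickup link instead
                # "bounce": refuse delivery, as a forced-TLS-only rule does
    reason: str


def decide_delivery(recipient: str, ehlo_reply: str, handshake_ok: bool,
                    on_failure: str = "portal") -> Decision:
    """Decide how one message leaves, given what the recipient's MX offered.

    handshake_ok is the outcome of STARTTLS *with certificate verification*.
    The STARTTLS keyword alone proves nothing: anyone on the path can strip it
    from the EHLO reply or present a bogus certificate, so a gateway that only
    checks the keyword can be downgraded to cleartext.
    """
    caps = ehlo_capabilities(ehlo_reply)
    if "STARTTLS" not in caps:
        return Decision(recipient, on_failure, "MX does not advertise STARTTLS")
    if not handshake_ok:
        return Decision(recipient, on_failure,
                        "STARTTLS offered but TLS handshake or certificate check failed")
    return Decision(recipient, "tls", "verified TLS session established")


def probe_mx(host: str, timeout: float = 10.0) -> Decision:
    """Live probe of one MX host (needs network; not run by the offline test).

    smtplib.starttls() with a default SSL context verifies the certificate
    chain and hostname, so a failure here is a real reason to fall back.
    """
    try:
        with smtplib.SMTP(host, 25, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                return Decision(host, "portal", "MX does not advertise STARTTLS")
            smtp.starttls(context=ssl.create_default_context())
            smtp.ehlo()
            return Decision(host, "tls", "verified TLS session established")
    except (smtplib.SMTPException, ssl.SSLError, OSError) as exc:
        return Decision(host, "portal", f"TLS probe failed: {exc}")


if __name__ == "__main__":
    for rcpt, reply, ok in (
        ("pat@example-hospital.test", EHLO_MODERN, True),
        ("pat@legacy-clinic.test", EHLO_LEGACY, True),
        ("pat@example-hospital.test", EHLO_MODERN, False),
    ):
        d = decide_delivery(rcpt, reply, ok)
        print(f"{rcpt}: {d.mode} ({d.reason})")
```

The on_failure argument is the whole difference between the two designs discussed on this page: "portal" is the Paubox-style fallback to a pickup link, "bounce" is the forced-TLS rule that returns the message to the sender. Either is defensible; what is not defensible is trusting the STARTTLS keyword without completing a verified handshake.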

We also really liked this service while researching this article, and decided to make it part of the solution that we implement for practices who become our clients. We can help you implement Paubox with our Secure Cloud program.

Conclusion

Information around HIPAA email encryption has always been a bit murky. Lots of businesses aren’t sure whether they can safely email PHI.

As we’ve outlined above, the definitive answer is yes. It’s definitely possible to safely and securely send PHI via HIPAA email encryption.

But that’s only if you’re willing to put the time and money into finding a reliable method. Hopefully, this article has given you a clear overview of your options.

It may be a bit more complicated than sending a day-to-day personal email. And sure, it’s a bit more inconvenient. But with experimentation and research, lots of businesses have found encrypted email solutions that work wonderfully for them.

The easiest way to get HIPAA compliant email with Paubox is through Adelia Risk's Secure Cloud for Healthcare Practices program.


23 comments on “HIPAA Email Encryption: We Reviewed 7 Services and Found the Best”

  1. Virtru will not sign a BAA unless you are paying for their MUCH more expensive business version requiring the purchase of multiple accounts per month. I believe it costs something like $60 per month.

    2. You can get GAME for Gmail/Google Apps accounts for $35 per year. It's provided by zixcorp, in partnership with Google.

    3. Microsoft365 does not come out of the box with encryption. You must also sign up for Azure Rights Management and have that configured first. Also, there is a licensing issue with their office software that is included. Commercial businesses cannot install their five "free" copies of Office shared by multiple users in a practice. While outlook.com or Exchange Online accounts can be shared and accessed across computers, you must purchase a separate Microsoft365 account for each separate user in order to install and use Office applications. A little gotcha they deliberately aren't clear on.

  2. Good article. I have been using ProtectedTrust and it is very easy to use and implement. They even have an app that allows the login with fingerprint that I use all the time.

  3. Our practice uses SendSafely for HIPAA compliant email and file exchange, and we have a BAA in place with them. I believe the only requirement for them to sign the BAA is that you need to be using the business version (they won't sign for FREE users).

    1. That's not quite right. No HIPAA-compliant email will let you use a free service so, correct, you cannot use the FREE version of Google Mail. However, we have tons of clients who are happily using the paid version of Google Mail (now called Google Workspace), and we've set them up so they're HIPAA compliant and using Paubox. It's a great experience for practices and their patients, so it definitely works.

  4. This information is a little out-dated. With Microsoft365 encryption is included as part of most of the E1-E5 subscriptions and IRM is not required. You can also set up a rule to force TLS and if TLS isn't available it can fall back to M365's default encryption email (which you're right isn't the best but 98% of our email goes TLS already) but this is really no different than what Paubox is doing and charging a lot of money for.

    1. Great feedback! We'll take a look when we do our next update. We had looked at the option of doing forced TLS when we did the initial review, but it wasn't supported at that time.

      1. We did a little more digging on this. Based on talking to tech support, the new process in Microsoft365 isn't quite as smooth as the experience in Paubox. Apparently you can set up your Microsoft365 domain to have mandatory TLS encryption. It will bounce any email back to the user if they try to send it to a domain that doesn't have TLS properly configured. Then, they will need to re-send the message, but they will need to manually re-encrypt it using Microsoft365 Message Encryption. If you have users who are fairly tech-savvy, then this might work, but we still prefer the straight-through ease of Paubox.

  5. So a paid for Google Workspace account (with a BAA in place) and Gmail configured correctly; alone, is still not sufficient under HIPAA ? With all of this in place, one would still need a service like Paubox ?

    1. Great question, Hayden -- a lot of people miss the subtlety of this point.

      It depends on two things:
      1) Are you planning to send PHI outside of your company (to patients, other practices, insurance companies, billing companies, etc.)
      2) How carefully are you going to manage emails that do contain PHI?

      If you're only ever going to email PHI within your company, and if your Google Workspace account is configured properly, then you shouldn't need an additional secure email service (like those discussed in this article). Emails inside your four walls would be encrypted and therefore HIPAA compliant.

      However, if you're going to email it outside of your company, then you definitely should think about a secure email service. There are some technical hacks you can use to figure out if an individual email address supports TLS encryption, but this falls apart if you have to email more than a few people each month.

  6. Great article!! It nailed all the points I was looking for, although I would have liked to see the sending-end and receiving-end pictures of Paubox, like the examples you gave for other services. If the user experience is so seamless, what in the interface assures the users that the email is indeed encrypted?

    I would love to read your follow up article! Will Paubox still be your go-to top choice? Thanks again!!

  7. Unfortunately Paubox has a minimum number of users needed. What do you suggest for a solo practitioner who is just starting and on a limited budget? Thanks

    1. Hi - they don't have a minimum number of users, but they do have a minimum monthly fee. We've found their pricing is pretty comparable to other secure email products, so if all secure email is outside of your budget, you may want to not use email for handling PHI until you can afford it.

  8. If the email content does not have any PHI at all , would it be any violation of HIPAA privacy rule ? I am thinking this way : if the email address itself would be an ePHI, even if there is no other ePHI at all, would it be a violation ?

    1. Hi - this is a great question, and you may want to check with your attorney for a definitive answer. We're not lawyers.

      That said, I think this falls into a gray area. If the only thing is an email address, then I wouldn't consider that ePHI. However, if it was an email address sent from "Sue's Depression Clinic" or "Sam's Drug Treatment Center," well then that might flip over into ePHI since you've now combined the person's email address with some indication of health information.

      Hope that helps!

  9. Please correct me if I'm wrong, regarding #7 and Paubox:
    wouldn't TLS, whether forced or opportunistic, be insufficient in terms of HIPAA compliance? We know TLS is good for the data in transit; however, TLS does nothing in terms of protecting the data when it's at rest or in use. With TLS only, the email may sit in a public Gmail server once received, in which case we're out of compliance. The email may be opened by anyone with access to the account, whereas an actual encryption solution would require a password or other means of authentication. Am I missing something with HIPAA compliant email, or is there more to Paubox that meets these needs?

    1. Matt - this is a really astute question. Thanks for posting it.

      That password used by traditional secure email services is more "security theater" than real security. If an attacker has access to your email, all they'd have to do is click the "forgot password" link in whatever secure email service is being used, and they'll get a new password sent over. Remember, they have access to your email, so nothing would stop them from simply resetting the password and reading the message. Most providers allow you to send a one-time code via email which, again, if an attacker has access to your email gives them full access to the message.

      Also, I would challenge the thought that Gmail servers are "public." The major email providers like Gmail, Outlook.com, even Yahoo have excellent security these days. The way that someone's email account would be breached is not likely to be an attack on Google itself, but it's going to be crappy password hygiene and not using two-factor authentication.

      So, in our opinion, you lose no actual security by using a product like Paubox that uses forced, managed TLS, and you gain ease of use that makes it a lot less likely that employees will circumvent your secure email program, which is what typically happens.

      Thanks for the question!

  10. Thanks so much for the response, Josh. I agree about major email providers having good security over their servers. My question has more to do with the email provider having access to PHI within their email servers. Google stopped scanning email to deliver targeted ads in 2014, but what about other services that might "read" email in hopes of profiling their users? In some cases that content might contain one's medical history. TLS is important, but it seems like it couldn't be enough to make email HIPAA compliant... right?

    1. Boy, you're asking a great (and complicated) question, so let's pull it apart.

      If someone is sending you an email with PHI in it, you're right -- TLS doesn't magically make you 100% HIPAA compliant. There's way more that you'd need to do, from securely configuring your computers to securely configuring your email service, and much much more.

      If you're sending an email to someone outside of your company (let's say to a patient or another medical practice), you're only responsible for getting it to them securely. It's on THEM to handle it securely from that point forward. Obviously, another medical practice will have more in place to protect the email than a patient will, but it's still not reasonable that a medical practice is responsible for ensuring each patient's safe handling of their own PHI.

      But your fundamental question comes down to trust of the cloud providers, like Google or Microsoft. You might be interested in reading through this post on Quora: https://www.quora.com/How-many-Google-employees-can-access-Gmail-data-How-secure-is-Gmail-data-within-Google. It's fairly old, but I think it does a good job of spelling out the protections that these companies have in place against exactly this situation.

      The other thing to keep in mind is that these companies are CONSTANTLY being audited to confirm that they're actually living up to their information security policy. While nothing is 100% safe, that gives me a lot of comfort that not only do they have the right controls in place, but that independent auditors are validating them.

      Lastly, signing a HIPAA Business Associate Agreement is not a decision that a company like Google or Microsoft can take lightly. They only started offering these to medical practices once they were confident that they could live up to all HIPAA requirements.

      Hope that helps -- great questions!

  11. Thanks Josh, I appreciate the thorough responses! I'm finding that HIPAA guidelines can be lacking when it comes to detailing how certain technologies should be used - This is one area where it's been hard to find a solid answer. My gut tells me if you can't ensure the data-at-rest is secure from prying eyes (server admins, employees, algorithms, etc.) then there's still potential for negative repercussions to the practitioner. Maybe it's a breach of client data, maybe it's failing a portion of an audit. Either way, I've found your website to be very helpful and I thank you again for your time. Please keep up the good work!
