HIPAA-Compliant Secure Email: Understanding Encryption
Email encryption is an important topic to understand when evaluating HIPAA-compliant, secure email vendors. Encryption is an addressable standard for HIPAA compliance, but if you send sensitive information via email, encryption is the easiest way to meet the standard.
The two most common email encryption methods include SMTP TLS and Secure Portal Pick Up. This article will discuss their differences and guide users on selecting the right option for HIPAA-compliant secure email.
What is TLS?
Messages encrypted with TLS are only secured while in transmission. This “invisible” encryption prevents the messages from being tampered with or eavesdropped on while in transit from one mail server to another. TLS is one of the most user-friendly forms of encryption. Emails sent with TLS appear like a regular email in the recipient’s inbox- no passwords or security questions are required to read the message. Once the email is delivered, it is unencrypted in the inbox. That means anyone accessing the inbox can read the email, making it less secure than other options.
See: SMTP TLS: All about secure email delivery over TLS.
What is Secure Portal Pick Up?
In comparison, messages encrypted with Secure Portal Pick Up are stored on a secure web server. Instead of receiving the email, the recipient is sent a notification message with a link that directs them to the secure portal. To log in, the recipient must verify their identity to access the message. Once logged in, the recipient can read and respond to the message securely. Secure Portal Pick Up emails can be sent to anyone with an email address.
Email Encryption Options for HIPAA Compliance: TLS vs. Secure Portal Pick Up
This image shows some of the key differences between TLS and Portal Pick Up encryption. Both are sufficient for HIPAA compliance because they securely transmit information over the internet.
As you can see, Secure Portal Pick Up is the more secure method. The message contents are encrypted all the time in the portal. The Portal Pick Up method requires verification of the recipient’s identity before allowing access to the message content. In contrast, emails sent with SMTP TLS are unencrypted in the recipient’s inbox and accessible to anyone with access to that email folder.
So, you should use the more secure option, right? Not necessarily. Encouraging people to log in and retrieve their messages can be a challenge. If you want the maximum amount of people to read and respond to your messages, SMTP TLS is an excellent way to balance security and usability. For the recipients, it works just like regular email. They receive the message in their inboxes and open it without knowing if it is encrypted. Patients can read and respond to time-sensitive messages without taking additional steps. SMTP TLS is an excellent option for patient engagement emails.
People often choose SMTP TLS for its convenience. When additional security is desired, they choose Secure Portal Pickup.
HIPAA-Compliant Secure Email Encryption
HIPAA requires the secure transmission of PHI. It does not require that external emails are encrypted at rest. Once the data is in the recipient’s hands, they are responsible for protecting it.
This means that using SMTP TLS is okay under HIPAA. However, organizations should use TLS 1.2 or 1.3, as NIST recommends. Older versions of TLS are vulnerable to malicious actors.
Even though TLS is ‘good enough’ for compliance, it may not be appropriate in some situations. Users who are not tech-savvy may perceive a TLS email as insecure and worry that the organization does not take privacy and security seriously. We recommend a nuanced and flexible approach to encryption that allows users to toggle between methods on a per-message basis. This allows users to select an appropriate method that takes into account the message contents and their sensitivity.
When to Use TLS vs. Secure Portal Pickup
As established, using TLS with the proper ciphers is okay for HIPAA compliance. However, there are specific scenarios where opting for a more secure form of encryption makes sense.
TLS is an excellent choice for marketing and promotional messages that do not contain a lot of sensitive information. If an unauthorized user came across an appointment reminder in an inbox, it would not divulge highly privileged information. As a result, they would not be able to use the information to harm an individual.
On the contrary, it would be devastating if someone could access highly sensitive data like medical records, test results, or insurance/financial information in plain text in a person’s inbox. In this scenario, it’s wiser to use Secure Portal Pick Up.
Limiting access to sensitive information demonstrates that the organization protects patient data and builds trust with the user. Even though it is mildly inconvenient for the user to log in to the portal, it is necessary to protect the data. A Secure Portal Pick Up method also allows senders to retract incorrect information. This is especially important when dealing with highly sensitive information.
Ultimately, it is up to each organization to assess their risk and decide where they stand on the security versus usability spectrum. HIPAA does not mandate one or the other. However, if a breach occurs and data is unencrypted at rest, HIPAA assigns more liability to those involved.
Conclusion
Without knowing the details of your email campaigns, we generally recommend sticking to these two general guidelines. Use:
- TLS for marketing and transactional messages that are light on PHI.
- Secure Portal Pick Up for messages that contain a lot of PHI.
Using TLS for timely messages like appointment reminders and promotions ensures they will not be missed. On the contrary, Secure Portal Pickup protects sensitive data throughout its transmission and storage, even if the emails are more difficult for the recipient to access. We recommend choosing a HIPAA-compliant secure email provider like LuxSci, whose flexible encryption technology allows users to pick and choose the appropriate level of encryption for their emails on a per-message basis. When in doubt, always choose a secure option to keep data protected.
