Sending HIPAA-compliant emails is easy when you use an encryption solution like LuxSci. But what happens when someone replies to an encrypted message? Are the replies also secure? This is primarily a concern when using SMTP TLS as a secure means of email delivery.
This article will explain how messages are sent securely, how replies behave, and whether they are secure and compliant. At the end, we provide some recommendations for how to balance security and usability.
How are HIPAA-compliant Secure Emails Sent?
In general, there are four ways to securely send HIPAA-compliant email messages to a recipient. The way the original message is encrypted will determine the nature of how secure the reply is.
PGP and S/MIME Encryption
LuxSci supports these highly secure email encryption methods for those who wish to use them. However, as they require more setup and coordination with your recipients, most HIPAA-compliant accounts use something other than PGP and S/MIME for business email communications.
To send messages using PGP and S/MIME encryption, you must exchange certificates with the recipient and install them in the mail client to encrypt and decrypt messages. Some organizations will use this technology for internal communications because they can manage the setup. However, this method is impractical for securing large-scale external communications. When most people talk about encrypted email messages, they refer to one of the methods: secure web portal or SMTP TLS encryption.
Secure Web Portal Encryption
Messages that utilize the secure web portal method of encryption are secured, stored, and accessed via a secure database. It works like this. The sender’s message is sent to a secure web portal, and a simple notification message (that does not contain PHI) is sent to the recipient. The recipient clicks on a link in this notice, verifies their identity by logging in, and then can access the message within the portal.
This is very secure and works with any recipient’s email address. However, accessing the message requires extra work on the recipient’s part. They must log into the portal to read the secure message.
SMTP TLS Encryption
Messages encrypted with SMTP TLS appear like any other email in the recipient’s inbox. They are only encrypted as they are transmitted from the sender’s servers to the recipient’s servers. Unless the recipient knows where to look in the metadata, they may not know TLS-encrypted messages are secured at all.
Unlike secure web portal encryption, which can send encrypted messages to any active email address, SMTP TLS can only be used to secure messages if the recipient’s email service supports the technology. Today, the majority of email providers support TLS. However, some older email service providers do not. If the recipient’s servers do not support TLS, you cannot send them encrypted messages using this technology.
Are Replies to Encrypted Emails Also Encrypted?
That brings us back to our original question: are replies to encrypted emails also secured? The answer will depend on what type of encryption was initially used. When your recipient replies to your HIPAA-compliant secure email message, here is what could happen:
PGP and S/MIME Replies
We won’t spend much time discussing PGP and S/MIME, but we will answer the question. Replies to email messages secured with PGP and S/MIME encryption will also be encrypted, assuming all certificates are correctly configured.
Secure Web Portal Replies
Most secure web portals offer an option for the recipient to reply directly within the portal. If the recipient replies in the portal, the message is automatically secured with the same high level of encryption it was sent with.
However, we can’t assume that the recipient will use the portal to reply. Some people could use their email program to reply to the notification message instead of using the portal. In that case, the reply may or may not be secure, depending upon whether their email system supports TLS or other email security measures. It’s best to assume these replies to the notification message will be insecure.
Replies to SMTP TLS Messages
When a recipient replies to an email sent using SMTP TLS, they use their regular email system to send that message. This may or may not be secure, depending on whether their email system supports TLS or other email security measures. For HIPAA compliance reasons, you should assume that the message will be sent insecurely.
If the Reply to an Encrypted Message is Insecure, Is the Email Non-Compliant?
That leads us to an interesting follow-up question- if replies to encrypted messages are not secure, does this mean the system is non-compliant?
The short answer is: No.
Why? HIPAA only applies to covered entities and their business associates. To comply with HIPAA regulations, these organizations must properly secure any PHI transmitted or stored in their systems. Patients are not subject to HIPAA regulations.
The patient can choose to send their information insecurely or use alternate channels like a phone call or in-person appointment to communicate their health information if concerned about the security of their account. When a patient replies to a message from their healthcare provider, they are transmitting their own information and do not have to do so securely.
Should SMTP TLS be Used to Send HIPAA-Compliant Secure Emails?
HIPAA is notoriously technology-neutral. It tells you what to do but not how to do it. As a result, what is minimally required and what is best are sometimes very different things. Because of that, customers have a wide range of expectations for how they would like things to work.
At LuxSci, HIPAA-compliant email accounts have SMTP TLS enabled automatically, so every message is sent with a base level of encryption. This is for maximum usability. Customers can turn off SMTP TLS as the sole method of secure email delivery or use it only for selected recipients (like their co-workers). It is up to the customer to choose which encryption methods they think are best for their organization. At a minimum, using TLS is better than using no encryption, but each organization will have different requirements and risk factors.
There are no compliance reasons why SMTP TLS should not be used. Still, organizations may want to reduce their risk by increasing the level of encryption when sending communications that contain PHI to patients.
Recommended Best Practices For Sending HIPAA-Compliant Secure Emails
The best practices for security are often at odds with the best user experience. This is often true in security and HIPAA compliance. Finding the right balance of security and usability is essential to protect patient data and meet business objectives. Utilizing TLS for some emails and secure web portal encryption for others is likely the best solution. When spreading awareness and engaging patients with low-sensitivity messages like appointment and vaccine reminders is the goal, using TLS (with some fallback or exclusion to avoid sending insecurely) is likely the right idea. When sending highly sensitive information like lab results, medical records, or billing statements, using a more secure form of encryption, like a secure web portal, is wise to reduce the risk of inappropriate disclosures.
Contact our sales team today to learn more about LuxSci’s flexible and secure HIPAA-compliant email options.
