AOL Supports SMTP TLS: It’s Still Not HIPAA Compliant

November 4th, 2013

For those of you just tuning in, “SMTP TLS” is a technology that allows email servers to transmit your email messages between themselves securely, preventing eavesdropping on the email messages sent. Read all about SMTP TLS.

Use of TLS is not standard on an email server. It requires special certificates to be purchased, installed, and updated periodically.  It also imposes a burden on the servers … all that encryption takes a lot more processing effort and thus costs more money to operate and maintain.  For large providers like AOL, which receive extremely large numbers of email messages every day for their members, supporting SMTP TLS requires many more email servers and much more work by the server administration staff.

As a result, most major free ISPs (like AOL, Yahoo, and Comcast) have not supported TLS, and never had.  But with the increasing demand for security, and with TLS being “something relatively easy” to add, we are seeing more hosts offering TLS.

Gmail/Google Apps recently started supporting TLS.  Now we see that AOL supports TLS for inbound email delivered to its users.

Why is this good? AOL’s support of TLS is great because:

  1. Security: It shows that they are becoming more interested in security.  That is good for everyone, due to their very large subscriber base.
  2. HIPAA: HIPAA requires some degree of email security when sending ePHI to patients.  There are many ways to provide that; however, the simplest and easiest-to-use approach is to send messages “normally” but encrypt them in transit using SMTP TLS to the patients.  This can work only if the patient’s email system supports TLS … so now folks with AOL addresses can receive ePHI-laden messages more conveniently, should their medical providers use a HIPAA compliant host that uses TLS for message delivery.
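The point in item 2 is that SMTP TLS only protects a message when the receiving server actually offers it, so a sending system that must protect ePHI has to check for that before delivering. The script below is an added example, not code from the original post or from any provider: it parses an SMTP EHLO reply for the STARTTLS extension (RFC 3207), applies a “require TLS or refuse” delivery policy, and includes a live probe built on Python’s standard `smtplib`. The EHLO replies embedded in it are constructed samples, and `mx.example.net` and `probe.example.org` are placeholder names.

```python
"""Check whether a mail server advertises STARTTLS before relaying sensitive mail.

Added example (not part of the original post). It demonstrates what the post
describes in prose: an SMTP server announces STARTTLS support in its EHLO
reply, and a sender that must protect message contents should refuse to
deliver in the clear when the recipient's server does not offer it.
"""
import smtplib
import ssl
from typing import Dict, Tuple

# Constructed EHLO replies for offline use; not captured from any real provider.
EHLO_WITH_STARTTLS = (
    b"250-mx.example.net Hello sender.example.org\r\n"
    b"250-SIZE 35882577\r\n"
    b"250-STARTTLS\r\n"
    b"250 8BITMIME\r\n"
)
EHLO_WITHOUT_STARTTLS = (
    b"250-mx.example.net Hello sender.example.org\r\n"
    b"250-SIZE 35882577\r\n"
    b"250 8BITMIME\r\n"
)


def parse_ehlo(response: bytes) -> Dict[str, str]:
    """Turn a multi-line 250 EHLO reply into {KEYWORD: params}.

    The first line is the server greeting; each following line of the form
    "250-KEYWORD params" or "250 KEYWORD params" advertises one extension.
    """
    lines = response.decode("ascii", errors="replace").splitlines()
    extensions: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.startswith("250"):
            continue
        body = line[4:].strip()  # drop the "250-" / "250 " prefix
        keyword, _, params = body.partition(" ")
        extensions[keyword.upper()] = params
    return extensions


def offers_starttls(response: bytes) -> bool:
    """True if the EHLO reply advertises the STARTTLS extension."""
    return "STARTTLS" in parse_ehlo(response)


def delivery_decision(response: bytes, require_tls: bool) -> str:
    """Decide how to deliver given the recipient server's capabilities.

    With require_tls=True the sender refuses rather than sending plaintext,
    which is the behaviour a host delivering ePHI needs. With require_tls=False
    this is plain "opportunistic" TLS: encrypt if offered, else fall back to
    cleartext, which gives no guarantee at all.
    """
    if offers_starttls(response):
        return "deliver-over-tls"
    return "refuse" if require_tls else "deliver-plaintext"


def probe_mx(host: str, port: int = 25, timeout: float = 10.0) -> Tuple[bool, str]:
    """Live check: connect, send EHLO, and negotiate TLS if it is offered.

    Needs network access, so it is not exercised by the offline assertions.
    Certificate verification is enabled so a server presenting a bad
    certificate is reported rather than silently accepted.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, _ = smtp.ehlo("probe.example.org")  # placeholder HELO name
        if code != 250:
            return False, f"EHLO rejected with code {code}"
        if not smtp.has_extn("starttls"):
            return False, "server does not advertise STARTTLS"
        smtp.starttls(context=ssl.create_default_context())
        version = smtp.sock.version() if hasattr(smtp.sock, "version") else "unknown"
        return True, f"STARTTLS negotiated ({version})"


if __name__ == "__main__":
    for label, reply in (("offers STARTTLS", EHLO_WITH_STARTTLS),
                         ("no STARTTLS", EHLO_WITHOUT_STARTTLS)):
        print(f"{label}: require_tls -> {delivery_decision(reply, True)}, "
              f"opportunistic -> {delivery_decision(reply, False)}")
```

Run it as-is to see the policy applied to the two constructed replies; call `probe_mx("mx.example.net")` with a real MX host name to check a live server. Note that even a successful probe only shows that the hop to that server is encrypted; it says nothing about how the provider stores or forwards the message afterwards, which is the gap the post goes on to describe.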

Careful, though, as AOL is not HIPAA Compliant!

While AOL now supports SMTP TLS, it is not a HIPAA compliant email service.  Apart from enabling inbound email to arrive securely, they really do not do much of what would be required for HIPAA compliance, such as ensuring outbound email is encrypted, signing a Business Associate Agreement, or anything else.

This means that while doctors may now be able to send AOL customers private messages using TLS, doctors and others covered by HIPAA should never be using AOL themselves, in any way, for email that could contain protected health information.  If you know anyone who falls into this category and is still using AOL … please give them a wake-up call, as they are way out of compliance.