Are Replies to my HIPAA-Compliant Secure Emails also Secure?

October 11th, 2013

HIPAACustomers of LuxSci HIPAA-compliant email accounts can send secure email messages in a secure and compliant manner to anyone with an email address.   One common question is whether the replies back to these messages will also be HIPAA compliant.  This is especially a concern when customers choose to use TLS only a a secure means of email delivery.

In this article we will break down the various ways that messages are sent securely from LuxSci to recipients across the Internet, and how replies behave — and whether they are secure and compliant.  At the end, we provide some recommendations for best practices for maximizing data security.

How are HIPAA-compliant messages sent securely?

LuxSci supports 4 different mechanisms for securely delivering an email to your recipient.  The mechanism used in any particular case depends upon your LuxSci SecureLine settings combined with what capabilities the recipient’s email service support.

1 and 2. PGP and S/MIME Encryption

LuxSci supports these excellent methods of email encryption for those who wish to take advantage of them.  However, as it requires more setup and coordination with your recipients, most HIPAA-compliant accounts do not choose to use PGP and S/MIME.  To learn more about what these are, see: The Case for Email Security, Section 7.

3. Message Escrow

With SecureLine Message Escrow, your message is encrypted and stored in a secure database at LuxSci.  A simple non-PHI notification message is sent to your recipient.  The recipient clicks on a link in this notice, verifies his/her identity at our free secure web portal, and then can access your message.

This is very secure and works with any recipient’s email address; however, it requires a little extra work on the recipient’s part — going to a portal to access the secure message.


With SMTP TLS, the secure message is sent just like any other regular message; however, it is encrypted using TLS as it is transmitted from LuxSci’s servers to your recipent’s servers.  For how this works, see: SMTP TLS: All About Secure Email Delivery over TLS.

SMTP TLS works with any recipient whose servers support TLS for inbound email. Some, like Gmail, do. Others, like Yahoo and AOL, do not.

SMTP TLS is very user friendly, as the secure email message arrives in the recipient’s INBOX and looks and works like any other email message.  It’s easy.

The downside is that the recipients can’t easily tell that the message arrived securely (though it is possible to tell).

We are going to focus on the Escrow and TLS methods in the remainder of this article.

Ok, So What About Replies?

When your recipient replies to your message, here is what could happen:

1. Message Escrow

When a recipient view a secure email in the Message Escrow portal, the recipient has the option of replying to this message.  That reply is automatically secured.

However, the recipient could choose to reply from his/her email program by replying to the escrow notification message itself (people will do anything). This may or may not be secure, depending upon whether their email system supports TLS or other email security measures.  You can assume in the general case that this will be insecure.


When a recipient replies to an email sent to them using SMTP TLS, they use their regular email system to send that message.  Like the previous example, this may or may not be secure, depending on if their email system supports TLS or other email security measures.  You can assume in the general case that this will be insecure.

So, unless you are sending messages to recipients using only Escrow, many replies will come back insecurely.

So if its Insecure, is it non-Compliant?

This is where the questions arise — if some replies are insecure, does this mean that the system is non-Compliant?

The short answer is: No.

Why? Because HIPAA requires that you be sure that PHI that you transmit be properly secured.  When your patient/recipient/etc. replies to your message, it is that person who is transmitting the information — not you.

  1. If that person is transmitting PHI about themselves, it is up to them if they wish it to be secured or not, or if they trust their email service.
  2. If that person is not a covered entity or business associate of one, then the HIPAA regulations do not apply to messages sent by them … so they cannot be violating HIPAA by replying insecurely.
  3. If that person is a covered entity or business associate of one, then HIPAA does apply and that person should be using a secure email system to reply — and the burden is on them (and not you) to ensure that there is no breach.

So, for example, if you use TLS and send an email to a patient who uses Gmail, that message will arrive and look like any other message and the reply may or may not use TLS on its way back to you (Gmail will generally use TLS, but you cannot count on it as there is no promise from Gmail that this will always happen).  As a result:

  1. The message you sent was properly secured, and either
  2. The reply is by someone who is not subject to HIPAA and so the content doesn’t need to be encrypted, or
  3. The reply is by someone who is subject to HIPAA and they should not be using Gmail and are in violation of themselves if they are sending PHI that is not about themselves.

Should SMTP TLS be Used?

HIPAA is notorious for being technology neutral.  It tells you what to do but not how to do it.  As a result, what is minimally required and what is best are sometimes very different things. Because of that, customers have a wide range of expectations and desires in terms of how they would like things to work.

At LuxSci, HIPAA-compliant email accounts have use of SMTP TLS enabled so it is used preferentially whenever it is available. This is for maximum usability.  Customers have the ability to completely turn off use of SMTP TLS as the sole method of secure email delivery, or to use it with only selected recipients (e.g. people in their own organization).  It is up to the customer which methods they think best for their organization to use.

Recommended Best Practices

The best practices for best security are often at odds with the simplest and most user friendly experience.  This is often true in security and usually true for HIPAA.  The more flexibility you have and the more it works like regular email, the more room for error.  E.g. see Opt-In Email Encryption is too Risky with HIPAA Omnibus.

LuxSci would recommend the following to HIPAA customers as it strikes a good balance between security and usability:

  1. Disable use of “SMTP TLS whenever possible”.
  2. Enable use of “SMTP TLS” for delivery to email addresses hosted at LuxSci (This ensures that Escrow is used for general recipients, but that regular TLS is used for “internal messages”)
  3. Use “Opt Out” to allow users to send non-PHI email messages as normal messages on demand.
  4. Upgrade to “Message Center” so that recipients using Escrow can see a history of all messages received and sent through the secure portal in on place.
  5. Customize your Message Escrow “you have a new secure message” notification to request recipients to not reply directly to it … but to instead reply through the secure portal.  (Requires Private Labeling)