Email Encryption for HIPAA Compliance: SMTP TLS vs Portal Pick Up

February 15th, 2022

Email encryption is an addressable standard for HIPAA compliance, but that doesn’t mean it’s optional. When sending sensitive data via email, it should be protected with encryption. However, there are many ways to send a secure email message and HIPAA does not require the use of a specific method.

The two most common email encryption methods include SMTP TLS and Secure Portal Pick Up. This article will discuss the differences between them and provide guidance for what to use in a HIPAA compliance context.

email encryption for hipaa

What is TLS?

Messages encrypted with TLS are only secured while in transmission. This “invisible” encryption prevents the messages from being tampered with or eavesdropped on while in transit from one mail server to another. TLS is one of the most usable forms of encryption. Emails sent with TLS appear like a regular email in the recipient’s inbox- no passwords or security questions are required to read the message. Once the email is delivered, it is unencrypted in the inbox. That means anyone who can access the inbox can read the email, making it less secure than other options.

See: SMTP TLS: All about secure email delivery over TLS.

What is Secure Portal Pick Up?

In comparison, messages encrypted with Secure Portal Pick Up are stored on a secure web server. Instead of receiving the email, the recipient is sent a notification message with a link that directs them to the secure portal. To login, the recipient must verify their identity to access the message. Once logged in, the recipient can read and respond to the message securely. Secure Portal Pick Up emails can be sent to anyone with an email address.

TLS vs Secure Portal Pick Up

SMTP TLS Secure Portal Pick Up
Message Content Transmitted Securely to End User?    
Message Content Encrypted at Rest?  
End User’s Identity Verified?  
Simple: Just like regular email?  
Extra work for the recipient?

In both cases, the message is securely transported to the recipient.

Secure Portal Pick Up is the more secure method. The message contents are encrypted all the time in the portal. The Portal Pick Up method requires verification of the recipient’s identity before allowing access to the message content. In contrast, emails sent with SMTP TLS are unencrypted in the recipient’s inbox and accessible to anyone with access to that email folder.

Many prefer to use SMTP TLS because it is easier to use. For the recipients, it works just like regular email. They receive the message in their inboxes and open it without knowing if it was encrypted. However, to some people, this simplicity is a disadvantage. If lay people can’t tell that the message was delivered securely, they may be worried about privacy.

People often choose SMTP TLS when possible, for its convenience. When added security features are desired, they choose Secure Portal Pickup.

Email Encryption for HIPAA Compliance

HIPAA requires the secure transmission of ePHI. It does not require that external emails are encrypted at rest. Once the data is in the recipient’s hands, they have the responsibility for protecting it.

This means that using SMTP TLS is okay under HIPAA. However, organizations should make sure they are using TLS 1.2 or 1.3 as recommended by NIST. Older versions of TLS are vulnerable to malicious actors.

Just because TLS is ‘good enough,’ it doesn’t mean it’s appropriate for all situations. Users who are not tech-savvy may perceive a TLS email as insecure and worry that the organization does not take privacy and security seriously. We recommend a nuanced approach to encryption that takes the message contents into account.

When to Use TLS vs. Secure Portal Pickup

As established, using TLS with the proper ciphers is okay for HIPAA compliance. However, there are certain scenarios where it makes sense to opt for a more secure form of encryption.

TLS is a great choice for marketing and promotional messages and appointment reminders that do not contain a lot of sensitive information. If an unauthorized user came across an appointment reminder in an inbox, it would not divulge a lot of privileged information. As a result, they would not be able to use the information to harm an individual.

On the contrary, if someone was able to access highly sensitive data like medical records, test results, or insurance/financial information in plain text in a person’s inbox, it could be devastating. In this scenario, it’s wiser to use Secure Portal Pick Up.

By limiting access to sensitive data, it demonstrates that the organization cares about protecting patient data and builds trust with the user. Even though it is inconvenient for the user to login to the portal, it is necessary to protect the data. Using a Secure Portal Pick Up method also allows senders to retract information sent in error. This is especially important when dealing with highly sensitive information.

In the end, it is up to each organization to assess their risk and decide where they stand on the security versus usability spectrum. HIPAA does not mandate one or the other. However, if there is a breach and data was unencrypted at rest, HIPAA assigns more liability to those involved.


Without knowing the details of your email campaigns, we generally recommend sticking to these two general guidelines. Use:

  1. TLS for marketing and transactional messages that are light on ePHI.
  2. Secure Portal Pick Up for messages that contain a lot of ePHI and personal information.

Using TLS for timely messages like appointment reminders and promotions ensures that they will not be missed. On the contrary, Secure Portal Pickup allows sensitive data to be protected, even if the emails are more difficult for the recipient to access. We recommend choosing an email provider like LuxSci, whose flexible encryption technology allows users to pick and choose the appropriate level of encryption for their emails on a per-message basis. When in doubt, always choose a secure option to keep data protected.