HIPAA-Compliant Email Hosting or Outbound Email Encryption?

January 25th, 2022

There are many ways to protect ePHI in email. HIPAA is technology-neutral and doesn’t make specific recommendations for how to protect email communications. This article explains the difference between a HIPAA-compliant email host and an email encryption gateway. These are just two of the options for securing email accounts.

email encryption

HIPAA-Compliant Email Hosting

The most straightforward solution is to use a HIPAA-compliant email host. These are providers who specifically design their email services to comply with HIPAA regulations. A good example is LuxSci’s Secure Email.

A HIPAA-compliant email provider will sign a Business Associate Agreement and include the following features:

  • encrypt data at rest and in transit
  • access controls and audit logs
  • user authentication controls
  • data integrity controls
  • email backup and archival

While many HIPAA-compliant email hosts have their own webmail portals, they can also be used with standard email programs like Outlook, Mac Mail, and Thunderbird.

Some organizations may pursue this option because they need specific features these programs offer, while others may find the switch too complicated or expensive. Moving to a new system can be time-consuming for IT staff and may involve migrating large volumes of emails to the new system. In addition, staff will need to be trained on using the new email program.

HIPAA-compliant Outbound Email Encryption

If an organization is already using Google Workspace or Microsoft 365, it is possible to make those programs HIPAA-compliant with an email encryption tool. Both Google and Microsoft will sign Business Associate Agreements with healthcare organizations to secure data at rest. However, the terms of the BAA stipulate that they will not protect ePHI in outgoing emails. We call this “quasi-compliance.” Using an outbound encryption tool like Secure Connector can help secure outgoing emails to meet HIPAA requirements without switching email providers.

This is appealing to many organizations because many people like the functionality and features that Microsoft 365 and Google Workspace offer. They are two of the most popular email providers for a reason. However, they are unsuitable for protecting ePHI straight out of the box.

Google Workspace Encryption Options

Google uses TLS to encrypt emails whenever possible. If TLS is unavailable, Google will send messages insecurely with no encryption at all. To use Google Workspace in a HIPAA-compliant manner, organizations must use a third-party tool to encrypt outgoing emails that contain sensitive data. Opportunistic TLS is not secure enough when sending ePHI.

Microsoft 365 Encryption Options

Microsoft has an encryption solution called Office Message Encryption (OME) that organizations can purchase. However, it is clunky and difficult to configure. OME encrypts all internal emails with TLS and external emails with portal pickup. Portal pickup is highly secure but requires recipients to log in to a portal to read and respond to messages.

OME is an opt-in encryption model, which means that recipients must remember to encrypt every message that contains sensitive data. This is risky because it relies on humans making the correct decisions. Read more about the risks of opt-in encryption: Opt-In Email Encryption is Too Risky for HIPAA Compliance.

Secure Connector: A Third-Party Outbound Email Encryption Option

LuxSci’s Secure Connector allows organizations to encrypt all outgoing emails automatically with TLS. Our “opt-out” encryption model means that users can choose not to send encrypted emails, but the default is to send all emails with TLS. LuxSci’s encryption is very flexible, and users can choose more secure encryption (Portal Pickup, PGP, and S/MIME) depending on the sensitivity of the message contents.

Should An Organization Use A HIPAA-Compliant Email Host or an Outbound Email Encryption Service?

Every organization will come to its own conclusion based on historical precedent and the IT resources available. If the organization is new, the barriers to implementing a HIPAA-compliant email host are much lower.

In contrast, some established organizations lack the resources or desire to switch to a new email host. Suppose they rely on specific software features in Google Workspace or Microsoft 365. In that case, it may be best to deploy a third-party email encryption service like LuxSci’s Secure Connector to protect sensitive data.

However an organization chooses to secure sensitive data in email, LuxSci is here to help. Contact our email security experts to help determine which solution is best for your organization.