Opt-In Email Encryption is Too Risky for HIPAA Compliance

July 11th, 2017

A majority of companies that offer email encryption for HIPAA compliance allow senders to “opt-in” to encryption on a message-by-message basis. If the sender “does nothing special” then the email will be sent in the normal/insecure manner of email. If the sender explicitly checks a box or types a keyword in the body or subject of the message, then it will be encrypted and HIPAA-compliant.

Opt-in encryption is desirable because it is “easy.” End users don’t want any extra work and don’t want encryption requirements to slow them down, especially if many of their messages do not contain PHI. It is “good for usability” and thus easy to sell.

Cybersecurity opt-in email encryption

However, opt-in encryption is a very bad idea with the inception of the HIPAA Omnibus rule. Opt-in encryption imposes a large amount of risk on an organization, which grows exponentially with the size of the organization. Organizations are responsible for the mistakes and lapses of their employees. Accidentally sending unencrypted emails with PHI is an automatic breach with serious penalties.

How Does the HIPAA Omnibus Rule Change Reporting and Enforcement?

There are two provisions of the Omnibus HIPAA rule that come into play:

  1. Reporting: Previously, you only had to report a breach if there was a significant risk that it would be damaging to the patient. Now, you have to report every breach, no matter how small, unless special conditions are met.
  2. Penalties: The maximum penalty for a single violation is $50,000 and enforcement is strict and pervasive.

With regards to opt-in email security:

If you accidentally send a single email message containing ePHI without encryption, that is likely a reportable breach.

The downside of Opt-In Encryption

No one argues that opt-in email encryption is not user friendly and takes some of the bite out of the pain of enforced encryption. After all, who is in a better position than the sender to specify which messages contain PHI and which do not?

However, with opt-in encryption, it is very easy to send PHI-laden messages without encryption because:

  1. Typo: The sender mistypes the “code” that is supposed to trigger encryption and thus no encryption happens.
  2. Distraction: The sender was distracted or very busy and forgot to specify that encryption was needed.
  3. Education: The sender did not fully understand what is PHI or the security risks involved so they don’t take extra steps to ensure full compliance.
  4. Inconvenience: The sender is sending a message to a recipient who doesn’t like to deal with encryption and so the sender “skips it.”
If any one of these things happens a single time, that could be a reportable breach. If you have many employees, then these inadvertent breaches will not be one-off events, but a constant stream of errors.
The usability afforded by opt-in encryption automatically increases your HIPAA breach risk exposure. It also imposes a burden of monitoring your staff’s email sending. One alternative is LuxSci’s next generation Opt-In Email Encryption which goes you the best of both worlds — ease of use and low risk.

Send Everything Encrypted?

One obvious solution is to send all messages with email encryption. This significantly mitigates any risk of breach through email. Using Forced TLS or TLS Exclusive encryption allows you to send encrypted emails that appear like normal messages in your recipient’s inbox. No portals or passwords are required to read emails encrypted via TLS.
If most or all messages contain PHI, then this is indeed a good solution (and is supported by LuxSci’s SecureLine encryption software). However, if many messages do not contain PHI, then it may be burdensome for your recipients to open email messages.

A better solution: Opt-Out Email Encryption

An alternate solution is opt-out encryption. It ensures that all messages are secure unless the sender explicitly says that there is no PHI. This is encryption “opt-out” – the sender is still in the position to decide what is PHI and what is not; the sender just needs to take an extra step to remove security.
The advantages of this include:
  1. All messages are encrypted by default.
  2. If the sender “does nothing,” then the message is encrypted.
  3. All PHI is sent encrypted.
  4. Messages can be sent in the “regular” way if the sender enters special text (like “insecure”) in the subject or if the sender checks a box, so regular email can go out in a regular way.
  5. The sender must consciously certify that a message does not contain PHI before it will go insecurely. This reduces the risk that the sender will send PHI insecurely unless they are lacking HIPAA education or being malicious.
  6. If the sender makes a typo in the “opt-out” code, the system errs on the side of security and the message will be encrypted.
LuxSci recommends that companies currently using opt-in encryption change to opt-out encryption as soon as possible.

LuxSci’s Opt-Out Encryption Solution

LuxSci supports opt-in encryption for accounts without compliance needs; however, opt-in encryption has never been permitted for HIPAA-compliant accounts due to the significant risk stated above. The risk was too high even without Omnibus, in our opinion.
LuxSci’s HIPAA-compliant email encryption solution, SecureLine, does support encryption opt-out, though it is not enabled by default (by default, everything is encrypted for HIPAA customers).
Your administrator can enable it on an account-wide or domain-wide basis by certifying that it is OK for end users to make the decision of what is and what is not PHI themselves. Administrators take responsibility for training users properly (which you have to do anyway under HIPAA).
Once enabled, LuxSci opt-out encryption supports:
  1. Allowing you to choose what subject line text triggers no encryption.
  2. Removing the special extra subject line text so the recipient does not see it (making it more transparent).
  3. Allowing you to use just a checkbox (and confirmation dialog) in WebMail and Outlook to disable encryption.
  4. Logging the sending of all unencrypted messages for auditing purposes.
  5. Sending copies of all unencrypted messages to a special auditor email address for your review.

LuxSci’s opt-out email encryption solution can also be used in conjunction with your existing Exchange or other email service via a smart host connection, where all outbound email is relayed from your current provider through LuxSci for encryption. Smart hosted email encryption is especially simple if you are currently using Microsoft Outlook 365 or Google Workspace.

Learn more about opt-out encryption: Schedule a Consultation