Opt-In Email Encryption is too Risky for HIPAA Compliance

A majority of companies and hospitals that offer email encryption for HIPAA compliance allow senders to “opt in” to encryption on a message-by-message basis. For example, if the user does nothing special, the email is sent in the normal, insecure manner of email in general. If the sender explicitly checks a box or adds some special content to the body or subject of the message, then it is encrypted and HIPAA-compliant.

Opt-in encryption is desirable because it is “easy”: end users don’t want any extra work and don’t want encryption requirements to bog them down, especially if most of their messages do not contain PHI. It is “good for usability” and thus easy to sell.

However, opt-in encryption is a very bad idea with the introduction of the HIPAA Omnibus rule. Opt-in imposes a large amount of risk on an organization, and that risk grows exponentially with the size of the organization.

What is special about the HIPAA Omnibus Rule that changes the game?

There are two provisions of the Omnibus HIPAA rule that come into play:

  1. Reporting: Previously, you only had to report a breach if there was a significant risk that it would be damaging to the patient. Now, you have to report every breach, no matter how small, unless special conditions are met.
  2. Penalties: The maximum penalty for a single violation has been raised to $50,000, and enforcement is planned to be strict and pervasive.

With regards to opt-in email security:

If you accidentally send a single email message containing ePHI without encryption, that is likely a reportable breach.

The down side of Opt-In Encryption

No one disputes that “opt in” email encryption is user friendly and takes some of the bite out of the pain of enforced encryption. After all, who is in a better position than the sender to specify which messages contain PHI and which do not?

However, with opt-in encryption, it is very easy for PHI-laden messages to go out without encryption because:

  1. Typo! The sender mistypes the “code” that is supposed to trigger encryption, and thus no encryption happens.
  2. Distraction! The sender was distracted or very busy and forgot to specify that encryption was needed.
  3. Education: The sender did not fully understand what PHI is, or the sender does not understand security or care about it very much, and so doesn’t bother or doesn’t remember how to take the extra steps needed to ensure full compliance.
  4. Inconvenience: The sender is sending a message to a recipient who doesn’t like to deal with encryption, and so the sender “skips it”.
If any one of these things happens a single time, that could be a reportable breach.

  • People are very busy and multitasking, and distraction happens.
  • It is hard to avoid a typo once in a while if you are in a hurry, or even if you are not.
  • The more people in your organization, the more likely you are to have issues with education, and the more likely the other conditions are to occur.
  • If you have to report errant emails as breaches, then all of a sudden you need to be monitoring these as well. Who is going to be doing that? Does your system even give you that ability?

Clearly, the usability afforded by opt-in encryption dramatically increases your HIPAA breach risk exposure and imposes a burden of monitoring your staff’s email sending.

One alternative is LuxSci’s Second-Generation Opt In Email Encryption, which gives you the best of both worlds: ease of use and low risk.

Send Everything Encrypted?

One obvious solution is to send all messages with email encryption. This significantly mitigates any risk of breach through email.

If most or all messages contain PHI, then this is indeed a good solution (and is supported by LuxSci’s SecureLine encryption software). However, if many messages are not laden with PHI, then it may be burdensome to your recipients to be forced to jump through any kind of hoop to open your regular email messages.

A better solution: Email Encryption Opt Out

The better solution is the flip side of opt-in encryption: ensure that all messages are secure unless the sender explicitly says that there is no PHI. This is encryption “opt out”: the sender is still in the position to decide what is PHI and what is not; the sender just needs to take an extra step to remove security.

The advantages of this include:

  1. All messages are encrypted by default.
  2. If the sender “does nothing”, then the message is encrypted.
  3. All PHI is sent encrypted.
  4. Messages can be sent in the “regular” way if the sender enters special text (like “insecure” or “nophi”) in the subject, or if the sender checks a box, so regular email can go out in a regular way.
  5. The sender must consciously certify that a message does not contain PHI before it will go out insecurely. This is much safer in terms of risk, as it is much less likely that the sender will send PHI insecurely unless the sender is lacking HIPAA education or being malicious.
  6. If the sender makes a typo in the “opt out” code, the system errs on the side of security: the message will be encrypted.

LuxSci recommends that companies currently using opt-in encryption change to opt-out encryption as soon as possible.

LuxSci’s Opt Out Encryption Solution

LuxSci does support opt-in encryption for accounts without compliance needs; however, opt-in encryption has never been permitted for HIPAA-compliant accounts due to the significant risk stated above. The risk was too high even without Omnibus, in our opinion.

LuxSci’s HIPAA-compliant email encryption solution, SecureLine, does support encryption opt out, though it is not enabled by default.

Your administrator can enable it on an account-wide or domain-wide basis by certifying that it is OK for end users to decide for themselves what is and what is not PHI, and that you take responsibility for training them properly (which you have to do anyway under HIPAA).

Once enabled, LuxSci encryption opt out supports:
  1. Allowing you to choose what subject line text triggers no encryption.
  2. Removing the special extra subject line text so the recipient does not see it (making it more transparent).
  3. Allowing you to use just a checkbox (and confirmation dialog) in WebMail and Outlook to disable encryption.
  4. Logging the sending of all unencrypted messages for auditing purposes.
  5. Sending copies of all unencrypted messages to a special auditor email address for your review.
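The following is an added illustration of the opt-in versus opt-out decision logic described above, written for this page and not taken from LuxSci’s SecureLine. It models a mail gateway policy: opt-in sends plaintext unless a trigger word is present, while opt-out encrypts unless the sender certifies “no PHI”, strips the trigger from the subject, logs the unencrypted send, and copies an auditor. The trigger words, the auditor address and the Message/Decision types are assumptions.

```python
"""Opt-in vs opt-out encryption policy at a hypothetical mail gateway (constructed example)."""
from dataclasses import dataclass, field
import re

OPT_OUT_TRIGGERS = ("nophi", "insecure")   # assumed subject-line codes meaning "no PHI"
OPT_IN_TRIGGER = "secure"                  # assumed opt-in code meaning "please encrypt"
AUDITOR = "auditor@example.com"            # assumed auditor mailbox for unencrypted copies

@dataclass
class Message:
    sender: str
    subject: str
    no_phi_certified: bool = False         # models the "no PHI" checkbox + confirmation

@dataclass
class Decision:
    encrypt: bool
    subject: str                           # subject as the recipient will see it
    audit_log: list = field(default_factory=list)
    bcc: list = field(default_factory=list)

def _subject_has(subject: str, triggers) -> bool:
    # Exact whole-word, case-insensitive match: a typo such as "nophii" does NOT match.
    words = set(re.findall(r"[a-z]+", subject.lower()))
    return any(t in words for t in triggers)

def opt_in_policy(msg: Message) -> Decision:
    """Plaintext unless the sender explicitly asks for encryption (fails open on a typo)."""
    return Decision(encrypt=_subject_has(msg.subject, (OPT_IN_TRIGGER,)), subject=msg.subject)

def opt_out_policy(msg: Message) -> Decision:
    """Encrypted unless the sender certifies there is no PHI (fails closed on a typo)."""
    if not (msg.no_phi_certified or _subject_has(msg.subject, OPT_OUT_TRIGGERS)):
        return Decision(encrypt=True, subject=msg.subject)
    # Strip the trigger word so the recipient never sees it.
    pattern = r"\s*\b(" + "|".join(OPT_OUT_TRIGGERS) + r")\b\s*"
    clean = re.sub(pattern, " ", msg.subject, flags=re.I).strip()
    decision = Decision(encrypt=False, subject=clean)
    # Every unencrypted send is recorded and copied to the auditor for review.
    decision.audit_log.append(f"UNENCRYPTED from={msg.sender} subject={clean!r}")
    decision.bcc.append(AUDITOR)
    return decision
```

Under opt-in, a mistyped trigger such as “securee” silently produces a plaintext message; under opt-out, a mistyped “nophii” still produces an encrypted one.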

For more details, see: HIPAA Compliant Email – You Decide Which Messages Need Encryption
