email encryption Archives - LuxSci

Posts Tagged ‘email encryption’

New Feature: Secure Email Tagline

Thursday, June 23rd, 2022

LuxSci is introducing a new email tagline feature to inform recipients that email messages are secured. This helps build trust and increase confidence with less tech-savvy recipients who do not understand how email encryption works.

TLS Encryption

TLS encryption is now widely supported by the most popular email providers. As a result, more organizations are choosing to send emails containing sensitive data with TLS encryption. There are a few reasons for this:

  1. TLS encryption is permitted under HIPAA and most compliance regulations.
  2. It’s easier to use and does not require recipients to log in to portals to access their messages.
  3. The open and response rates are higher on TLS encrypted messages.

However, using only TLS to encrypt emails can be confusing to the laypeople receiving them. While it’s easy to use and “invisible,” that can be concerning when transmitting sensitive information. If it looks like a regular email, recipients may be concerned that the organization does not care about the security of their personal information. This perception can negatively impact the business and dissuade people from using digital channels.

Introducing a New Email Tagline

For these reasons, all Email Hosting, Secure Connector, Secure High Volume Email, and Secure Marketing customers who send emails encrypted via SecureLine will have a small tagline at the bottom of the email that indicates the message is secure. It looks like this:

[Image: "message secured by LuxSci" tagline]

This tagline builds trust and lets the recipient know that the company has taken steps to secure sensitive data. If you are an existing customer, visit your email settings or contact Customer Support to enable this feature. New customers will automatically have the tagline enabled when sending SecureLine encrypted emails.

Does TLS Email Encryption Meet Compliance Requirements?

Tuesday, February 22nd, 2022

In this article, we discuss what types of email encryption are sufficient to comply with government regulations. TLS encryption is a good option for many organizations dealing with sensitive data and legal requirements. However, TLS does not protect data at rest. Each organization must undertake its own risk assessment to determine which encryption methods are suitable to fulfill legal requirements.

Email Encryption for HIPAA Compliance: SMTP TLS vs Portal Pick Up

Tuesday, February 15th, 2022

Email encryption is an addressable standard for HIPAA compliance, but that doesn’t mean it’s optional. When sending sensitive data via email, it should be protected with encryption. However, there are many ways to send a secure email message and HIPAA does not require the use of a specific method.

The two most common email encryption methods are SMTP TLS and Secure Portal Pick Up. This article will discuss the differences between them and provide guidance for what to use in a HIPAA compliance context.

HIPAA-Compliant Email Hosting or Outbound Email Encryption?

Tuesday, January 25th, 2022

There are many ways to protect ePHI in email. HIPAA is technology-neutral and doesn’t make specific recommendations for how to protect email communications. This article explains the difference between a HIPAA-compliant email host and an email encryption gateway. These are just two of the options for securing email accounts.

Hidden Security Dangers of Google Workspace and Google Drive

Tuesday, November 30th, 2021

Google is one of the world’s most popular email providers. Many businesses choose Google Workspace for their email communications because of its collaboration tools, such as Calendar, Docs, and file sharing via Google Drive. Google Workspace includes basic privacy and security protections, but its security measures are not enough for HIPAA compliance. Even though Google will sign a BAA with HIPAA covered entities, it may not apply to all of the Google apps. Google Workspace has hidden dangers that may lead to a violation of HIPAA rules.


Google Calendar is a core service of Google Workspace and is covered by a Business Associates Agreement. The problem is that email encryption is not a standard feature of Google Workspace. That is, although Google supports encrypted messages within its servers, emails sent to other systems are not encrypted.

Google does not even offer a native end-to-end email encryption solution; you have to purchase such a service from a third party and integrate it with your Google account.

So, even though Calendar and other core services – including Gmail, Drive, Meet and Google Cloud Search – are covered by the company’s BAA, the emails that Gmail automatically schedules and sends via Calendar are not encrypted.

In addition, it is extremely important to make sure your calendar settings are completely private and that your calendars are not visible to anyone who should not have access to PHI. Many of these settings are public to your organization by default, so make sure you take the time to configure the account properly.


HIPAA has a ‘per violation’ penalty, imposing a fine on every email that fails to comply with HIPAA rules. As far as emails go, you can send PHI via email as long as it is secure and encrypted and other requirements are met (i.e., access control, backups, audit trails, etc.). If you think about it, encryption protects PHI in many ways; for instance, if an email containing PHI is sent to the wrong recipient, it cannot be read or used without the keys needed to decrypt it. On the other hand, by choosing to send emails unencrypted, you expose your organization to security, financial and legal risks.

For the record, ‘reasonable cause’ penalties range from $1,000-$50,000 per breached data item, and ‘willful neglect (corrected)’ attracts penalties between $10,000-$50,000. ‘Willful neglect (not corrected)’ penalties will cost you a flat $50,000 fine per breached data item.

You can, potentially, send out all kinds of ePHI courtesy of the Calendar-Gmail integration. Examples include:

  • Meeting invitations
  • Appointment reminders
  • Appointment follow-up instructions
  • Health-related advice and comments
  • Patient satisfaction survey containing identifying information
  • Mentions of new or urgent symptoms
  • A brief discussion of mental or sensitive health problems
  • Details of the patient’s care
  • Emailing patient’s details to a colleague
  • Information related to test results or prescription refills

Your BAA with Google isn’t very useful if Google Workspace poses a regulatory risk of ePHI breach.


Your BAA does not cover all Google Services. For example, your internal policies should disallow the use of PHI with Google+ and Google Contacts, should you enable these services. To be on the safe side, you also need to set checks and balances for HIPAA-compliant services in Google Workspace. Some other common risks include:

  • Files uploaded to Google Drive must not contain PHI in file or folder titles or within team drives. Restrict file and folder sharing to trusted entities.
  • Free Gmail accounts pose a big risk of ePHI breach. Gmail does not offer a native encryption solution and, on its own, can never be HIPAA compliant. Free Gmail services do not come with a BAA and as a result do not meet compliance standards.
  • Assess the appropriate uses of Google Meet and Chat in relation to PHI and train staff appropriately. The use of messaging apps on mobile devices is one area where violations can occur and potentially stack up pretty quickly.
  • You cannot send emails with PHI from Google Workspace, even if you have a BAA with Google. Emails with PHI must be encrypted, and using a third-party email encryption service is required to meet compliance standards.


You can address many common compliance challenges with proper user training and appropriate administrative controls. However, encrypting emails sent from Google requires the use of a third-party encryption solution. LuxSci’s SecureLine encryption technology was designed for HIPAA compliance and is compatible with any email program.

SecureLine is a simple system that offers advanced email security. You can choose the encryption method (TLS, PGP, S/MIME or ESCROW), and automatically secure all outbound email from Google Workspace apps. You can continue to receive email from any program or web service.

SecureLine is linked with the SecureSend Portal, our web-based service that your recipients can access for free in order to send encrypted email.


By configuring your Google Workspace account to send all outbound email through LuxSci for processing and delivery, you will not only be adding encryption that secures ePHI but also masking your IP address. By using a third-party connector, you can also add outbound email archival to meet HIPAA requirements.

LuxSci’s Secure Connector is a better option than others because of our always-on encryption settings. Administrators can enforce encryption for all users who are likely to be sending PHI via email. Instead of relying on employees remembering to encrypt emails, all of their emails are automatically encrypted via TLS. More on that here: Opt-In Email Encryption is Too Risky for HIPAA Compliance.

Is Google Workspace HIPAA Compliant?

If you still want to use Google Workspace for your business, make sure you take the appropriate steps to secure your accounts. Google Workspace can be HIPAA-compliant, but it does not come automatically configured to meet those standards. Admins must take the time to disable public sharing settings for users with access to PHI and set up clear policies regarding app usage. They must also set up an encryption solution to send emails that contain PHI. Only after these steps are taken can Google Workspace be HIPAA compliant.

Want to discuss how LuxSci’s HIPAA-Compliant Email Solutions can help your organization? Contact one of our email security experts today.