May 10th, 2018

TLS Exclusive: HIPAA-compliant email marketing just got a whole lot better

If you are a healthcare organization and have to abide by HIPAA regulations, you may be struggling with HIPAA-compliant email marketing.  Besides obtaining patient consent, there is the concern that the marketing email messages themselves need to be secured: in many cases the marketing message, combined with the address list it is sent to, implies something about the recipients … something ePHI-related.

SMTP TLS Exclusive

It is a best practice to use a HIPAA-compliant email marketing service to send healthcare-related email marketing messages, newsletters, appointment reminder emails, etc.  Such a service signs the required HIPAA Business Associate Agreement with you, takes care of your data, and ensures that your email messages go securely to your recipients.

The difficulty with secure email: TLS is not universally supported.

When sending a secure email message, there are several ways to reach the level of encryption HIPAA requires.  The simplest is called “TLS” – “Transport Layer Security” (All about SMTP TLS).  TLS encrypts email messages while they are in transit between mail servers across the Internet, from the sender’s server to the recipient’s.  Unlike its stronger alternatives (end-to-end or portal-based encryption), it does not protect messages “at rest” once they sit in people’s Inboxes.  As a result, TLS is the least secure of the options … but it is also seamless (the messages look like normal email) and meets the minimum requirements of HIPAA, which is in most cases appropriate for email marketing.

Unfortunately, not everyone’s email system supports TLS yet (about 85% of recipients of messages sent from LuxSci’s systems currently support TLS).  So, when sending secure email messages, 15% of them can’t be delivered “the easy way.”  Typically, LuxSci solves this for you by auto-detecting TLS support and using something else (usually a secure “web portal pickup” method) when TLS is not available.  This works well for regular email messages.  People are used to portal pickups and will readily go into a portal to pick up lab results and other important email messages.

However, for email marketing messages … people will not bother with added complexity.  Sending marketing messages that require effort to open is simply annoying to the recipients — akin to spamming them.  So, what can you do to stay compliant, follow best practices, and not annoy the people on your mailing lists … people who are probably your customers?

Exclusive TLS: The solution for HIPAA-compliant email marketing

LuxSci’s email marketing customers now have a solution.  By enabling LuxSci’s new “TLS Exclusive” feature in your account, you turn on a unique and easy solution to the secure email marketing problem:

  1. LuxSci dynamically determines which recipients’ email systems support TLS and delivers your messages to those systems over Forced TLS (i.e., the delivery fails rather than falling back to an unencrypted connection, so there is no chance that the message will go insecurely).
  2. For recipients whose systems do not yet support TLS, LuxSci discards the marketing messages addressed to them and logs that fact for reference.

When you use TLS Exclusive, your HIPAA-compliant email marketing messages will go seamlessly to the 85% of recipients whose systems support TLS.  They will see your email messages in their Inboxes and the messages will appear just like every other message.  This maximizes your open rates while ensuring your compliance.

For the 15% of your list that does not support TLS yet — they will be dynamically exempted from receiving your marketing messages.  Better to not send them anything than to annoy them with marketing email that they have to “do something” to open.  And, when their systems do support TLS in the future, LuxSci will dynamically discover that and automatically start including them in your mailings.
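The two-step policy above (probe for STARTTLS, deliver over forced TLS or discard and log) is straightforward to express in code.  The following is an added example written for this article, not LuxSci’s implementation, which is not shown on this page.  It parses a recipient MX’s EHLO reply for the STARTTLS keyword, caches the result per domain so that support is re-discovered the next time the list is mailed, and sends only over a TLS context that verifies the server certificate and refuses anything below TLS 1.2.  The domain names and EHLO replies are constructed sample data; the `probe` callable stands in for the MX lookup and EHLO exchange a real sender performs over the network, and certificate verification is an assumption of this example rather than something the article states about LuxSci’s service.

```python
import logging
import smtplib
import ssl
from email.message import EmailMessage

# Constructed EHLO replies standing in for what a recipient's MX would return.
# Sample data for this example only; not captured from any real server.
SAMPLE_EHLO = {
    "clinic-with-tls.example": (
        b"250-mx.clinic-with-tls.example\r\n"
        b"250-SIZE 52428800\r\n"
        b"250-STARTTLS\r\n"
        b"250 8BITMIME\r\n"
    ),
    "legacy-isp.example": (
        b"250-mx.legacy-isp.example\r\n"
        b"250 8BITMIME\r\n"
    ),
}


def ehlo_advertises_starttls(reply: bytes) -> bool:
    """Parse a multi-line EHLO reply (RFC 5321, section 4.1.1.1) and report
    whether the STARTTLS extension is advertised.  Only 250 lines count, the
    keyword is the first token after '250-' or '250 ', and the comparison is
    case-insensitive, so '250-X-STARTTLS-NOTE' is not a match."""
    for raw in reply.split(b"\r\n"):
        line = raw.decode("ascii", errors="replace")
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            continue
        keyword = line[4:].split(" ", 1)[0]
        if keyword.upper() == "STARTTLS":
            return True
    return False


def plan_delivery(recipients, probe, cache=None):
    """Split recipients into those that will be sent over forced TLS and those
    that are discarded.  probe(domain) returns the raw EHLO reply from the
    domain's MX.  Results are cached per domain (one probe per domain per
    mailing); a fresh cache on the next mailing re-discovers newly added
    TLS support, which is the 'dynamic' behaviour the article describes."""
    cache = {} if cache is None else cache
    send, discard = [], []
    for addr in recipients:
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain not in cache:
            cache[domain] = ehlo_advertises_starttls(probe(domain))
        if cache[domain]:
            send.append(addr)
        else:
            discard.append(addr)
            logging.info("TLS Exclusive: not sending to %s (no STARTTLS at %s)",
                         addr, domain)
    return send, discard


def forced_tls_context() -> ssl.SSLContext:
    """TLS context for the delivery hop: the MX certificate is verified against
    the system trust store and versions below TLS 1.2 are refused.  (Assumed
    policy for this example; the article does not say what LuxSci verifies.)"""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def send_forced_tls(host: str, msg: EmailMessage, port: int = 25) -> None:
    """Deliver one message without ever falling back to cleartext.  smtplib's
    starttls() raises SMTPNotSupportedError if the server does not offer
    STARTTLS, and the handshake raises on an untrusted certificate; in both
    cases the message body is never transmitted."""
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        smtp.starttls(context=forced_tls_context())
        smtp.ehlo()
        smtp.send_message(msg)


def demo():
    """Run the policy over a constructed list; returns the send list, the
    discard list and how many probes were made (two, one per domain)."""
    calls = []

    def probe(domain):
        calls.append(domain)
        return SAMPLE_EHLO.get(domain, b"250 mx.unknown.example\r\n")

    recipients = [
        "a@clinic-with-tls.example",
        "b@Clinic-With-TLS.example",   # same domain, different case: no new probe
        "c@legacy-isp.example",
    ]
    send, discard = plan_delivery(recipients, probe)
    return send, discard, len(calls)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(demo())
```

The separation matters: `plan_delivery` decides who is mailed, and `send_forced_tls` is the only path that touches the network, so a recipient whose MX stops advertising STARTTLS between the probe and the send still cannot receive the message in the clear.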

The key point – you do not have to manage this process or even pay attention to who supports what.  That is all taken care of seamlessly for you.  If you are interested, LuxSci’s delivery status reports will tell you all you need to know about your email message deliveries, including which recipients were skipped for lack of TLS support.

How do I turn on Exclusive TLS?

LuxSci customers with SecureLine (our email encryption service) can enable TLS Exclusive at three levels: for all sending in the account (account-wide), for all users in a domain (domain-wide), or in the SecureLine settings of specific users.  To enable it account-wide, navigate to your “Account Administration – Account Settings – Security – SecureLine” area.  There, in the “SecureLine TLS” section of the page, enable the toggle next to “TLS Exclusive” … and also the one for “TLS Wherever Possible,” since the exclusive setting depends on TLS being attempted in the first place.

Once enabled, any messages sent from email programs (via SMTP) will use this setting.  Messages sent from LuxSci WebMail are unaffected — they will always be sent to all recipients using the appropriate level of encryption based on your account’s configuration.

Give it a try!


