When can sending TLS-Secured Email be NOT HIPAA Compliant?
In a question recently submitted to “Ask Erik,” John asked:
“How does sending a TLS-encrypted email sometimes become non-compliant? Let's say I send an email from my Office 365 Business account to a gmail.com account, which both support TLS encryption. Is it because I do not know what path and what servers the email has to go through? Does each server have to decrypt the email and is that when it becomes non-compliant? I love the Luxsci forms by the way!”
This is a great question! In a recent survey that LuxSci did, less than 50% of the people interested in secure email even knew what TLS is and how it works. So it is not surprising that there is a lot of confusion out there about what is acceptable for compliance and what is not.
TLS-Only Email Encryption is Easy but “Transport Only”
When using only TLS to encrypt email (see also our deep-dive on TLS for SMTP), all you are doing is ensuring that the message is encrypted while it is in transit between mail servers. TLS for SMTP works hop by hop: each server that handles the message decrypts it on receipt and then negotiates TLS again (or not) with the next server, so the message is protected on a given hop only if both ends of that hop support and use TLS. That is the answer to John's question about intermediate servers: yes, every relay along the path sees the message in the clear. Transmission encryption is required by HIPAA and TLS satisfies this requirement. TLS Only is very attractive to senders because it is simple and seamless (when supported; only 80-90% of recipients support TLS as of May, 2018, and unless your server is configured to require TLS it will quietly fall back to an unencrypted connection for those that do not). All of the encryption is taken care of behind the scenes by the servers and it is “business as usual” for senders and recipients (messaging works just like regular insecure email). What could be better?
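To make the hop-by-hop decision concrete, here is a small Python model of what a sending mail server does on each hop. This is an added illustration, not code from the original post or from LuxSci. The two EHLO replies are constructed samples, the policy names `opportunistic` and `enforce` are labels chosen here (Postfix calls the equivalents `may` and `encrypt`), and `live_starttls_check` is an optional helper that does a real network probe with the standard `smtplib` module and is not exercised offline.

```python
"""Model of the per-hop STARTTLS decision a sending SMTP server makes.

Added illustration, not LuxSci code. A sender that delivers "TLS only" reads the
EHLO capability reply from the next hop and, unless told to enforce TLS, falls
back to cleartext when STARTTLS is absent. That silent downgrade is the failure
mode behind "only 80-90% of recipients support TLS".
"""
import re
import smtplib
from dataclasses import dataclass

# Constructed EHLO replies (RFC 5321 multiline form: "250-" continues, "250 " ends).
EHLO_WITH_STARTTLS = """250-mx.example.com Hello client.example.org
250-SIZE 157286400
250-8BITMIME
250-STARTTLS
250-ENHANCEDSTATUSCODES
250 SMTPUTF8
"""

EHLO_WITHOUT_STARTTLS = """250-legacy-mx.example.net Hello client.example.org
250-SIZE 10240000
250 8BITMIME
"""


def parse_ehlo(reply: str) -> set:
    """Return the upper-cased EHLO keywords advertised in a 250 reply.

    The first line is the server greeting, not a capability, so it is skipped.
    A non-250 first line means EHLO was rejected and no capabilities are known.
    """
    lines = reply.splitlines()
    if not lines or not lines[0].startswith("250"):
        raise ValueError("EHLO was not accepted by the next hop")
    caps = set()
    for line in lines[1:]:
        m = re.match(r"^250[- ](\S+)", line)
        if m:
            caps.add(m.group(1).upper())
    return caps


@dataclass(frozen=True)
class Decision:
    send: bool        # whether the message leaves on this hop at all
    encrypted: bool   # whether this hop will be TLS-protected
    reason: str


def decide(reply: str, policy: str) -> Decision:
    """Apply a TLS policy to one hop's EHLO reply.

    policy: "opportunistic" (use TLS if offered, else cleartext) or
            "enforce" (TLS or do not send). Only this hop is judged; later
            relays toward the final mailbox make their own decisions.
    """
    caps = parse_ehlo(reply)
    if "STARTTLS" in caps:
        return Decision(True, True, "next hop offers STARTTLS; this hop is encrypted")
    if policy == "opportunistic":
        return Decision(True, False, "no STARTTLS; delivering in cleartext (silent downgrade)")
    if policy == "enforce":
        return Decision(False, False, "no STARTTLS; enforced policy refuses cleartext delivery")
    raise ValueError(f"unknown policy {policy!r}")


def live_starttls_check(host: str, port: int = 25, timeout: float = 10.0) -> bool:
    """Probe a real MX and report whether it advertises STARTTLS (network call)."""
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        conn.ehlo()
        return conn.has_extn("starttls")


if __name__ == "__main__":
    for name, reply in (("modern MX", EHLO_WITH_STARTTLS), ("legacy MX", EHLO_WITHOUT_STARTTLS)):
        for policy in ("opportunistic", "enforce"):
            d = decide(reply, policy)
            print(f"{name:10} {policy:14} send={d.send!s:5} encrypted={d.encrypted!s:5} {d.reason}")
```

Two caveats the model makes visible: a decision is only ever about one hop, so "my hop was encrypted" says nothing about the relays between the first and last server; and even when STARTTLS is offered, a typical sender does not verify the next hop's certificate unless it is configured to, so opportunistic TLS defends against passive eavesdropping rather than an active attacker sitting between the servers.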
To understand how TLS-Only email encryption can lead to non-compliance, let's compare it to “Portal Pickup” email encryption (i.e., where the message is securely stored in your secure email provider's systems and the recipient merely gets a link to come and pick up the message securely) as provided by LuxSci (other companies also provide portal pickup systems, though the level of security of these systems varies, especially the level of recipient authentication). LuxSci calls its “Portal Pickup” service “Escrow”.
| | TLS Only | Portal Pickup |
|---|---|---|
| Storage Encryption | No way to know if it is stored securely on the recipient's servers. However, one can argue that once the message arrives at the recipient securely, the responsibility passes to the recipient. You could also argue the other way, depending on the sensitivity of the content and the expectations of the recipient. | Yes (the message remains securely stored on the provider's servers) |
| Recipient Authentication | If you send the message to the wrong recipient, you have no way to retract the message or prevent that person from accessing the email. The recipient does not have to prove his/her identity to access the message. So, there is a danger of a breach if you misaddress an email. You are also not taking any steps to protect the message content from improper access. | Yes |
| Audit Trail | Once the message is accepted by the recipient's email servers, you have lost track of it. You have no way to know for sure or record if the message has been read or attachments downloaded, and no way to control forwarding and replying to messages. | Yes |
| Secure Reply | When sending email via TLS, you have no way to ensure that a recipient's reply to your message will come back over TLS in every case. Just because your message went via TLS does not mean that a reply will always use TLS. If you are soliciting email replies and not providing a truly secure way for those replies to be sent, then you could be in breach. | Yes |
| Backups/Archives | TLS delivery does not by itself provide backups or archives of your sent and received email, as required by HIPAA. You need to be sure that you have backup and email archival services as well. | Portal pickup does not by itself provide backups or archives of your sent and received email, as required by HIPAA. You need to be sure that you have backup and email archival services as well. |
So, to use TLS-Only email delivery in a compliant way, one must:
- Not solicit replies to your email messages unless you provide recipients with a secure portal where they can log in to send those replies. Or, you can cross your fingers and hope that your recipients' replies always come back over TLS.
- Be sure you have email archival and backup set up.
- Be sure you do not really have a requirement to know if the messages you sent were accessed and/or forwarded.
- Be very careful that all messages you send are addressed to exactly the right people
Also, along with TLS Only comes the philosophy that for recipients of yours who are not health care providers (e.g., patients), once your email messages arrive at their servers, those messages are completely their responsibility. I.e., you, as a HIPAA-compliant organization, do not need to track access to the messages, do not need to be responsible for continued protection of the messages, and do not need to help the recipient reply securely or manage the security of those messages.
Indeed, many organizations take that exact philosophy because HIPAA is very gray around these concepts and this allows for secure email in a very user-friendly way. On the flip side, we also see many customers who choose to only use TLS with specific recipients (e.g., their internal staff and trusted partners) and to have all other sensitive messages go via “portal pickup” (or S/MIME or PGP) so that all of these security nuances are taken care of and their risk and liability are significantly reduced. In the end, this is a business decision based on a myriad of factors, from the nature of your emailing to the technical sophistication of your recipients to the industry sector in which you find yourself (rules and risk are much stricter for some people, e.g. psychologists and organizations involved with controlled substances, than for others, e.g. PR firms sending out email marketing messages for dental practices).
This is exactly why LuxSci's email security solution is extremely flexible. We allow you to dial your security level in to match your exact business and legal needs. Is TLS only OK for you? Great. Do you want portal pickup for everyone except your own internal staff? Sure. Do you want to be able to escalate message security from TLS to portal pickup on the fly for certain especially sensitive messages? We can do that too. Do you have recipients who use PGP and/or S/MIME? No problem.