HIPAA-compliant Email
Email anyone securely; use your favorite email program
Home Email Services HIPAA-compliant Email
Home Email Services HIPAA-compliant Email
Secure your ePHI during email communications.
Watch the video to learn more.
Book 1 in the LuxSci Internet Security Series.
Created by Erik Kangas, PhD
Get the HIPAA eBook
It's unfortunate that hackers can exploit online communication on a hunt for sensitive information. However, with advanced cybersecurity, you can protect your private email information from hacking vulnerabilities. At LuxSci, we specialize in email encryption to ensure communication security. Not only are our email services encrypted, but they're also HIPAA- (Health Insurance Portability and Accountability Act) compliant for those of you in the medical and Healthcare fields. Medical records hold some of your and your patients' most sensitive information: Social Security numbers, insurance IDs, addresses, credit cards, medical records and scheduling, and more. LuxSci provides the leading software in HIPAA-compliant email, which guarantees the privacy of all ePHI (electronic patient health information) sent within your organization, as well as to patients and other appropriate, outside recipients. HIPAA makes it your legal responsibility to secure your patients' ePHI, and it's our responsibility to provide those securing services.
Complying with HIPAA can overwhelm and confuse when you're trying to find a user-friendly platform. LuxSci is here to make this easy for you. We provide HIPAA-compliant email with form and Web abilities, as well as HIPAA-compliant email hosting services. We also help back up your data and offer extensive auditing. Most important, we offer forced encryption that always comes with a verified seal that links to us and allows your recipients to know you properly protected their information.
Yes. LuxSci SecureLine enables you to send compliant email to anyone with an email address. Your recipients do not need to use LuxSci themselves.
Yes. LuxSci's HIPAA-compliant email services do not require you or your recipients to install any special software. LuxSci works with any modern desktop or mobile Web browser, with all modern email programs (such as Outlook and Mac Mail), and with mobile email programs as well.
Yes. Recipients of your secure email messages can reply to you.
Yes. HIPAA customers get a trustmark that looks like this:
In addition to email encryption, HIPAA-compliant email hosting accounts include email access and sending from email programs (e.g. using IMAP, POP, and SMTP) and from our Web interface. LuxSci also highly recommends use of our Email Archival, Premium Email Filtering, and Mobile Secure Chat.
If some messages do not include ePHI, you can choose to opt out of using encryption for them. LuxSci does not support opt-in encryption (where you manually specify which messages need encryption), because it's too risky for HIPAA compliance.
If only some people need to send ePHI, we can segregate your users into two (or more) domains. For example, users who must be fully compliant can have addresses in "secure.yourdomain.com." Users who do not need HIPAA-compliant email can have addresses in "yourdomain.com" and can send and receive without any encryption at all. (We call this per-domain HIPAA compliance.) Users can have addresses in both domains, if needed.
When you send an email message through WebMail, from either your mobile device or your email program, that message transmits securely to LuxSci's servers using TLS. Once the message arrives, LuxSci encrypts the message for each of your recipients and then delivers the encrypted message to the recipient's email servers. Based on your account preferences, who the recipients are, where their email host is, and settings in your account, the encryption used can take the form of: SMTP TLS, Secure Message Pick Up (Escrow), PGP, or S/MIME.
Yes, it can be. It depends on your choice of account settings. See Ensuring all data is encrypted at rest with LuxSci.
It depends. Messages sent using SMTP TLS do not require anything special to open them since they're encrypted only during transmission. Messages sent using Escrow (Secure Message Pick Up) do require the recipients to authenticate themselves to our secure web site in order to access their secure messages. You can do this either (a) by using a username/password for a free account to access any received message, or (b) by providing an answer to a custom question designated by the message sender. See: SecureLine Escrow and SMTP TLS.
Yes, you can use any of these standard email programs with LuxSci HIPAA compliant email. You can even use the encryption opt-out features from these email programs.
Yes, you can use any of these devices with LuxSci HIPAA compliant email. You can even use the encryption opt-out features from these email programs and Exchange ActiveSync for real-time, compliant synchronization of email, calendars, tasks, contacts, and notes. LuxSci does not provide a dedicated mobile app since secure email integrates with any mobile email app that supports IMAP, POP, SMTP, or ActiveSync.
Yes, you can move your email hosting to LuxSci so that you can use your existing domain. You can smarthost your outbound email from your existing email server to use LuxSci's outbound email encryption or use a subdomain (for instance "secure.yourdomain.com") so that only LuxSci hosts your secure email. There are lots of possibilities.
New accounts ready in 1 hour*
Account term is month-to-month
Free 30-minute training call included
*for non-dedicated-server orders placed between 9am and 10pm Eastern Time, USA. Provisioning can be delayed due to issues validating orders.
HIPAA Compliance requires that the transfer of any sensitive or confidential patient health information (ePHI) over the Internet is done securely. Our SecureLine email encryption system is designed to do just that. SecureLine seamlessly integrates the following modes of secure email communication to ensure that you can securely communicate with anyone, no matter what kind of email system they are using.
LuxSci requires a signed Business Associates Agreement (BAA) and a signed Account Restrictions Agreement (ARA) in order to certify your account as HIPAA-compliant.
When you sign up for our HIPAA-compliant Email, SecureLine will ensure that all email messages sent via SMTP or through our WebMail interface are sent securely to any recipient, while remaining flexible enough to allow exceptions where appropriate for usability. The chart below shows how SecureLine can be adjusted to fit the scope of your compliance.
| Who sends ePHI? | Is non-ePHI sending required? | Solution |
|---|---|---|
 Everyone | Never | Full account-wide lockdown. All users are required to send securely. Insecure sending is entirely prohibited. |
| Everyone | Occasionally for some users | Account-wide lockdown with opt-out enabled. All users are required to send securely, but certain users are permitted to opt-out on an individual message basis. All opt-outs are logged. |
| Everyone | Occasionally for all users | All users have logins to two separate domains — one for secure sending (typically a subdomain), and one for non-ePHI sending. The secure domain is completely locked down to prohibit non-ePHI sending. |
| Some Users | Never | Majority of users have logins in a non-HIPAA domain, while the few that send ePHI have logins in a different HIPAA-secure domain (typically a subdomain). The secure domain is locked down to prohibit non-ePHI sending. |
| Some Users | Occasionally | Majority of users have logins in a non-HIPAA domain, while the few that send ePHI have logins in a different HIPAA-secure domain (typically a subdomain). The secure domain is set to allow opt-outs. All opt-outs are logged. |
Your security settings are locked down as soon as your account is created. Once we have your signed BAA and ARA, LuxSci gives your account a final review to make sure everything is in order. At this point your account is considered HIPAA-compliant.
Users are locked down to certain security settings based on whether they will be sending ePHI or not:
| Feature | Sending non-ePHI | Sending ePHI |
|---|---|---|
| Global enforcement of outbound email encryption via WebMail |  |
 |
| Global enforcement of outbound email encryption via SMTP | |
|
| Opt-out of secure sending | |
|
| Forced secure logins for all services | |
|
| Email forwarding only over TLS | |
|
| Insecure forwards and aliases allowed | |
|
| WebAide encryption allowed | |
|
| Auditing of Blog, Document, and Password WebAides | |
|
| Password strength requirement | Strength may vary | 8+ Alphanumeric + Hard to Guess |
| WebMail session timeout after inactivity | Length may vary | up to 3 hours |
Beyond email sending, LuxSci ensures compliance of your email and other data (e.g. WebAides, Widgets, etc.) per the terms of our Business Associate Agreement with you.
LuxSci's HIPAA-compliant email was specifically designed to satisfy all HIPAA rules and security requirements. With the implementation and utilization of the following features, and after review and lock down by LuxSci Support, we will confirm your account as being HIPAA compliant in terms of our HIPAA Business Associate Agreement.
| HIPAA Account Feature | Included |
|---|---|
 Signed HIPAA Business Associate Agreement | |
LuxSci provides a Business Associate Agreement compatible with the HITECH amendments of HIPAA. This defines LuxSci's role in maintaining the Privacy of Protected Health Information (PHI) for you as you seek to be HIPAA-compliant. A document like this is required by HIPAA of any vendor that you use. | |
| HIPAA Compliance Seal / Trust Mark | |
Once your account is certified by LuxSci as meeting its HIPAA Security Requirements, you can use a LuxSci HIPAA Compliance Seal on your web site or in your HTML Email Signatures, Taglines, or Disclaimers. A sample HIPAA Seal looks like this (click on it to see an example certification page): | |
| |
| Accounts with Mixed HIPAA and non-HIPAA Domains | |
HIPAA accounts can be either globally secure, so all users are compliant and encryption and security are fully-enforced for all messages, or they can be secured on a per-domain basis. In the per-domain case, only users in specified "HIPAA Domains" are required to send all email securely; users in other domains can send insecure email messages but cannot deal with ePHI at all. All users in these accounts share certain basic security considerations such as strong passwords, required use of SSL and TLS for server access, etc. Use of per-domain HIPAA allows organizations to easily manage their compliant and non-compliant domains in a single account and also permits limited collaboration and sharing between non-HIPAA and HIPAA user logins. Customers can select account-wide or per-domain HIPAA accounts during the ordering process. | |
| ePHI Safeguarded | |
As required by the HITECH amendment to HIPAA, LuxSci follows the HIPAA Security and Privacy Rules with respect to all ePHI in your HIPAA-enabled accounts. This means that LuxSci actively ensures that the privacy of all electronic health information is safeguarded while it is stored on our servers, passing through our servers, or on our backups. It also means that LuxSci staff comply with all HIPAA Security and Privacy requirements:
I.e. LuxSci staff themselves obey all of the same HIPAA Security and Privacy requirements that our customers face when dealing with ePHI. | |
| Secure Mobile Email, Calendar, Contact, Task, and Notes Access | |
Mobile Sync is an optional service that enables you to synchronize email, calendars, contacts, tasks, and notes on your mobile devices automatically and in real time. Mobile Sync is HIPAA-compliant and provides "Remote Wipe", so you can delete ePHI from your mobile device should it become lost or stolen -- preventing possible HIPAA breaches. Even without Mobile Sync, LuxSci's IMAP, POP, and SMTP services can be used to securely send and receive email on most mobile devices. | |
| Email Archival | |
LuxSci can offer you an archival solution that is comprehensive, cost-effective, and compliant with most current federal regulations including:
| |
| Data Transmission Security & Encryption | |
In addition to enforced use of SSL and TLS for all connections to our servers, all users automatically send and receive email securely using our SecureLine end-to-end encryption service. All outbound messages sent via SMTP, WebMail, or Premium Mobile Sync will be automatically encrypted. Additionally, SecureLine allows your users to send secured messages to anyone with any valid email address, even if they do not have TLS or S/MIME or PGP support. Those recipients can easily reply back securely or use our SecureSend portal to register for free and initiate secure messages to your SecureLine users. To provide a user-friendly environment, certain work-arounds are possible, such as the use of TLS transmission for certain recipients instead of end-to-end encryption. See Restrictions to HIPAA Accounts at LuxSci. | |
| Message Integrity Controls | |
LuxSci's SecureLine and enforced connection encryption (SSL & TLS) ensures that the messages cannot be modified while in transit. Message integrity is assured. Additionally, LuxSci's SecureLine permits the addition of digital signatures to encrypted messages to further ensure the message integrity and prove the identity of the sender. | |
| Unique User Identification & Authentication | |
LuxSci requires that user names and passwords be entered for access to any of its services. The system recognizes users based on their login information, and controls access based on their identity. HIPAA-compliant accounts are required to utilize a high level of password complexity: 8 characters consisting of letters and numbers or symbols. The password must have "high entropy" and not be easily guessable. Automatic auditing of password changes and password resets is required and performed for HIPAA accounts. | |
| Emergency Access to Email | |
LuxSci provides a facility for securely archiving copies of all
inbound and/or outbound messages for backup and auditing purposes.
Administrators thus have secure access to copies of all message content
for emergency or other reasons. LuxSci also provides other optional
features such as Message Continuity that is used to ensure access to email
messages in the event of LuxSci server or data center failure. | |
| Automatic System Logoff | |
HIPAA compliant accounts have a 20 minute default idle period to web-based interfaces (WebMail). The system will automatically log users off after 20 minutes of inactivity; this can be increased to 3 hours by account administrators. Other services such as POP, IMAP, SMTP, Mobile Sync, and Secure FTP also have automatic idle timeouts. | |
| Access Audit Controls | |
LuxSci provides comprehensive security auditing for all accounts. Included in the security audits are password changes, resets, and lookups by LuxSci staff; user access to services such as WebMail, Email Sending (SMTP), POP, IMAP, Mobile Sync, and more; changes to any of the specific "Maximal Security" settings, as well as changes to the "Maximal Security" lock down status. These reports enable verification of user, administrator, and LuxSci Support staff activity on access and security specific changes to the account. | |
| Data Backups & Data Disposal | |
LuxSci automatically makes backup copies of all data on our servers, including all customer ePHI. Daily backup copies are kept on-site for 2 days and Weekly backup copies are kept off-site for 4 weeks. All data is transmitted securely to the backup servers and stored there in a HIPAA-compliant way. After 4 weeks, all backup copies are destroyed. Accounts can ask for data to be restored from backup for free once/month. LuxSci's Email Archival provides permanent, immutable email storage on servers in multiple geographic locations, updated in real-time, with weekly backups made to optical media. See our complete backup and restore statement for additional information. | |
| Maximal Security Enforcement | |
The LuxSci "Maximal Security" setting provides individual accounts with the highest level of email security. Security includes implementing the 20 minute WebMail timeout maximum, forcing appropriate outbound encryption, setting password strength requirements, and forcing secure logins. LuxSci support manually reviews any account needing to be HIPAA compliant and ensures that the Maximal Security setting is locked down so these security settings cannot be altered. | |
| Optional Encryption Opt Out on a Per-Message Basis | |
Though disabled by default, administrators can choose to allow users the option to opt out of SecureLine encryption for a particular message. However, the user must explicitly agree that the message they are sending does not contain any ePHI. All messages sent without SecureLine encryption are logged for auditing purposes, and copies of them can be sent to an auditor email address for review. Opt Out is available both in WebMail and for messages sent via email programs using our SecureLine Outlook Plugin or via adding opt out content to the email subject line. | |
| Optional VPN Access for Enhanced Security | |
LuxSci can provide a Virtual Private Network (VPN) connection to further secure access to our email, web, and database servers. | |
New accounts ready in 1 hour*
Account term is month-to-month
Free 30-minute training call included
*for non-dedicated-server orders placed between 9am and 10pm Eastern Time, USA. Provisioning can be delayed due to issues validating orders.
We have been very happy with the HIPAA-compliant services, especially the customer support. Doing well!"
I am happy to say that we have had a very positive experience with your products. With the help of your support team and your support library resources, this is going well. I am very impressed and pleased to find such excellent support! We made the right decision when we decided to go with LuxSci for HIPAA-compliant email hosting."
You are exceeding expectations. I have been very impressed with your organization. From sales and billing to tech support, everyone has been very responsive and knowledgeable. Most problems are resolved during the first contact. Thank you for your dedication to service and excellence. I will be recommending you without hesitation."
Again you have made things easier, and I cannot begin to tell you and your colleagues that LuxSci has far and away the best tech support/customer service I have ever encountered."
I just wanted to say thanks to all the great support and sales people I've dealt with from LuxSci. Our website launched this weekend nearly flawlessly and had great help from your support department. Keep up the good work!"
Nate McVay, Lifecare Oklahoma
Angie Duran, VNA El Paso
Jason Brown, Trinity Medical Associates
Bryan Patrick, Website Administrator, CentrePointe Counseling, Inc.
