How Do You Know if Software is HIPAA Compliant?

Business Solutions, HIPAA Compliant Email, HIPAA Email Marketing
Pete Wermter
February 21, 2025

As in any industry, the healthcare sector is eager to embrace any new technology solution that increases productivity, enhances operational efficiency, and cuts costs. However, the rate at which healthcare companies – and their patients and customers – have had to adopt new software and digital tools has skyrocketed since the pandemic. And while a lot of this software is beneficial, a key question arises: is it HIPAA compliant? While an application may serve an organization’s needs – and may be eagerly embraced by patients – it also needs to have the right measures in place to safeguard protected health information (PHI) to determine if it is indeed HIPAA compliant.

Whether you’re a healthcare provider, software vendor, product team, or IT professional, understanding what makes software HIPAA compliant is essential for safeguarding patient data and insulating your organization from the consequences of falling afoul of HIPAA regulations.

With this in mind, this post breaks down the key indicators of HIPAA compliant software, the technical requirements you should look for, and best practices for ensuring your software is HIPAA compliant.

What Does It Mean for Software to Be HIPAA-Compliant?

The Health Insurance Portability and Accountability Act (HIPAA) sets national standards for safeguarding PHI, which includes any data related to a patient’s health, treatment, or payment details. In light of this, any applications and systems used to process, transmit, or store PHI must comply with the stringent privacy, security, and breach notification requirements set forth by HIPAA.

Subsequently, while healthcare organizations use a wide variety of software, most of it is likely to be HIPAA-compliant. Alarmingly, many companies aren’t aware of which applications are HIPAA-compliant and, more importantly, if there’s a need for compliance in the first place.

However, it’s important to note that HIPAA itself does not certify software. Instead, it’s up to software vendors to implement the necessary security and privacy measures to ensure HIPAA compliance. Subsequently, it’s up to healthcare providers, payers, and suppliers to do their due diligence and source HIPAA compliant software.

How to Determine If Software Is HIPAA Compliant

So, now that we’ve covered why it’s vital that the applications and systems through which sensitive patient data flows must be HIPAA compliant, how do you determine if your software meets HIPAA requirements? To assess whether software is HIPAA compliant, look for these key indicators:

1. Business Associate Agreement (BAA)

A HIPAA compliant software provider must sign a Business Associate Agreement (BAA) with covered entities, i.e., the healthcare company. A BAA is a legal contract that outlines the vendor’s responsibility for safeguarding PHI. If a software provider doesn’t offer a BAA, their software is NOT HIPAA compliant.

Now, if a vendor offers a BAA, it should be presented front and center in their benefits, terms or conditions, if not on their website homepage as part of their key features. If a vendor has taken the time and effort to make their infrastructure robust enough to meet HIPAA regulations, they’ll want to make it known to reassure healthcare organizations of their suitability to their particular needs.

2. End-to-End Encryption

A key requirement of the HIPAA Security Rule is that sensitive patient data is encrypted end to end during its transmission. This means being encrypted during transit, i.e., when sent in an email or entered into a form, and at rest, i.e., within the data store in which it resides.

In light of this, any software that handles PHI should use strong encryption standards, such as:

Transport Layer Security (TLS – 1.2 or above): for secure transmission of PHI in email and text communications.
AES (Advanced Encryption Standard) 256: the preferred encryption method for data storage as per HIPAA security standards, due to its strength.

3. Access Controls and User Authentication

One of the key threats to the privacy of patient data is access by unauthorized parties. This could be from employees within the organization who aren’t supposed to have access to PHI. In some, or even many, cases, this may come down to lax and overly generous access policies. However, this can result in the accidental compromise of PHI, affecting both a patient’s right to privacy and, in the event patient data is unavailable, operational capability.

Alternatively, the exposure of PHI can be intentional. One on hand, it may be from employees working on behalf of other organizations, i.e., disgruntled employees about to jump ship to a competitor. More commonly, unauthorized access to patient data is perpetrated by malicious actors impersonating healthcare personnel. To prevent the unintended exposure of PHI, HIPAA compliant infrastructure, software and applications must support access control policies, such as:

Role-based access control (RBAC): the restriction of access to PHI based on their job responsibility in handling PHI, i.e.., an employee in billing or patient outreach. A healthcare organization’s security teams can configure access rights based on an employee’s need to handle patient data in line with their role in the company.
Multi-factor authentication (MFA): this adds an extra layer of security beyond user names and passwords. This could include a one-time password (OTP) sent via email, text, or a physical security token. MFA is very diverse and can be scaled up to reflect a healthcare organization’s security posture. This could include also biometrics, such as retina and fingerprint scans, as well as voice verification.
Zero-trust security: a rapidly emerging security paradigm in which users are consistently verified, as per the resources they attempt to access. This prevents session hijacking, in which a user’s identity is trusted upon an initial login and verification. Instead, zero trust continually verifies a user’s identity.
Robust password policies: another simple, but no less fundamental, component of user authentication is a company’s password policy. While conventional password policies emphasize complexity, i.e., different cases, numbers, and special characters, newer password policies, in contrast, emphasize password length.

4. Audit Logs & Monitoring

A key HIPAA requirement is that healthcare organizations consistently track and monitor employee access to patient data. It’s not enough that access to PHI is restricted. Healthcare organizations must maintain visibility over how patient data is being accessed, transferred, and acted upon (copied, altered, deleted). This is especially important in the event of a security event when it’s imperative to pinpoint the source of a breach and contain its spread.

In light of this, HIPAA compliant software must:

Maintain detailed audit logs of all employee interactions with PHI.
Provide real-time monitoring and alerts for suspicious activity.
Support log retention for at least six years, as per HIPAA’s compliance requirements.

5. Automatic Data Backup & Disaster Recovery

Data loss protection (DLP) is an essential HIPAA requirement that requires organizations to protect PHI from loss, corruption, or disasters. With this in mind, a HIPAA-compliant software solution should provide:

Automated encrypted backups: real-time data backups, to ensure the most up-to-date PHI is retained in the event of a security breach.
Comprehensive disaster recovery plans: to rapidly restore data in case of cyber attack, power outage, or similar event that compromises data access.
Geographically redundant storage: a physical safeguard that sees PHI. stored on separate servers in different locations, far apart from each other. So, if one server goes down or is physically compromised (fire, flood, power outage, etc.,) patient data can still be accessed.

6. Secure Messaging and Communication Controls

For software that involves email, messaging, or telehealth, i.e., phone or video-based interactions, in particular, HIPAA regulations require:

End-to-end encryption: for all communications, as detailed above.
Access restrictions: policies that only enable those with the appropriate privileges to view communications containing patient data.
Controls for message expiration: automatically deleting messages after a prescribed time to mitigate the risk of unauthorized access.
Audit logs: to monitor the inclusion or use of patient data.

7. HIPAA Training & Policies

Even the most secure software can be compromised if its users aren’t sufficiently trained on how to use it. More specifically, the risk of a security breach is amplified if employees don’t know how to identify suspicious behavior and who to report it to if an event occurs. With this in mind, it’s prudent to look for software vendors that:

Offer HIPAA compliance and cyber safety awareness training for users.
Implement administrative safeguards, such as usage policy enforcement and monitoring.
Support customizable security policies to align with your organization’s compliance needs.

Shadow IT and HIPAA Compliance

Shadow IT is an instance of an application or system being installed and used within a healthcare organization’s network without an IT team’s approval. Despite its name, shadow IT is not as insidious as it sounds: it’s simply a case of employees unwittingly installing applications they feel will help them with their work. The implications, however, are that:

IT teams are unaware of said application, and how data flows through it, so they can’t secure any PHI entered into it.
The application may have known vulnerabilities that are exploitable by malicious actors. This is all the more prevalent with free and/or open-source software.

While discussing the issue of shadow IT in general, it’s wise to discuss the concept of “shadow AI” – the unauthorized use of artificial intelligence (AI) solutions within an organization without its IT department’s knowledge or approval.

It’s easily done: AI applications are all the rage and employees are keen to reap the productivity and efficiency gains offered by the rapidly growing numbers of AI tools. Unfortunately, they fail to stop and consider the data security risks present in AI applications. Worse, with AI technology still in its relative infancy, researchers, vendors, and other industry stakeholders have yet to develop a unified framework for securing AI systems, especially in healthcare.

Consequently, the risks of entering patient data into an AI system – particularly one that’s not been approved by IT – are considerable. The privacy policies of many widely-used AI applications, such as ChatGPT, state the data entered into the application, during the course of engaging with the platform, can be used in the training of future AI models. In other words, there’s no telling where patient data could end up – and how and where it could be exposed.

The key takeaway here is that entering PHI into shadow IT and AI applications can pose significant risks to the security of patient data, and employees should only use solutions vetted, deployed, and monitored by their IT department.

Best Practices for Choosing HIPAA Compliant Software

Now that you have a better understanding of how to evaluate software regarding HIPAA compliance, here are some best practices to keep in mind when selecting applications to facilitate your patient engagement efforts:

✔ Look for a BAA: quite simply, having a BAA in place is an essential requirement of HIPAA-compliant software. So, if the vendor doesn’t offer one, move on.

✔ Verify encryption standards: ensure the software encrypts PHI both at rest and in transit.

✔ Test access controls: choose HIPAA-compliant software that allows you to restrict access to PHI based on an employee’s role within the organization.

✔ Review audit logging capabilities: HIPAA compliant software should track every PHI interaction. This also greatly assists in incident detection and reporting (IDR), as it enables security teams to pinpoint and contain cyber threats should they arise.

✔ Ensure compliance support: knowing the complexities of navigating HIPAA regulations, a reputable software vendor should provide comprehensive documentation on configuring their solution to match the client’s security needs. Better yet, they should provide the option of cyber threat awareness and HIPAA compliance training services.

✔ Create a List of Software Vendors: combining the above factors, it’s prudent for healthcare organizations to compile a list of HIPAA compliant software vendors that possess the features and capabilities to adequately safeguard PHI.

Choosing HIPAA Compliant Software

Matching the right software to a company’s distinctive workflows and evolving needs is challenging enough. However, for healthcare companies, ensuring the infrastructure and applications within their IT ecosystem also meet HIPAA compliance standards requires another layer of, often complicated, due diligence.

Failure to deploy a digital solution that satisfies the technical, administrative, and physical security measures required in a HIPAA compliant solution exposes your organization to the risk of suffering the repercussions of non-compliance.

If select and deploy the appropriate HIPAA compliant software, in contrast, your options for patient and customer engagement are increased, and you’ll be able to include PHI in your communications to improve patient engagement and drive better health outcomes. Schedule a consultation with one of our experts at LuxSci to discuss whether the software in your IT ecosystem meets HIPAA regulations. and how we can assist you in ensuring your organization is communicating with patient and customers in a HIPAA compliant way.

Pete Wermter

As a marketing leader with more than 20 years of experience in enterprise software marketing, Pete's career includes a mix of corporate and field marketing roles, stretching from Silicon Valley to the EMEA and APAC regions, with a focus on data protection and optimizing engagement for regulated industries, such as healthcare and financial services. Pete Wermter — LinkedIn

Get in touch

Find The Best Solution For Your Organization

Talk To An Expert & Get A Quote

First Name

Last Name

Work Email

Phone

Company

Type of Inquiry

Company Size

Message (optional)

Acceptance

I consent to be contacted by LuxSci for this inquiry and other relevant content, products, and services. You may unsubscribe from these communications at any time. We're committed to your privacy. For more information, check out our Privacy Policy.

A member of our staff will reach out to you

Search

Get Your Free E-Book!

LuxSci High Email Deliverability Best Practices Paper

What you’ll learn:

Rethinking HIPAA Compliant Email – Not Just a Checkbox

January 20, 2026
Pete Wermter

The compliance-only mentality is outdated.

Let’s be honest—when most healthcare organizations think about HIPAA compliant email, it’s usually in the context of avoiding fines or satisfying checklists. And while yes, compliance is critical, viewing it only through the lens of risk management is a missed opportunity.

In reality, HIPAA compliant email, when implemented properly, is one of the most powerful tools for patient and customer engagement. Why? Because it unlocks the ability to leverage protected health information (PHI) safely, enabling personalized, timely, and high-impact email communication that drives better engagement, satisfaction, and outcomes.

What Makes Email Truly HIPAA Compliant?

As a reminder, HIPAA compliant email requires that protected health information (PHI) is safeguarded both in transit and at rest. That means your email provider must:

Use encryption at all times

Be access-controlled

Include audit logs

Be stored and transmitted in a secure manner

Provide a Business Associate Agreement

Regular email services just don’t cut it. In fact, most consumer or marketing email platforms like Sendgrid or Constant Contact, while great at sending email, are not HIPAA compliant or have limitations when it comes to using PHI in your messages. Even when bolted-on encryption solutions are used, they often lack the flexibility, scalability, and automation needed for safe and effective healthcare email engagement.

LuxSci goes beyond the basics with policy-based encryption, secure TLS, PKI encryption and escrow/secure portal options. LuxSci’s SecureLine™ encryption technology dynamically selects the appropriate encryption method based on recipient capabilities and messaging context and can be configured to enforce secure delivery automatically according to organizational policies. LuxSci also provides the ability to enforce advanced multi-factor authentication. Every message is tracked with full audit trails—no guesswork, no loose ends.

The Real Opportunity – Secure, Personalized Email with PHI

Using PHI to Drive Personalized Messaging
Imagine sending a personalized reminder to a diabetic patient about an upcoming check-up. Or reaching out to new mothers with postnatal care resources tailored to their needs. Or sending automated email workflows to all your members to accelerate and increase new plan enrollments. Or email customer and prospects about a new product upgrade or new service offering. The list goes on. That’s the power of PHI-personalized email—when done securely.

Targeted Segmentation with Sensitive Data
With HIPAA compliant email solutions like LuxSci, you can segment your audience based on real health data with high levels of precision, such as chronic conditions, appointment history, insurance status, health risks, and more, without compromising patient trust or security.

Breaking the One-Size-Fits-All Approach in Healthcare Email
Generic email blasts are over. Modern patients expect personalization. With LuxSci, you can deliver highly targeted, highly secure emails with encrypted content, while staying HIPAA compliant.

Real Business Results from Secure Email

Here’s how secure, personalized email can drive improved results across a range of healthcare communications, including:

Increased Patient Appointments and Follow-ups – Sending encrypted, personalized appointment reminders and follow-up notices can reduce no-shows and boost overall appointment volume.
Boosting Preventative Care with Outreach Campaigns – Preventative campaigns (think flu shots or cancer screenings) sent securely to the right segments can lead to higher response rates, better health outcomes, and a lower cost of care.
Improving Health Plan Enrollments – Targeted email outreach during open enrollment, tailored by eligibility or plan type, and powered by automated workflows leads to higher enrollments and lower call center costs.
Driving Awareness and Sales of New Services or Products – Have a product upgrade offer, new wellness program or telehealth service? Send secure, PHI-informed HIPAA compliant email to the right audience for increased sales and faster adoption.
Optimize Explanation of Benefits Notices – Replace snail mail with email that’s fast, reliable and trackable, ensuring customers are informed and compliance is met.

The Healthcare Marketer’s Secret Weapon: Using PHI Responsibly

In a world moving away from third-party cookies, first-party data is more valuable than ever, and PHI is the most powerful form of it in healthcare. With secure HIPAA compliant email, PHI doesn’t have to be locked away. Marketers can safely use it to understand patient needs and send relevant, timely messages. PHI-driven segmentation lets you build hyper-targeted campaigns that speak to relevant conditions, unique needs and timely topics, increasing open rates, clicks throughs, and campaign conversions.

Meeting the Personalization Demands of Today’s Patients and Customers

HIPAA-compliant email is no longer just about checking a box. It’s about unlocking the full potential of your patient and customer data to drive better engagement, healthier outcomes, and measurable business results.

In closing, below are some final thoughts on how secure, HIPAA compliant email delivers long-term value for your organization and better connections with your patients and customers, including:

- Future-Proofing Healthcare Engagement – Patients expect Amazon-level personalization. HIPAA-compliant tools let you meet those expectations securely.

- Adapting to Data Privacy Regulations Beyond HIPAA – From GDPR to state-level privacy laws, secure communication is no longer optional, it’s foundational.

- Building Trust Through Secure Communication – Each secure, personalized message sent is a trust-building moment with your patients and customers.

Why LuxSci? The Infrastructure Behind the Performance

With LuxSci’s secure email infrastructure and email marketing solutions, healthcare organizations can confidently personalize communication, reach patients more effectively, and fuel growth with PHI-safe segmentation, messaging, and email automation.

LuxSci takes data security and email performance to the next level by offering dedicated cloud infrastructure for each customer, which means your email campaigns aren’t slowed down by other vendors on shared cloud services and your attack footprint is much smaller. In short, you get higher delivery rates and throughput with proven HIPAA compliance and data security.

The future of healthcare engagement is personal, secure, and performance-driven—and it starts with HIPAA compliant email done right.

Reach out today with any questions or to learn more about LuxSci.

FAQs

1. Is HIPAA-compliant email necessary for marketing communications?
Yes—if your emails include or are based on PHI (like appointment reminders, condition-based messaging, or insurance info), you need HIPAA-compliant email and recipient consent to avoid legal risk and preserve patient trust.

2. Can PHI be used in marketing emails under HIPAA?
Yes, with proper consent and secure, HIPAA compliant infrastructure like LuxSci’s, PHI can be safely used in emails for personalized, segmented campaigns.

3. How does LuxSci ensure high email deliverability for healthcare messages?
LuxSci uses dedicated cloud servers for each customer, active email reputation monitoring, and best-practice configurations to ensure high deliverability rates for sensitive emails.

4. Is LuxSci only for marketing teams?
No—LuxSci supports marketing, clinical, operations, and IT teams by enabling secure, compliant email communication across the entire organization.

5. What types of PHI can I use to segment campaigns using LuxSci?
You can segment based on chronic conditions, visit history, insurance status, provider details, age, gender, location, and more—all while staying fully compliant.

Most Popular LuxSci Blog Posts of 2025

December 30, 2025
Pete Wermter

As we close out 2025, healthcare communicators, IT and compliance leaders, and digital marketers face an ever-changing landscape of security threats, regulatory updates, and technology innovations. At LuxSci, we’re committed to helping you with continuous updates and guidance on the future of secure healthcare communications.

In case you missed it, or need a refresh, below are some of our most popular blog posts from 2025. Enjoy!

1. Improve Email Engagement and Marketing Results with Automated Workflows

Automated workflows are transforming how healthcare organizations engage patients and customers — enabling dynamic, event-driven campaigns that easily scale your outreach and keep you HIPAA compliant. In this post, we introduce LuxSci’s Automated Workflows capability for our Secure Marketing healthcare solution. Learn how sequence-based journeys can personalize outreach and optimize engagement with behavior-based triggers that improve campaign performance — without sacrificing data security.

Read the full post: LuxSci Enhances Secure Marketing with Automated Workflows

2. Healthcare Email Threat Readiness Strategies

Email remains a frontline channel for healthcare communications, and a prime target for cyber threats and criminals. This deep-dive into email threat readiness strategies covers essential practices like continuous monitoring, business continuity planning, and workforce training to mitigate email-borne security risks. Whether you’re responsible for clinical systems, marketing, or enterprise IT, this post provides a strategic playbook to strengthen your defenses, while maximizing your results.

Read the full post: Healthcare Email Threat Readiness Strategies

3. HIPAA Compliant Email — 20 Tips in 20 Minutes

For practical guidance you can apply right now, this on-demand webinar distills 20 key tips for HIPAA-compliant email across technical, legal, and operational domains. Whether you’re refining your infrastructure, improving deliverability, or modernizing your data security posture in 2026, this resource is a time-efficient way to elevate your compliance and security.

Read the post and watch the webinar on demand: HIPAA Compliant Email: 20 Tips in 20 Minutes

4. Is SendGrid HIPAA-Compliant? What You Should Know

Choosing the right email provider matters, especially when Protected Health Information (PHI) is at stake. In this post, we examine SendGrid’s capabilities in the context of HIPAA compliance, outline what it takes to send PHI securely, and offer guidance on evaluating third-party services for secure healthcare email and communication needs.

Read the full post: Is SendGrid HIPAA-Compliant?

5. LuxSci Shines in G2 Winter 2026 Reports

Customer feedback matters to LuxSci. In this post, we share the most recent news about LuxSci’s performance in the G2 Winter 2026 Reports, where we earned 20 badges across categories like Email Security, Encryption, Gateway, and HIPAA-Compliant Messaging. These reviews reflect not just product excellence, but trust from real users, which we work hard to build every day!

Read the full post: LuxSci Shines in G2 Winter 2026 Reports

Looking Ahead to 2026

We look forward to providing more information and insights on secure healthcare communications in the coming year, including the latest on HIPAA compliant email, PHI security, healthcare marketing, threat readiness, and personalized engagement. In the meantime, if you’re not already, follow us on LinkedIn below, and we’ll see you here in 2026!

Follow LuxSci on LinkedIn

LuxSci Welcomes Angel Mazariegos as Head of Finance

December 9, 2025
Pete Wermter

LuxSci, a leader in secure healthcare communications and HIPAA compliant email, is pleased to announce the appointment of Angel Marie Mazariegos as the company’s new Head of Finance. With over 25 years of experience in financial management, accounting, and human resources, Angel will play a central role in advancing LuxSci’s operational excellence and supporting the company’s rapid growth in 2026 and beyond.

Angel brings a wealth of expertise to LuxSci, having held senior leadership positions at organizations focused on financial services, language and access services for healthcare, and human resources. In these roles, Angel has led multi-department Finance and HR teams, spearheading critical initiatives, including ERP implementations, streamlined employee onboarding, and financial process optimization.

In her role at LuxSci, Angel will oversee all aspects of the company’s finance operations, including budgeting, forecasting and reporting. Additionally, Angel will manage the company’s HR function, ensuring that LuxSci continues to foster a strong, people-driven culture based on its Secure, Trust, Responsible and Smart company values.

“Angel’s blend of financial and HR leadership makes her an invaluable addition to the LuxSci executive team and a real asset for our people,” said Mark Leonard, CEO of LuxSci. “We look forward to working with Angel to build the high-performing teams that will be critical to our future growth and serving the evolving needs of our customers.”

Angel holds dual MBA degrees in Accounting and Human Resource Management from Cappella University, as well as dual BS degrees in Business Administration (Accounting and CIS Business Systems) from California State University, Los Angeles.

“I am honored to join the LuxSci team at such an exciting time for the company,” said Mazariegos. “I look forward to working with the team and helping build on LuxSci’s reputation for excellence and reliability in secure healthcare communications.”

LuxSci Shines in G2 Winter 2026 Reports, Underscoring Commitment to Product Leadership and Trusted Relationships

December 4, 2025
Pete Wermter

We’re pleased to announce that LuxSci has been recognized for excellence and leadership for HIPAA compliant email and messaging in the just-released G2 Winter 2026 Reports!

Based on verified customer reviews, LuxSci earned 20 G2 badges as part of the most recent G2 reports, including top honors such as Grid Leader, Highest User Adoption, Best Support, and Best Estimated ROI.

This recognition further validates what we’ve always believed: our customers don’t just choose a great product — they choose a great partner. At LuxSci, we build long-term, trusted relationships with our customers, anchored in product reliability, industry-leading email deliverability and performance, and the best customer support in the business.

Why G2 Matters

G2 is a globally trusted peer‑review platform that aggregates verified user feedback and real‑world usage data to rank software and service providers. G2’s seasonal reports like the Winter 2026 editions shine a spotlight on latest tools and vendors that deliver consistent value and satisfaction to real customers.

Earning 20 badges this quarter signals a strong vote of confidence from our customers and community, helping affirm that LuxSci is a leading, highly adopted secure email solutions provider.

What We Earned in Winter 2026

Among the 20 badges awarded to LuxSci across Email Security, Email Encryption, Email Gateway and HIPAA Compliant Messaging are:

Grid Leader
Highest User
Best Support
Best Estimated ROI

This broad range of accolades spanning leadership, adoption, support and return on investment underscores the reliability of our solutions and the trust our customers place in us.

Awards Reflect Our Commitment to Customer Success

Reliable. Winning Grid Leader and Highest User Adoption demonstrates that thousands of users are depending on LuxSci, securely delivering emails to today’s most popular platforms, including Gmail, Apple Mail, Yahoo Mail and AOL, to name a few.

Proven. With Best Estimated ROI, customers are saying that LuxSci delivers tangible results, whether in secure email delivery, regulatory compliance, or operational efficiency.

Long‑Term Trust. Best Support is perhaps the most telling because for us, success isn’t just about features, it’s about being there for our customers every step of the way.

Thank you to all of our customers. We remain committed to your success — today and in the future.

Want to learn more about LuxSci? Reach out and connect with us today!

Is the Email Encrypted? How to Tell if an Email is Transmitted Using TLS

January 9, 2024
LuxSci

SMTP TLS encryption is popular because it provides adequate data protection without creating a complicated user experience for email recipients. Sometimes, though, the experience is too seamless, and recipients may wonder if the message was protected at all.

Luckily, there is a way to tell if an email was encrypted using TLS. To see if a message was sent securely, we can look at the raw headers of the email. However, it requires some knowledge and experience to understand the text. It is actually easier to tell if a recipient’s server supports TLS than to tell if a particular message was securely transmitted.

To analyze a message for transmission security, we will look at an example email message sent from Hotmail to LuxSci. We will explain what to look for when decoding the message headers and how to tell if the email was transmitted using TLS encryption.

An Example Email Message

First, we must understand how an email message typically travels through several machines on its way from the sender to the recipient. Roughly speaking:

The sender’s computer talks to the sender’s email or WebMail server to upload the message.
The sender’s email or WebMail server then talks to the recipient’s inbound email server and transmits the message to them.
Finally, the recipient downloads the message from their email server.

It is step 2 that people are most concerned about when trying to understand if their email message is transmitted securely. They usually assume or check that everything is secure and OK at the two ends. Indeed, most users who need to can take steps to ensure that they are using SSL-enabled WebMail or POP/IMAP/SMTP/Exchange services so that steps 1 and 3 are secure. The intermediate step, where the email is transmitted between two different providers, is where messages may be sent insecurely.

To determine if the message was transmitted securely between the sender’s and recipient’s servers (over TLS), we need to extract the “Received” header lines from the received email message. If you look at the source of the email message, the lines at the top start with “Received.” Let’s look at an example message from a Hotmail user below. The email addresses, IPs, and other information are obviously fake.

LuxSci:

The Outlook email was sent to a LuxSci user. The Received headers appear in reverse chronological order, starting with the server that touched the message last. Therefore, in this example, we see the LuxSci servers first.

Received: from abc.luxsci.com ([1.1.1.1])
	by def.luxsci.com (8.14.4/8.13.8) with ESMTP id r7JEfLgH003867
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT)
	for <user-xyz@def.luxsci.com>; Mon, 19 Aug 2019 10:41:21 -0400
Received: from abc.luxsci.com (localhost.localdomain [127.0.0.1])
	by abc.luxsci.com (8.14.4/8.13.8) with ESMTP id r7JEfK0Z030182
	for <user-xyz@def.luxsci.com>; Mon, 19 Aug 2019 09:41:20 -0500
Received: (from mail@localhost)
	by abc.luxsci.com (8.14.4/8.13.8/Submit) id r7JEfKXD030178
	for user-xyz@def.luxsci.com; Mon, 19 Aug 2019 09:41:20 -0500

Received: from dispatch1-us1.ppe-hosted.com (dispatch1-us1.ppe-hosted.com [2.2.2.2])
	by abc.luxsci.com (8.14.4/8.13.8) with ESMTP id r7JEfIkK030002
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT)
	for <someone@luxsci.net>; Mon, 19 Aug 2019 09:41:19 -0500

Proofpoint:

LuxSci uses an email filtering service, Proofpoint. Messages reach Proofpoint’s servers before being delivered to LuxSci. Here’s what their servers report about the email transmission:

Received: from unknown [65.54.190.216] (EHLO bay0-omc4-s14.bay0.hotmail.com)
	by dispatch1-us1.ppe-hosted.com.ppe-hosted.com
        (envelope-from <someone@hotmail.com>);
	Mon, 19 Aug 2019 08:41:18 -0600 (MDT)

Outlook:

And finally, here’s what we see from Oultook’s server.

Received: from BAY403-EAS373 ([65.54.190.199]) by bay0-omc4-s14.bay0.outlook.com
       with Microsoft SMTPSVC(6.0.3790.4675); 
       Mon, 19 Aug 2019 07:41:19 -0700

How to Use Received Message Headers to Tell if the Email is Encrypted

The message headers contain information that can help us determine if an email is encrypted. Here are a few helpful notes to help you decode the text:

We said this above, but the message headers appear in reverse chronological order. The first one listed shows the last server that touched the message; the last one is the first server that touched it (typically the sending server).
Each Received line documents what a server did and when.
There are three sets of servers involved in this example: one machine at Hotmail, one machine at Proofpoint, where our Premium Email Filtering takes place, and some machines at LuxSci, where final acceptance of the message and subsequent delivery happened.

Presumably, the processing of email within each provider is secure. The place to be concerned about is the hand-offs between Hotmail and Proofpoint and between Proofpoint and LuxSci, as these are the big hops across the internet between providers.

In the line where LuxSci accepts the message from Proofpoint, we see:

(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT)

This section, typical of most email servers running “sendmail” with TLS support, indicates that the message was encrypted during transport with TLS using 256-bit AES encryption. (“Verify=not” means that LuxSci did not ask Proofpoint for a second SSL client certificate to verify itself, as that is not usually needed or required for SMTP TLS to work correctly). Also, “TLSv1/SSLv3” is a tag that means that “Some version of SSL or TLS was used;” it does not mean that it was SSL v3 or TLS v1.0. It could have been TLS v1.2 or TLS v1.3.

So, the hop between Proofpoint and LuxSci was locked down and secure. What about the hop between Hotmail and Proofpoint? The Proofpoint server’s Received line makes no note of security at all! This means that the email message was probably not encrypted during this step.

Hotmail either did not support opportunistic TLS encryption for outbound emails, or Proofpoint did not support receipt of messages over TLS, and thus, TLS could not be used. With additional context, you can know which server supports TLS and which does not.

In this case, we know that Proofpoint supports inbound TLS encryption. In fact, from another example message where LuxSci sent a message to Proofpoint, we see the Received line:

Received: from unknown [44.44.44.44] (EHLO wgh.luxsci.com)
	by dispatch1-us1.ppe-hosted.com.ppe-hosted.com
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	with ESMTP id b-022.p01c11m003.ppe-hosted.com
        (envelope-from <from@domain.com>);
	Mon, 02 Feb 2009 19:28:27 -0700 (MST)

The red text makes it clear that the message was indeed encrypted. Based on the additional context, we can deduce that the Hotmail sending server did not securely transmit the email using TLS.

How To Tell if an Email is Encrypted With TLS

When analyzing your message headers, consider the following items to determine if the email is encrypted:
1. The receiving server will log what kind of encryption, if any, was used in receiving the message in the headers.
2. Different email servers use different formats and syntax to display the encryption used. Look for keywords like “SSL,” “TLS,” and “Encryption,” which will signify this information.
3. Not all servers will record the use of encryption. While LuxSci has always logged encryption use, not every email service provider does. It is possible to use TLS encryption and not log it. Sometimes, there is no way to tell from the headers if a message is encrypted if it is not logged.
4. Messages passed between servers at the same provider do not necessarily need TLS encryption to be secure. For example, LuxSci has back-channel private network connections between many servers so that information can be securely passed between them without SMTP TLS. So, the lack of TLS usage between two servers does not mean the transmission between them was “insecure.” You may also see multiple received lines listing the same server: the server passes the message between different processes within itself. This communication also does not need to be TLS encrypted.
5. If you are a LuxSci customer, you can view online email delivery reports to see if TLS was used for any particular message. We record the kind of encryption in the delivery reports, so it’s easy to see which emails were encrypted.

How can you Ensure Emails Are Securely Transmitted?

With some servers not recording TLS in message headers, how can you determine if a message was transmitted securely from sender to recipient?

To answer this question accurately, you must understand the properties, servers, and networks involved. It may be easy to determine that the message was transmitted securely if included in the header information. However, the absence of information does not necessarily mean the message was insecurely transmitted. You can only know this if you know what each system’s servers record.

In our example of a message from Hotmail to LuxSci, you need to know that:

Proofpoint and LuxSci will always log the use of TLS in the headers. We can infer that the Hotmail to Proofpoint transmission was not secure as nothing was recorded there.
The transmission of messages within LuxSci’s infrastructure is secure due to private back channel transmissions. So, even though there is no mention of TLS in every Received line after LuxSci accepts the message from Proofpoint (in this example), transferring the messages between servers in LuxSci is as secure as using TLS. Also, the same server can add multiple received lines as it talks to itself. Generally, these hand-offs on the same server will not use TLS, as there is no need. In the LuxSci example, we see this as “abc.luxsci.com” adds several headers.
We don’t know anything about Hotmail’s email servers, so we don’t know how secure the initial transmissions within their network are. However, since we know they did not securely transmit the message to Proofpoint, we are not confident that the transmissions and processing within Hotmail (which may have gone unrecorded) were secure.

Was the email message sent and received using encryption?

We skipped steps 1 and 3 and focused on step 2 – the transmission between servers. Steps 1 and 3 are equally, if not more, necessary. Why? Because eavesdropping on the internet between ISPs is less of a problem than eavesdropping near the sender and recipient (i.e., in their workplace or local wireless hotspot). So, it’s essential to ensure messages are sent securely and received securely. This means:

Sending: Use SMTP over SSL or TLS when sending messages from an email client or use WebMail over a secure connection (HTTPS).
Receiving: Ensure your POP or IMAP connection is secured via SSL or TLS. If using WebMail to read your email, be sure it is over a secure connection (HTTPS).
WebMail: There is generally no record in the email headers to indicate if a message sent using WebMail was transmitted from the end-user to WebMail over a secure connection (SSL/HTTPS).

You can typically control one side and ensure it is secure; you can’t control the other without taking extra steps. So, what can you do to ensure your message is secure even if it might not be transmitted with encryption or if the recipient tries to access it insecurely?

You could use end-to-end email encryption (like PGP or S/MIME, which are included in SecureLine) or a secure web portal that doesn’t require the recipient to install or set up anything to get your secure email message. These methods meet HIPAA and other regulatory compliance requirements for secure data transmission and provide complete confidence that the message will be sent and received securely.

LuxSci’s SecureLine offers flexible encryption options, including TLS, secure web portal, PGP, and S/MIME. Its dynamic capabilities can determine what types of encryption the recipient’s server supports to ensure your emails are always sent securely. Contact our team today to learn more about how to secure your emails.

What is HIPAA Compliant Hosting?

December 16, 2024
Erik Kangas

HIPAA compliant hosting provides infrastructure for storing protected health information while meeting HIPAA Security Rule requirements. These hosting environments include physical, technical, and administrative safeguards such as encryption, access controls, audit logging, and disaster recovery. Healthcare organizations use HIPAA compliant hosting to maintain patient data security and regulatory compliance when storing electronic protected health information.

Core Requirements for HIPAA Compliant Hosting

HIPAA compliant hosting environments incorporate security measures to protect electronic health information. Data encryption safeguards information both during storage and transmission between systems. Access control systems limit data viewing to authorized personnel through user authentication and permission settings. Hosting providers maintain comprehensive audit logs that track all system access and modifications to protected information. Physical security measures protect server equipment through restricted facility access, surveillance systems, and environmental controls. These protections work to create a secure foundation for healthcare data storage and processing.

Infrastructure and Data Center Standards

HIPAA compliant hosting facilities maintain physical security standards more so than typical data centers. Providers implement layered facility access restrictions including biometric verification, security personnel, and monitored entry points. Environmental controls regulate temperature, humidity, and fire suppression to prevent data loss from environmental factors. Redundant power systems with backup generators ensure continuous operation during outages. Network infrastructure includes firewall protection, intrusion detection systems, and secure connectivity options. These facilities undergo regular security assessments and maintain documentation of all physical security measures to demonstrate compliance with HIPAA requirements.

Business Associate Agreements for Hosting

Healthcare organizations must establish Business Associate Agreements (BAAs) with their hosting providers before storing protected health information. These legally binding contracts define provider responsibilities for maintaining HIPAA compliance and protecting patient data. BAAs outline security incident response procedures, breach notification requirements, and liability terms. The agreement establishes permitted uses of health information and prohibits unauthorized disclosure. Reputable HIPAA compliant hosting providers offer standard BAAs that meet regulatory requirements without extensive negotiation. Organizations maintain copies of these agreements as part of their compliance documentation for potential regulatory audits.

Encryption and Data Protection Methods

HIPAA compliant hosting employs multiple encryption methods to protect health information throughout its lifecycle. Providers implement full-disk encryption for data storage to prevent unauthorized access even if physical drives are compromised. Transport Layer Security (TLS) protocols encrypt data during transmission between systems. Virtual Private Network (VPN) technology creates secure connections for remote access to hosted systems. Database-level encryption provides additional protection for sensitive information fields. Hosting providers maintain encryption key management systems with strict access controls. These encryption approaches protect data against various threat vectors while maintaining system performance.

Disaster Recovery and Business Continuity

HIPAA compliant hosting includes disaster recovery capabilities to prevent data loss during system failures or natural disasters. Providers maintain geographically dispersed backup systems that replicate data according to defined recovery point objectives. Regular backup verification processes ensure data integrity and restorability. Documented business continuity plans outline recovery procedures and responsible personnel. Hosting environments include redundant system components to eliminate single points of failure. Annual disaster recovery testing validates these systems under simulated emergency conditions. These measures fulfill the HIPAA contingency planning requirements while providing healthcare organizations with continuous access to patient information.

Compliance Monitoring and Documentation

HIPAA compliant hosting providers maintain documentation of their security measures and compliance activities. Regular risk assessments identify potential vulnerabilities in hosted systems and infrastructure. Security teams conduct penetration testing to validate protection effectiveness. Compliance certification reports from independent auditors demonstrate adherence to HIPAA standards and other frameworks like HITRUST or SOC 2. Providers maintain records of staff training on security procedures and HIPAA requirements. These documentation practices help healthcare organizations demonstrate due diligence in selecting appropriate hosting environments for protected health information.

LuxSci Enhances API Authentication for Easier, More Flexible Integrations with EHRs, CDPs and RCM Platforms

April 7, 2025
Erik Kangas

Today, we’re pleased to announce that LuxSci just made it even easier to leverage its powerful high volume email API with the healthcare platforms you rely on most. Whether you’re connecting with an EHR system, Customer Data Platform (CDP), Revenue Capital Management (RCM) platform—or even your contact center or unified communications suite—the new LuxSci API authentication options unlock the flexibility you need to scale and move fast.

In healthcare, connected patient journeys anchored in secure, personalized communications are driving increased engagement and better outcomes for patients and companies—all at a lower cost. From sending secure high-volume transactional emails to targeted marketing and educational communications, your systems and platforms need to talk to each other without friction to achieve the best results. LuxSci’s new API updates make that possible, securely.

What’s New in This Update

Support for OAuth 2.0, API Key, and Basic authentication methods.
Published API YAML specs and SwaggerHub integration for instant testing.
Enhanced multi-factor authentication (MFA) protection with one-time-use codes.

Overview of the LuxSci API

The LuxSci API is built with healthcare IT, security and developer teams in mind. It’s RESTful, secure, and designed for high volume email workflows.

Using industry standards like HTTPS, JSON, and TLS 1.2+, LuxSci’s API delivers fast and reliable integration and communication. Whether you’re sending appointment reminders, test results, preventative care communications, explanation of benefits (EoBs), or new product offers, your messages go out quickly and securely, with best-in-class email deliverability rates of 98% or more.

Designed for Compliance and Performance

LuxSci is HIPAA-compliant and HITRUST Certified, ensuring your healthcare communications stay within the bounds of regulatory compliance, keeping patient and company data secure—even as your email sending volume scales into the millions.

Authentication Gets a Major Upgrade

With the latest API release, LuxSci now supports three industry-standard authentication methods—alongside its proprietary LuxSci Secure option.

Let’s break them down:

OAuth 2.0 – The modern standard. Secure, flexible, and ideal for enterprise-scale integrations.
API Key – Simple and efficient. Ideal for server-to-server use when convenience matters most.
Basic Authentication – Straightforward and widely supported. Great for internal systems and quick testing.

Still Available and Highly Recommended: LuxSci Secure Authentication

For those who want the tightest possible control over API sessions—including HMAC signatures and session revocation—LuxSci Secure authentication remains the best option for customers.

Now, let’s take a closer look at how each of the new authentication methods work:

OAuth 2.0: A Standards-Based Approach

OAuth 2.0 gives you a robust framework to handle both account-level and user-level integrations.

Account-Level Authentication (Client Credentials Flow)

Perfect for system-level access—including EHR, CDP or RCM platform integrations where user context isn’t needed.

User-Level Authentication (Resource Owner Password Credentials Flow)

This method allows API access on behalf of individual users—great for patient portals or provider tools.

Security, Flexibility, and Simplicity Combined

Tokens expire after a default of 15 minutes, ensuring sessions aren’t left open indefinitely. Bonus: No message body signing is required, making integration quick and painless.

API Key: Simple and Straightforward

API Key authentication is as easy as including your credentials in a custom header. No session to manage, no extra handshake steps.

How It Works:

You send the HTTP header

X-API-Key: client_id:client_secret

With each request. That’s it.

Ideal Use Cases

Server-to-server automation
Internal dashboards
Data exports from analytics platforms

Basic Authentication: Familiar and Easy

Basic Auth is a time-tested option. Just Base64 encode your API credentials, include them in an HTTP header, and go.

While not as bulletproof as OAuth or LuxSci Secure, API Key and Basic Auth work fine for less sensitive data or development environments.

Easy Access to YAML Specs and SwaggerHub for API Testing

LuxSci has also published detailed YAML API specifications, making it easier for developers and IT teams to access testing interfaces.

You can find more information on our LuxSci API page.

Improved MFA and Easier Access to Testing Tools

As part of today’s announcement, LuxSci also rolled out new, smarter Multi-Factor Authentication (MFA) for enhanced web interface login protection.

LuxSci now ensures that each MFA code can be used only once. So, even if a hacker captures your password and MFA code, they are useless for conducting new login sessions. This update helps protect against automated phishing, spoofing, and fake login pages.

Why Healthcare Leaders Trust LuxSci

Best-In-Class Email Deliverability Rates of 98%

We don’t just send your emails—we get them delivered. Our 98%+ deliverability rate is among the highest in the industry, especially for sensitive healthcare data and communications.

HIPAA Compliance and HITRUST Certification

LuxSci checks every box when it comes to data privacy and protection. Trust your messages are safe, every step of the way.

Secure Communication at Scale

From a few thousand appointment reminders to millions of outbound secure emails—LuxSci scales with your business. Today, we work with some of the largest players in the healthcare industry, including Athenahealth, 1800 Contacts, US Healthconnect, Lucerna Health and Eurofins.

FAQs

Q1: What’s the most secure authentication method to use with LuxSci?

A: LuxSci Secure authentication offers the highest security with message signing and session revocation. For more information, visit our API Mechanics page.

Q2: Can I use OAuth 2.0 with user-level access?

A: Yes! Use the Resource Owner Password Credentials Flow (ROPC) to authenticate individual users.

Q3: Where can I find the SwaggerHub API testing tools?

A: LuxSci has published YAML specifications for SwaggerHub. Visit the LuxSci API page for more information.