You've Got Mail! But Is It HIPAA Compliant? Email and Encryption #FBF

Originally published April 28, 2021

We rely on email to communicate with one another, and we tell ourselves that it's safe and secure. Email is virtual, so it must be safe. Electronic mail is like regular mail, and that's secure, right? A Gmail account runs over HTTPS, and that "s" literally stands for "secure." Surely you can't be serious that I can't trust the confidentiality and security of my email.[1]

Unfortunately, the truth is that the vast majority of email is minimally encrypted and isn't secure at all. To learn more about encryption, take a look at our What is Encryption, Types of Encryption, and Why You Need It article. Ray Tomlinson, Shiva Ayyadurai, and others created email at a time when everything was sent in the clear, at a time when even passwords weren't encrypted. This means that trusting email with private personal information leaves us vulnerable to identity theft. For medical offices, however, email violations involving Protected Health Information (PHI) can mean penalties of $50,000 or more per incident!

Since trusting insecure email can be costly, let's talk about ways to share PHI securely while ensuring compliance with the Health Insurance Portability and Accountability Act of 2013 (HIPAA).

Why Isn't Email Encrypted?

Writing for PCMag, Neil J. Rubenking offers an entire piece on how most email providers do little to encrypt your email. He explains: "The point here is that your email provider's goals aren't centered on security and privacy. If you want to protect your emails from prying eyes, look to a third-party company that puts security first." Rubenking's point is that securing our email goes against the business interests of Google, Apple, etc. Our email is a treasure trove of data that they can turn around and sell to advertisers.[2]

Tim Brooks of How-To Geek says, "While services like Gmail encrypt the connection between your computer and the server, any information you send to the server (including the contents of your messages) is not encrypted when it gets there. Any private conversations (or state secrets) you're discussing will sit on Google's servers in an unencrypted format." By the way, to underscore that Gmail is not secure by itself, a significant selling point of the encryption service Virtru is that its Gmail Encryption offering is actually "Recommended by Google"!

Perhaps the biggest insecurities of email come from the email providers themselves. The cost of these free services is that they often build a marketable profile of us, which they use to offer us personalized ads. And that is before considering that many of these email providers are in jurisdictions subject to data sharing with intelligence agencies.[3] Brooks highlights, "This is why Gmail, Outlook, Yahoo, and most other free, mainstream email providers are not regarded as being truly secure."

[Image: a computer sending off an email that is going out all over the world.]

Figure 1. Once we send our email out to the world, it's out there, and completely unencrypted.
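The transport encryption Brooks describes is negotiated hop by hop between mail servers, and each server records what it used in a Received: header. The following Python check, added here as an example and not code from the original article, reads those headers to report which hops used TLS; the sample message is constructed, with fictional hostnames, and a message whose every hop was encrypted still sits in plaintext on the receiving server, which is exactly the article's point.

```python
import re
from email import message_from_string

# Constructed sample message (not a real capture). The hop from the sender's
# laptop to the clinic's mail server used TLS (ESMTPSA, RFC 3848); the relay
# hop from the clinic to the hospital fell back to plain SMTP (ESMTP).
SAMPLE_MESSAGE = """\
Received: from mx.example-clinic.test (mx.example-clinic.test [192.0.2.10])
    by mail.example-hospital.test with ESMTP id 4Zq1Lk0001
    for <dr.jones@example-hospital.test>; Mon, 26 Apr 2021 09:12:01 -0400
Received: from [192.0.2.55] (unknown [192.0.2.55])
    by mx.example-clinic.test with ESMTPSA id 1lbR2q-0003kJ-9Q
    (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256)
    for <dr.jones@example-hospital.test>; Mon, 26 Apr 2021 09:11:58 -0400
From: front-desk@example-clinic.test
To: dr.jones@example-hospital.test
Subject: Lab results for patient

Body would go here.
"""

# "with" keywords that imply a TLS-protected SMTP session (RFC 3848 registry)
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "SMTPS", "UTF8SMTPS", "UTF8SMTPSA"}
HOP_RE = re.compile(r"\bby\s+(?P<by>\S+)\s+.*?\bwith\s+(?P<proto>[A-Za-z0-9]+)", re.I)
TLS_RE = re.compile(r"version=(?P<ver>TLS[\w.]*)")  # Postfix/Gmail style annotation


def parse_hops(raw_message):
    """Return one dict per Received: header, oldest hop first."""
    msg = message_from_string(raw_message)
    hops = []
    # Headers are prepended, so the last Received: line is the first hop.
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.search(text)
        if not m:
            continue  # non-standard clause; skip rather than guess
        proto = m.group("proto").upper()
        tls = TLS_RE.search(text)
        hops.append({
            "by": m.group("by"),
            "protocol": proto,
            "tls": proto in TLS_PROTOCOLS or tls is not None,
            "tls_version": tls.group("ver") if tls else None,
        })
    return hops


def all_hops_encrypted(raw_message):
    """True only if every recorded server-to-server hop used TLS."""
    hops = parse_hops(raw_message)
    return bool(hops) and all(h["tls"] for h in hops)
```

Running `parse_hops(SAMPLE_MESSAGE)` on the constructed message flags the clinic-to-hospital hop as unencrypted, so `all_hops_encrypted` returns False.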

Can I Email PHI?

HIPAA follows the "Guidelines on Electronic Mail Security" from the National Institute of Standards and Technology (NIST SP 800-45 Version 2). Writing for NortonLifeLock, Alison Grace Johansen explains that encryption matters because government regulations demand it. "The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare providers to implement security features that help protect a patient's sensitive health information online."

The U.S. Department of Health & Human Services clarifies, "The Security Rule does not expressly prohibit the use of email for sending e-PHI. However, the standards for access control …, integrity …, and transmission security … require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI." This expectation means that we can only use email systems that we have correctly configured for transmitting PHI. The vast majority of email in use today does not have these encryption safeguards in place and is therefore not HIPAA compliant!

A central aspect of HIPAA is ensuring the integrity of PHI at rest: "To make your email HIPAA compliant you should ensure you have end-to-end encryption, which encrypts both messages in transit and stored messages." As mentioned earlier, emails on servers owned by Google and other email providers are left unencrypted, overtly violating this requirement.

But He Started It

HHS adds that a patient can opt to communicate via unsecured email. In return, the health care provider can communicate back via this medium. However, "If the provider feels the patient may not be aware of the possible risks of using unencrypted e-mail or has concerns about potential liability, the provider can alert the patient of those risks, and let the patient decide whether to continue e-mail communications." Here again, HHS is underscoring that email in itself is not a secure medium. If patients want to use this method of communication, they should be informed of the risks and make an informed decision. Proceeding without this explicit patient consent is another HIPAA violation.

As Dr. David Craig highlights, "Since standard email is, nearly by definition, not compatible with many HIPAA regulations, you should avoid it by default whenever you need to communicate PHI to anybody who is not the exclusive subject of that PHI and who hasn’t consented specifically to its use." So, if we need to share data with anyone else, we've got to find another way …

Emailing on Internal (Even if They're Virtual) Networks

According to HIPAA Journal, "HIPAA compliance for email is not always necessary if a covered entity has an internal email network protected by an appropriate firewall." As such, internal email that is sent from, received by, and relayed through computers all on the same internal network is HIPAA compliant. So long as all computers involved, including the email server, are on the same intranet, this exchange is as HIPAA compliant as sharing a physical file in-house. And like a physical file, this internal email transmission can be entirely unencrypted.

Since being on the same network is one way to comply with HIPAA, "For many businesses, a Virtual Private Network (VPN) is one of the best and easiest ways to implement network security, protect data transmission, provide encryption and meet other HIPAA compliance requirements that secure electronic Protected Health Information (ePHI)." Through a secure VPN service, an external device becomes part of the internal network. Furthermore, tunneling through the internet via a VPN encrypts our data regardless of the network we happen to be using.

A VPN is better than encrypted email because, unlike "methods that can only encrypt a message body, a VPN can encrypt entire messages, including email header information such as senders, recipients, and subjects." That said, since a device using the VPN is on the other side of the firewall, we must harden this device to meet HIPAA compliance, as these "devices can be a major vulnerability where hackers are concerned." And like encrypted email, VPNs also need to be encrypted using the 128, 192, or 256-bit Advanced Encryption Standard.

Secure Public Email

For anyone who needs to conduct business beyond our firewall and outside our VPNs, we need encrypted email. Microsoft Outlook has introduced a new Encrypt button, allowing users to encrypt emails easily. The catch is that we must be 1) a Microsoft 365 subscriber, 2) using the Outlook desktop app, on 3) a Windows computer.

For all the rest of us, we need another option. PCMag, How-To Geek, and others recommend opting for email encryption services like Preveil, Tutanota, or even Swiss-based ProtonMail. Tutanota and ProtonMail require users to use their own email infrastructure, whereas Virtru and Preveil work with popular email providers like Gmail and Outlook. However, this added security comes at a cost: "The recipient of a Preveil message must install Preveil to read it, period." Meanwhile, Virtru makes recipients click a link in the email to open the message in a browser. And ProtonMail, as well as StartMail and Private-Mail, require users to set up a virtual key exchange to establish encryption.

Just the Fax, Ma'am (and another Alternative to Email)

All of that said, email is by no means our only option. A great way to remain compliant is to go old school and fax PHI. Faxes have no encryption, but because of their direct, peer-to-peer connection, they are considered secure. It's even possible to set up an eFax solution that is HIPAA compliant to get the best of faxing and email.

Another email alternative would be a file sharing and cloud service. Box specifically advertises itself as "HIPAA-compliant cloud storage," saying: "All PHI stored in Box is secured in accordance with HIPAA, and Box signs Business Associate Agreements (BAAs) with all clients who plan to store PHI in the cloud." As such, while we can configure this service (and other cloud storage services like it) to be fully HIPAA compliant, it is not—if you'll forgive the pun—right out of the Box.

Take Away

So the right solution for you depends on many factors. Perhaps one solution is internal email, with or without a VPN. Maybe you need to opt for a professional encrypted email provider. Fax, eFax, or (properly configured) cloud storage might be the answer. But whatever you do, don't blindly email PHI.

[Image: Leslie Nielsen from the movie Airplane! saying, "And don't call me Shirley."]

Figure 2. My favorite joke from Airplane! is a straight-faced Leslie Nielsen countering "I am serious. And don't call me Shirley." © Paramount Pictures

[2] Rubenking surveyed his colleagues and found that not a single one of his technologically savvy and security-conscious colleagues had installed an email security certificate to secure their email!

[3] This is why being located in famously neutral Switzerland is such a big selling point for Proton Mail, which also offers a secure VPN service.