2018 HIPAA Compliant Email Encryption Review
May 7, 2018
When you’re working with Protected Health Information (PHI), you know you’ve got to protect it. HIPAA law mandates that Covered Entities, Business Associates, and Business Associate Subcontractors protect the PHI they store and come in contact with at rest, in storage, and in transit. Technology has changed the way we do business today – safeguarding PHI in every form is crucial. Email encryption is just another way to protect it and your organization.
There are many email encryption services that can ensure the security of your account. Total HIPAA has published a couple of blogs before about email encryption, but we thought it was time for an update. Today, we’re looking at eight vendors that offer affordable, HIPAA compliant solutions for small to mid-size organizations. Each product is around the same price point with similar features like setting expiration dates, revoking messages sent, and preventing emails from being forwarded or printed. And most importantly, all of the vendors reviewed will sign the Business Associate Agreement required under HIPAA. Ultimately, your organization will want to see which solution fits your needs in securing email communications. Check out AppRiver, Barracuda, Hushmail, Identillect, LuxSci, Protected Trust, RMail, and Virtru below (listed alphabetically). We’ve added two new products since our previous blog – AppRiver and RMail.
AppRiver’s CipherPost Pro® email encryption includes mailbox-to-mailbox security, keeping confidential information safe while helping your business remain HIPAA compliant. CipherPost Pro is a cloud-based, secure communications platform that integrates into any existing email environment.
Once you sign up for CipherPost Pro on www.appriver.com, a member of the AppRiver team calls to help your administrator set up the product and quickly walk you through the platform. Your email administrator uses the admin portal to keep track of users, including the ability to promote or revoke guest or registered user rights, and add new domain administrators.
For users, a special menu sidebar appears on the right side of the page as you are composing your messages. With this menu, you can enable message-tracking options, restrict external users from forwarding or replying to your message, and make your message require a second encryption key to be read.
Encryption and Security
CipherPost Pro uses AppRiver’s Secure Messaging Platform (SMP) to provide complete end-to-end security. When a user sends an email with CipherPost Pro, it establishes an HTTPS connection to the AppRiver cloud data center. Each email is securely sent to the cloud servers where it is stored with 256-bit AES encryption. SMTP (Simple Mail Transfer Protocol, the standard for email transmission) is only used to send a notification email to the recipient, and it doesn’t contain any confidential data or file attachments.
CipherPost Pro’s mobile features are many, as you can create, read and reply to secure messages on iOS, Android, Windows Phone and BlackBerry platforms. All of the features of CipherPost Pro email encryption, including real-time tracking, large file transfers, compliance services and many others, are available on your mobile device. CipherPost Pro minimizes device battery and bandwidth consumption, and there’s no need to worry about losing your phone – administrators can quickly enable or disable access from the Secure Message Center (Webmail) so no one can use a lost or stolen device to access your account.
CipherPost Pro knows that organizations of just about any size need to exchange signed documents. AppRiver CipherPost Pro® e-signature is a simple “click to acknowledge” process that is secure and easy to use. From patient charts to x-rays, you can obtain required signatures literally in seconds!
CipherPost has a 30-day free trial and their support team “holds your hand” as you set up an account and get started. Users pay $7.95 per month with discounts for annual payments and a one-time setup fee of $25 for your domain. During the Trial period, you can review and select one of the available subscription options – monthly, yearly, and biennially. The Service is billed at the start of each month for the following month if the monthly subscription option is selected. The Yearly and Biennial options are pay-in-advance subscriptions that include prepayment discounts. Clients choosing either of these options will be contacted by AppRiver approximately 45 days prior to the end of the subscription period with the available options for continuing the Service.
Barracuda is a 100% cloud-based email security and archiving option. Their email security service combines several layers of protection for incoming and outgoing emails to protect against attacks. Barracuda is very focused on security because email is one of the main sources of breaches and data leaks. Therefore, they are dedicated to stopping email-borne threats before they hit your server, protecting against targeted attacks, and protecting critical data from escaping your business. In addition, they offer archiving for retention and compliance.
Barracuda email service can be accessed through the web portal “cloud control”. Through that portal, users can manage security options, message log, archiver, and more. It is a fully cloud-based service, requires no hardware or software installation, and is licensed as an ongoing service. Setup takes less than 30 minutes. Check out the free trial or view a demo.
Encryption and Security
Barracuda complies with all portions of HIPAA and HITECH that apply to their services (e.g. transmission security, audit controls, etc.). The Barracuda Message Center utilizes the Advanced Encryption Standard with a 256-bit cipher, commonly known as AES-256. The first time an email is received for a recipient, a unique key is generated. Emails (including attachments) are encrypted using the recipient’s key. Emails are sent securely using Transport Layer Security (TLS) encryption.
Barracuda has many features that come with their email service. They offer advanced threat protection, which automatically scans email attachments in real-time for potential threats. Included in the email service are link, malware, phishing, typosquatting, spam, and virus protections.
Outbound filtering is also offered to help prevent outbound attacks originating from inside the network. The data leak prevention feature allows emails with sensitive information to be detected and blocked or automatically encrypted. Email spooling ensures that emails can still be delivered even during server failures and loss of connectivity. As the objective of an attack is often to disable the network, Barracuda’s Denial of Service Attack Prevention helps stop spammers before they overload the server.
Barracuda’s cloud-based email security service is $4.50/user/month with a minimum of 10 users. There is not a setup fee.
Hush Communications created Hushmail in May 1999 and is recognized as a leader in email encryption services. Hushmail provides Healthcare Email Encryption to assure HIPAA compliance for their clients. You receive your Business Associate Agreement in one of the first emails you’ll receive when signing up.
There is no installation needed. Their email services can be used with your current email domain. A Hushmail subdomain can be issued if you do not own a domain. Your other email addresses can be forwarded to your Hushmail account to provide a central location.
Encryption and Security
OpenPGP encryption is automatic when sending messages between Hushmail users and for sending to other email addresses. You can manage emails with a checkbox located on the compose screen of the webmail portal or the Hushmail app on your iPhone. All connections between users and the Hushmail servers are sent securely through SSL/TLS transmission. Advertising on the company’s website states that the SSL/TLS connection is rated A+ by Qualys SSL Labs. Two-factor authentication is available (and highly recommended) for users to add an extra layer of security when logging in.
Hushmail automatically creates a separate archive account that keeps a record of all emails sent or received by all users in your business’s domain; this is essential in case of an audit. Hushmail gives you the ability to create unlimited email aliases to send emails from an address other than your real one for comfort and security. Each user receives 10GB of storage for their emails and corresponding attachments.
Secure web forms are included with the Hushmail for Healthcare package. Users are able to securely receive confidential information collected on their website, which can come in handy especially for medical practices and insurance agencies.
The rate for Hushmail for Healthcare Email Encryption is $9.99/month/user with a one-time $9.99 setup fee.
Identillect Technologies brings Delivery Trust, an easy-to-use email encryption service for organizations of all sizes. Their product applies patented, state-of-the-art encryption technology at the click of a button, protecting emails while in transit. Delivery Trust advertises that users gain the ability to send secure emails instantly to any recipient, anywhere! And this product delivers. By signing up you can go through an interactive demo of their offerings.
Delivery Trust can be purchased as a web portal for users to send emails or as a plugin on Gmail, Microsoft Outlook, or Outlook 365. The Delivery Trust Gmail integration is simply a Chrome Extension in the Chrome Web Store. The Delivery Trust Office 365 integration is an Add-In for the Outlook Web App and is built using Outlook.com’s API. The Delivery Trust Outlook Plugin is a Microsoft Add-On and built on top of Microsoft Office’s Add-On framework. Identillect is utilizing your current email address so there is no need to adopt a new email address. The company provides tutorials for beginning users to optimize the experience, including videos and then trying the feature out yourself.
Encryption and Security
Identillect brings beefed-up security, with all registered users having a randomly generated AES 256-bit key assigned to them. All emails that registered users send are encrypted under their assigned AES key and sent securely over SSL/TLS with RSA 2048-bit encryption. When the recipient is an unregistered user, they do not need to install Delivery Trust to decrypt the message. They will receive an email notification to click on a link. This takes the user to the Delivery Trust Web Portal to answer any authentication questions posed, then the email will be decrypted by Delivery Trust to view securely.
There is also a Delivery Trust Business package which sets an organization up to use Identillect for all their needs. A business administrator can create an Enterprise Policy that dictates how its users can operate. This includes specifying preferences around authentication questions to use, security controls (e.g. disable printing, forwarding of email, retracting emails, etc.), whether users can permanently delete emails, and retention policies. There is a complete log recording any action taken with an email (e.g. location, IP address, when it was opened and by whom, and any other action can be tracked like forwarding, etc.).
The Secure Scan feature automatically prompts users to encrypt messages containing any sensitive data. There is a modifiable dictionary for certain keywords to detect, and it also recognizes number sequences (like SSN and CC numbers).
Other features include options to receive discreet read receipt for sent emails and two-factor authentication with their web portal. You’ll have the capability to send messages up to 1GB in size.
Identillect also offers a HIPAA compliant eSign solution. Most other eSign solutions deliver the finalized document in an unencrypted PDF attachment, making them non-compliant when containing any client PHI (which by their nature, they do).
Identillect sells its licenses per email address ranging from $5.95 to $10.95 per month based on features or plugins chosen. It is $5.95/user/month if the web only services are purchased; $7.95/user/month for the Gmail and Outlook 365 plugin; $8.95/user/month for the web services and Microsoft Outlook integration; and $10.95 for Delivery Trust Business featuring all services offered through Identillect. If you purchase an annual subscription using the coupon code HIPAA, Identillect will take 10% off your order.
LuxSci can be accessed through their web portal. The user does not have to create a new email account for LuxSci. Setup is simple: access LuxSci’s website and sign in to access the web portal.
Encryption & Security
LuxSci encrypts, sends bulk emails over SMTP, and compiles email reports, but also offers enterprise services to any size company. It even offers a service that transfers your existing emails and data into the LuxSci server if you choose to switch to using their host service.
Emails sent through LuxSci are automatically encrypted with their end-to-end encryption service. LuxSci is committed to safeguarding ePHI. They use SSL and TLS to connect to their servers, ensuring messages cannot be modified in transit. Users are able to send secure messages to anyone with a valid email. The recipient does not need to have LuxSci, TLS or PGP support in order to receive or reply to an email.
They also offer multiple security options: SMTP TLS, PGP, S/MIME or Escrow are available for the users as well as optional VPN access for extra security. HIPAA compliant accounts with LuxSci have a default 20-minute idle period. The system automatically logs off after 20 minutes of inactivity. This can be increased to 3 hours maximum by an administrator.
LuxSci also offers comprehensive security auditing for all accounts. Data is automatically backed up. Daily backups are kept on site for 2 days while weekly backups are kept off-site for 4 weeks before being destroyed. Users can ask for free restored backups once/month. LuxSci also offers a “Maximal Security” setting. This includes a 20-minute maximum timeout, forcing appropriate encryption, password strength requirements, and forced secure logins. This setting can be made so it’s locked and cannot be changed.
In compliance with HIPAA, LuxSci provides an email encryption system designed to transfer ePHI securely. They do this by using SMTP TLS enabled mail servers to pass email between themselves in a secure manner even if the messages themselves are not internally encrypted. They also use Escrow to require that a recipient actively verify his or her identity before he or she can access a message at a secure web portal. And they use PKI to internally encrypt email messages before sending them to the recipients.
LuxSci has many highly technical features and add-ons. Users must log in with a username and password to access the encryption services. HIPAA compliant accounts are required to have a high level of password strength and complexity. Automatic auditing of password changes and password resets are done for HIPAA accounts through LuxSci.
When looking for a program that provides secure HIPAA compliant email encryption with many options and features, LuxSci is a great choice. They have made SMTP integration easy so that you can add LuxSci to your existing desktop client. Additionally, LuxSci adds a plug-in to online mail host accounts such as Gmail or Yahoo Mail to ensure HIPAA compliance through this third-party overlay option and allowing you to keep your domain name.
The company’s staff is HIPAA trained so they can ensure the privacy of your information while it’s stored on their servers, passing through their servers, or on their backups. Additionally, LuxSci offers email archive with unlimited storage capacity for backup and auditing purposes. It also integrates productivity tools such as calendars, workspaces, tasks, file sharing, and address books.
LuxSci has two options for purchase: Business Class and Enterprise Class. Business Class is $10.00/month, 50GB disk space, and $0.75/GB extra disk space. Enterprise Class is $20.00/month, 25GB disk space, and $1.00/GB extra disk space. Those per month numbers are the minimum monthly charges for that class. The email accounts cost $4.00 – $10.00 each per month depending on the options. There is a one-time charge of $100.00 to receive their HIPAA compliant version, which is updated to include provisions required by the Omnibus Final Rule. Request a free trial.
Protected Trust provides users with an easy, simple, and secure way to send and receive emails containing PHI. Protected Trust allows users to attach files to emails including things like x-rays, referrals, etc. up to 5GB per message. Emails can be sent from an integration with Microsoft Outlook, your EMR, or the Protected Trust web portal. Protected Trust is a privacy, data and security company, that specializes in services and solutions that help companies manage the risk and exposure to their data.
As a US-based company, 24/7 support is offered to all customers. They operate their own server centers and all employees are HIPAA compliant. Not only do they often do penetration testing, they also do voluntary audits and work with high-security government organizations. Despite never experiencing a data breach, they do have breach insurance for extra protection. Protected Trust complies with major government regulations such as HIPAA, HITECH, GLBA, SOX, and more.
An account with Protected Trust can be set up in as little as 10 minutes, and it takes no training to do so. Protected Trust can either be accessed through the web portal on their website, through any web browser, or can be integrated with your Microsoft Outlook email. In order to set this up, it is as simple as opening an account with Protected Trust and accessing your account with your login information. The web-based portal is a nice feature because it can be accessed anywhere including mobile devices. Users can also keep their current email. There are also mobile apps for iPhone and iPad. Try their free trial.
Encryption and Security
Protected Trust uses end-to-end AES-256 bit encryption in addition to a dual-factor authentication for encrypted messages. Messages are stored and encrypted at rest. In addition, Protected Trust also has read receipts so the user knows when the recipient has opened and read their email. Users are also able to revoke emails both before and after the message has been opened. Protected Trust also allows the sender to set an expiration time on the email so, after a specified amount of time, the recipient will no longer have access to the email or its contents.
Interesting features offered by Protected Trust are the verification options. When sending an encrypted email to someone not registered with Protected Trust, the user can require verification in 3 different forms. First, a secret code can be established. The recipient must enter the secret code in order to open the email. Secondly, phone verification can be used. The recipient can either receive a phone call or an email with a randomly generated key code to enter for access to the email. Lastly, recipients can set up a free guest account. One-time verification grants the recipient access to future emails.
The package comes with unlimited secure messaging and unlimited free guest accounts as well. While the email encryption accounts have a 10-year message retention, the guest accounts only have 30-days message retention. Additionally, Protected Trust has a proof of delivery log. They also offer an email archiving service; however, it is separate from the email encryption service.
The cost is $36.00 per month with a minimum of 3 users. Additional users are $12.00 each. They can also set up a single user license at $15.00 per month if the user only needs one account for their office. There is no setup fee.
RMail is a cloud-based, HIPAA compliant, secure email service that lets users encrypt email messages, keeping an audit trail along the way. And it does a lot more. RMail tracks your important emails so you know precisely when they’re delivered and opened. Its Registered Email technology and Registered Receipt™ email record eliminate uncertainty around email delivery by providing proof of your correspondence, as well as proof of fact of encrypted delivery. Use RMail’s E-sign feature to get recipients’ electronic signatures and even transfer files as big as 1GB. New subscribers can continue utilizing their existing email addresses or they can create an RMail domain email address, which is free. RMail works with several kinds of email clients and platforms, including Outlook and Gmail for messaging flexibility.
RMail’s technical support includes a knowledge base, FAQs, downloads, and training videos, as well as the ability to open a support ticket via their website (for Personal and Professional plan holders) with promises of a response within 24 hours. Phone support is available for Enterprise plan holders only.
Getting started with RMail is promised to be easy to set up and intuitive to use. The RMail “add-in” installation can be performed from the RMail website, where you simply select the configuration that matches your current scenario (Gmail users would select “RMail for Gmail,” for example), etc. You can select to proceed with a free trial or go on to install the RMail software on your computer. After closing out your current email, you can install the software using a standard Installation Wizard approach. Once the installation completes and you reopen your email, the RMail add-in button is included when you compose a message. Contact firstname.lastname@example.org for setup help or call 866-468-3315 8 am to 10 pm ET – Monday through Friday for general questions.
Encryption and Security
RMail has an automatic encryption mode such that all encrypted messages can be configured to send by TLS automatically when TLS is detected and supported by both sender and recipient mail servers. Otherwise, RMail messages and any attachments are encrypted in a 256-bit AES-encrypted PDF wrapper and delivered directly into the recipient’s inbox. There is no need to retrieve it from an outside server or website. With options for secure end-to-end delivery, you can be sure that your email message will only be read by its intended recipient(s). There are several delivery configurations available.
Only RMail provides true direct delivery of your encrypted message and attachments into your recipient’s inbox. Recipients won’t need to register for an account, open a web browser, or otherwise leave their inbox to access messages. In addition to encrypting emails, RMail includes a click-to-sign feature and can also track emails and access information about email delivery and receipt. RMail can be integrated with Gmail and Outlook.
RMail offers a free service level for those that only need to encrypt occasionally. This free service level works with any email address and lets you send 5 messages per month, with no credit card required. For business users, RMail is available on a per user per month basis, and plans are tiered based on the number of users and the number of messages sent monthly. Their Standard professional plan includes 1 to 10 users and costs $14.99/user/month. Also available is their Personal plan (1 user) and Enterprise plan (100+ users). RMail requires no setup fee.
Virtru Data Protection for healthcare organizations is suitable for everything from small organizations to large enterprises and allows you to easily share HIPAA compliant emails and attachments with anyone, right from your existing inbox.
Virtru supports a number of platforms, including G Suite, Office 365 and Outlook. Virtru offers a web browser extension, as well as applications for your iOS and Android devices. Virtru does not require you to create a new account or password, so integration is virtually seamless.
Encryption and Security
The company guarantees end-to-end encryption, with only you and your intended recipient able to decrypt the message. No third-parties (including Virtru) ever have access to any of your content. When sending emails, all it takes is one click to encrypt the message by Virtru, and preferences can be set with each email. Virtru features include the ability for users and admins to revoke a message at any time (even after it’s been opened), see and control where messages are forwarded, and set expiration dates for messages.
Virtru is also very easy for recipients to use. Recipients don’t need to have Virtru to access the secure message. They first need to quickly verify that they are the intended recipient, and the message will effortlessly decrypt in Virtru’s Secure Reader. See how easy it is for recipients with their video tutorial. For an extra layer of security, Virtru uses what is called an ephemeral key exchange to create a new key each time users log in to their email accounts.
The Administrative Dashboard has an easy-to-use web interface for managing your organization’s users and seeing where encrypted messages are being sent. An interesting feature is Virtru’s Data Loss Prevention (DLP), a scanner for each email being sent to find certain text patterns, keywords, and recipients with sensitive information that may need to be encrypted. DLP can detect Credit Card/Social Security Numbers, keywords (e.g. password, HIPAA, account number, proprietary, etc.), and custom rules can be constructed. The DLP feature can be set to scan an email and warn the user, or to automatically send the email encrypted.
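The kind of scan described here, and in Identillect's Secure Scan above, can be sketched in a few lines. This is an added example, not Virtru's or Identillect's implementation: the function names, the sample messages, and the Luhn and SSN range checks used to cut false positives are assumptions of the example, while the keyword list and the warn/encrypt modes come from the review.

```python
import re
from dataclasses import dataclass

# Keyword dictionary seeded with the keywords the review lists; modifiable by the caller.
KEYWORDS = frozenset({"password", "hipaa", "account number", "proprietary"})

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, each optionally followed by a single space or hyphen.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


@dataclass(frozen=True)
class Finding:
    rule: str      # "ssn", "card" or "keyword"
    redacted: str  # masked value, so the DLP log does not itself leak the data


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject ranges that are never issued (area 000/666/9xx, group 00, serial 0000)."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")


def scan(text: str, keywords=KEYWORDS) -> list:
    findings = []
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(Finding("ssn", "***-**-" + m.group(3)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(Finding("card", "*" * (len(digits) - 4) + digits[-4:]))
    lowered = text.lower()
    for kw in sorted(keywords):
        if re.search(r"\b" + re.escape(kw) + r"\b", lowered):
            findings.append(Finding("keyword", kw))
    return findings


def decide(text: str, mode: str = "warn", keywords=KEYWORDS):
    """Return (action, findings): 'send' if clean, else 'warn' or 'encrypt' per policy."""
    findings = scan(text, keywords)
    if not findings:
        return "send", findings
    return ("encrypt" if mode == "encrypt" else "warn"), findings


# Constructed sample messages (not real data).
SAMPLE_PHI = "Patient SSN is 123-45-6789; card on file is 4111 1111 1111 1111."
SAMPLE_CLEAN = "Lunch at noon? Ticket 000-12-3456, ref 4111 1111 1111 1112."

if __name__ == "__main__":
    for msg in (SAMPLE_PHI, SAMPLE_CLEAN):
        print(decide(msg, mode="encrypt"))
```

Pattern matching alone flags every 16-digit order number and every dashed nine-digit ticket ID; the checksum and range checks are what keep the "warn" mode from training users to click through alerts.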
Virtru offers an Encrypted Search feature that enables the user to search any future Virtru emails sent (past messages are not searchable). It gives users the ability to search encrypted messages just like regular ones.
Virtru Data Protection meets HIPAA compliance requirements, along with many other federal regulations.
*It’s important to note that Virtru for Personal Use (the free plug-in) does not include a BAA and does not enable HIPAA compliance.
For pricing information or to see how Virtru can work with your organization to meet your compliance requirements, please contact a sales representative.
Total HIPAA sees these eight solutions as a great fit, price- and feature-wise, for small and mid-size businesses. AppRiver, Barracuda, Hushmail, Identillect, LuxSci, Protected Trust, RMail, and Virtru all sign Business Associate Agreements with their clients, which is required in order to meet HIPAA regulations. We encourage you to check out the free trials for each and determine which will best work for you and your organization.