HIPAA Compliant Email Encryption Review 2018
May 7, 2018
When you work with Protected Health Information (PHI), you must protect it. HIPAA requires Covered Entities, Business Associates, and Business Associate Subcontractors to safeguard PHI both at rest and in transit. Technology has changed the way we do business, and safeguarding PHI in every form is crucial. HIPAA compliant email encryption is one more way to protect both the data and your organization.
Many email encryption services can protect your email. We published email encryption reviews in previous years, but it is time to update our recommendations. Today we look at eight affordable vendors that provide HIPAA compliant email encryption for small to mid-size organizations. The products have similar features and price points. Most importantly, all of the vendors reviewed will sign the Business Associate Agreement (BAA) required under HIPAA. Ultimately, your organization will choose the solution that best fits its needs. Check out AppRiver, Barracuda, Hushmail, Identillect, LuxSci, Protected Trust, RMail, and Virtru below (listed alphabetically).
AppRiver – HIPAA Compliant Email Encryption Service
AppRiver’s CipherPost Pro® email encryption includes mailbox-to-mailbox security. This keeps confidential information safe, therefore helping your business remain HIPAA compliant. CipherPost Pro is a cloud-based, secure communications platform that integrates into any existing email environment.
Setup of AppRiver
Once you sign up for CipherPost Pro on www.appriver.com, a member of the AppRiver team calls to help your administrator set up the product and quickly walk you through the platform. Your email administrator uses the admin portal to keep track of users. They maintain the ability to promote or revoke guest or registered users and add new domain administrators.
A special menu sidebar appears on the right side of the page as you compose messages. With this menu, you can enable message-tracking options, restrict external users from forwarding or replying to your message, and make your message require a second encryption key prior to opening.
Encryption and Security of AppRiver
CipherPost Pro uses AppRiver’s Secure Messaging Platform (SMP) for mailbox-to-mailbox security. When a user sends a message with CipherPost Pro, the client opens an HTTPS connection to the AppRiver cloud data center, and the service stores the message there encrypted with 256-bit AES. Plain SMTP (Simple Mail Transfer Protocol, the standard for email transmission) is used only to send a notification email to the recipient; that notification contains no confidential data or file attachments. Because the message content is retrieved from AppRiver’s servers rather than delivered over SMTP, the confidentiality of stored messages rests on AppRiver’s key handling and on the strength of each user’s portal login.
Extra Benefits of AppRiver
Mobile features: you can create, read and reply to secure messages on iOS, Android, Windows Phone and BlackBerry devices. All of the features of CipherPost Pro email encryption, including real-time tracking, large file transfers, compliance services and many others, are available on your mobile device. CipherPost Pro minimizes device battery and bandwidth consumption. If a phone is lost or stolen, administrators can quickly disable that device’s access from the Secure Message Center (Webmail), so the device can no longer be used to reach your account.
CipherPost Pro knows that organizations of just about any size need to exchange signed documents. AppRiver CipherPost Pro® e-signature is a simple “click to acknowledge” process that is secure and easy to use. From patient charts to x-rays, you can obtain required signatures literally in seconds!
Cost of AppRiver
This HIPAA compliant email solution offers a 30-day free trial; their support team “holds your hand” as you set up an account. Users pay $7.95 per month with discounts for annual payments and a one-time setup fee of $25 for your domain. During the Trial period, you can review and select one of the available subscription options – monthly, yearly, and biennially. If you select the monthly subscription option, you receive a bill at the start of each month for the following month of service. The Yearly and Biennial options are pay-in-advance subscriptions that include prepayment discounts. AppRiver contacts clients 45 days prior to the end of the subscription period with the option for renewal.
RMail – HIPAA Compliant Email Encryption Service
RMail is a cloud-based, HIPAA compliant, secure email service that lets users encrypt email messages, keeping an audit trail along the way. And it does a lot more. RMail tracks your important emails so you know precisely when the recipient receives and opens them. Its Registered Email technology and Registered Receipt™ email record eliminate uncertainty around email delivery by providing proof of your correspondence, as well as proof of fact of encrypted delivery. Use RMail’s E-sign feature to get recipients’ electronic signatures and even transfer files as big as 1GB. New subscribers can continue utilizing their existing email addresses or they can create an RMail domain email address, which is free. RMail works with several kinds of email clients and platforms, including Outlook and Gmail for messaging flexibility.
RMail’s technical support includes a knowledge base, FAQs, downloads, and training videos, as well as the ability to open a support ticket via their website (for Personal and Professional plan holders) with promises of a response within 24 hours. Phone support is available for Enterprise plan holders only.
Setup of RMail
RMail is designed to be easy to set up and intuitive to use. You install the RMail add-in from the RMail website by selecting the configuration that matches your environment (Gmail users select “RMail for Gmail,” for example). You can start with a free trial or go straight to installing the RMail software on your computer. Close your email client, run the standard installation wizard, and when you reopen your client the RMail button appears in the compose window. Contact email@example.com for setup help, or call 866-468-3315, 8 am to 10 pm ET, Monday through Friday, for general questions.
Encryption and Security of RMail
RMail offers an automatic encryption mode. When both the sending and receiving mail servers support TLS, RMail delivers the message over TLS; otherwise it encrypts the message and its attachments with 256-bit encryption and delivers them directly into the recipient’s inbox, so there is no need to retrieve the message from an outside server or website. Keep in mind that TLS only protects the connection between mail servers; a message delivered over TLS arrives in plaintext in the recipient’s mailbox, whereas the encrypted-delivery option protects the content itself. RMail also offers end-to-end delivery options intended to ensure that only the intended recipient(s) can read the message, and several delivery configurations are available.
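To make the “TLS when detected, encrypted delivery otherwise” decision concrete, here is an added example of the check a sending system can make. It is not RMail’s code: the EHLO replies are constructed, not captured from any real server, and the policy function and its two delivery modes are assumptions for illustration. A mail server advertises STARTTLS as an extension keyword in its EHLO reply (RFC 5321 formats continuation lines as “250-” and the final line as “250 ”), so the sender parses that reply and chooses a delivery mode. The important property is the fallback: if STARTTLS is missing, whether because the server lacks it or because something on the path stripped it, the message is encrypted before it touches SMTP rather than sent in plaintext.

```python
"""Added example (not RMail's code): choose a delivery mode from the
recipient server's EHLO reply.  The replies below are constructed."""
import re
from typing import Set

# Constructed EHLO replies in RFC 5321 format ("250-" continuation, "250 " final).
EHLO_WITH_TLS = (
    "250-mx.example.org Hello sender.example.net\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250-8BITMIME\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)
EHLO_WITHOUT_TLS = (
    "250-mx.legacy.example Hello sender.example.net\r\n"
    "250-SIZE 10240000\r\n"
    "250 8BITMIME\r\n"
)

_EHLO_LINE = re.compile(r"^250([ -])(.*)$")


def parse_ehlo_extensions(reply: str) -> Set[str]:
    """Return the set of extension keywords advertised in an EHLO reply.

    The first line carries the server's domain and greeting text, not an
    extension, so it is skipped.  Parsing stops at the "250 " final line.
    """
    exts: Set[str] = set()
    for i, line in enumerate(reply.splitlines()):
        m = _EHLO_LINE.match(line)
        if not m:
            raise ValueError(f"unexpected EHLO line: {line!r}")
        if i > 0:
            parts = m.group(2).split()  # "SIZE 52428800" -> ["SIZE", "52428800"]
            if parts:
                exts.add(parts[0].upper())
        if m.group(1) == " ":
            break  # final line of the multi-line reply
    return exts


def choose_delivery(ehlo_reply: str, require_content_encryption: bool = False) -> str:
    """Assumed policy: 'smtp_tls' when the receiving server advertises STARTTLS
    and transport-only protection is acceptable; otherwise 'encrypted_inline',
    meaning the body and attachments are encrypted before SMTP hand-off.
    Plaintext SMTP is never a possible outcome, so a stripped STARTTLS
    advertisement downgrades to content encryption, not to cleartext."""
    exts = parse_ehlo_extensions(ehlo_reply)
    if "STARTTLS" in exts and not require_content_encryption:
        return "smtp_tls"
    return "encrypted_inline"


if __name__ == "__main__":
    stripped = EHLO_WITH_TLS.replace("250-STARTTLS\r\n", "")  # simulated downgrade
    for name, reply in [("tls-capable", EHLO_WITH_TLS),
                        ("no-tls", EHLO_WITHOUT_TLS),
                        ("stripped", stripped)]:
        print(f"{name:12s} -> {choose_delivery(reply)}")
```

The `require_content_encryption` flag models a sender who treats TLS as insufficient for PHI and always wants the content itself protected; the downgrade case in the usage block shows why the fallback branch matters.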
Extra Benefits of RMail
RMail states that it is the only service that delivers encrypted messages and attachments directly into the recipient’s inbox. Recipients do not need to register for an account, open a web browser, or otherwise leave their inbox to read messages. In addition to encrypting email, RMail includes a click-to-sign feature and tracks delivery and receipt of each message. RMail integrates with Gmail and Outlook.
Cost of RMail
RMail offers a free service level for those that only need to encrypt occasionally. This free service level works with any email address and lets you send 5 messages per month, with no credit card required. For business users, this HIPAA compliant email encryption service is available on a per user per month basis, and plans are tiered based on the number of users and the number of messages sent monthly. Their Standard professional plan includes 1 to 10 users and costs $14.99/user/month. Also available is their Personal plan (1 user) and Enterprise plan (100+ users). RMail requires no setup fee.
Barracuda – HIPAA Compliant Email Encryption Service
Barracuda is a 100% cloud-based email security and archiving option. Its email security service combines several layers of protection for incoming and outgoing email. Barracuda focuses on security because email is one of the main sources of breaches and data leaks: it stops email-borne threats before they reach your server, protects against targeted attacks, and keeps critical data from leaving your business. In addition, Barracuda offers archiving for retention and compliance.
Setup of Barracuda
You can access this HIPAA compliant email encryption service through their web portal “cloud control.” Through that portal, users can manage security options, message log, archiver, and more. It is fully cloud based, and requires no hardware or software installation. Setup takes less than 30 minutes. Check out the free trial or view a demo.
Encryption and Security of Barracuda
Barracuda complies with the portions of HIPAA and HITECH that apply to its services (e.g. transmission security, audit controls, etc.). The Barracuda Message Center uses the Advanced Encryption Standard with a 256-bit key, commonly known as AES-256. The first time a recipient receives an encrypted message, Barracuda generates a unique key for that recipient; messages to that recipient are encrypted under that key, and the connection used to read them is protected with Transport Layer Security (TLS).
Extra Benefits of Barracuda
Barracuda has many features that come with their email service. They offer advanced threat protection, which automatically scans email attachments in real-time for potential threats. Included in the email service are link, malware, phishing, typosquatting, spam, and virus protections.
Outbound filtering stops attacks that originate inside your network from leaving it. The data leak prevention feature detects messages containing sensitive information and blocks them or encrypts them automatically. Email spooling holds mail for delivery during server failures and loss of connectivity. Because some attacks simply aim to overwhelm the mail server, Barracuda’s Denial of Service Attack Prevention helps stop spammers before they overload it.
Cost of Barracuda
Barracuda’s cloud-based email security service is $4.50/user/month with a minimum of 10 users. There is not a setup fee.
Hushmail – HIPAA Compliant Email Encryption Service
Hush Communications launched Hushmail in May 1999 and is recognized as a leader in email encryption. Hushmail provides Healthcare Email Encryption to help its clients meet HIPAA requirements. You receive your Business Associate Agreement in one of the first emails you get after signing up.
Setup of Hushmail
There is no installation needed. Their email services can be used with your current email domain. A Hushmail subdomain can be issued if you do not own a domain. Your other email addresses can be forwarded to your Hushmail account to provide a central location.
Encryption and Security of Hushmail
OpenPGP encryption is automatic for messages between Hushmail users and is also available when sending to other email addresses; you control it with a checkbox on the compose screen of the webmail portal or in the Hushmail app on your iPhone. All connections between users and the Hushmail servers are protected with SSL/TLS, and the company’s website states that its TLS configuration is rated A+ by Qualys SSL Labs. Two-factor authentication is available (and highly recommended) to add an extra layer of protection to logins.
Extra Benefits of Hushmail
This HIPAA compliant email encryption service automatically creates a separate archive account that keeps a record of all email sent or received by every user in your business’s domain, which is essential in case of an audit. Hushmail lets you create unlimited email aliases so you can send from an address other than your real one for privacy. Each user receives 10GB of storage for email and attachments.
Secure web forms are included with the Hushmail for Healthcare package. Users are able to securely receive confidential information collected on their website, which can come in handy especially for medical practices and insurance agencies.
Cost of Hushmail
The rate for Hushmail for Healthcare Email Encryption is $9.99/month/user with a one-time $9.99 setup fee.
Identillect – HIPAA Compliant Email Encryption Service
Identillect Technologies offers Delivery Trust, an easy-to-use email encryption service for organizations of all sizes. With the click of a button, its patented encryption technology protects messages in transit. Delivery Trust advertises that users can send secure email instantly to any recipient, anywhere, and the product delivers on that. When you sign up you can walk through an interactive demo of the offering.
Setup of Identillect
Delivery Trust can be purchased as a web portal for sending email or as a plugin for Gmail, Microsoft Outlook, or Outlook 365, delivered as a Chrome extension (Gmail) or an Outlook add-in. Identillect uses your current email address, so there is no need to adopt a new one. The company provides tutorials for new users, including videos you can follow before trying each feature yourself.
Encryption and Security of Identillect
This HIPAA compliant email encryption service assigns every registered user a randomly generated 256-bit AES key. All messages a registered user sends are encrypted under that AES key and transmitted over SSL/TLS with 2048-bit RSA keys. An unregistered recipient does not need to install Delivery Trust to read a message: they receive a notification email with a link to the Delivery Trust web portal, answer the authentication question(s) the sender set, and Delivery Trust decrypts the message for viewing there.
Extra Benefits of Identillect
There is also a Delivery Trust Business package that sets an organization up to use Identillect for all of its needs. A business administrator can create an Enterprise Policy that dictates how users operate: which authentication questions to use, which security controls to apply (e.g. disabling printing or forwarding, retracting messages), whether users can permanently delete messages, and what retention policy applies. A complete log records every action taken on a message (location, IP address, when it was opened and by whom, forwarding, and so on).
The Secure Scan feature automatically prompts users to encrypt messages that contain sensitive data. It uses a modifiable dictionary of keywords to detect, and it also recognizes number sequences (like SSN and credit card numbers).
Other features include options to receive discreet read receipt for sent emails and two-factor authentication with their web portal. You’ll have the capability to send messages up to 1GB in size.
Identillect also offers a HIPAA compliant eSign solution. The company points out that most other eSign products deliver the finalized document as an unencrypted PDF attachment, which is a compliance problem whenever that document contains PHI, as signed healthcare documents usually do.
Cost of Identillect
Identillect sells licenses per email address at $5.95 to $10.95 per month depending on the features and plugins chosen: web-only service is $5.95/user/month; the Gmail and Outlook 365 plugin is $7.95/user/month; web service plus Microsoft Outlook integration is $8.95/user/month; and Delivery Trust Business, with every service Identillect offers, is $10.95/user/month. If you purchase an annual subscription with the coupon code HIPAA, Identillect takes 10% off your order.
LuxSci – HIPAA Compliant Email Encryption Service
Setup of LuxSci
You access this HIPAA compliant email encryption service through a web portal. You do not have to create a new email account for LuxSci. Setup is simple: go to LuxSci’s website and sign in to reach the web portal.
Encryption of LuxSci
LuxSci encrypts email, sends bulk email over SMTP, and compiles email reports, and it offers enterprise services to companies of any size. It also offers a migration service that moves your existing email and data onto LuxSci’s servers if you choose to switch to its hosting.
Email sent through LuxSci is automatically encrypted with its end-to-end encryption service. LuxSci is committed to safeguarding ePHI: connections to its servers use SSL/TLS, which protects messages from being read or modified in transit. Users can send secure messages to anyone with a valid email address; the recipient does not need a LuxSci account, TLS, or PGP support to receive or reply.
Security of LuxSci
LuxSci also offers multiple encryption options: SMTP TLS, PGP, S/MIME, or Escrow, plus optional VPN access for extra security. HIPAA compliant accounts have a default 20-minute idle timeout; the system logs the user off after 20 minutes of inactivity, and an administrator can raise the limit to a maximum of 3 hours.
This HIPAA compliant email encryption service also offers comprehensive security auditing for all accounts. LuxSci backs up your data daily; daily backups are kept on site for 2 days and weekly backups are kept off-site for 4 weeks before being destroyed, and users can request a free restore once a month. LuxSci also offers a “Maximal Security” setting that enforces a 20-minute maximum idle timeout, required encryption, password strength requirements, and secure logins; users may lock this setting so it cannot be changed.
In compliance with HIPAA, LuxSci provides an email encryption system designed to transfer ePHI securely. Its mail servers use SMTP TLS to pass email securely between themselves. Escrow delivery requires the recipient to verify his or her identity before reading the message at a secure web portal, and PKI is used to encrypt messages internally before they are sent to recipients.
Extra Benefits of LuxSci
LuxSci has many highly technical features and add-ons. Users must log in with a username and password to reach the encryption services; HIPAA compliant accounts must use strong, complex passwords, and LuxSci automatically audits password changes and resets on those accounts.
If you want a program that provides secure HIPAA compliant email encryption with many options and features, LuxSci is a great choice. SMTP integration is straightforward, so you can add LuxSci to your existing desktop client. LuxSci also offers a plug-in for hosted mail accounts such as Gmail or Yahoo Mail, a third-party overlay that lets you keep your domain name while meeting HIPAA requirements.
LuxSci provides HIPAA training for its staff. It also offers an email archive with unlimited storage for backup and auditing, and integrates productivity tools such as calendars, workspaces, tasks, file sharing, and address books.
Cost of LuxSci
LuxSci has two purchase options: Business Class and Enterprise Class. Business Class is $10.00/month with 50GB of disk space and $0.75/GB for extra space; Enterprise Class is $20.00/month with 25GB of disk space and $1.00/GB for extra space. Those monthly figures are the minimum monthly charges for each class. Email accounts cost $4.00 to $10.00 each per month depending on the options chosen, and users pay a one-time $100.00 charge for the HIPAA and Omnibus Final Rule compliant versions. Request a free trial.
Protected Trust – HIPAA Compliant Email Encryption Service
Protected Trust gives users an easy and secure way to send and receive email containing PHI. Users can attach files such as x-rays and referrals, up to 5GB per message. You can send email with Protected Trust through Microsoft Outlook, your EMR, or the web portal. Protected Trust is a privacy, data, and security company that specializes in services and solutions that help companies manage risk and exposure to their data.
Protected Trust offers 24/7 support to all customers. The company operates its own data centers, and all employees are bound by HIPAA requirements. It performs regular penetration testing and voluntary audits and works with high-security government organizations. Although it reports never having had a data breach, it carries breach insurance for extra protection. Protected Trust complies with major government regulations such as HIPAA, HITECH, GLBA, and SOX.
Setup of Protected Trust
An account with Protected Trust can be set up in as little as 10 minutes and requires no training. This HIPAA compliant email encryption service can be accessed through the web portal in any web browser or integrated with Microsoft Outlook. Setting it up is as simple as opening an account and signing in. The web portal can be reached from anywhere, including mobile devices, and there are also apps for iPhone and iPad. Users keep their current email address. Try the free trial.
Encryption and Security of Protected Trust
Protected Trust uses end-to-end AES-256 encryption together with two-factor authentication for encrypted messages, and stores messages encrypted at rest. Read receipts tell the sender when the recipient has opened the message. Senders can revoke a message both before and after it has been opened, and can set an expiration time after which the recipient no longer has access to the message or its contents.
Protected Trust’s verification options are an interesting feature. When sending an encrypted message to someone not registered with Protected Trust, the sender can require verification in one of three forms. First, a secret code: the recipient must enter it to open the message. Second, phone verification: the recipient receives a phone call or an email with a randomly generated code to enter. Third, a free guest account: a one-time verification grants the recipient access to future messages.
Extra Benefits of Protected Trust
The package includes unlimited secure messaging and unlimited free guest accounts. Email encryption accounts have 10-year message retention, while guest accounts retain messages for only 30 days. Protected Trust also keeps a proof-of-delivery log and offers an email archiving service, sold separately from the encryption service.
Cost of Protected Trust
The cost is $36.00 per month with a minimum of 3 users. Additional users are $12.00 each. They can also set up a single user license at $15.00 per month if the user only needs one account for their office. There is no setup fee.
Virtru – HIPAA Compliant Email Encryption Service
Virtru Data Protection for healthcare organizations is suitable for everything from small organizations to large enterprises and allows you to easily share HIPAA compliant emails and attachments with anyone, right from your existing inbox.
Setup of Virtru
Virtru supports a number of platforms, including G Suite, Office 365 and Outlook. It offers a web browser extension, as well as applications for your iOS and Android devices. Virtru does not require you to create a new account or password, so integration is virtually seamless.
Encryption and Security of Virtru
Virtru states that its encryption is end-to-end: only you and your intended recipient can decrypt a message, and no third party (including Virtru) has access to your content. Encrypting a message takes one click, and preferences can be set per message. Users and admins can revoke a message at any time (even after it has been opened), see and control where messages are forwarded, and set expiration dates.
This HIPAA compliant email service is also easy for recipients. They do not need Virtru to read a secure message: they verify that they are the intended recipient, and the message decrypts in Virtru’s Secure Reader. See the video tutorial for how this works. For an extra layer of security, Virtru uses an “ephemeral key exchange” to create a new key each time users log in to their email accounts.
Extra Benefits of Virtru
The Administrative Dashboard has an easy-to-use web interface for managing your organization’s users and seeing where encrypted messages are being sent. Virtru’s Data Loss Prevention (DLP) scans each outgoing email for text patterns, keywords, and recipients that indicate sensitive information that may need to be encrypted. DLP can detect credit card and Social Security numbers and keywords (e.g. password, HIPAA, account number, proprietary, etc.), and custom rules can be added. Users can set the DLP feature to scan an email and send a warning, or to send the email encrypted automatically.
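Both Identillect’s Secure Scan and Virtru’s DLP rely on the same idea: scan the outgoing message for a keyword dictionary and for number sequences such as SSNs and credit card numbers, then either warn the user or force encryption. The example below is added here to show what such a check looks like; it is not code from either vendor, and the keyword list, the per-rule actions (warn vs. encrypt) and the four sample messages are constructed assumptions. One detail worth noticing is the Luhn check on candidate card numbers: a bare 16-digit regex would flag order numbers and other long digit strings, so the check only counts a match that passes the checksum, which is how real DLP engines keep the false-positive rate tolerable.

```python
"""Added example (not Identillect's or Virtru's code): an outbound DLP check
with a keyword dictionary, an SSN pattern, and a Luhn-validated card pattern.
Keyword list, actions and sample messages are constructed for illustration."""
import re
from typing import List, Tuple

# Constructed keyword dictionary; a real deployment tunes this per organization.
KEYWORDS = {"password", "hipaa", "account number", "proprietary", "diagnosis"}

# SSN: AAA-GG-SSSS, rejecting area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card-shaped run of 13 to 19 digits with optional single space/dash separators.
CC_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

# Action per finding kind (assumed policy): keywords warn, numbers force encryption.
ACTIONS = {"keyword": "warn", "ssn": "encrypt", "credit_card": "encrypt"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, subtract 9 if
    the result exceeds 9, and require the sum of all digits to be 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_message(subject: str, body: str) -> List[Tuple[str, str]]:
    """Return (kind, matched_text) findings for a message."""
    text = f"{subject}\n{body}"
    lower = text.lower()
    findings: List[Tuple[str, str]] = []
    for kw in sorted(KEYWORDS):
        if kw in lower:
            findings.append(("keyword", kw))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", m.group(0)))
    for m in CC_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group(0))):  # drop separators, then checksum
            findings.append(("credit_card", m.group(0)))
    return findings


def scan_and_decide(subject: str, body: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Return ('encrypt' | 'warn' | 'send', findings). The strictest action wins."""
    findings = scan_message(subject, body)
    if any(ACTIONS[kind] == "encrypt" for kind, _ in findings):
        return "encrypt", findings
    if findings:
        return "warn", findings
    return "send", findings


# Constructed sample messages (subject, body); the card number is a well-known test value.
CONSTRUCTED_MESSAGES = [
    ("Follow-up", "Patient SSN is 123-45-6789, please confirm the diagnosis."),
    ("Reminder", "Please reset your password before Friday."),
    ("Lunch", "Pizza at noon in room 1234?"),
    ("Billing", "Charged card 4111 1111 1111 1111 on file; ref 1234 5678 9012 3456."),
]

if __name__ == "__main__":
    for subject, body in CONSTRUCTED_MESSAGES:
        decision, found = scan_and_decide(subject, body)
        print(f"{subject:10s} -> {decision:8s} {found}")
```

In the “Billing” sample only the Luhn-valid number is reported; the 16-digit reference number fails the checksum and is ignored, which is exactly the distinction a dumb digit-counting rule cannot make.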
Virtru Data Protection meets HIPAA compliance requirements, along with many other federal regulations.
*It’s important to note that Virtru for Personal Use (the free plug-in), does not include a BAA, and does not enable HIPAA compliance.
Cost of Virtru
For pricing information or to see how this HIPAA compliant email encryption service can work with your organization to meet your compliance requirements, please contact a sales representative.
Total HIPAA sees these eight solutions as a great fit, in both price and features, for small and mid-size businesses. All of the recommended services sign Business Associate Agreements with their clients. We encourage you to try the free trials and determine which works best for your organization.
There are also excellent providers for larger organizations with a significant number of users who need email encryption. Zixmail is a practical option; see our previous review.