HIPAA Compliant Email Encryption Services – Our Recommendations
May 1, 2019
HIPAA requires all Covered Entities to protect PHI (Protected Health Information) at rest, in storage, and in transit. There is a common misconception that email is a secure way to send and receive PHI. Implementing HIPAA compliant email encryption practices is a requirement for protecting PHI. End-to-end encryption protects the message so that only the sender and the intended recipient can read the email’s content. Encryption works by assigning a unique “key” for unlocking the contents of the email, and only the intended recipient receives that key.
In this blog, we review eight email encryption vendors (Barracuda, Egress, Hushmail, Identillect, LuxSci, Protected Trust, RMail, and Virtru) who provide HIPAA compliant email encryption services that will keep your information safe when in transit. All of these products offer similar features and price points. These companies are equipped to handle all of your HIPAA compliant email encryption needs, and they provide the services at a reasonable price that even small and medium-sized businesses can afford.
Most importantly, all of these vendors will sign a Business Associate Agreement, which is required by HIPAA. Ultimately your organization will have to decide which provider offers the solution that best fits your needs. We have listed them in alphabetical order and divided each company’s description into four sections: setup, encryption and security, additional features, and cost.
Scroll to the end of the article to see a side-by-side chart comparison of all the recommended services.
Barracuda – HIPAA Compliant Email Encryption Service
You can access this HIPAA compliant email encryption service through their web portal called “cloud control.” Through cloud control, users can manage security options and access their message log and archive. It is entirely cloud-based and requires no hardware or software installation. Setup takes less than 30 minutes. This service works with Office 365, Microsoft Exchange, and other SMTP mail servers.
Barracuda: Encryption and Security
Barracuda complies with all portions of HIPAA and HITECH that apply to their services (for example, transmission security, audit controls, etc.). The Barracuda Message Center utilizes the Advanced Encryption Standard (AES) with a 256-bit cipher. The first time a recipient receives an email, Barracuda generates a unique key for that recipient. Encrypted emails are protected with the recipient’s key and delivered using Transport Layer Security (TLS) encryption.
Barracuda: Additional Features
Barracuda’s service offers many additional features. Advanced threat protection automatically scans email attachments in real time for potential threats. Specifically, it looks for malicious links, malware, phishing, typosquatting, spam, and viruses. They also offer an archiving feature for secure storage of important messages.
Outbound filtering prevents users from spreading attacks that originate inside the network. The data leak prevention feature detects emails containing sensitive information and either blocks them or automatically encrypts them. Email spooling ensures delivery even during server failures and loss of connectivity. Additionally, Barracuda’s Denial of Service Attack Prevention helps stop spammers from overloading the server.
Barracuda’s services cost $4.73/per user/per month. They require a minimum of ten users. There is no setup fee, and the company offers a free trial.
Egress – HIPAA Compliant Email Encryption Service
Single users and small businesses can quickly and easily set up Egress’ service on their own. This page on their website contains a download link for users who wish to install a desktop plug-in version of their product, which integrates with Outlook and Gmail; installing it adds a plug-in link to Outlook. Customers may also use this service from their web browser, with no download necessary. IT admins can also download Microsoft Installer (MSI) files for deploying Egress across their organization.
Egress: Encryption and Security
Egress appoints a Technical Account Manager for mid-size (or larger) businesses who can help with specific security needs, like HIPAA compliance. Clients can discuss requirements and implement Egress in cloud-hosted, fully on-premise, or hybrid setups according to their exact specifications.
Egress secures data at rest and in transit using AES-256 bit encryption, providing end-to-end, message-level encryption. Users can also enable extra controls, like forced multi-factor authentication. When you send an encrypted email with Egress, you can revoke recipient access or prevent recipient actions, such as downloading or copy/paste.
Multi-factor authentication can be enabled, and customizable policy controls allow further security enhancements for when sensitive data is being shared. Users can also send large files securely, bypassing file size restrictions. Automated Data Loss Protection (DLP) policies can recommend or force encryption based on keywords found within the email or attachments.
Egress: Additional Features
Egress software integrates with Outlook and Gmail, and also allows users to encrypt their emails from Apple and Android mobile devices as well as Apple computers and PCs. The Outlook feature works as an add-in that becomes part of the Outlook window. Users must access the Gmail service via the Google Chrome internet browser. If users check email through the Apple Mail application on their Mac, they can download an Egress app from the Apple App Store.
There is no setup fee for Egress users. The cost of their product depends on the number of users. For example, a single user pays $100/year (about $8.30 monthly) for their services. The more users a company has, the cheaper the price per user becomes. In addition to the user cost, there is also an infrastructure charge for clients with fewer than 25 users. (Contact a sales representative with inquiries about the cost of this charge for your business.) Egress offers a wide variety of services. If organizations choose to utilize more than just email encryption, the price will increase.
Notably, Egress is free for third party users, meaning recipients can access encrypted emails whether or not they use the service. So, if an employee using Egress sends an encrypted email to a client, they will still receive the data securely so no information is compromised. Third parties in this scenario can read, reply to, and initiate secure emails to keep PHI, PII, and other sensitive information protected. Egress also offers a free trial for users who would like to sample their services.
Hushmail – HIPAA Compliant Email Encryption Service
There is no installation needed. Their email services can be used with your current email domain. A Hushmail subdomain can be issued if you do not own a domain. Your other email addresses can be forwarded to your Hushmail account to provide a central location. Your Business Associate Agreement arrives in one of the first emails you receive when signing up.
Hushmail: Encryption and Security
Hushmail automatically creates a separate archive account that keeps a record of all emails sent or received by all users in your business’s domain. This feature is extremely helpful if your organization is audited. Hushmail gives you the ability to create unlimited email aliases to send emails from an address other than your real one. Each user receives 10GB of storage for their emails and corresponding attachments.
You also have the option to purchase Hushmail’s healthcare package. Users are able to securely receive confidential information collected on their website, which can come in handy especially for medical practices and insurance agencies.
Hushmail’s healthcare package costs vary depending on the number of users. Companies with more users pay a lower per-account price. One user costs $9.99/month with a 10GB storage capacity, and up to five users cost $19.99/month with a 15GB storage capacity. The price and storage capacity increase with the number of users. Companies with 100+ employees must contact Hushmail for a custom quote.
Identillect – HIPAA Compliant Email Encryption Service
Note: Identillect’s HIPAA compliant email encryption service is called “Delivery Trust.” We use “Delivery Trust” or “Identillect” throughout this blog post; both refer to the same company and service.
When you sign up for Delivery Trust, you can go through an interactive demo of the program. This program can be used as a web portal or as a plugin for Gmail or Outlook 365. The company provides tutorials, including videos, to help new users get the most out of the service.
Identillect: Encryption and Security
This HIPAA compliant email encryption service secures your data with randomly generated AES 256-bit encryption. All emails are encrypted under their assigned AES key and sent securely over SSL/TLS with RSA 2048-bit encryption. Recipients can view the contents of the email even if they have not installed Delivery Trust: they receive an email notification and click on a link. This takes the user to the Delivery Trust Web Portal to answer any authentication questions posed. Delivery Trust then decrypts the email so it can be viewed securely.
Identillect: Additional Features
Delivery Trust offers a business package which provides security features for an entire enterprise. With this package, users can appoint a business administrator to create policies for the company account. This includes specifying preferences around authentication questions, security controls (for example, disable printing, forwarding of an email, retracting emails, etc.), preventing employees from permanently deleting emails, and setting retention policies.
Delivery Trust automatically creates a log that records all user actions. It records the user’s location and IP address, and when each message was opened and by whom.
The Secure Scan feature automatically prompts users to encrypt messages containing any sensitive data. There is a modifiable dictionary for certain keywords to detect, and it also recognizes number sequences (like SSN and CC numbers).
Other features include the option to receive discreet read receipts for sent emails and two-factor authentication with their web portal. You’ll have the capability to send messages up to 1GB in size. Identillect also offers a HIPAA compliant eSign solution.
Identillect’s Delivery Trust costs $5.95 to $10/user/month depending on the plan. The individual plan is $5.95/user/month, and the business plan (best for multiple users) is $7.95/user/month. The latter is the most popular option. For an additional cost, you can add the secure e-sign feature to your account; this starts at $10/user/month. If you purchase an annual subscription using the coupon code HIPAA, Identillect will take 10% off your order. Users can try a demo of their services here.
LuxSci – HIPAA Compliant Email Encryption Service
You access this HIPAA compliant email encryption service through a web portal. The user does not have to create a new email account for LuxSci. Setup is simple: access LuxSci’s website and sign-in to access the web portal.
LuxSci: Encryption and Security
LuxSci encrypts, sends bulk emails over SMTP, and compiles email reports for any size company. They offer a service that transfers your existing emails and data into the LuxSci server if you switch to using their host service.
Emails sent through LuxSci are automatically encrypted end-to-end. They use SSL/TLS encryption to connect to their servers, ensuring messages cannot be modified in transit. Users can send secure messages to anyone with a valid email. The recipient does not need to have LuxSci to receive or reply to a LuxSci encrypted email.
In compliance with HIPAA, LuxSci provides an email encryption system designed to transfer ePHI securely. They use SMTP TLS enabled mail servers to securely pass emails between themselves. They also use Escrow that requires recipients to actively verify their identity before they can access a message at a secure web portal. Additionally, LuxSci uses PKI to internally encrypt email messages before sending them to the recipients.
LuxSci’s security options include SMTP, TLS, PGP, S/MIME, or Escrow. They also offer an optional VPN access for extra security.
LuxSci: Additional Features
When looking for a program that provides secure HIPAA compliant email encryption with many options and features, LuxSci is a great choice. They have made SMTP integration easy so that you can add LuxSci to your existing desktop client. Additionally, LuxSci adds a plug-in to online mail host accounts such as Gmail or Yahoo Mail to ensure HIPAA compliance through this third-party overlay option, allowing you to keep your domain name.
LuxSci provides HIPAA training for their staff, so everyone at the company understands the need to protect PHI sent via their service. Additionally, LuxSci offers email archiving with unlimited storage capacity for backup and auditing purposes. It also integrates productivity tools such as calendars, workspaces, tasks, file sharing, and address books.
HIPAA compliant accounts are required to have a high level of password strength and complexity. Automatic auditing of password changes and password resets are done for HIPAA accounts through LuxSci. They also offer a special 20-minute timeout period for their HIPAA compliant customers. The system automatically logs the user out after 20 minutes of inactivity. An administrator can increase the inactivity period up to a maximum of 3 hours.
LuxSci provides customers with comprehensive security auditing for all accounts. They automatically back up your data daily. Daily backups stay on site for 2 days, while weekly backups stay off-site for 4 weeks before being destroyed. Users can ask for free restored backups once a month.
LuxSci also offers a “Maximal Security” setting. This includes a 20-minute maximum timeout, forcing appropriate encryption, password strength requirements, and forced secure logins. Users may choose to lock this setting so it cannot change.
LuxSci offers three plans to best serve a variety of clients: small, custom, and enterprise custom. Factors like the number of users and servers help determine which plan best fits your business needs. The small plan works for up to 50 users and costs just $50/month. LuxSci’s custom plan hosts up to 250 users and costs $250/month. Lastly, their custom enterprise plan (which is for large companies) hosts an unlimited number of users and costs $1,000/month. All three plans are equipped to handle the needs of HIPAA compliant clients. Also, you may request a free trial here.
Protected Trust – HIPAA Compliant Email Encryption Service
Protected Trust: Setup
Users can easily set up an account with Protected Trust in as little as 10 minutes. This HIPAA compliant email encryption service can either be accessed through their web portal, using any web browser, or the user’s Microsoft Outlook email application. Setting this up is as simple as opening an account with Protected Trust and accessing your account with your login information. The web-based portal is a nice feature because it can be accessed anywhere, including mobile devices. There are also mobile apps for iPhone and iPad.
Protected Trust: Encryption and Security
Protected Trust uses end-to-end AES-256 bit encryption and two-factor authentication for encrypted messages. It stores and encrypts messages at rest. Users may utilize this HIPAA compliant email encryption service through Microsoft Outlook or their company’s electronic medical record (EMR) system. Users can send up to 5GB of data per message with this service.
Protected Trust also offers a read receipt feature so the user knows when the recipient has opened and read their email. Users are also able to revoke emails both before and after the message has been opened. Protected Trust also allows the sender to set an expiration time on the email so, after a specified amount of time, the recipient will no longer have access to the email or its contents.
Protected Trust: Additional Features
The service comes with unlimited secure messaging and unlimited free guest accounts. While the email encryption accounts have 10-year message retention, the guest accounts only have 30-day message retention. Additionally, Protected Trust has a proof-of-delivery log. They also offer an email archiving service; however, it is separate from the email encryption service.
Protected Trust offers 24/7 support to all customers, and they operate their own service centers. All of their employees are trained on HIPAA compliance, so they understand the importance of protecting the sensitive information they help users transmit. They often perform penetration testing and conduct voluntary audits in their own organization. Though they have never experienced a data breach, they have breach insurance for added protection. Their services are designed to comply with major government regulations, including HIPAA, HITECH, GLBA, SOX, and more.
When sending an encrypted email to someone not registered with Protected Trust, the user can require verification in 3 different forms. First, establish a secret code; the recipient must enter the secret code in order to open the email. Second, set up phone verification; the recipient can either receive a phone call or an email with a randomly generated key code to enter for access to the email. Lastly, recipients can set up a free guest account. One-time verification grants the recipient access to future emails.
Protected Trust: Cost
Protected Trust costs $36/month for a minimum of three users. Additional users are $12/month each. The company will set up a single user license for $15/month if their client only needs one account for the entire company. There is no setup fee. Additionally, Protected Trust offers a free trial for new users.
RMail – HIPAA Compliant Email Encryption Service
Note: RMail is the email encryption service of the company RPost.
RMail promises easy setup and intuitive use. The RMail “add-in” installation can be performed from the RMail website. Simply select the configuration that matches your current scenario. For example, Gmail users would select “RMail for Gmail.” After closing your current email client, you can install the software using a standard Installation Wizard approach. Once the installation completes and you reopen your email, the RMail add-in button is included when you compose a message. Contact email@example.com for setup help or call 866-468-3315, 8 am to 10 pm ET, Monday through Friday.
RMail: Encryption and Security
RMail provides true direct delivery of your encrypted message and attachments into your recipient’s inbox without requiring any extra links. That means recipients won’t need to register for an account, open a web browser, or otherwise leave their inbox to access messages. RMail offers an automatic encryption mode. All encrypted messages are sent by TLS automatically when TLS is detected and supported by both sender and recipient mail servers. Otherwise, RMail encrypts and delivers messages and attachments directly into the recipient’s inbox (at 256-bit encryption). There is no need to retrieve it from an outside server or website. With options for secure end-to-end delivery, you can be sure that your email message will only be read by its intended recipient(s). There are several delivery configurations available.
RMail: Additional Features
This service also does much more than email encryption. RMail tracks your important emails so you know precisely when the recipient receives and opens them. Its Registered Email technology and Registered Receipt™ email record eliminate uncertainty around email delivery by providing proof of correspondence, as well as proof of encrypted delivery. Use RMail’s E-sign (click-to-sign) feature to get recipients’ electronic signatures and securely transfer files as big as 1GB. New subscribers can continue utilizing their existing email addresses or create an RMail domain address for free. RMail works with several kinds of email clients and platforms, including Outlook and Gmail, for messaging flexibility. They also offer a feature that allows users to keep an audit trail of the emails they send and receive.
RMail’s technical support includes a knowledge base, FAQs, downloads, and training videos, as well as the ability to open a support ticket via their website with promises of a response within 24 hours. Notably, this feature is only available to Personal and Professional plan holders. Phone support is available for Enterprise plan holders only.
RMail offers a free service level for those who only need to encrypt occasionally. The free service works with any email address and lets you send five encrypted emails per month, with no credit card required. For business users, this HIPAA compliant email encryption service is available on a per-user, per-month basis. Plans are tiered based on the number of users and the number of messages sent monthly. Their standard Professional plan includes one to ten users and costs $14.99/user/month. Also available are their Personal plan (one user) and Enterprise plan (100+ users). For the Enterprise plan, you will need to request a quote. Also, there is no setup fee.
Note: This service is more expensive than some other email encryption providers, but they offer a great deal. Your $14.99/user/month subscription also includes the features we mentioned: secure file sharing (up to 1GB), time-stamped proof of delivery, and e-signature. You can try RMail for free here.
Virtru – HIPAA Compliant Email Encryption Service
Note: Virtru for Personal Use (the free plug-in) does not include a BAA, and therefore is not HIPAA compliant. You must purchase the paid version of Virtru to use their HIPAA compliant email encryption service.
Virtru Data Protection for healthcare organizations is suitable for everything from small organizations to large enterprises. It allows users to easily share HIPAA compliant emails and attachments with anyone, right from their existing inbox. Users can download the Virtru extension via their web browser or integrate Virtru into their Outlook or Gmail application.
Virtru: Encryption and Security
Virtru supports a number of platforms, including G Suite and Microsoft 365. It offers a web browser extension, as well as applications for your iOS and Android devices. This service does not require users to create a new account or password, so integration is fairly seamless.
Virtru: Additional Features
Virtru guarantees end-to-end encryption, with only the sender and intended recipient able to decrypt the message. Therefore, no third-parties (including Virtru) have access to any email content. It only takes one click in your usual browser to send an email with Virtru, and preferences can be set with each email. Virtru also allows admins to revoke a message at any time (even after it’s been opened), to see and control where messages are forwarded, and to set expiration dates for messages.
Virtru is extremely easy to use. Recipients don’t need to have Virtru to access the secure message. They first need to quickly verify that they are the intended recipient, and the message will effortlessly decrypt in Virtru’s Secure Reader. See how easy it is for recipients with their video tutorial. For an extra layer of security, Virtru uses an “ephemeral key exchange” to create a new key each time users log in to their email accounts.
Cost of Virtru
Virtru does not make its pricing public. You must contact a sales representative for customized pricing information.
Compare HIPAA Compliant Email Encryption Services:
| Company Name | Additional Features | Cost | Free Trial | Setup Fee |
|---|---|---|---|---|
| Barracuda | Threat protection scanning, archiving, automatic encryption, Denial of Service Attack prevention | Starting cost $4.73/user/month (minimum 10 users); increases with added features | Yes | No |
| Egress | Multi-factor authentication, secure large file sharing, Automated Data Loss Protection (DLP), controls over email recipient actions (like preventing copy/paste) | Varies based on the size of the company; on average, it costs $100/user/year ($8.30 monthly) | Yes | No, but the organization does charge an “Infrastructure Cost” fee |
| Hushmail | Archiving, the ability to create unlimited email aliases, email record management (for audits), integration with a website for accessing EMRs and other special features for healthcare industry clients | $9.99/user/month for one user with 10GB storage; $19.99/month for up to five users and 15GB storage | No, only for personal use users (not those who need the HIPAA compliant solution) | Yes, $9.99 |
| Identillect | Optional business admin account for implementing additional security controls, automatic encryption, eSigning, recipient multi-factor authentication | $5.95-10/user/month depending on the plan | Yes | No |
| LuxSci | Automatic timeout, optional business admin controls, secure productivity tools (calendars, workspaces, file sharing, and address books), HIPAA trained staff | $10/month for up to 50 users with 50GB storage; $67.50/month for unlimited users and storage (also dependent upon the number of client’s servers) | Yes | No |
| Protected Trust | 10-minute setup, works with EMR systems, mobile apps, multi-factor authentication for both users and email recipients, email expiration controls, 10-year message retention, 24/7 customer support, free guest accounts | $36/month for a minimum of three users (additionally, $12/user/month for each user over 3); single user licenses cost $15/month | Yes | No |
| RMail | Time-stamped proof of delivery, eSigning, time-stamped proof of opening, secure large file transfer, audit trail for sending and receiving emails, training videos, phone support (for users with premium accounts) | $14.99/user/month for one to ten users; larger companies receive custom quotes | Yes | No |
| Virtru | Mobile and web browser options, message revocation option, video tutorials, controls allow the sender to see where messages are forwarded, the option to set expiration dates for messages | Virtru does not disclose its pricing online; contact a sales rep for a custom quote | Yes | No |
In conclusion, Total HIPAA sees these eight solutions as a great fit, in both price and features, for small and mid-size businesses.
Most importantly, all of the recommended services sign Business Associate Agreements with their clients for HIPAA compliance. Barracuda, Egress, Hushmail, Identillect, LuxSci, Protected Trust, RMail, and Virtru all have extensive experience working with HIPAA compliant clients. Therefore, they will be able to service all your HIPAA compliant email encryption needs.
We encourage you to check out the free trials for each and determine which will best work for you and your organization.