How Email Works

By default, whenever you send or receive email, you must connect through the internet to an email service provider (email server). The reality is that most email service providers do not implement any security measures whatsoever. This means everything you send to or receive from your email service provider is unsecured, including your username, password, email messages, attachments, who you are sending to, and who you are receiving from. (See the diagram below.)

HIPAA email encryption chart1

It gets worse! Most email service providers connect to other email service providers without any encryption. If the other party is not using a secure email service, their emails can also be compromised. So the emails you send and receive through the internet are wide open, unsecured, and can be easily intercepted by thieves. This is one of the main causes of identity theft, spam, and security breaches. (See the diagram below.)

HIPAA compliant email encryption chart2

HIPAA Email Encryption

Unlike other email service providers, Email Pros encrypts all connections between our servers and your computers and mobile devices. We also encrypt our webmail interface so you can securely access your email anywhere using a web browser. Any sensitive information you send to or receive from our email service is 100% secure. Just imagine your organization in a completely secure, private Email Cloud. (see the diagram below)

HIPAA email encryption chart3

All email communications within your organization and between other Email Pros customers are 100% secure. The user experience for sending and receiving email is seamless and does not require any additional steps to encrypt or decrypt messages; all security is handled by our servers. In other words, you can use email as you normally do, in a completely secure environment. When you refer other healthcare organizations to sign up with us, all communications between your organization and theirs will also be 100% secure. Plus, you can earn credits for your referrals! (see the diagram below)

HIPAA compliant email encryption chart4

HIPAA requires all "Covered Entities," or healthcare professionals, to use encryption when transmitting data to each other over the internet. Covered entities must use a HIPAA Compliant Email Service Provider (like Email Pros) or run their own HIPAA Compliant Email Server that supports Transport Layer Security (TLS) for data "in transit" at all endpoints. This ensures that both email servers transmit data back and forth securely over an encrypted connection. The user experience between the sender and the recipient is seamless: all security is handled by both email servers, and no additional steps are required to encrypt or decrypt those messages. In other words, you can use email as you normally do within this secure network. (See the diagram below.)

HIPAA email encryption chart5

Patients are not covered entities, so they are not required to use a HIPAA Compliant Email Service Provider to communicate with covered entities. Patients are allowed to use any email service they want, even if it's their personal (unsecured) email address. Covered entities cannot legally force patients to use secure email to communicate with them. However, HIPAA requires all covered entities to receive incoming emails securely. We cover that by protecting all incoming emails as soon as they arrive at our servers and delivering those messages to you securely. (See the diagram below.)

HIPAA compliant email encryption chart6

HIPAA requires all outgoing emails sent from a covered entity to another covered entity or a patient to be sent using encryption, but HIPAA does not specify what type of encryption is required. There are two types of encryption: "encryption in transit" and "encryption at rest". When an email is sent from our servers using TLS, this is called encryption in transit. Once your email is delivered to your recipient, they are responsible for the security of that message. However, TLS only protects the data being transmitted from one server to another; it does not protect your email after it is delivered. This means your email is sitting on a server or computer somewhere without any protection, and anyone can open it to view its contents. Some argue that using TLS alone is an acceptable form of encryption for HIPAA compliance, while others insist that all emails must be encrypted at rest to be HIPAA compliant. Fortunately, we've got you covered on both fronts.
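
One way to check the "in transit" half of this on a delivered message is to read its `Received` headers, where each receiving server records the protocol it accepted the message with. The following is an added example, not code from Email Pros; the hostnames, addresses and sample message are constructed, and the helper names are hypothetical.

```python
import re
from email import message_from_string

# RFC 3848 / RFC 6531 "with" keywords that record a TLS-protected hop.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

def strip_comments(value):
    """Drop (nested) parenthesised comments, e.g. "(using TLSv1.3 with cipher ...)"."""
    prev = None
    while prev != value:
        prev, value = value, re.sub(r"\([^()]*\)", "", value)
    return re.sub(r"\s+", " ", value).strip()

def hop_report(raw):
    """Return [(from_host, by_host, protocol, used_tls)], oldest hop first."""
    hops = []
    for header in reversed(message_from_string(raw).get_all("Received", [])):
        value = strip_comments(header)
        fb = re.search(r"\bfrom\s+(\S+).*?\bby\s+(\S+)", value, re.I)
        proto = re.search(r"\bwith\s+([A-Za-z0-9]+)", value, re.I)
        name = proto.group(1).upper() if proto else "UNKNOWN"
        sender, receiver = fb.groups() if fb else ("?", "?")
        hops.append((sender, receiver, name, name in TLS_PROTOCOLS))
    return hops

def cleartext_hops(raw):
    """Hops whose receiving server did not record TLS."""
    return [hop for hop in hop_report(raw) if not hop[3]]

# Constructed sample message (documentation hostnames and addresses).
SAMPLE = "\n".join([
    "Received: from mx.partner.example (mx.partner.example [203.0.113.7])",
    " (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))",
    " by mail.clinic.example (Postfix) with ESMTPS id 4F1A2",
    " for <doctor@clinic.example>; Mon, 1 Jan 2024 10:00:02 +0000",
    "Received: from relay.isp.example (relay.isp.example [198.51.100.9])",
    " by mx.partner.example with ESMTP id 77B3C; Mon, 1 Jan 2024 10:00:01 +0000",
    "Received: from laptop.home.example ([192.0.2.44])",
    " by relay.isp.example with ESMTPSA id 12ABC; Mon, 1 Jan 2024 10:00:00 +0000",
    "From: patient@isp.example",
    "To: doctor@clinic.example",
    "Subject: lab results",
    "",
    "See attached.",
])

if __name__ == "__main__":
    for hop in hop_report(SAMPLE):
        print(hop)
```

Only the headers written by servers you control are trustworthy, since earlier hops can insert anything they like, and a clean report says nothing about how the message is stored once delivered.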

We offer Message Encryption, which encodes (encrypts) your emails in such a way that they can only be read by obtaining a "decrypt key" to open them. To send an encrypted message, you simply type the phrase "encrypt/" in the subject box and our systems do the rest. Your message, including any small attachments, is converted into an encrypted PDF file. Each encrypted PDF file is protected by requiring a unique decrypt key from our Secure Portal in order to open it. This enhances security, as one decrypt key cannot open any other encrypted PDF file. The recipient must register their email address for a free account (one-time only) and set a "master password" with our system in order to obtain all future decrypt keys. Once an encrypted PDF file is opened, the recipient can access the protected information and also has the option to use a "reply" button, which allows them to send a secure reply and attachments of up to 5MB back to you. Only the recipient knows his or her registered master password to obtain decrypt keys from us, which ensures that the intended recipient is the only person who can open that message.

We also offer the ability to send secure attachments of any size to anyone using Secure File Link. Sending large attachments via email often results in bounce messages (returned email) because of file size limitations. Secure File Link allows you to send files from our secure cloud, up to 2GB in size, bypassing all external mail servers' file size restrictions. You simply upload your file to our server, then send a secure link to the recipient. You can set a time expiration on that link to make the file no longer accessible after a specific day and/or time. You can also password protect the link and discreetly communicate the password to the recipient (by means other than providing the password within that email). This makes it extremely easy for the recipient to securely receive files from you. (see the diagram below)

HIPAA email encryption chart7

Finally, our service includes a Data Loss Prevention (DLP) system, which sits at the edge of our network. Our DLP system automatically scans all outgoing emails (sent outside of our secure network), including attachments, for sensitive information such as social security numbers, credit card numbers, and anything else covered by the policies we have in place. This system runs in the background, and if it detects that you are sending sensitive information that matches one of our policies, it will quarantine the email and send a warning message back to you with two options: send the email as-is or send it out encrypted. You no longer have to worry about employees leaking sensitive information through email again!
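
The kind of check such a DLP policy performs can be sketched as follows. This is an added example, not Email Pros' implementation; the internal domain, the two patterns and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

INTERNAL_DOMAINS = {"clinic.example"}  # assumption: domains inside the secure network
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators

def luhn_ok(digits):
    """Luhn checksum: rejects digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_sensitive(text):
    """Return the set of policy names ("ssn", "card") that the text matches."""
    hits = {"ssn"} if SSN_RE.search(text) else set()
    for match in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", match.group())):
            hits.add("card")
    return hits

def scan_outgoing(raw):
    """Return (action, policies): quarantine external mail that matches a policy."""
    msg = message_from_string(raw)
    rcpts = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    if rcpts and all(a.rpartition("@")[2].lower() in INTERNAL_DOMAINS for _, a in rcpts):
        return "deliver", []  # stays inside the secure network, not scanned
    hits = find_sensitive(msg.get("Subject", ""))
    for part in msg.walk():  # body and text attachments; binary files need extraction first
        if part.get_content_maintype() == "text":
            body = part.get_payload(decode=True) or b""
            hits |= find_sensitive(body.decode(part.get_content_charset() or "utf-8", "replace"))
    return ("quarantine" if hits else "deliver"), sorted(hits)

# Constructed sample messages; the card number is a well-known test value.
EXTERNAL = ("From: nurse@clinic.example\nTo: patient@mail.example\nSubject: Billing\n\n"
            "SSN 123-45-6789, card on file 4111 1111 1111 1111.\n"
            "Order reference 1234 5678 9012 3456 is not a card number.\n")
INTERNAL = EXTERNAL.replace("patient@mail.example", "doctor@clinic.example")

if __name__ == "__main__":
    print(scan_outgoing(EXTERNAL))
    print(scan_outgoing(INTERNAL))
```

The Luhn check is what keeps the 16-digit order reference from triggering the card policy, which matters because every false positive puts a legitimate email in quarantine.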
