Is Paubox HIPAA Compliant?

Paubox is a HIPAA compliant email service that enables covered entities and business associates to encrypt emails by default and that offers additional capabilities to help safeguard Protected Health Information against phishing, ransomware, and data loss.

One of the biggest challenges of HIPAA compliance is ensuring the confidentiality of Protected Health Information (PHI) when it is communicated electronically. PHI is communicated electronically millions of times every day by healthcare providers to health insurers, to other healthcare providers, and to patients. Most of these electronic communications are emails.

The volume of emails – and the way in which emails are sent and received – makes email an attractive target for cybercriminals. Not only can cybercriminals intercept emails in transit to access PHI without authorization, but they can also impersonate legitimate correspondents (“spoofing”) to phish for user credentials and access PHI at rest in healthcare databases.

HIPAA requires covered entities and business associates to implement safeguards to protect electronic PHI in transit and at rest. The standards most applicable to email suggest encryption is the expected approach, but there are several challenges with email encryption. These challenges include incompatible encryption standards and the inconvenience of encryption.

Incompatible Encryption Standards

There are several types of encryption standards. Most require the sender and the recipient to use a mail application that supports the same encryption standard (i.e., S/MIME). Although emails will still be delivered if the sender and recipient do not use the same standard, they may not be encrypted on delivery unless the standard has a failover (i.e., S/MIME > TLS).

Without knowing what encryption standard a recipient is using, it is impossible to guarantee an encrypted email will be delivered in encrypted format. Furthermore, some mail applications support multiple standards. For example, if you send emails from a Microsoft Outlook account, you have the choice of TLS, S/MIME, and IRM encryption depending on the type of license.

The Inconvenience of Encryption

The inconvenience of encryption affects both senders and recipients. In some cases, it can take three or four additional steps to encrypt each email and apply permissions to the email before sending it. If the recipient does not use the same mail application (i.e., Outlook > Google), it can take a further three to four steps – or require a passcode – before they can read the email.

Because of the inconvenience, some users may neglect to encrypt an email containing PHI. In other cases – where some emails are encrypted but others are not – users may simply forget to go through the encryption process. Similarly, when a recipient receives an email which requires them to go through multiple processes to read it, they may not bother or – in the case of older patients – they may not have the technical knowledge to access the email.

What is Paubox?

Paubox is a software vendor that offers a suite of email services that range from email encryption to inbox security and data loss prevention. Unlike most email encryption services, Paubox encrypts all emails by default using the latest version of TLS encryption. If an email is sent to a recipient whose email account does not support TLS encryption, the recipient receives an email asking them to click on a link to view the email (and reply if necessary) via a secure website.

Because emails are encrypted by default, no user interaction is required when sending an email. Additionally, if it is necessary to view an email via a secure website, accessing the email is a one-click process. This eliminates both the challenges of incompatible encryption standards and inconvenience, while ensuring the privacy and security of PHI included in email messages.

Beyond the standard email encryption service, Paubox offers a “Business Plus” package that includes features such as malware and ransomware protection, a robust spam filter, and Salesforce CRM integration. Additional add-ons include email archiving and HIPAA compliant forms, while businesses can also subscribe to an email marketing platform and an API for automating emails at scale.

Is Paubox HIPAA Compliant?

No software is HIPAA compliant “off the shelf”. Most software has to be configured to support HIPAA compliance before it can be used to create, receive, store, or transmit PHI, and – in most cases – users have to receive HIPAA training on how to use the software compliantly. Fortunately, it is not difficult to make Paubox HIPAA compliant, and most users will require minimal training.

To make Paubox HIPAA compliant, covered entities and business associates only have to follow the simple instructions for integrating the email service with an existing business email application. Thereafter, it is necessary to agree to the terms of the Paubox HIPAA compliant Business Associate Agreement and import user email addresses into the software.

With regards to workforce training, users only need to be told they are using Paubox in case a recipient raises concerns about the Paubox image at the base of each received email. This could be covered by a short message in the footer of the email, but it is still advisable to inform users of the change in case an issue occurs that requires technical assistance.

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/