Menu
Menu
Let’s think of an email as an envelope. The outside of the envelope specifies the delivery details, including to whom and how it shall be sent. The inside of the envelope contains the sensitive content, such as electronic patient health information (ePHI), for example, medical forms subject to HIPAA compliance.
The content of a typical internet email message resides on two or more unsecured servers during its journey from sender to recipient.
The sender uses an email client (such as Microsoft Outlook or a mail app on their smartphone) to create a message. Pressing the SEND button transmits the email and content to a receiving server (typically the sender’s email provider).
During this sending process, the email envelope and its content are sent as plain text via SSL (a secure connection) to Server A (your email provider). That email sits on Server A in plain text without any HIPAA-compliant email encryption for a period of time.
At some point, typically after a few minutes, Server A will transmit the plain text email to Server B (the recipient’s email provider). One of the key reasons regular email is not HIPAA-compliant is that this transmission is done via SMTP, a non-secure plain text email protocol.
The email then sits unencrypted on Server B (at the recipient’s email provider) for a period of time. At some point, the recipient will open their email client and the email will be downloaded from Server B via SSL (a secure channel) to the recipient’s email client. At that point, it will be opened and read by the recipient.
To sum this up… the email and its contents sat on at least two servers (possibly more) in plain text, unprotected. Essentially, this email is not HIPAA-compliant because the message was also sent over the internet via an insecure channel multiple times without proper HIPAA email encryption.
Bottom line: Once you send an email, you never know what servers will be handing off the message and via what protocols and channels it will be sent. That’s why internet email is NOT secure enough to satisfy HIPAA requirements, and sending ePHI over conventional email is a dangerous game.
The MailHippo platform secures the message by extracting the content (the sensitive part inside the envelope) and securing it with HIPAA-compliant email encryption before the email is ever sent.
In order to make sure your email is HIPAA-compliant, MailHippo stores the message body and attachments (the content) as encrypted records in our web portal. The outbound message we send is merely a pointer back to the message content residing on our secure platform.
In short, the sensitive content of the email message is never sent via email over the internet… only the message envelope is.
MailHippo encrypts email messages in two ways:
First, we use encryption during the transmission of messages from and to the MailHippo secure platform. All communications with the MailHippo web portal employ SSL TLS 1.2 or higher level of encryption
To further make sure your email is HIPAA-compliant, all records are also stored encrypted on the MailHippo platform. MailHippo’s HIPAA email encryption security protocol involves the message body and all attachments being encrypted using AES 256-bit algorithms.
Finally, MailHippo goes a step further by encrypting the key ring that stores the keys necessary to decrypt these records.
This means all email messages are encrypted both in transit AND at rest!
Hopefully, this sheds some light on just how insecure standalone internet email can be, as well as how the MailHippo platform secures email messages in transit and at rest – and why MailHippo is the go-to HIPAA-compliant email choice for medical professionals and other covered entities subject to HIPAA.
Have more questions? We’re here to help. Click here to reach out to our MailHippo team and learn how our email platform is HIPAA-compliant. We’re standing by to answer any questions you may have!
© 2025 MailHippo, Inc.
View our Privacy Policy or contact our Customer Service team.
