Is Regular Email HIPAA-Compliant? What Makes MailHippo Secure?

No, without HIPAA-compliant email encryption protocols, regular email alone is not secure enough. Here’s why:

Let’s think of an email as an envelope. The outside of the envelope specifies the delivery details, including to whom and how it shall be sent. The inside of the envelope contains the sensitive content, such as electronic protected health information (ePHI), for example, medical forms subject to HIPAA compliance.

[Figure: Email envelope and message content]

Caution: The content of a typical internet email message resides on two or more unsecured servers during its journey from sender to recipient.

Let’s explore all the steps involved in how an email message is transmitted to see why, without HIPAA email encryption, regular email is not HIPAA-compliant.

[Figure: Email client]

The sender uses an email client (such as Microsoft Outlook or a mail app on their smartphone) to create a message. Pressing the SEND button transmits the email and content to a receiving server (typically the sender’s email provider).

[Figure: Client sending email to sender’s email server]

During this sending step, the email envelope and its content travel over an SSL/TLS connection (a secure channel) to Server A (your email provider), but the message itself is still plain text. Once it arrives, that email sits on Server A in plain text, without any HIPAA-compliant email encryption, for a period of time.

[Figure: Unencrypted email sitting on sender’s email server]

At some point, typically after a few minutes, Server A transmits the plain-text email to Server B (the recipient’s email provider). One of the key reasons regular email is not HIPAA-compliant is that this server-to-server hop uses SMTP, a plain-text email protocol that does not itself protect the message.

[Figure: Sender’s email server sending sensitive email over an insecure internet channel]

[Figure: Unencrypted email message stored on an insecure server]

The email then sits unencrypted on Server B (at the recipient’s email provider) for a period of time. At some point, the recipient will open their email client and the email will be downloaded from Server B via SSL (a secure channel) to the recipient’s email client. At that point, it will be opened and read by the recipient.

[Figure: Recipient downloads email message from hosting provider’s mail server]

Caution: To sum this up… the email and its contents sat on at least two servers (possibly more) in plain text, unprotected. Essentially, this email is not HIPAA-compliant because the message was also sent over the internet via an insecure channel multiple times without proper HIPAA email encryption.

Bottom line: Once you send an email, you never know what servers will be handing off the message and via what protocols and channels it will be sent. That’s why internet email is NOT secure enough to satisfy HIPAA requirements, and sending ePHI over conventional email is a dangerous game.

Here’s where MailHippo comes into the picture, to address these security deficiencies and allow you to send HIPAA-compliant emails.

The MailHippo platform secures the message by extracting the content (the sensitive part inside the envelope) and securing it with HIPAA-compliant email encryption before the email is ever sent.

[Figure: Before sending, MailHippo encrypts the email message contents]

In order to make sure your email is HIPAA-compliant, MailHippo stores the message body and attachments (the content) as encrypted records in our web portal. The outbound message we send is merely a pointer back to the message content residing on our secure platform.

In short, the sensitive content of the email message is never sent via email over the internet… only the message envelope is.

What about email encryption?

MailHippo encrypts email messages in two ways:

1. First, we use encryption during the transmission of messages to and from the MailHippo secure platform. All communications with the MailHippo web portal use SSL/TLS 1.2 or higher.

2. To further make sure your email is HIPAA-compliant, all records are also stored encrypted on the MailHippo platform. MailHippo’s HIPAA email encryption security protocol encrypts the message body and all attachments using the AES algorithm with 256-bit keys (AES-256).

Finally, MailHippo goes a step further by encrypting the key ring that stores the keys necessary to decrypt these records.

This means all email messages are encrypted both in transit AND at rest!

Hopefully, this sheds some light on just how insecure standalone internet email can be, as well as how the MailHippo platform secures email messages in transit and at rest – and why MailHippo is the go-to HIPAA-compliant email choice for medical professionals and other covered entities subject to HIPAA.

Have more questions? We’re here to help. Click here to reach out to our MailHippo team and learn how our email platform is HIPAA-compliant. We’re standing by to answer any questions you may have!