9 HIPAA Compliant Email Providers to Check Out
If you work in a healthcare setting, you know the importance of complying with the Health Information Portability and Accountability Act (HIPAA). You’re also probably aware that all business communications — including email — are subject to HIPAA regulation. To that end, it’s imperative that you invest in a HIPAA compliant email service in order to protect both your organization and your patients’ privacy.
In this blog post, we’ll take a look at some of the leading HIPAA compliant email providers on the market today.
Note: If you’d like more background on what makes an email HIPAA compliant or why compliance is so important, check out our complete guide to HIPAA compliant email.
Who Needs a HIPAA Compliant Email Service?
The answer to that question is simple: Any organization that handles Protected Health Information (PHI) — that is, any “individually identifiable health information held or transmitted by a covered entity or its business associate.” This includes healthcare providers (covered entities) and any person organization that provides services on behalf of a healthcare provider (business associates).
Although a HIPAA compliant email service isn’t strictly necessary for internal communications, it’s a requirement for any external communications that go beyond your organization’s firewall. Given that most covered entities will work with a third-party business associate at some point in time, a HIPAA compliant email service is a smart investment for every healthcare organization.
What to Look for in a HIPAA Compliant Email Service
Perhaps the most important feature to look for in a HIPAA compliant email service is encryption. HIPAA’s policy regarding encryption has caused a great deal of confusion over the years because the regulation states that encryption is an “addressable safeguard.”
This vague descriptor has led some covered entities to believe that HIPAA’s encryption requirements are optional, which couldn’t be further from the case. Instead, “addressable safeguard” means that covered entities can use encryption to safeguard PHI, or an alternative that provides the same or a greater level of protection as encryption. In order to determine whether an alternative is acceptable, a covered entity must conduct a risk assessment and carefully document their process.
Given how much effort has to go into finding and validating a suitable encryption alternative, it really is easier for your organization to simply look for an email service that offers end-to-end encryption (E2EE) as standard. E2EE simply refers to any service that encrypts both messages in transit and stored messages.
The Office for Civil Rights — the branch of the U.S. Department of Health and Human Services responsible for enforcing HIPAA — specifies that all emails containing PHI must comply with National Institute of Standards and Technology (NIST) guidelines. For reference, NIST advises that HIPAA compliant email providers use some combination of Advanced Encryption Standard (AES) 128, 192 or 256-bit encryption, OpenPGP and S/MIME.
Finally, in order for a third-party email provider to be HIPAA compliant, it must also agree to sign a Business Associate Agreement (BAA). Per HIPAA, covered entities are only permitted to work with business associates that assure the total protection of PHI. The BAA is, therefore, a written agreement that:
- Defines each party’s responsibilities related to PHI
- Details the permitted and required uses of PHI by business associates and subcontractors
- Stipulates that business associates and contractors will not use or disclose PHI beyond the parameters established by the BAA
- Ensures that business associates and subcontractors implement the appropriate safeguards for PHI
HIPAA Compliant Email Services at a Glance
| Name | Features | Cost | Free Trial |
|
Egress |
|
Prices range from $100/user/yr. to $112.50/user/yr. depending on the total number of users |
Yes |
|
Hushmail |
|
Prices range from $9.99/mo. for one user with 10 GB storage to $39.99/mo. for up to 10 users with 15 GB storage per user; Hushmail also charges a $9.99 setup fee |
No |
|
Identillect |
|
Prices range from $5.95/mo. to $10.95/mo. depending on plan; add-in options available at an additional cost |
Yes |
|
LuxSci |
|
Plans start at $50 per month |
Yes |
|
MailHippo |
|
Basic plan available for $4.95/user/mo.; Pro plan available for $7.95 user/mo. |
Yes |
|
NeoCertified |
|
Plans start at $59/user/yr. |
Yes |
|
Paubox |
|
Prices range from $29/user/mo. to $79/user/mo. depending on plan; certain plans come with $999 setup fee |
Yes |
|
ProtonMail |
|
Most basic version is free for personal use; prices range from 5 EUR/mo. to 30 EUR/mo. for paid versions, depending on plan |
Yes |
|
Virtru |
|
Pricing available upon request. |
Yes |
The Top 9 HIPAA Compliant Email Providers
Note: All of the email services shown below include a signed BAA.
1. Egress
Egress is a UK-based encrypted email service provider that leverages machine learning and E2EE to provide government and industry-certified security.
Egress’ HIPAA compliant email service — Egress Protect — uses AES-256 bit encryption to secure data at rest and in transit. Egress Protect provides users with full revocation capabilities, so that they can control how recipients use shared data, revoke access or change access permissions in real time. It also enables users to create custom email security policies and automatically enforce them. Egress Protect has earned multiple government and industry security certifications, including:
- ISO 27001
- FIP 140-2
- Common Criteria
- Commercial Product Assurance
- NATO
- Skyhigh CloudTru
These security measures mean that Egress Protect is not only HIPAA compliant, but also GDPR compliant. In addition to advanced security features, Egress Protect also offers single sign-on (SSO), enhanced mobility, Microsoft Outlook and Office 365 integration and Investigate 365 — a built-in analytics tool that monitors for email breaches.
Pricing for Egress Protect varies based on the total number of users and licenses:
- 2–4 users = $112.50 per user, per year
- 5–9 users = $106 per user, per year
- 10–25 users = $100 per user, per year
Organizations with over 25 users must contact Egress’ sales team for more information.
2. Hushmail
Hushmail, the popular Canada-based secure email service provider, offers HIPAA compliant email services through Hushmail for Healthcare.
Hushmail for Healthcare enables covered entities to securely send and receive messages containing PHI using OpenPGP for E2EE. Hushmail for Healthcare builds in additional layers of securing by requiring two-factor authentication (2FA) for account login and using a Qualys SSL Labs-approved Secure Socket Layer (SSL)/Transport Layer Security (TSL) connection.
Hushmail for Healthcare enables organizations to use their own domain names and provides unlimited email aliases for added privacy. Hushmail is mobile-friendly, so users can securely access their email account from any device, be it mobile or desktop.
Prospective Hushmail for Healthcare users have their choice of three pricing plans:
- One email account with up to two secure web forms and 10 GB storage for $9.99 per month
- Up to five email accounts with up to five secure web forms, 15 GB storage per account and electronic signatures for $19.99 per month
- Up to 10 email accounts with up to 10 secure web forms, 15 GB storage per account and electronic signatures for $39.99 per month
It’s also worth noting that Hushmail charges a $9.99 fee for setup.
3. Identillect
Designed with small and medium-sized business in mind, Identillect Delivery Trust is a great HIPAA compliant email service for smaller practices.
Delivery Trust secures emails at rest and in transit using AES 256-bit encryption and sends them over an SSL/TSL connection with RSA 2408-bit encryption. On top of that, senders maintain complete control over their emails; can restrict recipients’ ability to print, forward or download content and retract access at any time.
Delivery Trust also utilizes something called Ethereum Blockchain Technology — a decentralized private ledger system — to ensure email integrity and prevent man-in-the-middle attacks. Simply put, Ethereum Blockchain Technology restricts recipient access until every aspect of the email, including the encryption key, blockchain nodes, the sender’s IP address and email metadata, is verified. If any aspect of the email fails to verify, the sender and the organization administrator is automatically notified of the security issue.
Prices for Identillect Delivery Trust vary by plan:
- For $5.95 per month, users get Delivery Trust (Web Only), which enables them to securely send and access emails from any browser, restrict forwarding and printing and retract sent emails.
- For $8.95 per month, users get Delivery Trust, which includes all of the same features as Delivery Trust (Web Only), as well as secure emails and contact syncing with Outlook and an automated vCard password system.
- For $10.95 per month, users get Delivery Trust Business, which includes all of the same features as Delivery Trust, as well as custom branded emails and web portal, and enables administrators to dynamically assign licenses to users.
Delivery Trust also comes with multiple add-in options, including Gmail, Outlook and Office 365, available at an additional cost.
4. Luxsci
LuxSci’s HIPAA compliant email service is one of the most popular on the market today and is the service of choice for the likes of Aetna, Delta Dental, Beth Israel Lahey Health and more.
LuxSci’s trademark SecureLine encryption service provides adaptive E2EE for email using a combination of forced Simple Mail Transfer Protocol (SMTP) TLS, PGP and S/MIME certificates and Escrow. SecureLine also offers dynamic TLS negotiation and fallback, as well as opt-in, opt-out and data loss prevention (DLP) encryption.
Going beyond encryption, LuxSci offers access controls, login audit trails, real-time inbound email filtering, spam flood protect and tamper-proof archiving. LuxSci’s security is so robust that it’s compliant with the Health Information Trust Alliance’s (HITRUST) Common Security Framework (CSF).
If you’re interested in LuxSci’s HIPAA compliant email service, the company offers three pricing plans:
- The Shared plan, which allows for up to 50 users and 500 GB storage, is available for $1–10 per user with a $50 minimum.
- The Dedicated plan, which allows for up to 1,000 users and 10 TB storage, is available for $1–10 per user with an additional $60 server fee; the server fee provides users with access to their own dedicated server, cluster or unique custom deployment.
- Pricing for the Enterprise Custom plan, which allows an unlimited number of users and unlimited storage space, as well as account and server isolation, is available upon request.
5. MailHippo
MailHippo has earned a reputation for making sending secure, HIPAA compliant emails easy and affordable. There’s no setup required — you can use MailHippo with your existing email provider, which means all you have to do is sign up and go.
MailHippo uses AES 256-bit encryption and 2FA to provide E2EE. It also houses all of its servers in industry-best HIPAA, PCI DSS, VISA, SSAE 16 and SOC 2 compliant data centers, preventing unauthorized third parties from accessing PHI. The company maintains a detailed log of all access to messages sent using its platform, including the time, date, authorized user, their IP address and which records they accessed. MailHippo also comes with a free proprietary SendSafe address, so users can receive secure emails from anyone.
Starting at just $4.95 per user, per month, organizations can get the Basic plan, which allows for up to 5,000 messages per month and 5 GB storage and includes features such as message recall and branding. For $7.95 per user, per month, organizations can get the Pro plan, which allows for up to 10,000 messages per month and 10 GB storage and includes message recall, branding and message expiration.
6. NeoCertified
NeoCertified is known for providing secure email solutions for a number of different industries, including healthcare.
There are a few different ways to use NeoCertified’s HIPAA compliant email service:
- The first is through NeoCertified’s Outlook plugin integration, which enables end users to compose, send and receive secure messages through the Outlook application.
- The second is through Customer Connect, which leverages NeoCertified’s secure web portal to enable end users to compose and send messages via their organization’s website.
- Finally, NeoCertified offers an encrypted API integration for larger healthcare organizations, which enables end users to access Customer Connect through their organization’s business application.
Regardless which option you choose, all messages are protected by AES-256 encryption and compliant with both HIPAA and HITECH regulations.
NeoCertified offers three pricing plans — Non-Profit, Single User and Multiple Users — starting at $59 per user, per year.
7. Paubox
Paubox Email Suite is an all-in-one HIPAA compliant email encryption and security service. Like MailHippo, Paubox Email Suite is easy to use and requires virtually no setup because it integrates directly with your email client of choice; simply sign in, and Email Suite will automatically start encrypting emails.
Paubox Email Suite uses AES 256-bit encryption, blanket TLS email encryption, 2FA and opportunistic inbound encryption for E2EE. Email Suite also offers additional security features, such as phishing protection, virus scanning and spam filtering. Paubox Email Suite was rated the #1 email encryption software by G2 and, like LuxSci, is HITRUST CSF certified.
Paubox Email Suite comes in three pricing plans:
- For $29 per user, per month, organizations get the Standard plan, which includes all of Email Suite’s basic security features, as well as real-time analytics and email reports.
- For $59 per user, per month, organizations get the Plus plan, which includes all of the same features as the Standard plan, as well as inbound security, ExecProtect and DomainAge; the Plus plan also requires a $999 setup fee.
- For $79 per user, per month, organizations get the Premium plan, which includes all of the same features as the Plus plan, as well as email archiving and email DLP; the Premium plan also requires a $999 setup fee.
8. ProtonMail
Created by researchers at CERN in Switzerland — a country known for its strict privacy laws — ProtonMail provides robust, HIPAA compliant email security at no cost to you.
ProtonMail uses a combination of AES, RSA and OpenPGP cryptography to provide E2EE to messages at rest and in transit and sends emails over a Swiss SSL connection. Unlike other services on this list, ProtonMail does track or log personally identifiable information — everything is completely anonymous. It also offers optional expiration times on encrypted emails, so that emails are automatically deleted from the recipient’s inbox once they have expired.
It also leverages full disk encryption and storage in secure data centers, meaning ProtonMail owns all of its own server hardware and data is never sent to the cloud. In fact, ProtonMail’s primary data center is located in a nuclear bunker under 1,000 meters of granite, which goes to show that ProtonMail takes hardware-level security just as seriously as it does software-level.
ProtonMail is easy to set up and use, with an interface similar to Gmail’s.
Since ProtonMail is an open source software, the most basic version of the service is available for free for personal use. Healthcare organizations, on the other hand, will want to consider one of its paid plans:
- For 5 EUR per month, organizations get the Plus plan, which includes access for one user; the Plus plan comes with five addresses, 1,000 messages per day, 5 GB storage and one custom domain.
- For 8 EUR per user, per month, organizations get the Professional Plan, which includes access for up to 5,000 users; the Professional plan comes with five addresses per user, unlimited messages per day, 5 GB storage per user and two custom domains.
- For 30 EUR per month, organizations get the Visionary plan, which includes access for up to six users; the Visionary plan comes with 50 addresses, unlimited messages per day, 50 GB storages, 10 custom domains and ProtonVPN.
9. Virtru
Similar to a few other services on this list, Virtru is an E2EE encryption platform add-on for popular email clients such as Gmail and Outlook. Using open standard Trusted Data Format (TDF), Virtru establishes access controls so that only the sender and intended email recipient can decrypt messages; this prevents third parties— including Virtru — from accessing email content and attachments.
Virtru also establishes granular audit trails, offers email expiration functionality, watermarks confidential email attachments and enables senders to disable forwarding. Virtru users can configure DLP policies to scan messages and attachments for PHI and apply encryption and access control policies as needed. Virtru also enables secure sharing across distributed provider teams using attribute-based access controls (ABAC), and SIEM integration for advanced threat analysis.
Although Virtru does have a free plugin for personal use, it does not include a signed BAA and is therefore not HIPAA compliant. The paid version of Virtru’s HIPAA compliant encryption service does, however, include a signed BAA. Virtru does not make its pricing public, though it is available upon request.
Add an Extra Layer of Security with Intradyn
We hope this you find this list helpful in your search for the right HIPAA compliant email service for your organization.
Want to make sure your bases are totally covered? Add an extra layer of security with Intradyn. Our email, social media and text/SMS message archiving solutions make it easy for healthcare organizations to securely store PHI and other sensitive data in AES 256-bit encrypted archives. Best of all, you can reproduce communications on a moments’ notice using our advanced search capability, so you can easily respond to any potential audits or eDiscovery requests.
To learn more about Intradyn supports HIPAA compliance, talk to one of our experts today.
