The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Is Paubox HIPAA Compliant?

Paubox is HIPAA compliant. As an email encryption solution, it supports HIPAA compliance and can be used by Covered Entities and Business Associates to communicate Protected Health Information by email without violating the standards of the HIPAA Privacy or Security Rules.

What is Paubox?

Paubox Inc. is a Californian provider of email encryption products with varying capabilities. At the entry level, Paubox works in the background to encrypt outbound emails to prevent Protected Health Information (PHI) from being impermissibly disclosed during the transit of emails.

Further up the product suite, Paubox offers an effective email filter for inbound emails, a HIPAA-compliant email archiving service, and an email marketing solution. There is also an email API product for automating HIPAA-compliant emails at scale.

To substantiate the company’s commitment to security, Paubox is HITRUST CSF Certified. HITRUST is an acronym for the Health Information Trust Alliance, and being certified demonstrates that Paubox complies with the HITRUST Common Security Framework.


What are the HIPAA Email Requirements?

When HIPAA was passed in 1996, email was not the force it is today. Web clients (e.g., Hotmail, Yahoo, etc.) had only just been launched and the first mobile device with email capabilities (the Blackberry 5810) was still six years away. Gmail was not launched until 2004.

Consequently, Congress’ instructions to the Secretary of the U.S. Department of Health and Human Services – to develop privacy and security standards for the protection of individually identifiable health information – did not factor in specific HIPAA email requirements.

Nonetheless, some standards are relevant to HIPAA compliance for email. These include a patient’s right to request how they receive communications containing PHI, the requirement to implement audit controls, and the implementation specifications relating to transmission security.

Privacy Rule Challenges to HIPAA Email Compliance

The first challenge to HIPAA email compliance arises when a patient requests that communications containing PHI be sent by email. Unencrypted emails are not HIPAA compliant because they can be intercepted in transit and tampered with, or read by unauthorized individuals in a “man-in-the-middle” attack, in much the same way that email filters read the content of emails to identify spam.

Therefore, if a patient exercises their right to request communications by email – or initiates a conversation via email – Covered Entities should warn the patient that unencrypted email is an unsecured channel of communication; and, if the patient still wants to receive emails containing PHI, document the request and the warning that was provided.

A further Privacy Rule challenge to HIPAA email compliance is human error. There are numerous examples of Covered Entities inadvertently disclosing PHI via email; and while the HHS Breach Portal lists examples in which the PHI of more than 500 individuals has been disclosed via email, there are likely many thousands of smaller data breaches that do not make the list.

Security Rule Challenges to HIPAA Email Compliance

The Security Rule challenges to HIPAA email compliance can be summed up in two words – Technical Safeguards. Most standard email services lack the capabilities to (for example) record when PHI is included in an email, ensure the content of the email is not modified without authorization, and prevent PHI from being disclosed in man-in-the-middle attacks or by legitimate software such as spam filters.

Measures proposed by HHS could – if adopted – ultimately remove the technical burden of recording when PHI is included in an email (provided that the inclusion of PHI is permissible) and ensure the validity of attachments by confirming there has been no tampering. The challenge posed by man-in-the-middle interceptions can easily be addressed with encryption.

It is important to be aware that encryption does not stop man-in-the-middle interceptions. It simply ensures the content of an email and any attachments are not disclosed because the encryption has made the content and/or attachment unreadable, indecipherable, and unusable. Therefore, in the event of an email being intercepted, there would be no data breach. This will make HIPAA-compliant email essential for all PHI.
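To make the three technical safeguards discussed in this section concrete, here is an added example written for this page; it is not Paubox's code and does not describe how Paubox works internally. It shows a minimal outbound-mail policy check that records an audit entry whenever PHI is detected in an outgoing message, keeps SHA-256 digests of attachments so later tampering can be detected, refuses to release PHI over an unencrypted channel, and, like the Data Loss Prevention feature described further down the page, blocks external delivery of PHI from senders who are not authorized to send it. The internal domain (clinic.example), the PHI patterns (an MRN format and an SSN format), the sample message and attachment, and the transport_encrypted flag (standing in for what a real gateway learns from its SMTP session, such as whether STARTTLS was negotiated) are all assumptions constructed for the example.

```python
"""Outbound e-mail policy check illustrating HIPAA Security Rule technical
safeguards: audit when PHI leaves, attachment integrity digests, and no PHI
over an unencrypted channel. Added example for this page; not Paubox code.
All domains, patterns and messages below are constructed sample data."""
import hashlib
import re
from dataclasses import dataclass, field
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr

INTERNAL_DOMAINS = {"clinic.example"}  # assumed internal domain

# Constructed PHI indicators: a medical record number format and an SSN format.
PHI_PATTERNS = {
    "mrn": re.compile(r"\bMRN[-\s]?\d{6,10}\b", re.IGNORECASE),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


@dataclass
class Decision:
    deliver: bool
    reasons: list = field(default_factory=list)              # why delivery was refused
    audit: list = field(default_factory=list)                # audit records (safeguard 1)
    attachment_digests: dict = field(default_factory=dict)   # filename -> sha256 (safeguard 2)


def message_text(msg: EmailMessage) -> str:
    """Plain-text body plus any text attachments, concatenated for scanning."""
    chunks = []
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        chunks.append(body.get_content())
    for part in msg.iter_attachments():
        if part.get_content_maintype() == "text":
            chunks.append(part.get_content())
    return "\n".join(chunks)


def find_phi(text: str) -> list:
    """Names of the PHI patterns that occur in the text."""
    return sorted(name for name, pat in PHI_PATTERNS.items() if pat.search(text))


def attachment_digests(msg: EmailMessage) -> dict:
    """SHA-256 of each attachment's decoded bytes, keyed by filename."""
    return {part.get_filename(): hashlib.sha256(part.get_payload(decode=True)).hexdigest()
            for part in msg.iter_attachments()}


def tampered_attachments(expected: dict, msg: EmailMessage) -> list:
    """Attachments whose current digest differs from the recorded one (safeguard 2)."""
    current = attachment_digests(msg)
    return sorted(name for name, digest in expected.items() if current.get(name) != digest)


def external_recipients(msg: EmailMessage) -> list:
    """Recipient addresses whose domain is not one of ours."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    addrs = [addr for _, addr in getaddresses([str(h) for h in headers])]
    return [a for a in addrs if a.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]


def evaluate(msg: EmailMessage, transport_encrypted: bool,
             allowed_external_senders=frozenset()) -> Decision:
    """Decide whether the gateway may release this message.

    transport_encrypted is an assumption standing in for what a real gateway
    learns from its SMTP session (e.g. whether STARTTLS was negotiated).
    """
    decision = Decision(deliver=True)
    decision.attachment_digests = attachment_digests(msg)
    phi = find_phi(message_text(msg))
    if not phi:
        return decision  # nothing regulated in this message
    sender = parseaddr(str(msg["From"]))[1]
    external = external_recipients(msg)
    # Safeguard 1: record that PHI was included and where it was going.
    decision.audit.append({"sender": sender, "external_recipients": external,
                           "phi_types": phi, "attachments": decision.attachment_digests,
                           "encrypted": transport_encrypted})
    # Safeguard 3: PHI travels only over an encrypted channel.
    if not transport_encrypted:
        decision.deliver = False
        decision.reasons.append("PHI present but transport is not encrypted")
    # DLP: PHI leaves the organization only from senders authorized to send it.
    if external and sender not in allowed_external_senders:
        decision.deliver = False
        decision.reasons.append(f"{sender} is not authorized to send PHI externally")
    return decision


SAMPLE_BODY = ("Your visit summary is attached. Reference MRN 00123456; "
               "we have your SSN on file as 123-45-6789.")       # constructed
SAMPLE_ATTACHMENT = b"%PDF-1.4 constructed sample attachment"    # constructed


def build_sample_message(body: str, attachment: bytes) -> EmailMessage:
    """Constructed outbound message from an internal sender to an external patient."""
    msg = EmailMessage()
    msg["From"] = "Records Office <records@clinic.example>"
    msg["To"] = "patient@mail.example"
    msg["Subject"] = "Your visit summary"
    msg.set_content(body)
    msg.add_attachment(attachment, maintype="application", subtype="pdf",
                       filename="summary.pdf")
    return msg


if __name__ == "__main__":
    msg = build_sample_message(SAMPLE_BODY, SAMPLE_ATTACHMENT)
    for encrypted in (True, False):
        d = evaluate(msg, encrypted, allowed_external_senders={"records@clinic.example"})
        print("encrypted" if encrypted else "plaintext", "->",
              "deliver" if d.deliver else d.reasons)
    altered = build_sample_message(SAMPLE_BODY, b"%PDF-1.4 altered")
    print("tampered:", tampered_attachments(attachment_digests(msg), altered))
```

The digests recorded in the audit entry are what make the integrity check possible later: a copy of the message that arrives with a different attachment digest is flagged by tampered_attachments. A real gateway would also need to scan non-text attachments and use a far richer PHI detector than two regular expressions.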

How Paubox Can Help Overcome the Challenges

Paubox can help overcome the challenge of HIPAA email compliance in various ways depending on which products are used. For example:

  • The entry-level email suite can be configured to automatically encrypt emails without the necessity for members of the workforce to go through extra procedures or for recipients to enter a password or visit a secure portal to read the email.
  • The suite can be integrated with major business email platforms and the Salesforce CRM for a seamless user experience, while administrators and compliance officers can take advantage of a library of analytic and email reports.
  • The email suite “Plus” includes advanced email filtering capabilities to reduce the risk of malware and ransomware. It also includes two extremely efficient capabilities to mitigate the threat of phishing – DomainAge and ExecProtect.
  • At the top level of the Paubox email suite, Covered Entities can take advantage of a HIPAA-compliant email archiving service and a Data Loss Prevention feature that prevents PHI from being sent outside the corporate network by unauthorized members of the workforce.

Two further products in the Paubox portfolio may also be of interest to Covered Entities and Business Associates – Paubox Marketing and the Paubox Email API.

  • Paubox Marketing is a simple-to-use email builder that enables marketing departments to personalize marketing emails according to patients’ medical conditions, prescribed medications, and more.
  • The Paubox Email API is a tool that can be used to automate email communications at scale while ensuring HIPAA compliance. When used with Paubox Marketing, Paubox can be configured to respond to specified triggers.

The additional products make Paubox the leading HIPAA-compliant email provider.

Making Paubox HIPAA Compliant

Software is not usually HIPAA compliant “out of the box”. In most cases, the software has to be configured to operate compliantly – especially when integrated with other technologies. Fortunately, making Paubox HIPAA compliant is not complicated due to the simple-to-follow instructions for integrating the email suite with existing business email platforms and the Salesforce CRM.

Once user email addresses have been imported into Paubox, members of the workforce will not notice any difference when sending emails. Nonetheless, it is advisable to explain to users what changes have been made in case a patient raises a concern about PHI being disclosed via email. HIPAA training on Paubox will enable users to answer patient concerns quickly.

Additionally, Covered Entities and Business Associates subscribing to the email encryption service will need to enter into a Business Associate Agreement with Paubox. Like many major software vendors, Paubox has its own Business Associate Agreement; but, having reviewed its content, we have no concerns about the Paubox HIPAA-compliant Business Associate Agreement.

Conclusion: Paubox is HIPAA Compliant

Covered Entities and Business Associates looking at ways to overcome the challenges of HIPAA email compliance can consider Paubox a HIPAA-compliant solution. At the entry level, Paubox removes the compliance overhead of warning patients about the dangers of unencrypted email and documenting their requests to receive PHI via email.

At higher subscription levels, Paubox has a number of HIPAA-compliant capabilities that can help organizations maintain the security of PHI and archive emails for fast search and retrieval. Naturally, the software can be used to ensure other confidential information (governed by other regulations) remains private and is protected against unauthorized access.

Therefore, in answer to the question “Is Paubox HIPAA compliant?”, the answer is yes, provided that Covered Entities and Business Associates configure the software to comply with the technical safeguards of the Security Rule and enter into a Business Associate Agreement with Paubox. It is also recommended to provide user training in order to prevent unjustified complaints from uninformed patients.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
