What Is Encryption, and How Do I Know If I Need Encrypted Email?
Many healthcare practitioners are hesitant to use email when communicating with clients, believing that it’s inherently insecure. And if you’re using certain email programs or services that don’t come with enhanced encryption, you may be right. However, email services such as Hushmail use encryption to provide security, allowing you to keep information safe when it’s being stored, sent, or received while taking advantage of the benefits of electronic communication, whether it’s through your computer, tablet, or smartphone.
But what exactly is encryption? How does it work? And how do you know if you have the right kind of encryption to make your emails HIPAA compliant?
Today’s post will shed some light on the different types of encryption and help you choose an encrypted email service that’s right for you.
What is encryption exactly?
Do you remember playing with decoder rings when you were a kid? Your friend would write a message with a jumble of letters or numbers that were indecipherable – unless you had the decoder ring that gave you the corresponding letters so you could read the secret message.
Modern-day encryption that keeps our online information private works in much the same way. When you send an encrypted email, its content is scrambled into what looks like a random assortment of letters, numbers, and symbols. The message is indecipherable to anyone who doesn’t have the “key,” the digital world’s version of the decoder ring.
There are two kinds of key: a public key, which is used to encrypt an email, and a private key, which is used to decrypt it. Just as the name suggests, a public key can be shared with a group, for example the customers of an encrypted email service provider, while only the recipient holds the matching private key.
For an excellent, in-depth explanation of public and private keys, read this article by Panayotis Vryonis.
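To make the public/private key idea concrete, here is an added example (not code from the article or from Hushmail) showing the textbook form of RSA, the public-key mathematics that OpenPGP and TLS build on. The primes p=61 and q=53 and the exponent e=17 are constructed toy values chosen so the numbers stay readable; real keys are thousands of bits long and are used with padding schemes, so this block illustrates the concept rather than a deployable cipher.

```python
"""Toy public/private key demonstration with textbook RSA (added example)."""
import math


def make_keypair(p, q, e=17):
    """Build (public, private) keys from two primes p and q.

    The public key (e, n) is what you can hand out; the private key (d, n)
    stays with the recipient. Toy values only: p, q and e are constructed.
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse of e: the private exponent (Python 3.8+)
    return (e, n), (d, n)


def apply_key(key, values):
    """Raise every value to the key's exponent modulo n."""
    exponent, n = key
    return [pow(v, exponent, n) for v in values]


def encrypt(public_key, plaintext: bytes):
    """Encrypt one byte at a time with the PUBLIC key; the result is a list of ints."""
    _, n = public_key
    if n <= 255:
        raise ValueError("modulus must exceed the largest byte value")
    return apply_key(public_key, plaintext)


def decrypt(private_key, ciphertext):
    """Recover the original bytes with the PRIVATE key."""
    return bytes(apply_key(private_key, ciphertext))


if __name__ == "__main__":
    public, private = make_keypair(61, 53)
    scrambled = encrypt(public, b"hi")
    print("ciphertext:", scrambled)                       # looks like random numbers
    print("with private key:", decrypt(private, scrambled))
    # The public key cannot undo its own work: applying it again does NOT
    # give the message back, which is why it can be shared freely.
    print("with public key:", apply_key(public, scrambled))
```

The last two lines of the demo are the whole point of the decoder-ring analogy: the sender only needs the recipient’s public key, and knowing that key does not let anyone (the sender included) read the message afterwards.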
Different types of encryption act in different ways. Let’s look at Transport Layer Security (TLS) encryption, which is considered the standard for encryption protection on the web.
When you look at the URL in your web browser, you’ll likely see https next to a locked padlock icon. This means the information you’re sending and receiving on that website is encrypted and protected in transit with TLS.
TLS also protects email with encryption during transit as long as all of the email servers used along the email’s journey support it.
How do you know if the servers support TLS? That’s the problem. Some email providers provide this information when you compose an email, but their ability to do so is limited. For example, Gmail only provides a warning if you’re using your computer or an Android device.
There is also a way to determine TLS support by analyzing email headers, but this isn’t a method for the faint-hearted. Unless you have a strong tech background, it’s likely to cause more frustration than security.
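The header analysis mentioned above, as an added example that is not part of the original post: every mail server that handles a message prepends a Received: header, and by convention (RFC 3848) a hop that used TLS is recorded as “with ESMTPS” or “with ESMTPSA”, often with a “version=TLS…” comment. The script below reads those headers with Python’s standard email module and reports, hop by hop, whether TLS was used. The sample message is constructed: the hostnames use the reserved .test domain, the addresses come from the 192.0.2.0/24 documentation range, and the IDs are made up. It deliberately includes one unencrypted internal hop, the situation the article warns about.

```python
"""Check an email's Received: headers to see which delivery hops used TLS (added example)."""
import re
from email import message_from_string

# Constructed sample: two hops, the first (workstation -> clinic mail server)
# without TLS, the second (clinic -> provider) with TLS 1.3.
SAMPLE_MESSAGE = """\
Received: from mx.example-clinic.test (mx.example-clinic.test [192.0.2.10])
        by inbound.example-provider.test with ESMTPS id ABC123
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);
        Mon, 1 Jan 2024 10:00:00 +0000
Received: from workstation.example-clinic.test (workstation.example-clinic.test [192.0.2.55])
        by mx.example-clinic.test with ESMTP id XYZ789;
        Mon, 1 Jan 2024 09:59:58 +0000
From: front-desk@example-clinic.test
To: patient@example-provider.test
Subject: Appointment reminder

(message body omitted)
"""

# RFC 3848 "with" keywords that imply a TLS-protected hop: ESMTPS, ESMTPSA, LMTPS, ...
SECURE_WITH = re.compile(r"\bwith\s+(?:E?SMTPSA?|UTF8SMTPSA?|LMTPS)\b", re.IGNORECASE)
# Free-form comments some servers add, e.g. "(version=TLS1_3 ...)" or "using TLSv1.2".
TLS_COMMENT = re.compile(r"\bTLS[v ]?1", re.IGNORECASE)
FROM_HOST = re.compile(r"\bfrom\s+(\S+)", re.IGNORECASE)
BY_HOST = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)


def analyze_received(raw_message):
    """Return one dict per delivery hop, oldest hop first."""
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    hops = []
    # Servers prepend Received: headers, so the LAST header is the FIRST hop.
    for value in reversed(received):
        text = " ".join(value.split())  # unfold continuation lines
        from_match = FROM_HOST.search(text)
        by_match = BY_HOST.search(text)
        hops.append({
            "from": from_match.group(1) if from_match else "?",
            "by": by_match.group(1) if by_match else "?",
            "tls": bool(SECURE_WITH.search(text) or TLS_COMMENT.search(text)),
        })
    return hops


def all_hops_encrypted(raw_message):
    """True only if every recorded hop used TLS; one plaintext hop is enough to fail."""
    hops = analyze_received(raw_message)
    return bool(hops) and all(hop["tls"] for hop in hops)


if __name__ == "__main__":
    for number, hop in enumerate(analyze_received(SAMPLE_MESSAGE), start=1):
        status = "TLS" if hop["tls"] else "NO TLS"
        print(f"hop {number}: {hop['from']} -> {hop['by']}: {status}")
    print("every hop encrypted:", all_hops_encrypted(SAMPLE_MESSAGE))
```

Two caveats a practitioner would want: each Received: header is written by the receiving server, so hops outside your own infrastructure can only be trusted as far as you trust those servers, and the headers describe what happened to a message you already received, not what will happen to the next one you send. That is exactly why the article recommends a service that confirms TLS support up front or wraps the message in OpenPGP.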
That’s why it’s a good idea to find an encrypted email service that can both confirm TLS support and also provide another encryption method to protect your emails.
It’s great to have TLS working in the background to secure your emails when it’s supported, but it’s a good idea to add an extra layer of security with OpenPGP encryption.
While TLS encryption is automatic when an email is sent from one server supporting TLS to another, OpenPGP encryption must be enabled. The way you trigger encryption varies depending on the email service you’re using and might involve enabling a switch or requiring a password from the recipient.
The great thing about OpenPGP encryption is that it encrypts your emails, not just in transit like TLS, but also in storage.
Does HIPAA require encryption?
The Health Insurance Portability and Accountability Act (HIPAA) stipulates that covered entities must implement technical safeguards for the “electronic protected health information” of their clients and patients, but it doesn’t specify a particular type of encryption, and there is no list of which technical safeguards you should use. However, should a breach happen, you will need to convince HIPAA officials, and maybe even a judge, that you did everything you could to safeguard the information. If you’re comfortable saying that you sent the information protected in transit only, reliant upon the recipient supporting encryption, then TLS is all you need.
However, you may decide you want the extra protection and extra peace of mind that comes from using OpenPGP encryption.
What to look for in an encrypted email provider
If you decide that you need encryption for your emails, then it’s helpful to know what to look for to ensure you’re checking all of the boxes for HIPAA compliance.
Multiple layers of protection are the first thing to look for. TLS encryption is great if it’s supported by both the sender and receiver, but what if it isn’t? You’re left with no other option unless you’re using an email service that gives you a way to send email with OpenPGP encryption.
Other layers of protection include the following:
- a required passphrase
- the ability to add on a security question
- adjustable message expiration so your emails aren’t hanging around long past the time when they’re needed
- an email archive, so you have a record of your communications, making it easier to prove compliance in case of an audit
Hushmail for Healthcare offers all of the above and is proud to provide the encryption behind Brighter Vision’s HIPAA-Compliant Email package. Ask Brighter Vision how you can include encrypted, HIPAA-compliant email and web forms with your new website.
Want the beautiful therapist website you deserve? Then you’re in the perfect place.
Brighter Vision is the ultimate marketing package for therapists, centered around the best therapist website you’ve ever had. Fill out the form below to learn more about our team of professionals who can’t wait to help your practice grow like never before. 🙂