When do I need to use encryption to protect an email?

If your message contains PHI (Patient Health Information), you may need to use an encryption tool to protect it.

Take look at our How it Works page for a detailed, illustrated overview of how TLS and message encryption work.



Internal Messages are End-to-End Secure, by Default

There is no need to use an encryption tool for internal messages. You can send any patient information back and forth that you would like, and you don’t need to do anything special to protect it. Internal email messages never leave our secure system. This is true for any EnGuard address communicating with any other EnGuard address. If you happen to know another person is using us for email hosting, then you know that your messages are internal. You are automatically end-to-end secure when emailing anyone using our service.

 

Transport Layer Security (TLS)

HIPAA requires that all Covered Entities or healthcare professionals use encryption to transmit data over the internet to each other. The current email encryption standard is Transport Layer Security (TLS) for data in-transit. This ensures that email servers transmit data back and forth with users and other servers securely over an encrypted connection, protecting the data in transit. When both emails servers use TLS, the user experience between the sender and the recipient is seamless.

All of your outgoing messages are protected in transit by TLS, automatically.

 

When to Use an Encryption Tool: Subject to HIPAA vs. Not Subject to HIPAA

When you need to send PHI to an external address, there are two scenarios: (1) You are sending to someone else that is a covered entity subject to HIPAA such as doctors, hospitals, insurance companies, labs, medical billers, etc. or (2) You are sending directly to a patient/guardian. 
 

1. No need to use encryption with other healthcare entities:

Your secure inbox and built in TLS are enough when sending emails containing PHI to all Covered Entities or healthcare professionals. In these scenarios, your recipient is fully responsible for the security of the message on their end. Like you, they are required to have a HIPAA compliant email host and use TLS. If they fail to have secure email services or experience a breach, that is not your violation. It is often impossible to verify whether a recipient is HIPAA compliant, but you can rest assured in knowing that if any covered entity fails on their end it is their violation.
 

2. You must use encryption on messages to patients:

TLS is not enough when sending emails (containing PHI) to patients, their guardians, or any entities who would not be considered "covered" under HIPAA, and thus required to have their own secure email services. You should always assume that patients do not have secure email services, which means you need to protect the message in their inbox as well. To send them any PHI via email, please use one of our security tools:

How to Send and Encrypted Email

How to Send a Secure File Link


 

When in doubt, just use encryption.

That's what we advise the people/teams we train during their setup process. Sometimes you'll know that a healthcare provider entity you are emailing is not secure (for example, a doctor using email@gmail.com for their business). Though it is still their responsibility to protect their end of your email transactions with them, out of kindness and concern for your patient's information you can choose to protect the message with encryption anyway - even though it is technically not your obligation.