We deal with lots of PHI in our client correspondence and it needs to be properly encrypted between us and the client.
The purpose of this article is to discuss what encryption options we have when sending email and how to use each one.
What are the options? It all has to do with the two basic ways emails are encrypted and handled at both ends.
Option 1. End-to-End Encryption - These are the ones we dislike. "End-to-end email encryption is a method of transmitting data where only the sender and receiver can read email messages." These are the ones where the recipient has to "sign" for the email before they can open it. This is a higher form of security. To send an email this way, you include [Encrypt] in the subject line (make sure to include the square brackets).
Option 2. Transport-Layer-Security (TLS) - TLS is less stringent, but still very secure. "TLS encryption is a method of securely transmitting data from our email server to our client's email server." Email is sent to our server, where it is encrypted, then sent through the network to the client's server, where it is decrypted and passed on to the client's inbox. In this case, instead of you having to "sign" for each individual email as with end-to-end encryption, someone in the mailroom signs for you. Not as high a form of security, but perfectly acceptable for HIPAA compliance. To send an email this way, you include [TLS] in the subject line (make sure to include the square brackets).
Option 3. Default - Currently in O365, the default sending encryption is TLS, no matter who you are sending to. You do not have to do anything to make this happen. However, when email servers "talk" to each other they occasionally fail to agree on one of the many encryption types available, so explicitly telling the other server how you are sending when the message contains PHI is best practice.
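For the administrator side of this, the following is an added example (not taken from this article or from our own configuration) showing how the [TLS] and [Encrypt] subject tags are typically enforced in O365 with Exchange Online mail flow rules; it assumes you have already run Connect-ExchangeOnline, and the rule names are placeholders.

```powershell
# Added example, not from the original article. Assumes the [TLS] and [Encrypt]
# subject tags are enforced by Exchange Online mail flow (transport) rules and that
# Connect-ExchangeOnline has already been run. Rule names are placeholders.

# Option 2 ([TLS]): require TLS on the server-to-server hop for outbound mail.
# Unlike the default (opportunistic) TLS, a "require" rule does not silently fall
# back to cleartext: if the client's server cannot negotiate TLS, the message is
# held and eventually bounced back to the sender instead of being sent unprotected.
New-TransportRule -Name "Require TLS for [TLS] subject tag" `
    -SubjectContainsWords "[TLS]" `
    -SentToScope NotInOrganization `
    -RouteMessageOutboundRequireTls $true

# Option 1 ([Encrypt]): apply Office 365 Message Encryption, so the recipient
# must authenticate ("sign" for the message) before it can be opened.
New-TransportRule -Name "Encrypt for [Encrypt] subject tag" `
    -SubjectContainsWords "[Encrypt]" `
    -SentToScope NotInOrganization `
    -ApplyRightsProtectionTemplate "Encrypt"

# Confirm both rules exist and are enabled before telling staff to rely on the tags.
Get-TransportRule | Where-Object { $_.Name -like "*subject tag*" } |
    Select-Object Name, State, Priority
```

After creating the rules, send a test message with each tag to an external mailbox you control and check the message trace to confirm the expected rule matched.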
Recommendation - When sending email with PHI, best practice is to include [TLS] in the subject line to ensure TLS encryption and also to send a subtle signal to your client that we are encrypting. Even better practice is to ask the client what they prefer or may require; some require end-to-end encryption, and we are contractually obligated to comply.
Twist - Occasionally, a client might require end-to-end encryption as a default for PHI, but with the option of sending via TLS for those emails with no PHI (basic client communication emails). In that case, including [TLS] in the subject line will send the email the less intrusive way and most clients appreciate the difference.