What is HIPAA Compliant Email?

Updated 7/20/20 - HIPAA compliant email is a type of email system used by healthcare professionals to send Protected Health Information (PHI) via email to other healthcare industry professionals or directly to their patients. The main difference between a HIPAA compliant email system and the email systems provided by web hosting companies, internet service providers, or free email services is the strong focus on data protection. The critical infrastructure for a HIPAA compliant email system must comply with the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of PHI. To fulfill this requirement, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule. A company that provides HIPAA compliant email services must have in-depth knowledge of how the HIPAA Security Rule applies to the security of PHI. It must be able to identify technical or electronic threats to the healthcare enterprise and implement the available technology to reduce or prevent those threats.

Employees who manage or support the use of a HIPAA compliant email system must receive advanced training in administrative, physical, and technical safeguards. A company that specializes in HIPAA compliant email must develop policies and procedures that both describe those safeguards and address larger risk management strategies. Knowledge and experience of the HIPAA Privacy Rule make a company better able to articulate and address its core requirements, key terms, and concepts in a HIPAA compliant email service.

To learn more about HIPAA Compliance, head on over to this page.

EnGuard HIPAA Compliant Email

Enterprise Guardian (EnGuard), an American company based in Southern California, has been a HIPAA compliant email service provider since 2007 for healthcare providers, doctors, clinics, psychologists, dentists, chiropractors, nursing homes, pharmacies, health insurance companies, hospitals, and billing services.

We are HIPAA, HITECH, and OMNIBUS Compliant!

Although there is no HIPAA standard or implementation specification that requires EnGuard to “certify” our compliance, we completed HIPAA training for the Certified HIPAA Security Experts certification over a decade ago. It is important to note that HHS does not endorse or otherwise recognize private organizations’ “certifications” regarding the Security Rule. Today, we are only required to perform periodic technical and non-technical evaluations that establish the extent to which security policies and procedures meet the security requirements under the evaluation standard § 164.308(a)(8).

Many companies make the huge mistake of thinking they can make their email system "HIPAA compliant" simply by deploying an email encryption solution. What they fail to understand is that HIPAA compliant email has more requirements than just adding an encryption gateway to an existing email system.

As a Leading Authority for HIPAA Compliant Email services, this is what makes us HIPAA compliant:

  1. Access Control. EnGuard has implemented technical policies and physical procedures that restrict anyone from accessing stored email messages and electronic Protected Health Information (PHI) on all of our servers. We own and operate our private cloud at a state-of-the-art datacenter in Irvine, California, with video surveillance and round-the-clock security personnel. In order to enter our facility, a person must surrender their photo ID to our security staff, obtain a guest pass, and be escorted by an authorized staff member who must pass biometric verification through multiple mantraps.
  2. Privacy Control. EnGuard ensures your data is private and secure. We do not outsource our customer service or technical support overseas; you will always be helped by a highly-trained staff member here in Southern California. All of our employees are college educated, and they must pass an extensive national, federal, and county criminal background check. Our employees are screened to be certain that they have never been convicted sex offenders or placed on a terrorist watch list, and they must also pass a rigorous drug screening. Our systems cannot be accessed off-site. Rest assured - your data is in good hands.
  3. Audit Controls. EnGuard has implemented hardware, software, and procedural mechanisms to record and examine access and other activity in our information systems. We keep a log of all email activity including user ID, date, time, sender, recipient, type of encryption, and more for a minimum of 6 years. This data can be examined by the Department of Health and Human Services anytime during an audit. In an effort to protect our customers from unauthorized access, we also monitor and record all failed login attempts, hacking activity, and password resets.
  4. Integrity Controls. EnGuard has implemented policies and procedures to ensure that e-PHI is not improperly altered or destroyed. All outgoing emails are digitally signed to ensure their integrity and authenticity, and each message passes through our Data Loss Prevention (DLP) system. We run our own DNS infrastructure with DNSSEC and DDoS protection to keep all incoming email safe from man-in-the-middle attacks. To protect your data, we only use enterprise solid state disks and hard drives in our data storage systems.
  5. Transmission Security. EnGuard has implemented technical security measures that guard against unauthorized access to e-PHI as it is transmitted over the internet. We use the strongest encryption available with Transport Layer Security (TLS 1.2) and 256-bit AES encryption. We also provide advanced features such as the ability to send secure attachments up to 2GB in size with Secure File Link, and password protected encrypted messages via our Secure Messaging System.
  6. Business Associate. Enterprise Guardian is considered a Business Associate and provides every customer with a signed Business Associate Agreement (BAA) outlining the permitted and required uses of protected health information by us. In a nutshell, we do not access your data outside of support purposes, period. This ensures that the privacy and security of your email is completely protected and confidential. During an audit, the Department of Health and Human Services requires a signed Business Associate Agreement from us.

Your Personal Email Is Not Secure

Switch to HIPAA Compliant Email Today