What is HIPAA Compliant Email?

HIPAA compliant email is a secure, private email platform or service that healthcare organizations (Covered Entities), and the vendors that handle data on their behalf (Business Associates), use to send Protected Health Information (PHI) to other providers or directly to patients. HIPAA does not name a particular technology: the Security Rule lists encryption of PHI as an addressable specification, which in practice means an organization must encrypt PHI in transit and at rest or document why an equivalent safeguard is in place. HIPAA compliant email therefore relies on encryption of messages in transit (end-to-end encryption when the receiving server cannot be trusted) together with sound privacy practices, so that PHI is transmitted securely over the internet. To set up HIPAA compliant email, an organization must run its own email server or outsource email hosting to a provider that specializes in HIPAA compliant email, such as Enterprise Guardian.

Deploying your own email server requires a significant upfront investment in hardware and software, followed by ongoing monthly costs for datacenter space, reliable internet service, backup systems, and a small IT team to keep the system running 24/7. To make that system HIPAA compliant you must also address the six requirements listed below. For most small to medium sized Covered Entities, running their own HIPAA compliant email system is not practical. We hope that by the end of this article it makes sense to pay as little as $3 per user per month to have us host your HIPAA compliant email.

EnGuard HIPAA Compliant Email

Enterprise Guardian (EnGuard), an American Company based out of Southern California, is a HIPAA Compliant Email Service Provider for healthcare providers, doctors, clinics, psychologists, dentists, chiropractors, nursing homes, pharmacies, health insurance companies, hospitals, and billing services.

We are HIPAA, HITECH, and Omnibus Rule Compliant!

Many companies make the mistake of assuming they become HIPAA compliant simply by deploying an email encryption solution. Encryption is necessary, but HIPAA compliant email requires far more than encryption alone.

Our team of Certified HIPAA Security Experts has engineered our email service from the ground up to comply with the standards of the HIPAA Privacy and Security Rules. Through that training and certification we have identified six areas a Covered Entity must correctly address for its email communications to be fully HIPAA compliant:

  1. Access Control. EnGuard has implemented technical policies and physical safeguards that restrict access to stored email messages and electronic Protected Health Information (ePHI) on all of our servers to authorized personnel only. We own and operate our Private Cloud at a state-of-the-art datacenter in Irvine, California with video surveillance and round-the-clock security personnel. To enter our facility, a visitor must surrender their photo ID to our security staff, obtain a guest pass, and be escorted by an authorized staff member who must pass biometric verification at multiple mantraps.
  2. Privacy Control. EnGuard ensures your data is private and secure. We do not outsource our customer service or technical support overseas; you will always be helped by a highly trained staff member here in Southern California. All of our employees are college educated, and they must pass an extensive national, federal, and county criminal background check. Our employees are screened to confirm that they have never been convicted sex offenders or placed on a terrorist watch list, and they must also pass a rigorous drug screening. Our systems cannot be accessed off-site. Rest assured - your data is in good hands.
  3. Audit Controls. EnGuard has implemented hardware, software, and procedural mechanisms to record and examine access and other activity in our information systems. We keep a log of all email activity, including user ID, date, time, sender, recipient, type of encryption, and more, for a minimum of 6 years. The Department of Health and Human Services can examine this data at any time during an audit. To protect our customers from unauthorized access, we also monitor and record all failed login attempts, intrusion attempts, and password resets.
  4. Integrity Controls. EnGuard has implemented policies and procedures to ensure that ePHI is not improperly altered or destroyed. All outgoing emails are digitally signed so that recipients can verify their integrity and origin, and each message passes through our Data Loss Prevention (DLP) system. We run our own DNS infrastructure with DNSSEC, which prevents forged DNS answers (for example, a spoofed MX record) from redirecting incoming email to an attacker, and with DDoS mitigation to keep mail flowing under attack. To protect your data, we only use the best Enterprise Solid State All-Flash data storage systems.
  5. Transmission Security. Enterprise Guardian has implemented technical security measures that guard against unauthorized access to ePHI as it is transmitted over the internet. Mail in transit is protected with Transport Layer Security (TLS 1.2) using 256-bit AES encryption. We also provide advanced features such as the ability to send secure attachments up to 2GB in size with Secure File Link, and password protected encrypted messages via our Secure Messaging System for recipients whose mail servers do not support TLS.
  6. Business Associate. Enterprise Guardian is considered a Business Associate and provides every customer with a signed Business Associate Agreement (BAA) outlining the permitted and required uses of protected health information by us. In a nutshell, we do not access your data except for support purposes, period. This ensures that the privacy and security of your email is protected and confidential. During an audit, the Department of Health and Human Services will expect to see a signed BAA with every vendor that handles PHI on your behalf; ours covers your email service.
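To make the audit and transmission controls in items 3 and 5 concrete, the following is an added example (not EnGuard's code) of the kind of review a Covered Entity or its auditor can run over email audit records: it parses a small constructed log with the fields named above (user ID, timestamp, sender, recipient, encryption type), flags accounts with a burst of failed logins, flags password resets that follow a run of failures (a common account-takeover pattern), and lists any message that left without encryption. The key=value log layout, the field names, and the thresholds are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample audit records (not a real EnGuard log). The key=value
# layout and field names are assumptions made for this example.
SAMPLE_LOG = """\
2024-03-04T09:15:02Z user=jdoe event=send sender=jdoe@clinic.example recipient=dr.lee@hospital.example encryption=TLS1.2
2024-03-04T09:16:40Z user=mroe event=login_failed src=203.0.113.5
2024-03-04T09:16:52Z user=mroe event=login_failed src=203.0.113.5
2024-03-04T09:17:03Z user=mroe event=login_failed src=203.0.113.5
2024-03-04T09:17:15Z user=mroe event=login_failed src=203.0.113.5
2024-03-04T09:17:30Z user=mroe event=login_failed src=203.0.113.5
2024-03-04T09:18:01Z user=mroe event=login_failed src=203.0.113.5
2024-03-04T09:25:00Z user=mroe event=password_reset src=203.0.113.5
2024-03-04T10:05:11Z user=jdoe event=login_failed src=198.51.100.7
2024-03-04T10:40:00Z user=jdoe event=send sender=jdoe@clinic.example recipient=patient@example.net encryption=SecureMessage
2024-03-04T11:02:45Z user=asmith event=send sender=asmith@clinic.example recipient=lab@example.org encryption=none
"""


@dataclass
class Record:
    ts: datetime
    user: str
    event: str
    fields: Dict[str, str]  # remaining key=value pairs (src, sender, recipient, encryption, ...)


def parse_log(text: str) -> List[Record]:
    """Parse one record per line: '<ISO-8601 UTC timestamp> key=value key=value ...'."""
    records: List[Record] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts_str, *pairs = line.split()
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        fields = dict(p.split("=", 1) for p in pairs)
        user = fields.pop("user")
        event = fields.pop("event")
        records.append(Record(ts, user, event, fields))
    return records


def failed_login_bursts(records: List[Record], threshold: int = 5,
                        window: timedelta = timedelta(minutes=10)) -> Dict[str, int]:
    """Return {user: max failures seen in any sliding window} for users at or above threshold."""
    by_user: Dict[str, List[datetime]] = {}
    for r in records:
        if r.event == "login_failed":
            by_user.setdefault(r.user, []).append(r.ts)
    alerts: Dict[str, int] = {}
    for user, times in by_user.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            # Slide the window start forward until the window fits.
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[user] = best
    return alerts


def resets_after_failures(records: List[Record], min_failures: int = 3,
                          window: timedelta = timedelta(minutes=30)) -> List[Tuple[str, datetime]]:
    """Flag password resets preceded by at least min_failures failed logins within window."""
    flagged: List[Tuple[str, datetime]] = []
    for r in records:
        if r.event != "password_reset":
            continue
        recent = [x for x in records
                  if x.user == r.user and x.event == "login_failed"
                  and timedelta(0) <= r.ts - x.ts <= window]
        if len(recent) >= min_failures:
            flagged.append((r.user, r.ts))
    return flagged


def unencrypted_sends(records: List[Record]) -> List[Record]:
    """Transmission check: send events whose encryption field is missing or 'none'."""
    return [r for r in records
            if r.event == "send" and r.fields.get("encryption", "none").lower() == "none"]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("failed-login bursts:", failed_login_bursts(recs))
    print("resets after failures:", resets_after_failures(recs))
    print("unencrypted sends:", [(r.user, r.fields["recipient"]) for r in unencrypted_sends(recs)])
```

On the sample data the burst detector reports mroe (six failures inside ten minutes), the reset check flags mroe's password reset seven minutes after that burst, and the transmission check lists asmith's message to lab@example.org as having left without encryption; jdoe's single failure stays below the threshold. The same three functions run unchanged over a real export once the parser is adapted to the provider's actual log format.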

Your Personal Email Is Not Secure

Switch to HIPAA Compliant Email Today