Is Paubox HIPAA Compliant?


Paubox is a HIPAA compliant solution to incompatible encryption standards when emails containing PHI are sent between covered entities – or between covered entities and business associates or patients. Paubox also addresses the inconvenience of encrypting emails and decrypting them on receipt.

Most covered entities that use email to communicate Protected Health Information (PHI) with each other, with business associates, or with patients, are aware that encryption is the most effective way to comply with Security Rule standards relating to transmission security (§164.312(e)). However, not all encryption standards are compatible with each other.

When an email is sent using an encryption standard that is not supported by the recipient’s email application (e.g., Microsoft IRM), the outbound mail server will either try to deliver the email using a different encryption standard (e.g., PGP) or, if this is not possible, deliver the email in an unencrypted format – which could expose PHI to unauthorized access.

The alternative to emails being delivered in an unencrypted format is that they are not delivered at all and are returned to the sender (which of the two happens depends on how the outbound mail server is configured). In such circumstances, the original sender might attempt to use a different, potentially insecure, channel to communicate the content of the email.
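As an added example (not Paubox’s configuration and not from the original page), the outbound-server setting that decides between the two outcomes described above, shown for Postfix: the opportunistic setting delivers in plaintext when the receiving server does not offer STARTTLS, while the mandatory setting defers the message instead. The file paths are Postfix defaults and the domain names in the policy map are placeholders.

```ini
# /etc/postfix/main.cf (added example; paths are Postfix defaults)

# Weak setting: opportunistic TLS. If the receiving server does not
# advertise STARTTLS, Postfix silently falls back to plaintext delivery,
# which is exactly the PHI-exposure case described above.
#smtp_tls_security_level = may

# Corrected setting: mandatory TLS. If STARTTLS is not offered or the
# handshake fails, the message is deferred and queued (and eventually
# returned to the sender), never sent unencrypted.
smtp_tls_security_level = encrypt

# Per-domain policy so that the global level can stay opportunistic for
# unrelated mail while domains that receive PHI are always encrypted.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# Log every outbound TLS negotiation so plaintext fallbacks are visible
# in the mail log instead of going unnoticed.
smtp_tls_loglevel = 1

# /etc/postfix/tls_policy (run "postmap /etc/postfix/tls_policy" and
# "postfix reload" after editing). Placeholder domains: replace with the
# covered entities and business associates that receive PHI.
# "secure" also verifies the server certificate against the listed name,
# so a downgraded or intercepted connection is refused, not tolerated.
hospital-partner.example    secure match=hospital-partner.example
billing-vendor.example      encrypt
```

Mandatory TLS only protects the hop to the next mail server; it does not encrypt the message at rest or guarantee the recipient’s own downstream path.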

The Inconvenience of Encryption

In addition to the risk that an email containing PHI may be delivered unencrypted or not delivered at all, encrypting emails before sending them can be inconvenient if encryption is not included by default. For example, when sending an email using Microsoft IRM encryption, it can take several additional steps to encrypt the email before sending it.

For members of the workforce who send both encrypted and unencrypted emails – or who do not know what HIPAA considers PHI – this can lead to situations in which the encryption step is omitted or forgotten. It can also lead to situations in which emails are encrypted unnecessarily – which is not necessarily bad, as it demonstrates the user’s security awareness.

However, when recipients receive encrypted emails and have to go through several steps to open them, this can have consequences for how busy healthcare professionals prioritize reading their emails. It can also have consequences for patients who do not have the technical knowledge to open the emails with a different web application or passcode.

How Paubox Overcomes These Issues

At the “Standard” subscription level, Paubox is a mail encryption solution that is deployed between users and the organization’s mail gateway. All emails are encrypted by default using TLS encryption – the encryption standard most widely compatible with other mail systems – and, if an email cannot be delivered over TLS, the recipient completes a one-click process to read it via a browser window.

Organizations that want to better protect email accounts can upgrade to a “Business Plus” subscription that includes an AI-powered blacklist bot to check inbound emails for spam, malware, and ransomware, protection against display name spoofing attacks, and geofencing to block emails from overseas. Add-ons to this subscription include secure email archiving, email data loss prevention, and voicemail transcriptions.

Is Paubox HIPAA Compliant?

With regard to the question of whether Paubox is HIPAA compliant: no software is compliant “out of the box”. To make Paubox HIPAA compliant, system administrators must deploy Paubox in front of the organization’s mail gateway and configure its settings to comply with HIPAA. This is a straightforward process that can be completed with minimal disruption to email flows. Configuration guides for different email applications are available online.

Before using the software to create, receive, store, or transmit PHI, it is also necessary to agree to the terms of the Paubox Business Associate Agreement. Although the Agreement is standard for software vendors, it is advisable to review the Agreement and seek professional compliance advice if you have concerns. It is also advisable to seek professional compliance advice if you have any questions about HIPAA compliant email or HIPAA compliance in general.