You may have heard rumblings about a big movement in the email provider world, with a lot of community leadership from Google, for different email companies to start encrypting the emails that they send out around the Internet. The grumblings are true! Like many such things, however, the practical application of this development is still limited. But we believe that it has grown useful enough to finally release an article on it. So here it goes.
There are a number of ways to refer to this movement towards encrypting emails as they travel over the Internet, and Google calls it “safer email.” So we’re going to use the same moniker.
Many of our readers are pragmatists, so let’s first lay out how safer email actually helps our practices. We’ve identified these two ways in which it is directly helpful right now, at the time of writing:
- When doing your collaborative risk analysis with clients around using conventional email, you can include a look at whether or not the client’s email service engages in sending safer emails. That could indicate that exchanging emails with this client is much lower risk than if they didn’t have an email service that supports safer emails. This can be also helpful when making initial contact with prospective clients or using a service that provides automatic appointment reminders to clients. (If you’re not sure what we’re referring to, see our article on using nonsecure emails and texts with clients.)
- If a client’s main email service doesn’t do safer emails, maybe they have an alternate email address at a service that does do it. They can communicate with you using that email address instead.
When choosing your own email service, you likely want one that engages in sending safer emails. As a blanket statement, however, pretty much any email service that will sign a Business Associate Agreement is very likely to engage in safer emailing. Most cloud services that serve health care providers, e.g. practice management systems and the like, use email services that do safer emails. If you’re not sure, you can ask them or look them up in Google’s safer email transparency report.
Please note that getting a service that engages in safer email is not equivalent, in terms of your HIPAA compliance setup, to getting a secure email service. It can certainly help, however.
What Is This “Safer Email” Thing?
I’m glad you asked. Here is a quick explanation.
Imagine the process of sending an email:
- You write an email, using an imaginary service called MyMail, that is addressed to your client. Your client uses an imaginary service called TheirMail.
- MyMail then uses the Internet to create a connection to TheirMail.
- MyMail uses this connection to send your email to TheirMail, who then passes it on to the client.
Normally this connection between the two email providers is unprotected, and your emails are exposed to some of the Internet’s prying eyes in the process.
Well, there is a way for any Internet-based exchange to be done using an “encrypted tunnel,” so that anything sent during that exchange goes through the tunnel, and is protected from the prying eyes of the Internet by the magical powers of encryption. Wouldn’t it be great if the email providers that we all rely on used these encrypted tunnels when they talked to each other?
Well, the safer email movement is an effort on the part of many companies to start using these encrypted tunnels when they exchange emails with each other. Lots of companies have gotten on the bandwagon. No special equipment or services are needed from you — these companies just do it.
Remember that encryption is a two-player game, though. I can’t send you an encrypted message if you don’t have the decoder ring that decodes it, and vice versa. So companies have to actively cooperate to create these encrypted tunnels with each other. If just one company in the exchange isn’t able to do the encrypted tunnel thing, then neither of them can create the encrypted tunnel. If both of them are doing the encrypted tunnel thing, then they can protect your email with encryption while it is being exchanged across the open Internet.
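The "encrypted tunnel" between providers is, in concrete terms, TLS negotiated through SMTP's STARTTLS extension, and the two-player rule above falls straight out of how that negotiation works. The toy model below is an added example, not code from the original article: MyMail and TheirMail are the article's imaginary providers, the EHLO replies are constructed, and the `require_tls` switch is an illustration of the "must be encrypted every time" stance, not a description of any real provider.

```python
"""Toy model of the safer-email hand-off between MyMail and TheirMail.

Added example, not code from the original article. The tunnel is TLS via
SMTP's STARTTLS extension; the EHLO replies below are constructed to look
like what a receiving server sends back when the sender says "EHLO".
"""
import re

# Constructed EHLO replies. Continuation lines start "250-", the last "250 ".
THEIRMAIL_EHLO = (
    "250-theirmail.example greets mymail.example\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)
OLDMAIL_EHLO = (  # a provider that has not joined the effort: no STARTTLS
    "250-oldmail.example greets mymail.example\r\n"
    "250-SIZE 10485760\r\n"
    "250 8BITMIME\r\n"
)

def ehlo_capabilities(reply: str) -> set:
    """Return the extension keywords a server advertises in its EHLO reply."""
    caps = set()
    for i, line in enumerate(reply.splitlines()):
        m = re.match(r"^250[- ](.*)$", line)
        if not m:
            raise ValueError(f"not a 250 reply line: {line!r}")
        if i == 0:
            continue  # first line is the greeting, not a capability
        words = m.group(1).split()
        if words:
            caps.add(words[0].upper())
    return caps

def can_build_tunnel(sender_does_tls: bool, receiver_ehlo: str) -> bool:
    """The two-player rule: a tunnel needs STARTTLS on both ends."""
    return sender_does_tls and "STARTTLS" in ehlo_capabilities(receiver_ehlo)

def deliver(sender_does_tls: bool, receiver_ehlo: str, require_tls: bool = False) -> str:
    """Outcome of one hand-off. Default is opportunistic: encrypt when both sides
    can, otherwise fall back to plaintext silently (the unprotected share in the
    article). require_tls (hypothetical) refuses to send rather than go in the clear."""
    if can_build_tunnel(sender_does_tls, receiver_ehlo):
        return "encrypted"
    return "refused" if require_tls else "plaintext"

if __name__ == "__main__":
    print(deliver(True, THEIRMAIL_EHLO))       # both sides ready -> encrypted
    print(deliver(True, OLDMAIL_EHLO))         # receiver can't -> plaintext
    print(deliver(False, THEIRMAIL_EHLO))      # sender can't -> plaintext
    print(deliver(True, OLDMAIL_EHLO, True))   # refused instead of plaintext
```

The silent plaintext fallback is the reason a single provider can report a high percentage yet never promise 100%: the sender learns only at connection time whether the other side can hold up its end.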
You can see Google’s report on companies that seem to be participating in the effort here: Google Transparency Report: Explore the Data. The report only shows companies that exchange a lot of emails with Google, so your company may not be on there. In that case, you can contact your provider and ask them if their email service is set up to do safer emails as described on Google’s page.
Rob Reinhardt describes how to recognize the use of encrypted email tunnels in GMail in this article.
We briefly touch on this encrypted tunnel effort in our article on email and HIPAA compliance here.
Please do bear in mind that safer emails do not remove the need for a Business Associate Agreement with your email provider. They also don’t address all the risks of using email with clients. For example, emails to a client who has an abusive spouse create a danger for that client whether the emails are encrypted or not.
So I Just Need to Get a Service That Does Safer Email? Do I Still Need a Secure Email Provider?
Here’s the problem that still exists with the safer email effort:
Not every company participates in this encrypted tunnel effort, and those that do don’t manage it on every message. At the time of writing (Feb 2017), the Google report indicated that ~84% of the emails they send and receive travel through an encrypted tunnel. That’s pretty darn good! But it means about 1 in 5 emails was sent with no protection whatsoever.
We need to know that 100% of the HIPAA-covered messages we send are secured in order to lean on it for our HIPAA compliance and ethical needs. That’s why the safer email movement doesn’t yet work as a replacement for the secure email services we employ in our practices. It does, however, enhance our potential to meet clients where they are with technology and collaborate around email security with them, facilitate easier communication with them, and possibly not have to sacrifice security in the process.