Important: HIPAApropriateness reviews, including their summaries, are for informational purposes only. They are neither consultation nor legal advice. Be aware that while we do our best to be thorough and complete, information may be missing or possibly even inaccurate. Products also change quickly, and the review may become out of date. By continuing to read, you agree to use the information in HIPAApropriateness reviews and their summaries at your own risk.

Vital Stats

HIPAA compliance with this product appears possible?: Yes.
Recommend for your HIPAA risk management needs?: Yes. However, there are important caveats and notes to heed
# of Caveats: 2 view caveats→
# of Usage Notes: 2 view notes→

Relevant Product Characteristics

  • This product is designed specifically with the healthcare industry in mind.
  • The leadership or management behind this product includes at least one health care professional (but no mental/behavioral health professionals that we could find.)

What Is This Product?

Paubox Encrypted EmailFirst, an explanation. Paubox’ real value can be hard to understand because we, their customers, don’t know about the thing I’m about to explain. So let me explain it:

There is a big movement in the email provider world, with a lot of community leadership from Google, for different email provider companies to start using encryption when they exchange customers’ emails with each other.

Imagine the process:

  1. You write an email, using Email Provider A, that is addressed to your client, who uses Email Provider B.
  2. Email Provider A then uses the Internet to create a connection to Email Provider B.
  3. Email Provider A uses this connection to send your email to Email Provider B, who passes it on to the client.

Normally this connection between email providers is unprotected, and your emails are exposed to some of the Internet’s prying eyes in the process.

Well, there is a way for any Internet-based exchange to be done using an “encrypted tunnel,” so that anything sent during that exchange goes through the tunnel, and is protected from the prying eyes of the Internet by the magical powers of encryption. Wouldn’t it be great if the email providers that we all rely on used these encrypted tunnels when they talked to each other? (More on that below.)

When you use a website, and you see the little lock icon in the corner of your web browser, you are using one of those encrypted tunnels to exchange information with that website. Most of the time these encrypted tunnels are referred to as “TLS,” although they used to be called “SSL.” Some places still use SSL encrypted tunnels, but it is on its way out. TLS is strongly preferred and it is what we want our email companies to use when they exchange our emails with each other.

Well, many email provider companies are getting involved in an effort to start using TLS encrypted tunnels when they exchange customers’ emails with each other. Lots of companies have gotten on the bandwagon, which means quite a few companies already use TLS encrypted tunnel connections when they exchange customers’ emails with each other. No special equipment or services are needed from you — these companies just do it.

Remember that encryption is a two-player game, though. I can’t send you an encrypted message if you don’t have the decoder ring that decodes it, and vice versa. So companies have to actively cooperate to create these encrypted tunnels with each other. If one company in the exchange doesn’t do the TLS encrypted tunnel thing, then neither of them can create the encrypted tunnel. If both of them are doing the TLS thing, then they can create the tunnel and your email will be protected by encryption while it is being exchanged across the Internet by these companies.

You can see Google’s report on companies that seem to be participating in the effort here: Google Transparency Report: Explore the Data

(Paubox is definitely on that list. That’s an important part of the value they offer.)

Rob Reinhardt describes how to recognize the use of encrypted email tunnels in GMail in this article here.

We talk about this encrypted tunnel effort in our article on email and HIPAA compliance here.

Here’s the still extant problem with this big effort, and it explains what Paubox’s value is:

Not every company participates in this encrypted tunnel effort and not at all times. At the time of writing (Oct 2016), the Google report indicated that ~80% of the emails they send and receive travel through a TLS encrypted tunnel. That’s pretty darn good! But it means 1 in 5 emails was sent with no protection whatsoever. We need to know that 100% of the HIPAA-covered messages we send are secured.

This is Paubox’ idea: like so many other companies, they participate in using TLS encrypted tunnels. But when the company on the other side of the exchange refuses to make a tunnel with them, Paubox doesn’t fall back on sending unencrypted emails (which is what most companies would do.) Instead, they fall back on using secure messaging. So Paubox never sends your message without some kind of protection.

The difference between encrypted emails and secure messaging becomes of vital importance here. Secure messaging is the thing where people click a link to visit a website, enter a password (usually), and then see their message. Your doctor probably uses this to send you stuff through a “patient portal” where you had to make an account some time ago. Most people find it annoying, but it’s a pretty secure way to send messages. In some ways, it’s actually more secure than the TLS encrypted tunnel thing.

(This can be a point of confusion, because many people use the phrases “encrypted email” and “secure messaging” interchangeably, despite them being two very different things. To understand Paubox’ value and to use it without compromising your client’s safety and your own HIPAA compliance, you need to know the difference.)

Paubox uses secure messaging as a fallback for situations where the other side of an email exchange won’t do the TLS encrypted tunnel thing. It’s a good service idea, and may be a great fit for your risk management plan. They refer to this as “seamless encryption,” although we have some quibbles with their characterization of it. Those quibbles are in the caveats, below.

Despite our quibbles, it appears, with good evidence, that Paubox can be used quite easily for secure email that meets your HIPAA compliance needs if you use it correctly. Thus our thumbs up verdict.

This product offers a free service tier or a free trial account:

We encourage all clinicians interested in this product to try out the free trial or experiment with the free tier to see if it suits your needs.

If you discover anything of concern that isn’t addressed in this review yet, please tell Liath about it at info@personcenteredtech.com.

Caveats

Caveats are criticsms of the company or product that we feel are relevant to your risk management or other important considerations.

1) Paubox’ marketing statements imply that when messages are exchanged using a TLS encrypted tunnel, Paubox is solely responsible for creating the tunnel. This is not the case.

When a TLS encrypted tunnel is used, Paubox puts a message at the bottom of emails stating that the email was encrypted by Paubox. We want you to be aware that these messages are collaboratively encrypted by both Paubox and the other company you’re exchanging emails with. Purchasing Paubox services is not required to get this feature.

Paubox does, however, offer the fallback to secure messaging. Normal services do not offer that. Also, Paubox automatically determines if a secure message is needed or not. So you won’t accidentally send any unencrypted emails if you use Paubox. That’s definitely a good thing and valuable, despite the confusing marketing statement.

2) Marketing and support statements imply that when Paubox falls back to a secure message, any replies to the notification email that are sent as part of the secure message will be automatically encrypted.

Importantly, we know what Paubox is trying to say here and it’s completely sensible, but we also know that many non-techies who use Paubox will be confused by this statement in potentially dangerous ways.

When Paubox falls back on sending a secure message, part of making that secure message is to send a boilerplate notification email to your client (or whoever you’re emailing.) This notification email states that there is a secure message waiting for them at the Paubox site, and it contains a link they can click to go read the message.

If the client (or whoever you’re emailing) were to click “reply” in their email program after receiving this notification, that reply would not be secured at all. It would be an ordinary email reply (we can’t say who the reply would go to, however.)

However, if they click the link in the email and go read the secure message on the Paubox website, Paubox does give them a chance to securely reply from there. This is likely what they mean when they say, “If the recipient replies to this message, the reply is always encrypted.”

Notes

Notes cover points where the product can’t ensure compliance or ethical action for you. These help you know what your part of the compliance puzzle looks like when using this product. A high note count usually correlates with a feature-rich product, and not necessarily with a product that has problems.

1) Encrypted emails are not safe for clients who live in certain circumstances. Secure messages can offer better safety for those clients.

This is not a criticism of Paubox. For many clients, the TLS encrypted tunnel creates a wonderful balance of security and convenience that can be quite therapy affirming.

However, encrypted emails are only protected from the Internet’s hackery interlopers. After they arrive in the client’s Inbox, they can be read by anyone with access to the Inbox. Secure messages never make it to the client’s Inbox at all. They only exist on the site where the therapist has his or her secure messaging service (in this case, that would mean on the Paubox website.)

When a client receives your messages in their Inbox, consider that some or all of the following may have access to those messages:

  • Employers (if it’s a work address)
  • School administrators (if it’s a school address)
  • People in the client’s home life, including abusers
  • Other people who have physical access to clients’ phones or computers

Importantly, the issues we describe in this caveat are probably not necessary for you to consider under HIPAA. Once your email arrives at the client’s email provider, HIPAA lets you off the hook. This is why Paubox and every other company like Paubox doesn’t need to worry about what happens once the message lans in the client’s Inbox. At that point, your HIPAA needs are covered.

Your ethical needs, however, and your concern for your clients’ safety, are another one.

The solution here is simple, however. Include each client in risk analysis and determine if TLS encrypted tunnels work for them (they probably will for most clients), or if you need to stick to just secure messaging with them.

We don’t know if Paubox can be set so that certain clients only receive secure messages, but it’s worth asking their support staff about it.

2) Require passwords for recipient whose don’t support the TLS encrypted tunnel

By default, Paubox’ fallback secure messaging service does not require recipients to enter a password or do any other authentication in order to read your message on the Paubox website. Paubox refers to this as “seamless encryption.”

To describe it as Paubox’ website does:

  • You send a message with Paubox
  • Paubox determines that the recipient doesn’t do TLS encrypted tunnels, so it falls back to a secure message.
  • Paubox sends the notification email for this secure message, which contains a link to go read the message on Paubox’s site.
  • Your recipient clicks the link.
  • Paubox shows them the message without first requiring a password or other authentication.

This is certainly convenient, but not necessarily secure. The notification email is sent across the Internet without any protection. If an Internet prying eye were to follow the link in the email, they could read the message.

The sales people tell us that you have the option to require that people who use the secure messaging feature must enter a password before they can read their messages. We strongly urge you to activate this, as we don’t believe that the default behavior of Paubox is, in this case, secure in the ways we need it to be.