HIPAA Compliant Email

HIPAA compliant email is the most convenient way to transmit patient health information (PHI) electronically between individuals, organizations, and agencies in the healthcare industry. All healthcare professionals are required by law to protect the privacy and security of health information. The use of free email services, personal email addresses, or even hosted email services from reputable web hosting companies and cloud service providers generally does not meet HIPAA requirements.

HIPAA violations can result in penalties up to $1.5 million and criminal charges filed against the individual(s) responsible for a breach of PHI.

Many people make the mistake of thinking they will have HIPAA compliant email by simply deploying an encryption solution. What they fail to understand is there are several components required to have HIPAA compliant email. Our team of Certified HIPAA Security Experts have engineered our email service from the ground up to comply with the standards of the HIPAA Privacy Rule and HIPAA Security Rule. We have gone through training for certification, and have identified the following requirements for HIPAA compliant email.

HIPAA Compliant Email Requirements


  1. Access Control. The email server that stores and transmits your email must be physically secured. Running your own email server inside a locked closet at your company does not meet this requirement as anyone can break in and steal your hardware. In addition to physical safeguards, you must have full control over any person who can access that email server, either physically or remotely.

    Email Pros owns and operates our own infrastructure in our state-of-the-art datacenter here in Irvine, California. Our fully-staffed datacenter is one of the best in the world with the following certifications: SSAE 16, SOC 1 Type 2, SOC 2 Type II, SOC 3, PCI DSS 3.0, and the Uptime Institute M&O Stamp of Approval. We have security guards on duty and video surveillance 24/7/365. In order to gain physical access to our servers, a person must have a keycard to enter the building, check-in with Security, pass through several mantraps, and only authorized persons are allowed to enter specific areas after passing a biometric verification. We have full control over who can access data on our servers.
  2. Privacy Control. Free email service providers give you free email solely for the purpose of tracking your usage and scanning your data so they can advertise to you, they don’t care about your privacy or data security. The use of email from Internet Service Providers, Web Hosting companies, and Cloud Service Providers does not meet this requirement because they don't care about your privacy or data security either, you have no control over where your data is stored, where your data is replicated to, and who has access to that data.

    Email Pros ensures your data is private and secure, we do not outsource our billing, customer service, or technical support. Our internal systems cannot be accessed off-site. Your phone calls and support emails will never be answered by a call center overseas. We are proud to be an American Company, and you will always be helped by a highly-trained staff member here in Southern California. All our employees are college educated, they must pass an extensive national, federal, and county criminal background check. We make sure they are not a sex offender or on a terrorist watch list, and they must also pass a rigorous drug screening. Rest assured - your data is in good hands.
  3. Audit Controls. HIPAA requires a log for everything, and those logs must be kept for a minimum of 6 years. In the event of a breach, the logs will help identify where the breach occurred and who was responsible for the breach. Email Pros keeps a log of who enters and leaves our datacenter, who opens and closes a door, who goes in and out of our server cages, and who logs on and off of our server systems. We keep a log of all email activity including user IDs, timestamps, sender and recipient addresses, type of encryption, login attempts, and more. In an effort to protect our customers from unauthorized access, we also monitor and log all failed login attempts, suspected hacking activity, and password resets. Every single transaction in our billing system, ticketing system, and control panel is also logged.
  4. Integrity Controls. Every email sent and received must be authentic and not improperly altered. The storage of data on any server must have the highest integrity to prevent data loss. Email Pros digitally signs all outgoing email to ensure recipients receive genuine email from our customers that originated from our servers. All outgoing emails go through our Data Loss Prevention (DLP) system to ensure that sensitive information such as social security numbers don’t get sent in clear text. We run our own DNS infrastructure with DNSSEC and DDOS protection to ensure that all incoming emails get routed to our customers without any man-in-the-middle attacks. To protect the integrity of your data, we only use the best All-Flash Array data storage systems featuring Enterprise Solid State Drives (SSD). Everything is N+1 redundant here, including power, network, and data storage.
  5. Transmission Security. Emails must be sent over an encrypted connection and/or sent encrypted at rest. Email Pros uses the highest level of encryption available provided by Digicert to transmit data over the internet with Transport Layer Security (TLS) 1.2 and 256-bit AES Encryption. We also provide advanced features such as the ability to send secure attachments with Secure File Link, and password protected encrypted messages. Digicert goes through a vigorous process to check a company’s business registration, location, phone number, and owner, to make sure a business is legitimate before they issue an Extended Validation encryption certificate. Take a look at your address bar, you should see Email Pros, Inc. in green. That stamp means we are who we say we are, and we have been verified by one of the top security companies in the world.
  6. Business Associate Agreement (BAA). A Business Associate Agreement is the legal documentation necessary to prove that you have HIPAA compliant email. A signed BAA is required between you and your email service provider in order to achieve HIPAA compliant email. Email Pros’ BAA was professionally written by a HIPAA and Healthcare Specialized Law Firm, which outlines the permitted and required uses of protected health information by us. In a nutshell, our BAA ensures that we do not access your data for any other purpose than administration and support, and that your data is completely private, secure, and confidential on our servers. We provide our BAA to our customers free of charge. The BAA is conveniently signed online with an e-signature through Adobe Sign after a customer signs up. During an audit, you will need to present the BAA to the auditor.

HIPAA Email Archiving

Though HIPAA puts forth some standards for sending PHI via emails, it doesn't stipulate specific regulations regarding email archiving. It does recommend archiving email in a safe and comprehensive manner since the archiving of emails (carrying PHI) contributes to making electronic patient health information (e-PHI) more secure.

Our Advanced Email Archiving System allows easy retrieval of emails beyond the mandated preservation period of e-PHI for six years, we will archive your data indefinitely as long as you are a customer.

Why should you archive emails?

Your Personal Email Is Not Secure

Switch to HIPAA Compliant Email Today