HIPAA Email Compliance

Protected Health Information (PHI)

HIPAA defines PHI as the health information of an individual that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers such as name, address, birth date, social security number, etc. Individually identifiable health information relates to the past, present, or future information regarding:

HIPAA HITECH legislation and Email - Important factors and main technical safeguards:

  • Business Associate Agreement. A BAA has to be signed by the service provider and the covered entity.
  • Access Control. This includes Unique User Identification, Two-Factor Authentication (2FA), Emergency Access Control, Automatic Logoff, and Encryption and Decryption.
  • Audit Controls to track user access and file access.
  • Person or Entity Authentication
  • Transmission Security including Integrity Controls and Encryption.
  • Device and Media Controls including data backup, data storage, and data disposal.

Where can I find the official document for the Federal HIPAA HITECH legislation?

The HITECH legislation is Title XIII of the 2009 American Recovery and Reinvestment Act. It can be found on page 112 in the official document at: http://www.gpo.gov/fdsys/pkg/BILLS-111hr1enr/pdf/BILLS-111hr1enr.pdf

Is an encrypted email HIPAA compliant?

The Security Rule of the original HIPAA legislation permits covered entities to use email as a way to electronically transmit protected health information (PHI) and requires that steps be taken to protect those transmissions.

How is MDofficeMail HIPAA compliant?

MDofficeMail is HIPAA compliant by virtue of the following features:

  • HIPAA Business Associate Agreement is signed with clients.
  • SSL connection is strictly enforced for all services, at both the sender's and the recipient's end. This cannot be modified even by the Account Administrators.
  • Encryption is strictly enforced for all outbound messages unless the user manually overrides it.
  • Messages can be viewed or downloaded only by establishing SSL connection.
  • Recipients can reply securely without having a secure email account.
  • Facility to validate a new recipient. The new recipient needs to enter a 6-digit code to access the email received. This randomly generated, recipient-specific code can be provided only by the sender.
  • Minimum password length and complexity is enforced.
  • Automatic Webmail session timeout is enforced.
  • Encrypted emails sent can be force expired at any time.
  • Encrypted emails sent will automatically get deleted after a fixed time.
  • Automatic session timeout is enforced for message viewing page of MDVault.
  • Legal archiving: All emails are archived remotely for a specified length of time, up to 7 years. These emails cannot be edited or deleted. As long as the user is active, archived messages can be viewed and downloaded.
  • Emergency Access Procedure: PHI in email communications can be accessed from any location via the Internet. There are also mechanisms for authorized administrators to access account data.
  • Audit Controls: Audit reports of all logins to WebMail, POP, IMAP, and SMTP services are available to administrators. Reports include the date, time, and the IP address from which logins were made.

Subject line of email message - HIPAA email compliance

As the subject line of an email message is not encrypted, users should never include PHI in the subject line.

Dedicated servers - HIPAA email compliance

Though MDofficeMail is hosted on dedicated servers, HIPAA has no explicit requirement for this. HIPAA law is 'technology neutral' in that it makes no specific requirements for the implementation of technical security, e.g. the level of encryption (128 bits or 256 bits), the encryption type (RSA, AES, etc.), the level of auditing, etc. The security restrictions MDofficeMail enforces ensure that all the hosted accounts meet the Technical Safeguards of the HIPAA Security Rule.

MDVault helps to send HIPAA-compliant, encrypted messages to any recipient, for end-to-end protection.

Email archives, Data backup, Calendar, File sharing, Access logs, Audit files, Spam control, Virus protection, Auto migration and...

Email Your Doc

Anyone can send a secure message to an MDofficeMail user!
Just go to the webpage, compose and send!

Make your existing email account secure and HIPAA compliant with our Email Encryption Service...

Secure Fax

No more fax machines or telephone lines. Subscribe to MDfax to send and receive HIPAA compliant fax from your email or desktop...