
Let’s face it – most people do not like encrypted email. It’s not surprising that encrypted email use is a major area of HIPAA non-compliance in developmental disability boards.

Secure email is usually not intuitive for the sender – such as a support administrator – to use or remember.

“Do I have to type SECURE or [SECURE] or [ENCRYPT] at the start of the email subject? I can’t remember!”

If your organization decides to automatically encrypt some emails based on keywords in the email body, then you need to go through the challenges of defining the appropriate keyword list and dealing with the various false-positive emails that were encrypted when they didn’t need to be.

The experience is often more challenging for the email recipient, since in most solutions the recipient has to create and remember a login for the encrypted email portal. In the best-case scenario, the recipient is a provider or at a state agency. They may not have trouble navigating the portal account setup process, but they now have yet another login to keep track of. The other common scenarios are emailing an individual with intellectual disabilities or an individual’s family member or caretaker. These folks have a wide variety of technological capabilities, and many have a hard time with the extra steps of encrypted emails.

Sender frustration, recipient frustration, or just a lack of response – this combination of struggles on both ends of the experience leads to a high degree of HIPAA and policy non-compliance for encrypted email use. Many support administrators at a variety of DD boards have shared stories with us at Eagle about individuals or family members unable to access a secure email even after additional guidance. Considering the number of SAs who have confided in us that text messages are the only reliable way to contact some of the individuals and families they serve, it’s no surprise that encrypted email is a problem!

Again, we’ve heard plenty of stories from DD board employees that when they and their recipients had trouble with an encrypted email, they would just send it unencrypted instead. A few admitted that they’ve sent the email from their personal accounts to get around any auto-encrypt keyword rules the board might have in place. The reality for support administrators and other encrypted email users is that they are just trying to do their jobs and transmit information or coordinate care, and at the end of the day, that email needs to have been sent – and received – in a timely manner, even if how they sent it isn’t perfect.

I get it, and I’m not passing judgment. It is a tension between the board’s legal data protection responsibilities and the messy realities of trying to provide care and service to individuals.

As leaders and managers in your organization, consider how to alleviate frustrations in order to improve everyone’s experience and therefore increase compliance.

Characteristics of Ideal Encrypted Email Service

First and foremost, any email encryption service needs to sign a business associate agreement with you and be able to address your other compliance needs. A second consideration is providing a simple sender experience, usually by integrating into your email client. And a third consideration is providing a reliable and positive recipient experience.

Common Email Encryption Solutions

Microsoft includes an encryption solution as an optional part of its Office 365 package. It typically triggers encryption based on a keyword in the subject line, and it requires the recipient to create a login account in order to access the message. Automatic encryption rules are also an option. Microsoft automatically includes a Business Associate Agreement in their contracts with any covered entity.

Other commonly used providers include Zix, Echoworx, and Barracuda. Each of these offers various features comparable to Microsoft. Price, implementation details, and extra features might differentiate one of these for your organization.

ShareFile is an encrypted email provider doing things a little bit differently. It may be a helpful solution for DD boards to consider.

  • ShareFile can require only the recipient’s name and email for decryption. This option is simpler for most recipients while still maintaining compliance. The usual option to require a login is also available.
  • Plugins for Outlook and Outlook Online add an encryption button right next to the Send button, making it simple for users to know they are sending an encrypted email. All they need to do is click the plugin’s padlock button to “Send Secure.”
  • Senders also have the option to encrypt only attachments rather than an entire email, providing a simple and secure file-sharing option.

Easy sending of encrypted emails.

Security settings for encrypted ShareFile emails.

Recipient accessing encrypted ShareFile email.

Conclusion

Whatever service you use for email encryption, boost your compliance by regularly reviewing user experience. What frustrations do your employees have with your current setup? What do your recipients think? Addressing pain points will go a long way toward improving utilization.

Finally, consider whether ShareFile or one of the other services mentioned here might make sense for your organization.

Disclaimer: This is not a sponsored post, and we do not have a financial stake in any email encryption provider. We are just highlighting services that may be beneficial to our clients.

About Mike Owens

Mike is a consultant at Eagle Consulting helping hospitals and medical practices protect their patients through risk analysis and HIPAA information security consulting. He brings experience in managing operations for the logistics and supply chain systems of a federal government agency, helping over 36,000 users worldwide with business process training and related system needs.
