Product names don't get much simpler than Private Email, a "web-based business hosting solution." But as we've learned, the definition of "private" can vary, especially for covered entities trying to comply with the HIPAA Privacy Rule. Private Email promises "everything you need for simple and secure web-based email hosting wrapped in a fast, lightweight interface." But can they deliver for healthcare?
Who is Private Email?
As it turns out, Private Email isn't a company. The name, domain name, and landing page at privateemail.com provide no owner, copyright, or "about us" information at all. In fact, the typical links to a terms of use or privacy policy are also missing. All you have to do is click on any of the links on the site to realize that Private Email is just a subsidiary brand of Namecheap, a company whose primary business is registering domain names and hosting websites. When you click on the bright yellow "Try It Free!" button on the Private Email site, you're taken to Namecheap's Business Email Hosting Service page. And you'll have to scroll down to the bottom to see "Private Email" mentioned again, where it's called "Namecheap Private Email." The product is described as"a collaborative and cloud-based email solution" that includes shared folders, group scheduling, task management, and file and data sharing.
How does Namecheap Private Email work?
While the Namecheap site provides a lot of information on the many features and settings available to Namecheap Private Email customers, none of them mention privacy or security. The company has published a support article " What is Namecheap Private Email," which notes that it is powered by Open-Xchange, "cloud-based open-source collaboration software." Open-Xchange can be downloaded and installed for free, and in fact, it provides a product called OX Cloud specifically to companies like Namecheap with features that can specifically be resold as "premium features." Notably, Open-Xchange email is not encrypted by default. There is an add-on called OX Guard that uses the PGP standard, but PGP has its flaws. And Namecheap's implementation does not appear to include it, anyway.
Is Private Email HIPAA compliant?
Private Email is just a subsidiary brand of Namecheap, which is using freely available software to provide email hosting. And despite the word "private," there appear to be no particular features related to email security, including encryption. Not surprisingly, there is also no mention of HIPAA or a business associate agreement. We are quite confident in determining that Namecheap Private Email is not a HIPAA compliant email provider.