by Ryan Ozawa

Is PrivateMail HIPAA compliant?

If you want to keep your email private, it makes sense that you’d find your way to PrivateMail.

Not to be confused with Snapnames Private Email (at privateemail.com instead of privatemail.com), PrivateMail specializes in encrypted email and encrypted cloud storage.

To keep the contents of your messages and attachments secure, email encryption is a must. But if you’re a covered entity trying to comply with the HIPAA Privacy Rule, there are a few more things to consider.

“You don’t have to be a Scientific Genius to use PrivateMail,” according to the website. But what if you’re a healthcare provider?

Who is PrivateMail?

The “About Us” link on the PrivateMail site doesn’t go anywhere, but we do know that it comes from the makers of TorGuard, a popular virtual private network (VPN) provider.

And the company says it can’t access your inbox or files even if it wanted to. “We don’t have access to your encryption keys, we can’t read your emails, and we have no idea what’s in your encrypted cloud storage, because it’s mathematically impossible,” the company explains.

What does PrivateMail offer?

PrivateMail has downloadable apps for most major platforms. In addition to a limited free service tier that offers 100MB of email and file storage, PrivateMail has paid service tiers that offer up to 100GB of storage, and several other features are available in addition to email.

How does PrivateMail work?

PrivateMail uses the OpenPGP encryption standard for its services. It does not own the encryption technology it uses. Nobody does. OpenPGP is open source: free to use, audit, and modify.

Based on a private, commercial software package called PGP (“pretty good privacy”), OpenPGP was born in 1997 and is today the standard for most of the world’s encrypted email. These standards can be implemented by any company without paying licensing fees to anyone.

To be clear, OpenPGP is not a company, and its technology relies on a global community of developers to build and maintain tools to integrate it with more mainstream email applications.

What does using OpenPGP mean for users?

The advantage of OpenPGP is that the encryption and decryption of your email and data are handled locally, on your device or computer instead of in the cloud.

The disadvantage is that managing OpenPGP encryption keys is complex. PrivateMail offers a key manager, but that’s not something a typical consumer would know how to use. Many technology professionals don’t.

“It has features competitors lack, but it’s expensive and harder to set up than others,” noted PC Magazine in its review of PrivateMail. “It can only share plain-text messages, and the process of setting up for encrypted message exchange involves a lot of manual labor, where competitors automate the process.”

Is OpenPGP secure?

While OpenPGP is widely used, security flaws discovered as recently as 2018 prompted security researchers to recommend disabling PGP.

More troublingly, OpenPGP encryption only works if both sender and recipient use it. Microsoft 365 and Google only support PGP if the user installs a plugin, which few of your patients will do. That means your PrivateMail messages will be unreadable or will end up being sent unencrypted and unsecured.

Is PrivateMail HIPAA compliant?

PrivateMail says on its website that it can be used to send HIPAA compliant email. While that may be technically true, we can find no information on whether PrivateMail will sign a business associate agreement (BAA), which is required from any business associate accessing protected health information (PHI).

On top of that, its encryption technology is cumbersome to use and subject to security vulnerabilities. If your patient’s email address doesn’t support PGP (and it probably doesn’t), they will not receive your email in a secure manner, which leaves you open to a HIPAA violation.

A better option is Paubox Email Suite, which leverages TLS 1.2 and 1.3 encryption protocols, per the NSA’s latest guidelines. HIPAA compliant messages are delivered directly to your patients’ inboxes via our patented delivery method.

Try Paubox Email Suite for FREE today.