OCR’s Notice of Proposed Rulemaking

Wondering about the status of OCR’s Notice of Proposed Rulemaking? OCR announced the proposed rulemaking in December 2020. Although the proposal was not technically subject to the “regulatory freeze” by the Biden administration, it was effectively delayed because OCR extended the public comment period until May 2021.

OCR’s NPRM to modify HIPAA

On January 21, 2021, OCR published a Notice of Proposed Rulemaking (NPRM) to modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to support individuals’ engagement in their healthcare, remove barriers to coordinated care, and decrease regulatory burdens on the healthcare industry, while continuing to protect individuals’ health information privacy interests.

OCR developed many of the proposals in the NPRM in response to public comments on its 2018 Request for Information (RFI) on Modifying the HIPAA Rules to Improve Coordinated Care.

The NPRM’s proposed changes to the Privacy Rule include proposals to:

  • Strengthen individuals’ rights to access their own health information, including electronic information.
  • Improve information sharing for care coordination and case management for individuals.
  • Facilitate family and caregiver involvement in the care of individuals experiencing emergencies or health crises.
  • Enhance flexibilities for disclosures in emergency or threatening circumstances, such as the opioid and COVID-19 public health emergencies.
  • Reduce administrative burdens on HIPAA covered healthcare providers and health plans.

The estimated total cost saving from this proposed regulatory reform is $3.2 billion over five years.

Wondering about the status of OCR’s Notice of Proposed Rulemaking?

On January 21, 2021, the NPRM for the proposed HIPAA privacy rule changes was published in the Federal Register. The deadline for submitting comments on the 357-page proposal was March 22, 2021. Almost everyone interacting with healthcare systems will be affected by the proposed changes to the HIPAA Privacy Rule. In light of the potential impact of the proposed HIPAA changes, the deadline for submitting comments was extended to May 6, 2021. OCR has not yet provided a date for when the Final Rule will be issued, but it is likely to result in HIPAA changes in 2023, although they may not become enforceable until 2024.

Paubox takes the stress out of HIPAA compliance and email

Paubox gives over 4,000 healthcare customers peace of mind by securing nearly 70,000,000 emails every month for providers and covered entities. Our technology is HITRUST CSF certified and rated 4.9/5.0 on G2. Trust the industry experts and start using email in your practice easily, securely and in compliance with HIPAA regulations.

Is it a HIPAA violation to email medical records?

Email offers a convenient way for patients and healthcare providers to communicate. At the same time, it can lead to concerns around keeping patient information and protected health information (PHI) secure in emails.

So, can providers safely email medical records while still remaining in HIPAA compliance? 

The following information will help you stay HIPAA compliant when sending medical records over email. Additionally, learn why you should use a secure email provider to ensure HIPAA compliance and ease of use for your practice and organization.

Can I email medical records? 

Yes, medical records can be sent over email as long as they are sufficiently protected and follow HIPAA email compliance. And strengthening your email security strategy is a good place to start. 

Does the HIPAA Security Rule allow medical records sent through email?

According to the U.S. Department of Health and Human Services (HHS), the HIPAA Security Rule does not explicitly prohibit using email to send electronic protected health information (ePHI). 

However, covered entities are required to implement certain policies and procedures based on HIPAA standards for access control, integrity and transmission security.

These measures must “restrict access to PHI, monitor how PHI is communicated, ensure the integrity of PHI at rest, ensure 100% message accountability and protect PHI from unauthorized access during transit.” 

How can I make sure that my emails are HIPAA compliant?

According to HIPAA email rules, ePHI must remain secure at rest and in transit. In order to accomplish this, organizations should use a HIPAA secure email provider that supports encryption. 

Encryption ensures that only the intended recipient can access the PHI included in the email. Even if an unauthorized individual successfully accesses the email, they will be unable to read the PHI contained within it. 

What is the difference between a HIPAA compliant email platform and a HIPAA capable one?

It is also important to keep in mind that there is a difference between a HIPAA compliant email platform and a HIPAA capable one. 

Although many popular email providers offer email encryption, they often are not HIPAA compliant until you configure additional features and sign a business associate agreement (BAA) with the company.

Is Gmail HIPAA compliant?

For instance, as of October 2022, Gmail encrypts 79% of sent emails. However, HIPAA requires 100% encryption for emails containing PHI. That 21% still gives cybercriminals an opening to intercept sensitive information in transit. 

Strengthen your provider email security with Paubox

The best way to safely send medical records over email is by using a third-party email security provider that encrypts 100% of the emails you send. That’s where Paubox Email Suite’s HIPAA compliant email service comes in. 

Make your email HIPAA compliant

Designed to seamlessly integrate with your existing email platforms, such as Google Workspace or Microsoft 365, Paubox Email Suite enables HIPAA compliant email by default and automatically encrypts every outbound message. This means you don’t have to spend time deciding which emails to encrypt. Your patients are able to receive your messages right in their inbox—no additional passwords or portals necessary. 

Protect your healthcare practice and organization from ransomware and inbound attacks

Along with enabling healthcare email encryption for compliance with HIPAA email rules, Paubox Email Suite’s Plus and Premium plan levels include robust inbound email security tools. These block malicious cyberattacks from reaching the inbox in the first place. 

Our patent-pending Zero Trust Email feature uses email AI to confirm that an email is legitimate. Additionally, our patented ExecProtect feature quickly intercepts display name spoofing attempts.

Need to email medical records?

Over 4,000 healthcare customers trust Paubox to secure nearly 70,000,000 emails each month. HIPAA compliant and HITRUST-CSF certified technology that’s rated 4.9/5.0 on G2. Start sending secure and HIPAA compliant email with medical records today.

HIPAA Compliant Email: The Definitive Guide [2023 update]

HIPAA compliance and email is a critical issue for healthcare. This guide answers all your questions about HIPAA compliant email to get you up and running quickly.

HIPAA Compliant Email: The Definitive Guide is your resource to give you a clear understanding of HIPAA, how to encrypt and secure email so it’s HIPAA compliant, and a concise but complete understanding of how HIPAA regulations impact healthcare email.

  1. What you need to know about HIPAA compliance for email
  2. Is it a HIPAA violation to email patient names?
  3. Does HIPAA allow healthcare providers to email patients?
  4. How to safely email patients.
  5. HIPAA email rules for compliance.
  6. How to secure your healthcare email today for peace of mind.

Table of contents

  1. What is HIPAA?
  2. HIPAA compliance and email
  3. The easiest way to send HIPAA compliant email
  4. Quick guide to HIPAA regulations and rules you need to know
  5. 2023 update to HIPAA email and compliance
  6. HIPAA violations, breaches and fines FAQ
  7. Answers to your top HIPAA compliant email questions

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) set the standard for protecting sensitive patient data. As a result, email HIPAA compliance can be a confusing topic. But this definitive guide is your source to clarify key requirements and outline the important steps to leverage HIPAA compliant email.

HIPAA compliance and email

Is it a HIPAA violation to email patient names and PHI?

Any organization dealing with protected health information (PHI) must follow all the physical, network and process security measures required by HIPAA. HIPAA compliant email falls into this scope.

Covered entities and BAAs

Organizations subject to HIPAA include covered entities (any company that provides treatment, payment or healthcare operations) and business associates (any company with access to PHI that provides support for covered entities). Even subcontractors (i.e., business associates of business associates) must comply. So if you happen to fall into any of these categories, you must ensure that the email you send is secured and HIPAA compliant.

HIPAA encryption requirements are specified by two main terms—required and addressable.

Required encryption must take place when sending electronic protected health information (ePHI) per the HIPAA Privacy Rule and the HIPAA Security Rule.

How do I make my email HIPAA compliant and secure?

Follow these technical and procedural steps for HIPAA compliant email. Sending PHI through email can be done easily as long as you follow the right steps. What’s more, connecting with patients through easily accessed email is well worth it for patient well-being, staff work satisfaction and your bottom line.

It’s no secret that healthcare providers are busy. But you can easily have HIPAA compliant and secure email with Paubox without spending precious time installing or deciding what to encrypt or what not to encrypt. At the same time, implementation is simple and quick, and all emails secured by Paubox email solutions are HIPAA compliant. In fact, more than 4,000 healthcare members use Paubox every day for peace of mind to secure nearly 70,000,000 emails each month.

To learn more about HIPAA compliance and email, keep reading.

4 HIPAA compliant email technical steps

  1. Any email sitting on your server (like your inbox) is considered “at rest” and must be secured.
  2. Whenever you send an email, it moves from one server to another; it is considered “in transit.” Therefore, it must be secured every step of the way until it reaches the recipient’s inbox. This process is typically handled with email encryption. Another key point is that once an email is delivered securely to a recipient’s inbox, you are no longer responsible for it under HIPAA regulations.
  3. If your email provider secures email with Transport Layer Security (TLS) encryption, this does not mean your message will be delivered securely. Messages downgrade and arrive unencrypted in clear text if a recipient’s email provider doesn’t support TLS. So make sure you are using a solution that addresses this. Paubox solutions ensure 100% of emails are secured whether or not the recipient’s provider supports TLS.
  4. If you use a third-party email provider, like Google Workspace, Microsoft 365 or Microsoft Exchange, you must get a business associate agreement (BAA) to protect PHI from cybercriminals or negligent employees. A BAA outlines vendor responsibilities and duties when they handle PHI.
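
The TLS downgrade described in step 3 leaves a trace in a delivered message's Received headers, where each receiving server records the protocol it accepted the hop with. The following is an added example, not code from the original guide or from Paubox: it classifies each hop by its RFC 3848 / RFC 6531 "with" keyword. The sample message, hostnames and queue ids are constructed for illustration.

```python
import re
from email import message_from_string

# "with" keywords registered by RFC 3848 and RFC 6531. A trailing S (or SA)
# means the receiving server accepted the hop over TLS.
TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA",
                "UTF8SMTPS", "UTF8SMTPSA", "UTF8LMTPS", "UTF8LMTPSA"}
CLEARTEXT_KEYWORDS = {"SMTP", "ESMTP", "ESMTPA", "LMTP", "LMTPA",
                      "UTF8SMTP", "UTF8SMTPA", "UTF8LMTP", "UTF8LMTPA"}

# Constructed sample: the relay-to-MX hop was accepted with plain ESMTP,
# i.e. the message crossed the internet without TLS.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.9])
\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
\tby store.recipient.example (Postfix) with ESMTPS id 4F2A1;
\tTue, 03 Jan 2023 10:00:03 +0000
Received: from relay.sender.example (relay.sender.example [198.51.100.7])
\tby mx.recipient.example (Postfix) with ESMTP id 9C1D0;
\tTue, 03 Jan 2023 10:00:02 +0000
Received: from workstation.sender.example (unknown [192.0.2.44])
\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
\tby relay.sender.example (Postfix) with ESMTPSA id 77B20;
\tTue, 03 Jan 2023 10:00:01 +0000
From: clinic@sender.example
To: patient@recipient.example
Subject: constructed sample

body
"""


def strip_comments(value):
    """Remove (possibly nested) parenthesised comments and collapse whitespace.

    Comments such as "(using TLSv1.3 with cipher ...)" contain the word
    "with", so they must go before the real "with <protocol>" clause is read.
    """
    previous = None
    while previous != value:
        previous = value
        value = re.sub(r"\([^()]*\)", " ", value)  # innermost comments first
    return " ".join(value.split())


def _field(name, text):
    """Return the token following a Received clause keyword, or None."""
    match = re.search(r"\b%s\s+(\S+)" % name, text, re.IGNORECASE)
    return match.group(1) if match else None


def audit_hops(raw_message):
    """Return one dict per hop, in the order the message travelled."""
    message = message_from_string(raw_message)
    hops = []
    # Each server prepends its header, so the oldest hop is listed last.
    for value in reversed(message.get_all("Received", [])):
        text = strip_comments(value).rsplit(";", 1)[0]  # drop the timestamp
        keyword = (_field("with", text) or "").upper()
        if keyword in TLS_KEYWORDS:
            status = "tls"
        elif keyword in CLEARTEXT_KEYWORDS:
            status = "cleartext"
        else:
            status = "unknown"  # e.g. HTTP submission or a missing clause
        hops.append({"from": _field("from", text), "by": _field("by", text),
                     "with": keyword or None, "status": status})
    return hops


def unprotected_hops(raw_message):
    """Hops whose receiving server recorded a non-TLS protocol."""
    return [hop for hop in audit_hops(raw_message)
            if hop["status"] == "cleartext"]


if __name__ == "__main__":
    for hop in audit_hops(SAMPLE):
        print("%-9s %s -> %s (%s)" % (hop["status"], hop["from"],
                                      hop["by"], hop["with"]))
```

Received headers are written by each receiving server, so only the entries added by servers you control or trust are reliable; treat the result as evidence of a downgrade, not as proof of end-to-end protection.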

3 HIPAA compliant procedural steps

  1. Ensure all employees are appropriately trained on HIPAA compliance and leverage the right technology to overcome human error, such as forgetting to press a button or typing a password to encrypt an email when sending PHI. Human error accounts for the vast majority of email-related HIPAA violations. Because of this, Paubox email solutions eliminate doctor or patient errors related to sending an email that is not secured. You can take advantage of a no-risk trial here.
  2. HIPAA requires reasonable safeguards for PHI, like encryption. If you choose not to use a third-party email encryption service, you will need to take the time to audit your organization with this assessment. 
  3. Limit access to PHI to only staff members who need it to do their jobs.
The easiest way to send HIPAA compliant email

The easiest way to send email in compliance with HIPAA is seamless encryption. It gives providers the expected benefit—HIPAA compliant email—without asking senders or recipients to change their behavior. Secure all email sent from your server without the need for additional security steps for you or your email recipients and remain HIPAA compliant.

Seamless email workflow for your staff

It is a stressful and time-burning burden for staff to decide if an email needs encryption. But encrypting email by default eliminates the risk and stress of accidentally sending unencrypted PHI over email.

For a distracted or busy employee, hitting the send button without noticing that an email contains ePHI is far too easy and makes for a very costly mistake.

Seamless and secure email connections with your patients

Find a solution that allows you to write and send HIPAA compliant emails as usual from a laptop, desktop or mobile device without needing to enter passwords, download an app or log into a portal.

The reality is, having portals and passcodes is a security “check in the box.” Email’s purpose is to communicate. But if you make your patients log in, the odds are you will not be communicating with them. In fact, only 1/3 of people with access to portals use them, but over 90% of U.S. adults regularly use email.

Seamless and secure integration into your existing email provider

Fortunately, Paubox integrates with Google Workspace, Microsoft 365 and other commercial email providers. So, conveniently, you don’t have to change your email address.

Seamless HIPAA compliant email and a more secure inbox

What’s more, our Plus and Premium subscriptions add robust spam, virus, ransomware and phishing protection. Unfortunately, phishing scams are still the most common way email gets hacked and continue to lead to HIPAA violations.

Finally, Paubox provides a BAA to all members. In addition, no minimum number of staff members or providers is required.

Quick guide to HIPAA regulations and rules you need to know

HIPAA compliant email and the HIPAA Enforcement Rule

The U.S. Department of Health and Human Services (HHS) created HIPAA to improve healthcare standards and combat PHI fraud and abuse. Additionally, the Office for Civil Rights (OCR) regulates and enforces the act, which consists of the following sections (or titles). Most referenced is Title II, as it sets the policies and procedures for safeguarding PHI, whether in paper or electronic (ePHI) form.

6 rules of HIPAA you need to know

  1. Privacy Rule (2003): covers the protection of PHI as well as compliance standards
  2. Security Rule (2005): sets required security standards to protect ePHI
  3. Enforcement Rule (2006): provides a general guide for compliance, investigation and penalties for violations
  4. HITECH Act (2009): promotes the adoption and meaningful use of technology in healthcare
  5. Breach Notification Rule (2009): sets the procedures for reporting breaches
  6. Final Omnibus Rule (2013): incorporates HITECH further by improving privacy protections
Does the HIPAA Privacy Rule permit healthcare providers to use email to discuss health issues and treatment with their patients?

Yes. In 2000, the HIPAA Privacy Rule created a set of national standards for safeguarding certain health information for the first time. Providers can communicate electronically with their patients under the Privacy Rule, provided they apply reasonable safeguards.

HIPAA does not mandate encryption

Although HIPAA does not mandate encryption, you must perform a risk assessment and determine that encryption is not needed to manage risks to PHI before you can implement addressable encryption protocols. If your organization decides that it does not need encryption, you must document why. Then create a secure alternative for your ePHI.

Paubox recommends encryption for HIPAA compliant email

Not using email encryption is risky for your patients’ information and your organization. Encryption is the only option to securely protect PHI.

The HIPAA Privacy Rule allows covered entities to disclose PHI to a business associate. Nevertheless, business associates must assure covered entities that PHI remains within the scope of their engagement.

What is the HIPAA Security Rule?

The HIPAA Security Rule was added in 2003 to set out what safeguards must be in place to protect electronic PHI (ePHI), which is health information that is held or transferred in electronic form. Therefore, covered entities must take reasonable steps to protect ePHI in email while in transit to the recipient’s inbox.

HIPAA Compliant Email: The Definitive Guide [2023 update]

According to HHS, recently proposed updates intend to improve the consumer experience, increase consumer understanding, simplify the plan selection process, combat discriminatory benefits that disproportionately impact disadvantaged populations and advance health equity.

Here are the proposed 2023 updates to the HIPAA Privacy Rule

  • Individuals will have the right to inspect their PHI in person, including taking notes or capturing images of medical records.
  • Covered entities’ response time for medical record requests will be shortened to 15 calendar days. Also, there will be an option for an extension of no more than 15 calendar days.
  • Responding to individuals’ requests for PHI will be clear and concise, including when business associates are involved.
  • Whenever a PHI summary is offered instead of a copy, covered entities must notify individuals that they retain the right to obtain or direct copies of PHI to third parties.
  • Individuals will be provided with access rights with a reduced burden of identity verification.
  • By requiring covered healthcare providers and health plans to submit an individual’s access request to another healthcare provider and to receive back electronic copies of the individual’s PHI in an electronic health record (EHR), individuals will be able to direct the sharing of PHI in an EHR.
  • Covered healthcare providers and health plans will be required to respond to certain requests for records sent to them by other covered healthcare providers or health plans according to their right of access.
  • The individual right of access to direct the transmission of PHI to a third party will be limited to electronic copies of PHI in an EHR.
  • The timelines for when ePHI must be provided free of charge to the individual will need specifying.
  • The fee structures for responding to requests to direct records to third parties will be amended.
  • Covered entities will be required to publish estimated fee schedules on their websites for access and disclosures with an individual’s valid authorization and provide individualized estimates of fees for individuals requesting copies of their personal health information, as well as itemized bills for completed requests upon request.
Source: Aris Medical Solutions

HIPAA compliant email 2023 update timelines

In order to achieve compliance with any new or modified standards, covered entities and their business associates have until the “compliance date” to establish and implement policies and practices. Additionally, HHS has previously stated that the 180-day general compliance period for new or modified standards will not apply if a different compliance period is provided in the regulation.

Why is HHS making HIPAA updates in 2023?

HHS requested answers to 54 questions from providers in 2019. Then in 2020, the department issued a Notice of Proposed Rulemaking describing several changes to the HIPAA Privacy Rule based on the responses received. Then, HHS requested comments on the proposed HIPAA changes once again in 2021. Finally, on January 5, 2022, the department released its Notice of Benefit and Payment Parameters for the 2023 Proposed Rule.

HIPAA violations are costly. Secure your emails to stay protected.

Certainly, HIPAA violations carry a high cost, and you can be penalized for noncompliance based on the degree of negligence. The current fines typically range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for violations of an identical provision. However, according to Thomson Reuters, the penalties are adjusted for inflation and could be even higher.

What are the current penalties for HIPAA email violations?

HIPAA administrative simplification covers privacy, security, breach notification and electronic healthcare transactions. Presently, HIPAA violations are categorized into four tiers, with minimum and maximum penalty amounts within each tier, and multiple violations of an identical provision are capped annually. In accordance with HIPAA administrative simplification provisions, the following indexed penalties apply:

Penalties for HIPAA Email Violations | From | To | Annual Cap
Tier 1: Could not have avoided with reasonable care | $127 | $63,973 | $1,919,173
Tier 2: HIPAA email violation despite reasonable care | $1,280 | $63,973 | $1,919,173
Tier 3: Willful neglect but corrected within a reasonable time | $12,794 | $63,973 | $1,919,173
Tier 4: Willful neglect and not corrected | $63,973 | $1,919,173 | $1,919,173

Source: Thomson Reuters

What’s more, according to a report by IBM Security, healthcare data breaches cost $9.3 million on average in 2021 – a 29.5% increase over the $7.13 million average in 2020.

Undeniably, over the past 20 years, the OCR has enforced violations at a blistering pace.

HIPAA email breaches and violation stories

HIPAA breaches and email security

In 2021, a major healthcare data breach affected 45.7 million patient records. This is the second-highest number of records reported breached since 2015. Health insurer Anthem suffered the largest healthcare data breach on record in 2015, affecting 77.8 million people.

Undoubtedly, email continues to be a primary threat vector for healthcare. In fact, 37% of all HIPAA breaches in 2020 occurred via email.

Answers to your top HIPAA compliant email questions

  1. Is my email provider HIPAA compliant?
  2. When does my obligation to secure PHI end?
  3. What is a business associate agreement, or BAA?
  4. Is there a HIPAA email provider certification?
  5. What is the gold standard for HIPAA compliance?
  6. The best HIPAA compliant email providers.
  7. Five top HIPAA compliance software tools for secure healthcare email.

1. Is my email provider HIPAA compliant?

These popular consumer email providers are not HIPAA compliant:

  • Gmail: By far one of the most popular email providers in the world, Gmail – or Google Workspace – by itself is not HIPAA compliant. Google’s own data shows that only 90% of email sent with Gmail is delivered encrypted. For HIPAA compliance, 90% isn’t good enough. Only 100% encryption is acceptable. But you can make Gmail HIPAA compliant with a few extra steps.
  • Yahoo: Another popular email provider, Yahoo is not compliant.
  • GoDaddy: A lot of people use GoDaddy’s hosting service and subsequently use GoDaddy’s Microsoft 365 product, but not all Microsoft 365 email is created equal.
  • HostGator: Another popular web hosting provider that offers email hosting and is not HIPAA compliant.

2. When does my obligation to secure PHI end?

Once the email reaches the recipient, the obligation of the sender ends, and it becomes the recipient’s job to secure any PHI they have in their inbox.

3. What is a business associate agreement, or BAA?

A BAA is a required piece of HIPAA compliant email

If you are using a third party to transmit or host ePHI, the company is legally required to sign a business associate agreement (BAA) with you. A BAA establishes that certain administrative, physical and technical safeguards are in place to protect patient data.

On the whole, a crucial piece of HIPAA is that vendors providing HIPAA compliant email services to organizations must provide and sign a business associate agreement (BAA).

Therefore, covered entities or business associates entrusting PHI to a third party legally need a BAA. 

4. Is there a HIPAA email provider certification?

Presently, there is no certification that makes an email provider HIPAA compliant. However, meeting the HIPAA Privacy and Security Rule requirements and ensuring strong technical security measures to protect ePHI are in place is the best place to start.

5. What is the gold standard for HIPAA compliance?

HITRUST-CSF certification is the closest thing there is to a formal HHS HIPAA certification.

Therefore, inspect vendors’ stances on safeguarding sensitive information and their ability to manage risk and check to ensure that their products are HITRUST-CSF certified. Sometimes using HITRUST-CSF certified technology and software can help with cyber liability insurance premiums.

Founded in 2007, HITRUST Alliance is a not-for-profit organization whose mission is to champion programs that safeguard sensitive information and manage information risk for organizations across all industries and throughout the third-party supply chain.

In summary, HITRUST-CSF is the gold standard of security certifications in healthcare.

6. The best HIPAA compliant email providers

Perhaps the most difficult step is next—trying to sort through the noise and pick a HIPAA compliant email provider.

For that reason, here are some factors you want to consider:

  • Is the service really HIPAA compliant?
  • How easy is it to use?
  • Does it integrate with your existing IT setup?
  • Does it require new workflows?
  • How is customer support?
  • What are the hidden costs?

7. Five top HIPAA compliance software tools for secure healthcare email

Above all, Paubox has taken security and compliance to the next level by achieving HITRUST-CSF certification for all our products:

  1. Paubox Email Suite for standard email
  2. Paubox Email Suite Plus with inbound security
  3. Paubox Email Premium with inbound security, email archiving and DLP
  4. Paubox Email API for transactional email
  5. Paubox Marketing for HIPAA compliant email marketing

HITRUST-CSF Certified patented technology

Overall, HITRUST-CSF certified status demonstrates that our solutions have met key regulatory and industry-defined requirements and are appropriately managing risk.

Notably, this achievement places Paubox in an elite group of organizations worldwide that have earned this certification. Certainly, by including federal and state regulations, standards and frameworks, and by incorporating a risk-based approach, the HITRUST-CSF certification helps organizations address compliance challenges through a comprehensive and flexible framework of prescriptive and scalable security controls.

Additional HIPAA email compliance resources

Looking for HIPPA compliant email in our HIPAA Compliant Email: The Definitive Guide [2023 update]?

People often confuse HIPAA email and HIPPA email. Therefore, it’s easy to Google HIPPA compliant email or HIPPA email. In short, Google is smart and knows the correct spelling while pointing you to the right pages by default. In a nutshell, “HIPPA compliant email” or “HIPPA email” are not correct. “HIPAA compliant email” or “HIPAA email” are the correct search terms.

The largest medical cyberattack in U.S. history?

The largest medical cyberattack in U.S. history may have occurred last week. CommonSpirit Health is suffering at the hands of a not-yet-identified ransomware group. The number of medical records affected could be as high as 20 million.

Read on to learn more, including why healthcare is under attack and the steps to take if your medical record is leaked.

CommonSpirit Health is the nation’s fourth-largest hospital system with 142 hospitals in 21 states.

CommonSpirit Health’s Statement

Over the course of this past week, we have been managing a response to a cyberattack that has impacted some of our facilities. Patients continue to receive the highest quality of care, and we are providing relevant updates on the ongoing situation to our patients, employees and caregivers. Patient care remains our utmost priority and we apologize for any inconvenience this matter has created. 

As previously shared, upon discovering the ransomware attack, we took immediate steps to protect our systems, contain the incident, begin an investigation and ensure continuity of care. 

Our facilities are following existing protocols for system outages, which include taking certain systems offline, such as electronic health records. 

In addition, we are taking steps to mitigate the disruption and maintain continuity of care. 

To further assist and support our team in the investigation and response process, we engaged leading cybersecurity specialists and notified law enforcement. 

We continue to conduct a thorough forensics investigation and review of our systems and will also seek to determine if there are any data impacts as part of that process.  

Systems serving Dignity Health and Virginia Mason Medical Center have had minimal impacts on operations by this incident. For the other parts of our health system that have seen impacts on operations, we are working diligently every day to bring systems online and restore full functionality as quickly and safely as possible.  

Central to our decision-making has been and will continue to be our ability to carry out our mission in a manner that is safe and effective to those we serve. At CommonSpirit Health, we are dedicated to meeting the needs of the communities we serve and are guided by our core set of values, which include integrity, excellence, and collaboration. We are grateful to our staff and physicians who are doing everything possible to mitigate the impact to our patients and ensure continuity of care.

The CommonSpirit ransomware attack impact area

Subsidiaries of CommonSpirit affected by the attack include CHI Health facilities in Nebraska and Tennessee, MercyOne Des Moines Medical Center, Houston-based St. Luke’s Health and Michigan-based Trinity Health System. As stated above, Dignity Health and Virginia Mason Medical Center have had minimal impacts on operations by this incident.

5 reasons why healthcare is a target for ransomware

Healthcare organizations are vulnerable to cyberattacks, even more so than other industries. The reasons why advanced persistent threat (APT) groups actively target covered entities, such as healthcare providers, pharmaceutical companies, and medical research organizations, likely include the following:

  1. Medical records are valuable on the black market and fetch up to $1,000 per record.
  2. Healthcare may be more likely to pay ransoms to get data back because lives hang in the balance.
  3. The attack surface is excessive and often left vulnerable.
  4. Untrained or overworked staff are prone to make errors.
  5. Lax security: A healthcare organization may view cybersecurity as an expense, despite the fact that that expense is small compared to what the organization could lose in the event of a data breach.

How do ransomware attacks happen?

Phishing emails are a common method of delivering ransomware. The email carries an attachment, presented as a link, that the victim believes is trustworthy. When the victim clicks on that link, the malware in the file begins to download.

Upon entering a system, the malware begins encrypting the victim’s data. The files are encrypted and given a new extension, which makes them inaccessible. Once this is done, the files cannot be decrypted without a key known only to the attacker. Finally, a message is displayed to the victim, explaining that the files are inaccessible and can only be accessed again by paying a ransom to the attackers.

Are foreign governments targeting the U.S. healthcare system?

Anne Neuberger, U.S. Deputy National Security Advisor, stressed the growing threat of foreign cyberattacks, citing U.S. government reports that identify specific “preparatory activity” targeting U.S. companies and critical infrastructure.

Further, the U.S. Department of Justice confirms that a North Korean regime-backed programmer has been charged with conspiracy and is responsible for the destructive global WannaCry 2.0 ransomware attacks.

“Security needs to be top of mind for every company. Email security is the number one cause of breaches,” Paubox customer Eli Golden, Director of IT at The Jellyvision Lab, explains. “Attackers are getting smarter, and while we train our staff thoroughly with simulated attacks and live sessions, it’s best to have as much protection as possible.”

Healthcare executives rank ransomware as the #1 threat

A recent survey of 132 healthcare executives found that ransomware was the number one cybersecurity threat – more than data breaches or insider threats – according to the Health Information Sharing and Analysis Center, a nonprofit global cyberthreat forum for the healthcare industry.

Take these 7 steps if your medical record is breached

  • File a police report
  • File a report with the FTC
  • Inform your insurer
  • Get copies of your medical record
  • Notify the three credit bureaus
  • Ask for corrections
  • Use strong passwords and 2FA or MFA on your accounts
Source: IDStrong

Are you in healthcare and concerned about digital security?

Paubox technology is HITRUST-CSF certified, patented and provides the most advanced HIPAA compliant email solutions available. Paubox solutions are effortlessly easy to implement and use.

In fact, Paubox is securing nearly 70 million HIPAA compliant emails each month for more than 4,000 healthcare customers and has a 4.9/5 G2 rating.

Whether you are a large hospital or a standalone clinic, Paubox has the right email product to keep your data and organization HIPAA compliant and secure.

OCR struggles to keep up with rising ransomware cases

According to a recent update from Politico, the Department of Health and Human Services’ Office for Civil Rights (OCR) is facing an overflowing caseload of ransomware incidents and other healthcare cybersecurity threats.  

Melanie Fontes Rainer, OCR acting director, states that investigators are “under incredible resource constraints and incredibly overworked.”

Keep reading to learn more about OCR’s challenges and proposed next steps. Plus, find out how HIPAA compliant email can help covered entities stay one step ahead.

Why the OCR budget matters to healthcare

The black market values protected health information (PHI) more than other types of personal information. That’s why cyberattacks are common in the healthcare industry.

Ransomware strikes these organizations especially hard since disruptions in care can put patients’ lives in danger. Therefore, they are more likely to comply with ransom demands.

As this threat grows, the OCR cannot provide the support needed to assist healthcare organizations. This is primarily due to inadequate funding and resources provided by Congress.

Because the OCR has a limited budget, it has a smaller investigation team than many local police departments. Consequently, investigators must handle more than 100 cases simultaneously.

Possible solutions on the horizon

In order to address this concern, the Biden administration has requested a 60 percent budget increase in 2023. As a result, the OCR would be able to hire 37 new investigators.

In addition to balancing the agency’s workload, additional resources will give the agency more opportunities to provide guidance.

Additionally, OCR officials believe implementing higher fines will boost enforcement and encourage healthcare organizations to comply with HIPAA requirements.

Healthcare cybersecurity advocates point to other solutions to reduce risks. Investing in better defense systems and workforce development is part of this strategy.

AHA’s national adviser for cybersecurity and risk, John Riggi, has called for federal support to train staff to improve security. And Intermountain Healthcare’s chief information security officer urges the Centers for Medicare & Medicaid Services to develop payment models that directly fund cybersecurity programs.

Secured email is secured healthcare

Covered entities can avoid falling victim to ransomware and other security threats by putting the right protections in place from the start. And with email serving as a leading threat vector for cybercrime, a stronger email security strategy is a must. That’s where a HIPAA compliant email provider comes in. 

Designed to integrate with your existing email platform, Paubox Email Suite enables HIPAA compliant email by default to ensure automatic compliance with HIPAA email rules.

This means you don’t have to spend time deciding which emails to encrypt and your patients are able to receive your messages right in their inbox—no additional passwords or portals necessary. 

In addition to healthcare email encryption, Paubox Email Suite’s Plus and Premium plan levels include robust inbound email security tools that block ransomware and other attacks from even reaching the inbox in the first place.

Our patent-pending Zero Trust Email feature uses email AI to confirm that an email is legitimate. Additionally, our patented ExecProtect solution quickly intercepts display name spoofing attempts.

Are you in healthcare and concerned about digital security?

Paubox technology is HITRUST CSF certified, patented and provides the most advanced HIPAA compliant email solutions available. Paubox solutions are designed to be effortlessly easy to implement and use.

In fact, Paubox is securing 70,000,000 HIPAA compliant emails each month for over 4,000 healthcare customers and has a 4.9/5 G2 rating.

Whether you are a large hospital or a standalone clinic, Paubox has the right email product to keep your data, organization and patients safe.

570-The HIPAA Privacy Rule and email communication with patients

Patients want their healthcare providers to use email to communicate with them. It is the quickest and easiest way for patients to get information. However, HIPAA regulations make it difficult for healthcare providers to use email to discuss health issues and treatment with their patients unless they use a secure email provider. In this blog post, we will explore whether email communication with patients is possible under the HIPAA Privacy Rule, as addressed in HHS FAQ 570.

Should I email my patients?

Patients want their healthcare providers to use email to communicate with them for a variety of reasons. First, email is the quickest and easiest way for patients to get information from their providers. Second, email allows patients to keep a written record of their healthcare discussions. That record can be helpful if they need to refer back to the information at a later date. Finally, email communication between healthcare providers and patients is often more convenient than other forms of communication.

Does the HIPAA Privacy Rule allow me to email my patients?

Despite the fact that patients want providers to use email to communicate with them, HIPAA regulations make it difficult for healthcare professionals to do so. The HIPAA Privacy Rule prohibits healthcare providers from disclosing protected health information (PHI) to individuals outside of the organization without the patient’s consent. However, email is considered an “unsecured” means of communication. That means that PHI could potentially be accessed by unauthorized individuals if it is sent via email. As a result, special precautions must be taken to ensure that PHI is not disclosed via email unless the patient has consented to such disclosure.

Secure email providers make email HIPAA compliant

One way to comply with HIPAA when using email to communicate with patients is by using a secure email provider. Secure email providers encrypt emails so that only the intended recipient can access the PHI contained within the email. This means that even if an unauthorized individual were to gain access to the email, they would not be able to read the PHI contained within it. Secure email providers typically charge a monthly fee, but this fee is often worth it for healthcare providers who need to use email to communicate with their patients.

What does HHS have to say about 570-The HIPAA Privacy Rule and email?

HHS states:

The Privacy Rule allows covered healthcare providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c). For example, certain precautions may need to be taken when using e-mail to avoid unintentional disclosures, such as checking the e-mail address for accuracy before sending, or sending an e-mail alert to the patient for address confirmation prior to sending the message. Further, while the Privacy Rule does not prohibit the use of unencrypted e-mail for treatment-related communications between healthcare providers and patients, other safeguards should be applied to reasonably protect privacy, such as limiting the amount or type of information disclosed through the unencrypted e-mail. In addition, covered entities will want to ensure that any transmission of electronic protected health information is in compliance with the HIPAA Security Rule requirements at 45 C.F.R. Part 164, Subpart C.

Note that an individual has the right under the Privacy Rule to request and have a covered healthcare provider communicate with him or her by alternative means or at alternative locations, if reasonable. See 45 C.F.R. § 164.522(b). For example, a healthcare provider should accommodate an individual’s request to receive appointment reminders via e-mail, rather than on a postcard, if e-mail is a reasonable, alternative means for that provider to communicate with the patient. By the same token, however, if the use of unencrypted e-mail is unacceptable to a patient who requests confidential communications, other means of communicating with the patient, such as by more secure electronic methods, or by mail or telephone, should be offered and accommodated.

Patients may initiate communications with a provider using e-mail. If this situation occurs, the healthcare provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual. If the provider feels the patient may not be aware of the possible risks of using unencrypted e-mail, or has concerns about potential liability, the provider can alert the patient of those risks, and let the patient decide whether to continue e-mail communications.

Source: https://www.hhs.gov/hipaa/for-professionals/faq/570/does-hipaa-permit-health-care-providers-to-use-email-to-discuss-health-issues-with-patients/index.html

In conclusion, HIPAA permits healthcare providers to use email to discuss health issues and treatment with their patients. However, special precautions are needed to ensure that PHI is not disclosed without the patient’s consent. Healthcare providers can use secure email providers or encryption to protect PHI when sending emails to patients.

Send and receive PHI with HIPAA compliant emails

With the increasing cybersecurity risks in today’s environment, maintaining HIPAA compliant communications among healthcare providers, specialists, facilities, and patients is vital. Everyone uses email, but most HIPAA compliant email solutions are complicated and difficult for both providers and patients.

Now there’s an easy way to eliminate the hassle and still have HIPAA compliant email. Paubox offers the easiest way for healthcare organizations to send and receive secure messages and attachments that comply with the protected health information (PHI) requirements of HIPAA.

Paubox integrates into email services that physicians, administrators and patients already use every day. Some of those include cloud-based email providers such as Google Workspace and Microsoft Office 365.

With more than 4,000 customers and nearly 70,000,000 emails secured per month, you can entrust your healthcare email to HITRUST CSF certified Paubox products. And our team consistently ranks 5 stars for customer service. We are here to serve healthcare.


About Inclusa

Paubox Email Suite provides encryption for 100 percent of Inclusa’s emails, without the hassle of portal-based or keyword-based solutions. For Inclusa, that translates to more time devoted to its mission.

Inclusa is a Wisconsin-based managed care organization with 1,200 employees and a network of 6,000 providers serving more than 15,500 members with patient-focused long-term care services and support. The organization’s goal is to build a more vibrant and inclusive community so that all people can thrive. 

Inclusa’s members are primarily adults with disabilities and frail elders. Care management is an integral part of the company’s work and is referred to as Commonunity®. Members are assigned a nurse and a social worker who connects with them to understand their goals and build a long-term care plan.

[Paubox Email Suite] is one of the easiest products for email encryption that we've ever implemented. The nice thing is that it just works.

Josh Jandrain
Chief Information Officer

Company Snapshot

  • Founded in 2000
  • Number of locations: 37
  • Paubox customer since 2019
  • http://inclusa.org

Paubox Email Suite Goals

  • Make it easier for providers and members to receive emails containing protected health information (PHI)
  • Simplify the process of sending PHI over email to make employees’ jobs easier
  • Reduce the time Inclusa’s IT team spends dealing with secure email-related support tickets


With providers, employees, and members scattered across 51 counties, Inclusa needed a reliable, secure way to transmit PHI over email. The team tried Zix, a portal-based solution, as well as Microsoft 365’s secure email offering. All of the options Inclusa tried presented real problems in communicating with providers and members.

“The other solutions we tried were a real challenge for our providers, most of which are small offices. Providers would forget their passwords and not be able to log in to the portal,” explained Josh Jandrain, Inclusa’s chief information officer.

Portal-based encryption systems are often clunky and hard to use, requiring recipients to sign up for a password-protected account in order to view the email message, which not everyone will be willing or able to do. Keyword solutions, on the other hand, place the burden on the sender to remember to add specific words to the email’s subject line to trigger encryption. 

Inclusa’s IT team spent hours each week providing support for these encryption systems, resetting passwords, walking recipients through the retrieval process, handling support tickets, and auditing email usage. All of the time they were spending on secure email hassles could have been spent helping patients.


Jandrain learned about Paubox Email Suite at the 2019 HIMSS conference, and he knew that it was just what Inclusa needed. “At first, I thought it was too good to be true. Paubox Email Suite was exactly what we were looking for,” Jandrain said.

Paubox Email Suite is different from other secure email solutions because it encrypts email behind the scenes. Every email is encrypted—all a sender has to do is hit “send.” And even better, all the recipient has to do is hit “open” to read it—no portal, no password required. In addition, Paubox Email Suite is HITRUST certified, the gold standard of security in the healthcare industry.

Paubox Email Suite’s implementation process was easy, with onboarding, configuration, and testing all supported by the Paubox team. “It didn’t take us long to roll it out. A couple of weeks, and we were switched over. It was really simple,” Jandrain explained.


In one year, Inclusa has used Paubox Email Suite to seamlessly and securely send more than 1.3 million emails.

What’s more, implementing Paubox Email Suite has saved Inclusa’s team serious time. Jandrain estimates that Paubox has freed up 20 hours a week—equivalent to half a week’s work for a full-time employee. “It wasn’t nearly the support burden that the other solutions were. It was so much easier and so intuitive for everyone,” noted Jandrain.

Inclusa’s provider network was delighted by the ease of use as well. “Our provider offices work with so many managed care organizations and other companies, but this change really made it easier for them to do business with Inclusa,” Jandrain said.

Managed care

Use case

Transmit PHI over email in a reliable, secure way

Used solution

Paubox Email Suite

Favorite features

  • Every email is encrypted automatically
  • Easy implementation
  • Excellent customer service

Easterseals Louisiana

About Easterseals Louisiana

Since July, Paubox Email Suite has encrypted nearly 150,000 emails from Easterseals Louisiana’s 200 employees.

A Louisiana-based nonprofit organization founded nearly 70 years ago, Easterseals Louisiana’s mission is to help individuals with physical and intellectual disabilities achieve independence, helping participants live their best lives. Its broad-based social services include early intervention, support for older adults, mental health and substance abuse services, support for participants with mental and intellectual disabilities, reentry services, and peer support services.

Easterseals Louisiana’s goal is to maintain its participants’ independence in the community where they live, work, and play. The organization has seven locations across the state and has almost 200 employees. It serves a constantly growing group of participants – more than 10,000 in 2019 alone.

The investment in the security and our peace of mind is priceless.

Dawn Kendall
Vice President of Programs and Services
Easterseals Louisiana

We tried Virtru, but we needed something that was more secure, more beneficial to our organization. Paubox protects us all the way around.

Chris Hall
Director of Quality Enhancement and Training
Easterseals Louisiana

Company Snapshot

  • Founded in 1951
  • Number of locations: 7
  • Paubox client since 2020
  • https://www.easterseals.com/louisiana/

Paubox Email Suite Goals

  • Make sure email encryption is easy to use, particularly for email recipients 
  • Encrypt emails automatically, with no extra steps 
  • Eliminate the potential for human error, mistakes, or inconsistencies in encrypting PHI
  • Find a seamless, simple, effective solution for secure email


Maintaining HIPAA compliance has always been one of the organization’s biggest concerns. At times, Easterseals Louisiana needs to share protected health information (PHI) with the participants it serves as well as with Louisiana state offices.  

“HIPAA compliance is not a simple task, and it can be overwhelming,” said Dawn Kendall, vice president of programs and services for Easterseals Louisiana. “We are really excited to have Paubox now because we don’t have to think about it anymore.”

When COVID-19 hit, making remote work more common across the organization, email began to play a larger role in the transmission of PHI. As a result, Easterseals Louisiana looked to find the best HIPAA compliant email solution. Easterseals Louisiana tried several other email encryption products, but none of them met its needs. 

Other solutions, like Virtru, required extra steps, and employees needed a lot of training to learn to use the tools correctly and consistently. Additionally, the organization would get complaints from email recipients – including funders and other important stakeholders – that the email was difficult to open and access.

“We got a lot of pushback from email recipients using our previous encryption solution,” explained Kendall. “Funders were asking us to resend things constantly because they weren’t able to open it. Since we started using Paubox, we have not heard anything. It is amazing the difference in what we’re experiencing with Paubox. We’re very pleased.”

“We needed something that was seamless and was compatible with most email platforms,” noted Chris Hall, director of quality enhancement and training for Easterseals Louisiana. “Paubox is solving a lot of the problems that we were having.”


As Easterseals Louisiana continued to research secure email solutions online, the team discovered Paubox Email Suite: easy-to-use, always-on email encryption that eliminated the potential for human error by encrypting every email automatically. Paubox Email Suite is HITRUST CSF certified, the gold standard of email security.

The implementation process was quick and easy. Within two weeks, Easterseals Louisiana was up and running with Paubox Email Suite. The staff didn’t need any training. “I wouldn’t have imagined that it would be that easy to implement something that protects our entire agency,” Hall said. 

The team chose Paubox Email Suite because it provides automatic email encryption that gives the organization peace of mind. “The security is invaluable,” Hall noted. “Additionally, the simplicity of Paubox is a big highlight.”


Since July, Paubox Email Suite has encrypted nearly 150,000 emails from Easterseals Louisiana’s 200 employees. Reducing the risk of a HIPAA violation is a major win. “We’ve never had any HIPAA compliance issues, but Paubox keeps us protected from potential email breaches. That risk reduction is priceless,” said Kendall. 

Paubox also saves the organization time because no one has to think about encryption: both in terms of day-to-day work and in terms of ongoing training. Best of all, the complaints from funders and state agencies about difficulties opening secure emails have stopped. 

In sum, Paubox helps Easterseals Louisiana focus on what’s most important: advancing its mission and serving people across Louisiana. “We are no longer doing all those extra steps, messing around with passwords, sending separate emails, going back and forth. It’s great protection for any organization, whether or not you have had a breach in the past. It works very well, and we’re excited for the product,” Hall commented.

Social services

Use case

Protect participants’ PHI with an easy-to-use, HIPAA compliant secure email solution

Used solution

Paubox Email Suite

Favorite features

  • Compatibility with other email platforms
  • Seamlessness and ease of use
  • Simple onboarding process

Barrett Hospital & HealthCare

About Barrett Hospital & HealthCare

Frontier Behavioral Health frees up 40 hours a week by using Paubox Email Suite Premium.

For nearly 100 years, Barrett Hospital & HealthCare has been the heartbeat of the community in Dillon, Montana and the surrounding region. Located about 70 miles from Yellowstone National Park, the hospital’s two campuses are situated in the nation’s fourth largest county (by land area). The hospital celebrated the opening of a new facility in 2012, with a modern design and state-of-the-art equipment. Barrett was recognized as one of the nation’s top critical access hospitals in 2021.

The main reason we switched from Barracuda? Simplicity. People on our team don’t have to worry about including a certain word to secure an email or remembering portal passwords to receive emails. Paubox is just easier.

Harv Lake
IT Manager
Barrett Hospital & HealthCare

Company Snapshot

Paubox Email Suite Plus Goals

  • Provide a hassle-free way to secure outgoing email
  • Protect users from display name spoofing attacks
  • Reduce or eliminate viruses and phishing attacks from reaching users’ inboxes
  • Make it easier for email recipients to open messages


As a healthcare organization, Barrett deals with protected health information (PHI) daily. Like all hospitals in the United States, it must comply with HIPAA requirements or face stiff penalties. As electronic communication becomes the preferred method of communication for more and more people, HIPAA compliant email was a must-have.

Initially, Barrett used Barracuda. However, it required email senders and recipients to jump through hoops to send and read secure emails.

“Everyone on the team was always concerned about what should be sent encrypted, and the tendency was to encrypt everything. However, a lot of times the people who are getting those secure emails can’t open them. The hassle with Barracuda was unbelievable,” said Harv Lake, IT manager for Barrett Hospital & HealthCare.

The organization was also noticing an increase in incoming security threats – including phishing attacks, viruses, and display name spoofing emails. “We were getting a lot of phishing emails, as well as emails spoofing our CEO’s name or our HR department,” Lake explained.

Barrett needed an email encryption and inbound security solution that made it easier – not harder – for the organization to secure PHI and defend against threats. “Things like portals and logins really made things more difficult for our recipients. As we all know, people love having lots of passwords to manage,” Lake joked.


When Lake learned about Paubox Email Suite Plus, it seemed too good to be true, he noted. “I said, ‘let me look at the details, because I didn’t believe it could be that easy.’”

Paubox offers zero-step email encryption, with no portals or logins required. Every email is encrypted automatically, without senders or recipients having to take action. Paubox uses TLS encryption and all of our products are HITRUST CSF certified, the gold standard of compliance in the healthcare industry. Paubox Email Suite Plus also includes our robust inbound security solutions, including ExecProtect, which stops display name spoofing in its tracks.

“ExecProtect has been great. We’re always concerned about protecting our organization from getting hacked, and ExecProtect has totally eliminated the display name spoofing problems,” Lake said. “It’s nice to see that there aren’t a bunch of emails floating around supposedly from our CEO offering gift cards.”

Paubox Email Suite Plus was very easy for the Barrett team to implement. “It worked with Office 365, and everything integrated smoothly,” Lake added.


Barrett is realizing significant time and cost savings by using Paubox Email Suite Plus. Because security threats are stopped before they reach users’ inboxes, the IT team has far fewer problems to fix. It is also saving the organization money by reducing the risk of a costly HIPAA violation.

“It’s nice to know that the things coming in are meant to be here and whatever is going out is encrypted,” Lake confirmed. “At Barrett, everything we do is focused on making the patient’s experience better. Having the knowledge that their information is secure when it is sent or received helps to improve their experience by removing that worry.”

The results speak for themselves. Since November 2020, Barrett has sent more than 23,000 encrypted emails from 180 email addresses. In addition to securing outgoing emails, Paubox Email Suite Plus has blocked 11,650 spam messages, 371 viruses, and 160 phishing attacks.

Overall, Lake explained, Paubox checks all the boxes for Barrett Hospital & HealthCare. “I would recommend Paubox for three reasons: it’s safe, it’s simple, and it’s secure.”

Barrett Hospital and Healthcare



Use case

Protect PHI transmitted over email while also reducing inbound security threats

Used solution

Paubox Email Suite Plus

Favorite features

  • ExecProtect stops display name spoofing
  • Every email is encrypted automatically
  • No portals required
  • Easy-to-use dashboards track outbound and inbound activity