October 22, 2014
Since you've hit on a subject that is near and dear to my heart, I figured I'd lend an opinion from the "IT Specialist" standpoint.
Although encrypted email is not "required" specifically, it is certainly a good idea. The reason most people don't do it is because most solutions make it overly cumbersome to use.
From my experience, most medical professionals are very set in their ways when it comes to technology. Therefore, they are loath to implement a system that forces them to use a new process/product.
Moreover, many feel that implementing encrypted email into their practice will introduce a level of complexity to their patients and to their colleagues who are trying to read the emails. Unfortunately this is somewhat true with many solutions out there.
Quite a few solutions make you use a separate "portal" to send the emails, and make the recipients jump through hoops when they want to read them.
Ideally a system would take their existing email process and allow them to easily add encryption to the mix.
We've taken a good deal of time evaluating different solutions, and decided to use one based on ZixCorp. They are far and away the industry leader, and have more users than anyone else in the world (roughly 40 million).
The only problem was that they were a bit pricy, which turned a lot of clients off.
However, we were able to leverage our industry relationships and are offering it to our clients at very reasonable rates.
It's completely simple, and can be used by anyone who knows how to use email.
Encrypting an email is as simple as adding a word like 'encrypt" to the subject line - that's it.
There are also automatic triggers that search for things like SS#'s, and DOB in outgoing emails.
In the end it's a win-win for all involved. Our clients seem to love it, and find it very simple to use. We like being able to offer our clients a product that would normally be out of their price-range but is now reasonably priced.
We made this offering part of our HIPAA Essentials package along with Managed Antivirus and Encrypted Backups, and our clients couldn't be happier with it.
Now, as to your list of HIPAA compliant companies...
1. Google Apps - We're big fans of Google Apps. They are a great resource for many companies. Additionally, anyone who knows how to use Gmail, can use Email on the Google Apps system as they are essentially the same (with a few tweaks added). However, being HIPAA compliant is a gray area for them. They only recently decided to become "HIPAA Compliant" and started signing BAA agreements. Essentially what they agreed to was to stop reading the emails, and reviewing the files that go through their system. Anyone who is still using the free GMAIL system is not afforded the same luxury. All of those emails and files are actively scanned for marketing purposes. Google admits this openly (that is how they make their money after all). But, even the paid Google Apps service itself cannot send encrypted emails all the way to your recipient. There are some 3rd part integrators that offer encrypted email on Google Apps for an additional fee. However, they vary in their ease of use, cost, and stability. Essentially it's a free-for-all when it comes to 3rd party integrators for encrypted email on Google Apps.
2. Citrix Sharefile - This is not an email solution. In fact, this is simply a file sharing application. They claim that it offers a way to securely share files with others - and that part is essentially true. However, it brings into the mix another layer of complexity for the medical office. Using this system they would need to 1)create a secure "folder" in the Citrix client 2)upload a patient file into that folder 3)copy the link to that file 4)open their usual email client 5)compose the email 6)insert the previously mentioned file link.
It's not very user friendly, and certainly isn't as simple as just sending an email (which is what most medical offices are used to). Additionally, the recipient might find the process to recover the files a bit confusing.
3. Email Pros - these guys are essentially snake-oil salesmen that prey on those that are not IT savy. They only encrypt communications between the sending computer and the Email Pro servers. Any communication between Email Pro servers and recipient servers or destination computers is not encrypted unless that have TLS and SSL enabled and configured. They even admit to this, although it's buried deep in their tech jargon.
"Email communications with people from the outside world is automatically secure if their email server supports Transport Layer Security (TLS) and SecureSockets Layer (SSL), then the entire transmission is 100% secure."
4. Safety Send - I can honestly say I've never heard of these folks. Looking through their site it seems to be a very similar product as Email Pros. They don't give very much technical information as to how their product works, which is a bit concerning. What's more worrisome is that they don't even have a phone number to call. Even their "Contact Us" page has no number to call - just a form to fill out. Pricing seems to be a mystery as well as it cannot be found anywhere on the site. Overall, I would be a bit hesitant in recommending these folks.
5. Sookasa - Similar to Citrix Sharefile, this is more of a file-sharing solution than an encrypted email solution. It seems like it might work, and should be somewhat familiar since many people already know/understand dropbox. But it does implement several steps to the secure email process. It's also another system for the medical office to "manage".
I hope you find this information helpful. Please feel free to contact me if you have any questions on this, or any other IT matter.