I was recently asked how a healthcare organization can send PHI/ePHI (Personal Health Information) safely through SparkPost. The quick answer to that is really pretty simple — please don’t. Email is inherently insecure and no matter how many solutions we (or others) provide, at the end of the day, that email is still going to end up in someone’s unsecured, unencrypted mailbox.
If you need to send PHI, we recommend you email a call to action for your customers to log into your own secure web portal to retrieve the sensitive documents, rather than sending the actual data. Send your customers a quick note that says something like this instead.
“Hi Bob, Your documents are available for review. Please click <here> to login to your secure portal to view.”
On your end, the smaller message will be sent faster, is less likely to be blocked as spam, and contains no PHI. As a result, the requirements of HIPAA (Health Insurance Portability and Accountability Act of 1996) are not triggered and thus no Business Associate Agreement (BAA) with SparkPost is required. Additionally, your customers will appreciate your sensitivity to their secure data. The smaller message is easier for the customer to read and is more accessible on multiple devices which is an important factor in today’s mobile world.
On the topic of sending sensitive information, the SparkPost team has created many ways to send a secure email. Our top priority is our customer’s email and security is one of the highest considerations on our checklist every time we deploy a new feature. All email from our system is sent with opportunistic TLS security enabled by default – no matter who you are. We are fully SOC2 (SSAE-16) compliant in all domains. We were months ahead of the industry with GDPR compliance. We support and have had seats on boards and steering committees that guide our industry in matters of security, compliance, and anti-abuse efforts. If anyone is going to find a solution to the email security problem, it will be this team.
Earlier this year, my colleague Steve Tuck completed a 5-part series on how to implement S/MIME using SparkPost. This is one of the oldest email security solutions and has been largely forgotten by the industry as a whole, but it still works, and it puts the end-to-end security in the hands of the sender and recipient. A health care agency wanting to send encrypted and/or digitally signed messages using our service should be able to deploy that solution with relative ease. Steve walks you through all aspects of understanding how it works and how to integrate with your SparkPost account.
Some time ago, I also wrote a piece about our partnership with the security company Echoworx. In that blog post, we introduce you to how SparkPost can accept mail from Echoworx to deliver to your end users in a secure way without any complex integration. Echoworx provides a middleware solution that empowers you to control who can see the message and attachments and when. You also have the ability to REMOVE access to an email you have already sent.
SparkPost leads the industry in security efforts and we are constantly adapting to the shifting threat landscape. Please review the referenced links above and don’t hesitate to ask anyone on our team if you need more information.