
Are all inbound emails encrypted?

Not every inbound email arrives over an encrypted connection, and that is expected.

 

Why some inbound emails are not encrypted

Paubox cannot force outside senders to use encryption when they email your domain. Encryption for inbound mail depends on the sending mail server.

If the sender’s mail server supports modern encryption standards like TLS 1.2 or higher, the message is encrypted in transit.

If the sender’s mail server does not offer modern encryption, the email is accepted into Paubox over an unencrypted connection.

This situation is outside your control and applies to all email providers, not just Paubox.
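To see which case applied to a particular inbound message, you can read the `Received` header that the receiving server stamped on it. The following is an added example, not Paubox code: it assumes the Postfix-style `(using TLSv1.x ...)` comment and the RFC 3848 `with ESMTPS` keyword, and the sample messages are constructed; the exact header text your own mail gateway writes may differ.

```python
import re
from email import message_from_string

# Constructed sample messages, not real traffic. The Received layout follows
# Postfix's "(using TLSv1.x ...)" comment and RFC 3848's "with ESMTPS" keyword;
# the headers your own gateway writes may differ (assumption).
SAMPLE_TLS = """\
Received: from mail.sender.example (mail.sender.example [192.0.2.10])
\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
\tby mx.receiver.example (Postfix) with ESMTPS id 4ABC123;
\tMon, 1 Jan 2024 10:00:00 +0000
From: a@sender.example

body
"""
SAMPLE_PLAIN = """\
Received: from old.sender.example (old.sender.example [192.0.2.20])
\tby mx.receiver.example (Postfix) with ESMTP id 4DEF456;
\tMon, 1 Jan 2024 10:05:00 +0000
From: b@sender.example

body
"""

TLS_VERSION = re.compile(r"\(using (TLSv[\d.]+|SSLv\d)", re.I)
WITH_PROTO = re.compile(r"\bwith\s+((?:E?SMTP|LMTP)(S?)A?)\b", re.I)

def inbound_hop_tls(raw_message, min_version=(1, 2)):
    """Classify the newest Received hop, i.e. the last server that took delivery."""
    hops = message_from_string(raw_message).get_all("Received") or []
    if not hops:
        return {"status": "unknown", "version": None}
    hop = " ".join(hops[0].split())  # unfold the multi-line header
    ver, proto = TLS_VERSION.search(hop), WITH_PROTO.search(hop)
    if ver:
        name = ver.group(1)
        nums = tuple(int(n) for n in re.findall(r"\d+", name))
        modern = name.upper().startswith("TLS") and nums >= min_version
        return {"status": "tls" if modern else "weak-tls", "version": name}
    if proto and proto.group(2):  # "S" suffix: STARTTLS used, version not logged
        return {"status": "tls-version-unknown", "version": None}
    if proto:
        return {"status": "plaintext", "version": None}
    return {"status": "unknown", "version": None}

if __name__ == "__main__":
    for label, raw in (("tls", SAMPLE_TLS), ("plain", SAMPLE_PLAIN)):
        print(label, inbound_hop_tls(raw))
```

Only the `Received` lines written by your own receiving servers can be trusted; anything below them was supplied by the sending side. If internal relays add their own hops on top, check the line written by your edge server rather than the first one.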

 

What happens when you reply to inbound emails

While you cannot control how messages are sent to you, Paubox ensures that all replies you send are encrypted.

Replies are delivered securely in one of two ways:

  • Via TLS 1.2 or higher, when the recipient’s mail server supports encryption

  • Via the Secure Message Center, when a secure TLS connection cannot be established

This guarantees that your outbound emails containing PHI are always protected and compliant, regardless of the recipient’s email system.

 

How this aligns with HIPAA compliance

HIPAA places responsibility on covered entities and business associates to safeguard electronic protected health information that they send.

You are responsible for ensuring that emails you send to patients or clients are secure. Paubox fully satisfies this requirement by automatically encrypting all outbound email.

You are not responsible for the security posture of messages sent to you by patients or third parties. If a patient chooses to send information from an insecure email system, that risk is outside your control and does not create a compliance violation on your end.