Is TLS encryption HIPAA compliant?

George Davidson
Dec 25, 2020

No, TLS encryption isn’t HIPAA compliant. If covered entities use TLS encryption, additional security measures are required for protected health information (PHI).

Transport Layer Security (TLS encryption) protects email while it travels between mail servers, but it doesn't guarantee secure delivery to the recipient. The message is encrypted in transit only; TLS provides no protection for information at rest on either end.

Certain email providers' mail servers don't support TLS delivery. In that case the sending service drops the encryption and delivers the email as plain text. Likewise, if the recipient responds, the reply is transmitted without encryption.

Covered entities must make sure they're using tools that enforce encryption on delivery. To meet HIPAA requirements, both mail servers (the sender's and the recipient's) must use TLS encryption.
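To make the fallback concrete, here is an added example (not part of the original page) that models how an SMTP sender decides whether to deliver to a peer. It parses a constructed EHLO reply for the STARTTLS capability and applies either an opportunistic policy ("may") or a mandatory one ("encrypt"); the policy names mirror Postfix's smtp_tls_security_level values, but the code itself is a stand-alone model, not Postfix's. The host names and EHLO replies are constructed for the example. It also checks both directions of an exchange, which is the point of requiring TLS on both servers: the reply leg depends entirely on the other side's policy.

```python
# Added example: opportunistic ("may") vs. mandatory ("encrypt") TLS for SMTP
# delivery. Policy names mirror Postfix's smtp_tls_security_level; the EHLO
# replies and host names below are constructed for this illustration.
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class DeliveryDecision:
    proceed: bool     # will the sender hand the message to the peer at all?
    encrypted: bool   # will the session be upgraded with STARTTLS first?
    reason: str


def parse_ehlo_capabilities(ehlo_reply: str) -> List[str]:
    """Extract capability keywords from a multi-line EHLO reply.

    An EHLO reply is a run of '250-keyword' lines ending in one '250 keyword'
    line; the first line carries the server's own name, not a capability.
    """
    keywords = []
    for raw in ehlo_reply.splitlines():
        line = raw.strip()
        if len(line) < 4 or not line.startswith("250"):
            continue
        body = line[4:].strip()          # drop the '250-' / '250 ' prefix
        if body:
            keywords.append(body.split()[0].upper())
    return keywords[1:]                  # skip the greeting line


def decide_delivery(peer_ehlo_reply: str, policy: str) -> DeliveryDecision:
    """Decide whether, and how, to deliver to a peer that sent this EHLO reply."""
    offers_starttls = "STARTTLS" in parse_ehlo_capabilities(peer_ehlo_reply)
    if policy == "encrypt":
        if offers_starttls:
            return DeliveryDecision(True, True, "TLS required; peer offers STARTTLS")
        return DeliveryDecision(False, False,
                                "TLS required but peer offers no STARTTLS; "
                                "message is deferred, never sent in clear")
    if policy == "may":
        if offers_starttls:
            return DeliveryDecision(True, True, "TLS available; opportunistic upgrade")
        return DeliveryDecision(True, False,
                                "peer offers no STARTTLS; opportunistic policy "
                                "silently falls back to plaintext delivery")
    raise ValueError(f"unknown TLS policy: {policy!r}")


def no_plaintext_exposure(our_policy: str, peer_ehlo_reply: str,
                          peer_policy: str, our_ehlo_reply: str) -> bool:
    """True only if neither the outbound message nor the reply travels in clear.

    The reply direction is governed by the peer's policy and by what our own
    server advertises, so one side enforcing TLS is not enough.
    """
    outbound = decide_delivery(peer_ehlo_reply, our_policy)
    reply = decide_delivery(our_ehlo_reply, peer_policy)
    return all(not (leg.proceed and not leg.encrypted) for leg in (outbound, reply))


# Constructed EHLO replies: one server advertises STARTTLS, one does not.
TLS_CAPABLE_EHLO = (
    "250-mail.example.net Hello\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
PLAINTEXT_ONLY_EHLO = (
    "250-legacy.example.org Hello\r\n"
    "250-SIZE 10485760\r\n"
    "250 8BITMIME\r\n"
)

if __name__ == "__main__":
    for policy in ("may", "encrypt"):
        for name, reply in (("tls-capable", TLS_CAPABLE_EHLO),
                            ("plaintext-only", PLAINTEXT_ONLY_EHLO)):
            d = decide_delivery(reply, policy)
            print(f"{policy:8} -> {name:15}: proceed={d.proceed} "
                  f"encrypted={d.encrypted} ({d.reason})")
    print("both sides enforce TLS, exposure-free:",
          no_plaintext_exposure("encrypt", TLS_CAPABLE_EHLO, "encrypt", TLS_CAPABLE_EHLO))
    print("we enforce, peer opportunistic to a plaintext-only host:",
          no_plaintext_exposure("encrypt", TLS_CAPABLE_EHLO, "may", PLAINTEXT_ONLY_EHLO))
```

The "may" branch is the behaviour the article warns about: the message is still delivered, just without encryption, and nothing in the sender's logs need look unusual. The "encrypt" branch defers instead of downgrading, which is the behaviour a covered entity wants; the round-trip check shows that it has to be configured on both servers for the reply to stay protected.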

TLS encryption can be one tool that supports HIPAA compliance. But TLS encryption alone isn't sufficient for HIPAA requirements, because the information is exposed whenever the encryption fails or is dropped in delivery.


Product details

Business Associate Agreement: No

HIPAA Compliant: No

Categories: Encryption

Product description

Transport Layer Security, or TLS encryption, is a common cryptographic protocol that safeguards communication between a client and a server. It is used to protect email, voice over IP (VoIP), and messaging.

Disclaimer:

Readers should perform their own research before making the final decision. The information on the JotForm HIPAA Compliance Checker does not constitute official healthcare or legal advice. JotForm is not liable for any damage or liabilities arising out of or connected in any manner with this platform.
