No. TLS encryption on its own does not make a covered entity HIPAA compliant. If covered entities rely on TLS, additional security measures are still required for protected health information (PHI).
Transport Layer Security (TLS) protects email while it travels between two mail servers, but it does not guarantee that the message reaches the recipient protected. TLS encrypts the message only on the network hop it is crossing; once the message is stored on a mail server or in a mailbox it is at rest, and TLS offers no protection there.
Some receiving mail servers do not support TLS (the SMTP STARTTLS extension) at all. Most sending servers use opportunistic TLS: if the receiver does not advertise STARTTLS, the sender does not fail the delivery but falls back and transmits the message in plain text. The same applies in the other direction, so a reply from such a server also travels unencrypted.
Covered entities must make sure they are using tools that enforce encryption on delivery. For TLS to count toward HIPAA's transmission safeguards, both mail servers must support it, and the sending server must be configured to require TLS for the hop rather than merely attempt it.
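The difference between "attempt TLS" and "require TLS" is what decides whether PHI leaks in plain text when the receiving server lacks STARTTLS. The following is an added example, not code from the original article; it models the sending server's decision from a parsed EHLO reply under an opportunistic ("may") and an enforced ("encrypt") policy, and includes a live probe built on Python's standard smtplib. The EHLO responses are constructed for the example and the host names are placeholders.

```python
"""Model of SMTP STARTTLS negotiation under opportunistic vs enforced TLS.

Added example, not from the original article. The EHLO replies below are
constructed, not captured from a real server.
"""
import smtplib
import ssl
from typing import Dict, List

# Constructed EHLO replies as the sending server would see them after "EHLO".
EHLO_WITH_STARTTLS = [
    "250-mx.example.org Hello",
    "250-SIZE 52428800",
    "250-STARTTLS",
    "250 8BITMIME",
]
EHLO_WITHOUT_STARTTLS = [
    "250-mx.legacy.example Hello",
    "250-SIZE 10485760",
    "250 8BITMIME",
]


def parse_ehlo(lines: List[str]) -> Dict[str, str]:
    """Turn EHLO reply lines into a {EXTENSION: parameters} map.

    The first line is the greeting, not a capability, so it is skipped.
    Each remaining line is '250-NAME [params]' or, for the last one, '250 NAME'.
    """
    caps: Dict[str, str] = {}
    for line in lines[1:]:
        body = line[4:]  # strip the '250-' or '250 ' prefix
        name, _, params = body.partition(" ")
        caps[name.upper()] = params
    return caps


def decide(capabilities: Dict[str, str], policy: str) -> str:
    """Decide what the sending server does for this one hop.

    policy 'may'     : opportunistic TLS (the common default). If the receiver
                       does not advertise STARTTLS the message goes out in
                       plain text; this is the failure mode the article warns about.
    policy 'encrypt' : enforced TLS. Without STARTTLS the message is not sent
                       (deferred or bounced) rather than sent unprotected.
    Either way TLS covers only this hop, never the message at rest.
    """
    if "STARTTLS" in capabilities:
        return "encrypted"
    if policy == "may":
        return "plaintext"
    if policy == "encrypt":
        return "refused"
    raise ValueError(f"unknown policy {policy!r}")


def probe_mx(host: str, port: int = 25, timeout: float = 10.0) -> bool:
    """Live check: does this MX advertise STARTTLS and complete a TLS handshake?

    Needs network access, so it is only called from the __main__ block.
    Returns False on any failure (no STARTTLS, handshake error, timeout).
    """
    ctx = ssl.create_default_context()
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as s:
            s.ehlo()
            if not s.has_extn("starttls"):
                return False
            s.starttls(context=ctx)
            s.ehlo()  # EHLO again after the handshake, as RFC 3207 requires
            return True
    except (OSError, smtplib.SMTPException):
        return False


if __name__ == "__main__":
    for name, ehlo in (("modern", EHLO_WITH_STARTTLS), ("legacy", EHLO_WITHOUT_STARTTLS)):
        caps = parse_ehlo(ehlo)
        for policy in ("may", "encrypt"):
            print(f"{name:7s} policy={policy:8s} -> {decide(caps, policy)}")
    # Uncomment to probe a real receiving server (placeholder host name):
    # print(probe_mx("mx.example.org"))
```

In Postfix the two policies correspond to `smtp_tls_security_level = may` and `smtp_tls_security_level = encrypt` (which can also be set per destination domain through `smtp_tls_policy_maps`); other MTAs have equivalent settings. Even the enforced setting only guarantees that this hop is encrypted, so it does not address data at rest or any later hop.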
TLS encryption can be one tool to support HIPAA compliance. But TLS alone isn't sufficient for HIPAA requirements, because the information is exposed whenever the TLS negotiation fails and the sender falls back to plain text, and it is never protected by TLS once the message is at rest.