Can't I just use email for HIPAA (or other) compliance?

Solution

Isn't a secure PDF in an email compliant?

Short answer: no, but neither is any other email. You deserve a more robust answer.

Many providers will tell you that their service, app, or flavor of Office 365 is HIPAA compliant, but MOST are not fully compliant. They are compliant only for the portion the provider is responsible for, which leaves the client (the covered entity) liable for the rest. There is no certification that makes an email provider HIPAA compliant, because proper configuration of the mail client on the sending end AND on the receiving end is impossible for the provider to enforce.

Take the sender's computer as an example. The computer is stolen, and there is no encryption on the machine itself. The login password is weak or non-existent. Outlook (the Office 365 desktop client) caches its mailbox and server credentials by default. Transit and storage of messages up to the server were encrypted (assuming the server's storage was encrypted at rest), and encrypted transmission from the server on to the recipient's server and mail client was enforced. None of that matters now: the thief has the computer, the cached credentials, and every message stored on it. The client is liable for the HIPAA violation, which can mean civil fines and, in criminal cases, jail time.

Remember the enforced encryption from the server to the recipient's server? SMTP encryption (STARTTLS) is negotiated hop by hop and is opportunistic: the sending server can only encrypt if the receiving server offers it. If the receiving server (Gmail, Yahoo, or the recipient's own hosted mail) does not offer it, or the session is downgraded in transit, the message is delivered in the clear, and the client is still liable. Then, even if all of that could be enforced (it can't), the recipient can misconfigure or misuse their mail client of choice, and even there the client, not their patient, is liable.

The only way to ACTUALLY be HIPAA compliant with email is to use an advanced version of Office 365 (or a similar service) AND a plugin that, after extra steps per email, wraps each individual message in its own layer of encryption with a password that must be supplied to the recipient separately from the email. That way, encryption is enforced from point A to point B (that is how our SECURE SEND service operates, without the need for email).
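To make the hop-by-hop transport point concrete, here is an added example in Python (not part of this article and not code from any product it describes). It parses SMTP EHLO replies for the STARTTLS extension, shows what an opportunistic sender does when the extension is missing versus a sender configured to require TLS, and includes a live probe that runs the same check against a named MX host. The two sample EHLO replies and the host name mail.example.test are constructed for illustration; the policy names "tls", "cleartext" and "refuse" are this example's own labels.

```python
import smtplib
import ssl
import sys

# Constructed sample EHLO replies (not captured from any real server). The
# multi-line reply format follows RFC 5321: "250-" continues, "250 " ends.
EHLO_WITH_STARTTLS = (
    b"250-mail.example.test Hello\r\n"
    b"250-SIZE 35882577\r\n"
    b"250-STARTTLS\r\n"
    b"250 8BITMIME\r\n"
)
EHLO_WITHOUT_STARTTLS = (
    b"250-mail.example.test Hello\r\n"
    b"250-SIZE 35882577\r\n"
    b"250 8BITMIME\r\n"
)


def parse_ehlo_extensions(reply: bytes) -> set:
    """Return the set of extension keywords advertised in an EHLO reply.

    The first 250 line is the server greeting (domain + free text), so it is
    skipped; each following line's first word is an extension keyword.
    """
    exts = set()
    lines = reply.decode("ascii", "replace").splitlines()
    for line in lines[1:]:
        if len(line) < 4 or not line.startswith("250"):
            continue
        body = line[4:].strip()
        if body:
            exts.add(body.split()[0].upper())
    return exts


def choose_transport(exts: set, require_tls: bool) -> str:
    """Model the sending MTA's decision after reading the EHLO reply.

    Opportunistic TLS (the usual default) falls back to cleartext when the
    receiving server does not advertise STARTTLS; a sender configured to
    require TLS refuses to deliver instead. Either way the sender cannot
    make the recipient's server offer encryption.
    """
    if "STARTTLS" in exts:
        return "tls"
    return "refuse" if require_tls else "cleartext"


def probe_mx(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Live check (needs network and outbound port 25): connect, EHLO, see if
    STARTTLS is offered and, if so, whether the certificate validates under
    the platform's default trust store."""
    result = {"host": host, "starttls": False, "cert_ok": None}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        result["starttls"] = smtp.has_extn("starttls")
        if result["starttls"]:
            try:
                smtp.starttls(context=ssl.create_default_context())
                smtp.ehlo()  # re-issue EHLO over the now-encrypted channel
                result["cert_ok"] = True
            except ssl.SSLError:
                result["cert_ok"] = False
    return result


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for mx in sys.argv[1:]:
            print(probe_mx(mx))
    else:
        for label, reply in (("offers STARTTLS", EHLO_WITH_STARTTLS),
                             ("no STARTTLS", EHLO_WITHOUT_STARTTLS)):
            exts = parse_ehlo_extensions(reply)
            print(f"{label}: opportunistic -> {choose_transport(exts, False)}, "
                  f"require TLS -> {choose_transport(exts, True)}")
```

Run it with no arguments to see the decision logic on the constructed replies, or pass one or more MX host names to probe them live. A missing STARTTLS in the EHLO reply is exactly the case where a default (opportunistic) sending server delivers in cleartext; switching the sender to refuse is a policy the sending side controls, but whether the recipient's server offers encryption at all is not.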
Even then, if the client stores the passwords in an accessible place (remember their stolen computer?), the client becomes liable again. And even with that system AND proper practices, there is rarely a sufficient audit trail for HIPAA compliance.

While HIPAA compliance can be achieved with our SECURE SEND service, sending and receiving are wholly segregated, which is inefficient for high-volume or high-frequency correspondence. It still carries the burden of an individual password per message and the practices around it, just like the plugins. So SECURE SEND is a better fit for low-volume CPA firms and the like.

For actual HIPAA compliance without the burden of per-message passwords, with zero liability for recipient/patient passwords, and with the assurance that no installed software stores an accessible copy of the files on a stealable computer, our PORTAL is a truly HIPAA compliant service. It also has the industry's best audit trail (which is why so many Fortune 100 and Fortune 500 companies use it). Data is encrypted in transit and at rest, and content is never stored locally by the service (it is 100% web-based). Recipients/patients manage their own passwords, which remain unknown to and inaccessible by the client. If a patient moves a file off of the PORTAL or tells their device to remember their PORTAL password, the liability is on that patient.

The only requirements for the client to keep their PORTAL installation compliant are: never allow the browser to save the login info, change login credentials with staff turnover, and make sure that wherever they store files locally is encrypted (which they are required to do anyway, regardless of how patient data is transmitted). Our PORTAL is competitively priced against other actually-compliant solutions; our value-add is hands-on handling of setup, support, and backend administration, which clients typically won't receive when buying a service from another provider.

During training, we can also review the HIPAA-required practices for handling digital files outside of our system at the client's location (we would be acting as a consultant, not as an authority, so every location should have its own HIPAA compliance officer, on staff or outsourced, as the final say on in-office practices).

Powered by Help Desk Software HESK, brought to you by SysAid