HIPAA Compliant Email From Xojo App?

Does anyone have experience sending HIPAA-compliant email from within your Xojo app? We have been looking for a 3rd party provider of a secure email portal so that I don’t have to roll my own. The first one we have been investigating is called NeoCertified. I’m reluctant to go with them because they are VERY windows-centric and only offer SOAP-XML endpoints for their webservices. I was hoping to find something that offered JSON endpoints.

Can anyone point me to a secure email provider that you’ve successfully integrated into your Xojo app?

What makes an email HIPAA compliant?

It must be sent thru a secure channel so that only the recipent can read it… When I was at Aetna, all inter-company email was automatically encyrpted within our network, and emails that went outside (to patients or providers) were sent to a secure web based hosting portal, and an email was sent to the recipent telling then to log in to get the data… it was then deleted from the portal.

Check with google. Among their business level services, they now offer an email system that they certify as HIPAA compliance capable. You will still have a security issue with your end-points (the user machines), but that is another portion of the problem.

Because I don’t trust that any large service provider’s encryption will remain secure, I’m rolling out Cosalient Crypto, a 2nd level encryption system to further encapsulate PHI (personal health information) for my anesthesia group. We’ll be able to track the entire creation, usage history, time expire, and remotely rescind our PHI documents, XOJO is making project cross platform possible.

From our IT guy:

And he adds:

[quote]Just let them know that the rule has to be configured on their side, so simply adding the word “Encrypted” to a subject will not do anything in and of itself. It has to be paired with an appropriate compliance rule.

Here’s a quick write-up on the topic from MS: https://support.office.com/en-us/article/define-mail-flow-rules-to-encrypt-email-messages-in-office-365-9b7daf19-d5f2-415b-bc43-a0f5f4a585e8[/quote]


+1 for Paubox. Been back and forth with them a bunch today, and so far they have all the right answers to my questions.

@Kem Tekinay - we would prefer not to have to deal with handling the infrastructure ourselves. I think we’ve found a great solution in Paubox. I’ll know more in a few days after I’ve had a chance to set up a test account, etc.

Fine, be that way.

I mean, great, I trust that will work out for you. Since you’re going to be that way.


I think if you use the correct encryption you can email an attached file with regular email and remain HIPAA compliant. The attached encrypted file would be fine but you must NOT put any of the 18 Protected Health Information identifiers anywhere in the email including the attached file name. You would have to pre-exchange the encryption key. Or you could make an ever changing algorithm based key built with a date and some other constant information that the receiver could re-create.

You could use this tool (below) with a command line to encrypt a PDF then send it. You would also need a copy of the program on the receiving end. You could bundle the decryption into a custom Xojo email receiving client. Or just send the attachment and decrypt manually. The other alternative would be to drag and drop the attached file to an Xojo desktop app that ran the decryption via command line.


This would require the container encryption tool on each end. They have both Mac and Windows versions.

If you had lots of clients this could be more expensive but it would be a one time charge not a subscription for a new email service.

Also note it is possible to have a patient give permission to send un-encrypted health information via email. But, you better get this in a written agreement with specific method to revoke it.

Food for thought.