HIPAA-Compliant Email and File Sharing

What HIPAA requires of you, in plain English

If your practice handles Protected Health Information (PHI) — patient charts, X-rays, lab results, intake forms — you need to keep that data private when it's emailed or shared electronically. HIPAA's Security Rule calls these "technical safeguards." Three things matter most:

  1. Encrypt PHI in transit and at rest. Patient data should never travel over plain email or sit unprotected on a server.
  2. Authenticate the recipient. Only the intended person should be able to open the message.
  3. Have a Business Associate Agreement (BAA) in place with anyone who handles PHI on your behalf.

How Lockbin handles each one

Encryption in transit and at rest. Every message and attachment is encrypted with AES-256 the moment it leaves your browser, and stays encrypted on our servers until your recipient opens it. We use a FIPS 140-2 verified cryptographic library (NIST certificate #2357), the same standard required for federal use.

Recipient authentication. Recipients open messages from a unique URL plus a password. Without both pieces, the message stays locked. You can also use passwordless secure links for known recipients.

Business Associate Agreement. Lockbin offers a signed BAA on Premium and Enterprise plans (by request — email support@lockbin.com). The BAA contractually commits Lockbin to safeguard your PHI and notify you within 60 days of any breach, per HIPAA rule CFR 164.410(b).

What you don't have to worry about

  • No software installs. Lockbin runs in any modern browser.
  • No special training. Your front desk can send a secure message in under a minute.
  • No special accounts on your patients' end. They open your message from a link.
  • No data sitting on our servers indefinitely. Messages auto-delete after the retention window you set.
  • No keys held by us in plaintext. Your encryption keys never live on our servers in usable form, so even if our infrastructure were compromised, your patient data stays unreadable.

Get started

Premium ($10/user/month) and Enterprise ($10/user/month for multiple seats) include the signed BAA option, multi-message archive, custom branding, and admin compliance copy. Start a free trial or email support@lockbin.com for help choosing a plan.
Technical details for IT and compliance teams

HIPAA Security Rule, 45 CFR 164.312(a)(2)(iv) and (e)(2)(ii) — covered entities must consider implementing encryption as a method for safeguarding EPHI. DHHS guidance specifies that "valid encryption processes for data in motion are those which comply, as appropriate, with NIST Special Publications 800-52, or others which are FIPS 140-2 validated."

Lockbin encrypts messages and attachments with AES-256 using a FIPS 140-2 verified cryptographic library (NIST certificate #2357). Note the difference between "FIPS verified" (the module has been tested and issued a certificate) and "FIPS compliant" (the vendor claims compliance without a certificate); the DHHS guidance above applies to verified modules.

NIST Special Publication 800-88, "Guidelines for Media Sanitization." EPHI must be destroyed in accordance with this guidance. Lockbin destroys content at scheduled intervals using a US DoD 5220.22-M (8-306./E) three-pass wipe.

HIPAA rule CFR 164.505(e)(2)(ii)(C) and 164.314(a)(2)(i)(C) — covered entities and business associates must establish a contract requiring the BA to report to the CE any uses or disclosures of EPHI not provided by the contract, plus any security incidents. Our BAA satisfies this and commits to breach notification within 60 days, per CFR 164.410(b).

Key management. Decryption keys are not stored on Lockbin's servers in plaintext. The sender and the recipient hold the decryption keys; the data at rest on our servers is encrypted. This satisfies the DHHS guidance that "decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt."

Hosting. Lockbin's servers are hosted by a leading enterprise cloud infrastructure provider in a fully redundant facility with physical security and access controls.

Email support@lockbin.com for our risk-analysis document, network diagram, and BAA template.