KKH To Chip
On 11/10/2025 2:45 PM, Karina Horton wrote:
> Hi Chip,
>
> We ended up having some SRS emails end up in our Spam folder which
> prompted a PCC ticket. We've gotten all our reports now, but Jim's
> response implied that these emails from Partner were not encrypted?
>
> "Email is not a secure communication method, as most email is not end-
> to-end encrypted, meaning messages and attachments can be accessed or
> intercepted at several points along the way."
>
> I don't know if he was stating this in general or specifically regarding
> Partner. This is concerning given the volume of data that we are
> emailed from Partner. Is this level of security your understanding of
> emails from Partner to PedsOne?
Chip's Answer
Partner reports are not encrypted. Originally, clients used their local
PCC addresses, so there was no need - it never left the server.
As a practical matter, though, mailing from a PCC server to a PedsOne
address is safe. The email transfer process is encrypted. It's only if
someone somehow intercepts the email - have you ever heard of that
happening? No, me neither.
Your bigger danger will always be, by far, someone sending the email
from a Partner server to a non-PedsOne address or sending something from
a PedsOne address to another email address. Encryption doesn't matter
in that regard.
Does that make sense?
Trevor's Input
I agree – Jim’s response was pretty general and definitely worth clarifying with him directly. Chip’s note, however, is clear on the specifics. When you say “secure email,” do you mean PCC’s transmission method or us encrypting the document before sending?
On our side: in 2024 we “flipped the switches” in Gmail so PedsOne cannot send email to inboxes that don’t support TLS/secure transmission. That protects outgoing email from us and keeps us compliant for our part of the chain. What it does not remove is the ever-present risk of sending to the wrong address, which remains the leading risk as long as email is a transmission path for ePHI. Unfortunately, PCC’s workflow (SRS > email) forces copies of ePHI to live in email while essentially normalizing email as a channel for ePHI transmission, versus a direct download.
Portals meaningfully reduce mis-send risk, but they do not eliminate it entirely (e.g., the same way we’ve seen credit-card uploads end up under the wrong practice).
PedsOne’s responsibility begins once the ePHI reaches our environment. If PCC’s outbound transmission were not encrypted, that would reflect their transmission method, not a compliance failure on our end. That said, it of course remains best practice for us and PCC to collaborate on making the entire end-to-end flow as secure as possible.
Lynn's Question
On our side: in 2024 we “flipped the switches” in Gmail so PedsOne cannot send email to inboxes that don’t support TLS/secure transmission. That protects outgoing email from us and keeps us compliant for our part of the chain.
Trevor's Answer
However: I don’t want to normalize emailing PHI unless it’s absolutely necessary. Emailing PHI should always be the exception or last resort, not our standard or go-to workflow. With that in mind, I think we need a workflow with guardrails that does two things:
- Defines acceptable scenarios where email is allowed. For example, payers who only accept email submissions, and possibly a very limited set of other documented, justifiable cases. We'd need Jenn and the TLs to help identify these.
- Confirms there are no lower-risk avenues available such as a payer portal, secure upload, and the like.