Legally Compliant Email Attachment Delivery (HIPAA, SEC, FERPA)

mxHero Inc. has developed a solution that enables standard email to be used for compliant delivery of files. The solution satisfies the requirements of HIPAA, SEC 204.2 and FERPA by leveraging the compliant storage services of Box and Google Drive.

mxHero’s email attachment compliance feature extends the compliance benefits of major cloud storage platforms like Box and Google Drive. It does this by providing a secure transmission path for email attachments from the sender to the recipient. Furthermore, it adds additional guarantees that only the recipient can access the attachments. How this is achieved is illustrated in the below diagram.


Diagram of mail2Cloud Compliant Attachment Delivery

When using mxHero mail2cloud compliance capabilities with major email providers, such as Microsoft Office 365 or Google Apps or with properly configured on-premises solutions, like Microsoft Exchange, all email is sent over highly secure TLS encrypted channels.

When messages are processed by mxHero (operated from Amazon’s AWS compliant data center), attachments are removed and uploaded over secure https channels to Box or Google Drive. (diagram step 2)

The original attachments are replaced by special, two-step, access links.

The message, with the special links in place of the original attachments, is then sent over the open Internet. (diagram step 3)

The recipient receives the email and upon clicking the attachment links receives a second email. (diagram step 4)

This second email is sent to the recipients email address and contains the actual links to the files in cloud storage (Box or Google Drive - diagram step 5). This two-step attachment delivery process has several benefits:

  1. If the email is stolen from the recipient, the attachments can not be accessed since the actual download links will only be sent to the original recipient’s email account;
  2. If the email is accidentally forwarded by the recipient, those receiving the email will not be able to access the files for the same reason as above;
  3. The two-step attachment delivery process does not require the recipient to perform additional authentication. This mechanism leverages the authentication they have already done with their email account;
  4. As an added security benefit, the actual download links in the second email will only be effective for a limited time period after first access, ex. one day (configurable).

One of the greatest benefits mxHero’s compliant feature is the ease of use by the sender and the recipient. On the sender’s side mxHero can be configured to process all outbound attachments without any need or knowledge of the sender. On the recipient’s side, no new logins or authentication processes need to be performed.


mxHero’s compliance solution provides for highly secure delivery of email attachments in a transparent experience that does not require additional training or actions on behalf of the sender and only minimal changes to how the recipient receives those attachments.



Does mxHero Support Business Associates Agreements (BAAs)?


Have more questions? Submit a request


Powered by Zendesk