At a small office, my clients' HR department needs to communicate with some vendors regarding HIPAA-covered material. How do most companies deal with securely sending e-mails regarding HIPAA. I would prefer to encrypt the e-mails themselves instead of requiring vendors to log into a secure messaging server, but I don't know if this is commonplace
I think the most common way is to send a plain text email (as it may be read on iphone, android, etc - a device that does not have built in email decryption). OTOH, all devices understand HTTPS. So the plain text email says something like, "You have a secure message from your health care provider. Please click this link to login to view your message."
You are required to encrypt the data end to end. You can use TLS to send the email to their systems. Note that you cannot send email to another firm without them also being HIPAA and hitech compliant. Since their ePHI must already be stored in an encrypted format you do not have to worry about encrypting the data prior to transmission. That being said since encryption of the message is an addressable security measure, you would have to show why this was unreasonable. You also have to ensure that only the person that the email is addressed to can open the email. the simplest solution is to use outlooks ability to sign and encrypt messages and send the recipient your certificate (by sending signed message to each other first.
I do not recommend any sort of separate website based mail as it makes it requires a whole lot of infrastructure to make secure. this could also open up liabilities should the end user do some thing like share their password. It's best to let the other party remain liable for their security.