While researching so-called HIPAA compliant email providers, I came across Cisco Registered Envelope Service (CRES), which claims to be HIPAA compliant.
According to this instruction, upon receiving an email (e.g. from the physician) containing an encrypted message as the attachment, all the recipient (e.g. the patient) needs to do to open the message can be summarized as:
1) download the attachment as an HTML file.
2) open the HTML file, click the registration link inside, and the recipient will be taken to Cisco's website to register for an account.
3) finish the registration (typical name, password, security Q&A type of registration)
4) receive a confirmation email and activate the account
5) open the HTML file downloaded in step 1) again and enter the account password used in step 3); the message will decrypt itself.
You can read the details in the section Steps to Opening Your First Password-Protected Envelope starting on page 8.
Of course, once this initial handshake is done, subsequent communications can be regarded as secure. But how can this initial handshake provide any security above the security of plain email itself, when an obvious attack is:
a) hijack the email
b) finish the registration process pretending to be the recipient, hijacking the confirmation email
c) open the encrypted message
Well, well, the message is encrypted, so it's HIPAA compliant. But how is this even close to a secure solution?
Somewhat relevant: spammers might be faking the CRES emails as a new spamming tactic. Obviously, attackers can do the same to hijack the email account.
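To make the question's argument concrete, here is an added toy model of the enrollment flow described in steps 1) to 5). It is example code written for this page, not Cisco's code and not a description of how CRES is actually built: the service, mailbox, addresses, the per-envelope key release, the toy XOR cipher and the "out-of-band secret" variant are all constructed assumptions. The point it demonstrates is the one the question makes: when the only thing the service checks during registration is "can you read mail at this address", a party who can read the mailbox completes exactly the same steps as the patient and gets the same plaintext, so the handshake's security reduces to the security of the mailbox itself. The hardened variant shows the kind of extra check (a secret delivered on a second channel) that would break that equivalence.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Mailbox:
    """A mail account; whoever holds this object can read everything in it."""
    address: str
    inbox: List[dict] = field(default_factory=list)


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy keystream cipher, NOT secure; stands in for the envelope's real cipher."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


@dataclass
class EnvelopeService:
    """Assumed, simplified model (not CRES's real design): the service keeps the
    per-envelope key and releases it to whoever holds an account for the recipient
    address; an account is created by answering a confirmation mail sent there."""
    keys: Dict[str, Tuple[str, bytes]] = field(default_factory=dict)   # envelope id -> (recipient, key)
    pending: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # confirm token -> (address, password)
    accounts: Dict[str, str] = field(default_factory=dict)             # address -> password
    oob_secrets: Dict[str, str] = field(default_factory=dict)          # hardened variant: address -> secret given on a second channel

    def send_envelope(self, mailboxes: Dict[str, Mailbox], recipient: str, plaintext: bytes) -> str:
        key = secrets.token_bytes(16)
        env_id = secrets.token_hex(8)
        self.keys[env_id] = (recipient, key)
        mailboxes[recipient].inbox.append(
            {"type": "envelope", "id": env_id, "ciphertext": xor_stream(key, plaintext)})
        return env_id

    def register(self, mailboxes: Dict[str, Mailbox], address: str, password: str,
                 oob_secret: Optional[str] = None) -> None:
        # Hardened variant: if a secret was issued for this address on another
        # channel, mailbox access alone is not enough to enroll.
        expected = self.oob_secrets.get(address)
        if expected is not None and not (oob_secret is not None and hmac.compare_digest(expected, oob_secret)):
            raise PermissionError("out-of-band secret missing or wrong")
        token = secrets.token_hex(8)
        self.pending[token] = (address, password)
        mailboxes[address].inbox.append({"type": "confirm", "token": token})

    def confirm(self, token: str) -> None:
        address, password = self.pending.pop(token)
        self.accounts[address] = password

    def open_envelope(self, env_id: str, address: str, password: str, ciphertext: bytes) -> bytes:
        if not hmac.compare_digest(self.accounts.get(address, ""), password):
            raise PermissionError("bad credentials")
        owner, key = self.keys[env_id]
        if owner != address:
            raise PermissionError("account is not the envelope's recipient")
        return xor_stream(key, ciphertext)


def enroll_and_open(service: EnvelopeService, mailboxes: Dict[str, Mailbox],
                    address: str, password: str, oob_secret: Optional[str] = None) -> bytes:
    """Steps 1) to 5), driven purely by what is readable in the mailbox. The same
    function serves the patient and anyone else holding the mailbox: the service
    has nothing with which to tell them apart."""
    inbox = mailboxes[address].inbox
    envelope = next(m for m in inbox if m["type"] == "envelope")          # step 1: the attachment
    service.register(mailboxes, address, password, oob_secret)           # steps 2-3: register
    confirm = [m for m in inbox if m["type"] == "confirm"][-1]           # step 4: newest confirmation mail
    service.confirm(confirm["token"])
    return service.open_envelope(envelope["id"], address, password, envelope["ciphertext"])  # step 5


ADDR = "patient@example.test"                      # constructed address
MESSAGE = b"lab results: constructed sample"       # constructed plaintext


def run_baseline() -> Tuple[bytes, bytes]:
    """Returns (what the patient reads, what a mailbox-only reader reads)."""
    mailboxes = {ADDR: Mailbox(ADDR)}
    service = EnvelopeService()
    service.send_envelope(mailboxes, ADDR, MESSAGE)
    reader_view = enroll_and_open(service, mailboxes, ADDR, "reader-pw")     # enrolls first, as in step b)
    patient_view = enroll_and_open(service, mailboxes, ADDR, "patient-pw")   # patient enrolls afterwards
    return patient_view, reader_view


def run_hardened() -> Tuple[bool, bytes]:
    """Hardened variant: enrollment also needs a secret handed over on a second channel.
    Returns (mailbox-only enrollment was refused, what the patient reads)."""
    mailboxes = {ADDR: Mailbox(ADDR)}
    service = EnvelopeService()
    service.oob_secrets[ADDR] = "clinic-visit-code-7731"                 # constructed value
    service.send_envelope(mailboxes, ADDR, MESSAGE)
    try:
        enroll_and_open(service, mailboxes, ADDR, "reader-pw")
        refused = False
    except PermissionError:
        refused = True
    patient_view = enroll_and_open(service, mailboxes, ADDR, "patient-pw", oob_secret="clinic-visit-code-7731")
    return refused, patient_view


if __name__ == "__main__":
    print("baseline (patient, mailbox-only reader):", run_baseline())
    print("hardened (reader refused, patient):", run_hardened())
```

In the baseline run both calls return the same plaintext, which is the equivalence the question describes; the service's registration check adds no information beyond mailbox access. In the hardened run the enrollment without the second-channel secret is refused while the patient's succeeds, illustrating that the extra security has to come from something the mailbox does not carry.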