ProtonBlog(new window)

The benefits of using encrypted email for HIPAA compliance

Share this page

Organizations operating in the healthcare industry are continuously under pressure to use resources as efficiently as possible. They must provide innovation in patient care products and services while complying with increasingly stringent privacy and security regulations, such as the Health Insurance Portability and Accountability Act (HIPAA).

Email is an old technology that has become vastly more secure just in the last five years, as new encryption tools have emerged to meet the rising demand for data privacy. For healthcare organizations subject to HIPAA compliance(new window), this is good news: email is one of the most widely used forms of communication. Today it is possible to meet HIPAA’s privacy and security requirements while benefiting from the convenience of cloud-based email.

HIPAA requires data security in transit and at rest

HIPAA and its recent update, the Health Information Technology for Economic and Clinical Health (HITECH) Act, establish data security and privacy rules for organizations that handle people’s medical records, health payment histories, and other protected health information (PHI).

Organizations must have administrative, physical, and technical safeguards in place to protect PHI. Among the technical safeguards, PHI must be secured while “in transit” and “at rest,” which essentially means the data must be encrypted at all times, whether it is traveling across the Internet or stored on a server. In terms of physical security, access to hardware and software must be strictly controlled.

Organizations must also make it easy for people to access and correct their PHI. Data must be stored and secured for 50 years after the subject’s death. Any data breach (i.e. hack, leak, accidental disclosure, etc.) resulting in harm to individuals must be reported. Any violation of HIPAA can result in civil and criminal penalties, including fines up to $1.5 million and (in cases of intentional abuse) prison time.

All of the privacy and security requirements also extend to any vendors you use, including your email service provider.

How encrypted email supports HIPAA compliance

Encrypted email services employ end-to-end encryption(new window) to secure your data, meaning no one except the sender and the recipient is able to read the message. (This contrasts with many cloud-based email services, like Gmail, which have the ability to open and read messages.)

End-to-end encryption works by converting readable text and attachments into scrambled, illegible characters. The information is stored and transmitted to recipients in this format. Only the sender and recipient can convert the scrambled text back into a readable message. Therefore, even if hackers were to gain access to the servers or intercept an email, the contents of the message would remain secure.

In the case of Proton Mail, this process happens behind the scenes: no technical know-how is necessary to secure the messages. In this way, you can safely communicate PHI with associates and patients using regular email from any device.

Work efficiently and securely

Not long ago, email encryption was a tedious process involving extra software and technical knowledge on the part of the user. In 2013, Proton Mail set out to simplify the process and give more people access to data security. Today, it is possible to send and receive encrypted emails on any device with no extra steps or software installation.

Proton for Business plans(new window) allow you to create custom-domain email addresses for your organization. All emails sent within your organization and to other Proton Mail accounts are automatically end-to-end encrypted. Emails to non-Proton Mail accounts (e.g. a patient with a Gmail account) can be end-to-end encrypted by setting a password. Multiple user control levels and account types let you easily administer your organization and fine tune security settings.

Additionally, Proton Mail can be accessed securely from any web browser and through mobile apps for Android and iOS. You can also use Proton Mail with your mail client(new window) (Outlook, Thunderbird, or Apple Mail), allowing you to back up data locally and use full text search. For extra security, you can easily enable two-factor authentication to prevent unauthorized access.

How Proton Mail complies with HIPAA

At Proton Mail, we understand the sensitivities and the importance of keeping patient healthcare data private and secure. The information below is intended to inform our customers who are “covered entities” under HIPAA that we are aware of their HIPAA requirements and will do our part to help ensure that their patient data is kept confidential.

Business Associate Agreement

Our Business Associate Agreement with covered entities establishes our obligations under HIPAA. You can download this agreement here(new window). If you require this agreement signed by Proton Mail, please contact us.

Physical data safety

We have invested heavily in owning and controlling our own server hardware at several locations within Switzerland. All our datacenters have ISO27001 certification, which assures that our data security is up to global corporate standards and independently verified. Strong physical security provides an extra layer of protection by ensuring your encrypted emails are not easily accessible to any third parties. On a system level, our servers utilize fully encrypted hard disks with multiple password layers so data security is preserved even if our hardware is seized.

Proper disposal of data

If you end your contract with Proton Mail, all your data is deleted from the Proton Mail servers. No printed reports or paper copies are ever retained in our facility. If you ever request printed reports, we shred them immediately upon completion of the task that required the paper output.

Data encryption

HIPAA requires that careful attention be paid to data in motion and at rest. This requirement mandates that data be encrypted as it is transmitted between computers and devices. Proton Mail was built with encryption at its core. All emails are stored with zero-access encryption, and in all instances, it is possible to also protect emails in transit with end-to-end encryption. Our open source encryption software has also undergone third-party security audits. All this works to ensure that your data and your patients’ data will remain secure and under your sole control.

Learn more about Proton Mail’s security features here(new window) or read our white paper(new window) for technical details. If you are also subject to the EU’s General Data Protection Regulation, you can check out the Proton Mail GDPR compliance(new window).

If you have additional questions about HIPAA compliance and email security, please contact us.

Protect your privacy with Proton
Create a free account

Share this page

Ben Wolford(new window)

Ben Wolford is a writer and editor whose work has appeared in major newspapers and magazines around the world. Ben joined Proton in 2018 to help to explain technical concepts in privacy and make Proton products easy to use.

Related articles

What was your first pet’s name? In what city were you born?  We’ve all had to answer these questions to reset a long-forgotten password, but consider how that works. Much of this information is easy to find for others (or easily forgotten by you), m
In the early days when Proton started, we often received a question along the lines of “I love the product and what Proton stands for, but how do I know you will still be around to protect my data 10 years from now?”  Ten years and 100 million accou
Credential stuffing is a popular type of cyberattack where attackers take login credentials and use them on thousands of websites, hoping to fraudulently gain access to people’s accounts. It’s an effective attack, but fortunately, one that’s easy to
With Skiff abruptly shutting down operations, many people are on the lookout for alternatives that don’t compromise on privacy — and won’t suddenly disappear. People were attracted to Skiff because it promised privacy, no ads, end-to-end encryption,
Skiff is dead. On Feb. 9, the email company Skiff announced it was being bought by Notion. Many Skiff customers have been shocked by this news, as their inboxes have been sold out from under them. Skiff gave people six months to export their data be
Looking into the Dropbox privacy policy
Dropbox was the first mainstream cloud storage provider, and still the biggest player on the market, with 700 million users in 2022. We took a dive into Dropbox’s privacy policy to see how well the company protects the personal data of those millions