The benefits of using encrypted email for HIPAA compliance

Share this page

Organizations operating in the healthcare industry are continuously under pressure to use resources as efficiently as possible. They must provide innovation in patient care products and services while complying with increasingly stringent privacy and security regulations, such as the Health Insurance Portability and Accountability Act (HIPAA).

Email is an old technology that has become vastly more secure just in the last five years, as new encryption tools have emerged to meet the rising demand for data privacy. For healthcare organizations subject to HIPAA compliance, this is good news: email is one of the most widely used forms of communication. Today it is possible to meet HIPAA’s privacy and security requirements while benefiting from the convenience of cloud-based email.

HIPAA requires data security in transit and at rest

HIPAA and its recent update, the Health Information Technology for Economic and Clinical Health (HITECH) Act, establish data security and privacy rules for organizations that handle people’s medical records, health payment histories, and other protected health information (PHI).

Organizations must have administrative, physical, and technical safeguards in place to protect PHI. Among the technical safeguards, PHI must be secured while “in transit” and “at rest,” which essentially means the data must be encrypted at all times, whether it is traveling across the Internet or stored on a server. In terms of physical security, access to hardware and software must be strictly controlled.

Organizations must also make it easy for people to access and correct their PHI. Data must be stored and secured for 50 years after the subject’s death. Any data breach (i.e. hack, leak, accidental disclosure, etc.) resulting in harm to individuals must be reported. Any violation of HIPAA can result in civil and criminal penalties, including fines up to $1.5 million and (in cases of intentional abuse) prison time.

All of the privacy and security requirements also extend to any vendors you use, including your email service provider.

How encrypted email supports HIPAA compliance

Encrypted email services employ end-to-end encryption to secure your data, meaning no one except the sender and the recipient is able to read the message. (This contrasts with many cloud-based email services, like Gmail, which have the ability to open and read messages.)

End-to-end encryption works by converting readable text and attachments into scrambled, illegible characters. The information is stored and transmitted to recipients in this format. Only the sender and recipient can convert the scrambled text back into a readable message. Therefore, even if hackers were to gain access to the servers or intercept an email, the contents of the message would remain secure.

In the case of Proton Mail, this process happens behind the scenes: no technical know-how is necessary to secure the messages. In this way, you can safely communicate PHI with associates and patients using regular email from any device.

Work efficiently and securely

Not long ago, email encryption was a tedious process involving extra software and technical knowledge on the part of the user. In 2013, Proton Mail set out to simplify the process and give more people access to data security. Today, it is possible to send and receive encrypted emails on any device with no extra steps or software installation.

Proton for Business plans allow you to create custom-domain email addresses for your organization. All emails sent within your organization and to other Proton Mail accounts are automatically end-to-end encrypted. Emails to non-Proton Mail accounts (e.g. a patient with a Gmail account) can be end-to-end encrypted by setting a password. Multiple user control levels and account types let you easily administer your organization and fine tune security settings.

Additionally, Proton Mail can be accessed securely from any web browser and through mobile apps for Android and iOS. You can also use Proton Mail with your mail client (Outlook, Thunderbird, or Apple Mail), allowing you to back up data locally and use full text search. For extra security, you can easily enable two-factor authentication to prevent unauthorized access.

How Proton Mail complies with HIPAA

At Proton Mail, we understand the sensitivities and the importance of keeping patient healthcare data private and secure. The information below is intended to inform our customers who are “covered entities” under HIPAA that we are aware of their HIPAA requirements and will do our part to help ensure that their patient data is kept confidential.

Business Associate Agreement

Our Business Associate Agreement with covered entities establishes our obligations under HIPAA. You can download this agreement here. If you require this agreement signed by Proton Mail, please contact us.

Physical data safety

We have invested heavily in owning and controlling our own server hardware at several locations within Switzerland. All our datacenters have ISO27001 certification, which assures that our data security is up to global corporate standards and independently verified. Strong physical security provides an extra layer of protection by ensuring your encrypted emails are not easily accessible to any third parties. On a system level, our servers utilize fully encrypted hard disks with multiple password layers so data security is preserved even if our hardware is seized.

Proper disposal of data

If you end your contract with Proton Mail, all your data is deleted from the Proton Mail servers. No printed reports or paper copies are ever retained in our facility. If you ever request printed reports, we shred them immediately upon completion of the task that required the paper output.

Data encryption

HIPAA requires that careful attention be paid to data in motion and at rest. This requirement mandates that data be encrypted as it is transmitted between computers and devices. Proton Mail was built with encryption at its core. All emails are stored with zero-access encryption, and in all instances, it is possible to also protect emails in transit with end-to-end encryption. Our open source encryption software has also undergone third-party security audits. All this works to ensure that your data and your patients’ data will remain secure and under your sole control.

Learn more about Proton Mail’s security features here or read our white paper for technical details. If you are also subject to the EU’s General Data Protection Regulation, you can check out the Proton Mail GDPR compliance.

If you have additional questions about HIPAA compliance and email security, please contact us.

Join the Proton ecosystem
Create a free account

Share this page

Related articles

Over 300 billion emails are sent and received daily around the world, making it one of the most popular forms of communication. However, most modern email providers, such as Gmail or Outlook, do not adequately protect your emails.  Gmail stopped rea
Your calendar is more than just a planning tool — it’s a record of your life. It lists what you’ve done, where you’ve been, and who you’ve met. This information deserves the same level of protection as your email and files, which is why we created Pr
Everyone has files that need to be encrypted. From intimate personal details to legal and financial documents, your files contain information that should be private and secure. But many internet services we all use every day are not private. Compani
For years, Apple watched Google and Meta make billions by collecting every scrap of people’s data to target them with ads. Now it appears it was just taking notes. Apple’s advertising operation follows the surveillance capitalism model of its rivals
When we launched Proton Drive two months ago, we wanted to create a truly private and secure cloud storage service. An encrypted cloud that allows anyone on the internet to safely store, access, and share their files without worrying about unauthoriz
From our initial crowdfunding campaign to the recent launch of our encrypted cloud storage service Proton Drive, Proton has always been supported by the community. Your feedback tells us what new features to develop and which we should improve.  For