Proton

The benefits of using encrypted email for HIPAA compliance

Organizations operating in the healthcare industry are continuously under pressure to use resources as efficiently as possible. They must provide innovation in patient care products and services while complying with increasingly stringent privacy and security regulations, such as the Health Insurance Portability and Accountability Act (HIPAA).

Email is an old technology that has become vastly more secure just in the last five years, as new encryption tools have emerged to meet the rising demand for data privacy. For healthcare organizations subject to HIPAA compliance(new window), this is good news: email is one of the most widely used forms of communication. Today it is possible to meet HIPAA’s privacy and security requirements while benefiting from the convenience of cloud-based email.

HIPAA requires data security in transit and at rest

HIPAA and its recent update, the Health Information Technology for Economic and Clinical Health (HITECH) Act, establish data security and privacy rules for organizations that handle people’s medical records, health payment histories, and other protected health information (PHI).

Organizations must have administrative, physical, and technical safeguards in place to protect PHI. Among the technical safeguards, PHI must be secured while “in transit” and “at rest,” which essentially means the data must be encrypted at all times, whether it is traveling across the Internet or stored on a server. In terms of physical security, access to hardware and software must be strictly controlled.

Organizations must also make it easy for people to access and correct their PHI. Data must be stored and secured for 50 years after the subject’s death. Any data breach (i.e. hack, leak, accidental disclosure, etc.) resulting in harm to individuals must be reported. Any violation of HIPAA can result in civil and criminal penalties, including fines up to $1.5 million and (in cases of intentional abuse) prison time.

All of the privacy and security requirements also extend to any vendors you use, including your email service provider.

How encrypted email supports HIPAA compliance

Encrypted email services employ end-to-end encryption(new window) to secure your data, meaning no one except the sender and the recipient is able to read the message. (This contrasts with many cloud-based email services, like Gmail, which have the ability to open and read messages.)

End-to-end encryption works by converting readable text and attachments into scrambled, illegible characters. The information is stored and transmitted to recipients in this format. Only the sender and recipient can convert the scrambled text back into a readable message. Therefore, even if hackers were to gain access to the servers or intercept an email, the contents of the message would remain secure.

In the case of Proton Mail, this process happens behind the scenes: no technical know-how is necessary to secure the messages. In this way, you can safely communicate PHI with associates and patients using regular email from any device.

Work efficiently and securely

Not long ago, email encryption was a tedious process involving extra software and technical knowledge on the part of the user. In 2013, Proton Mail set out to simplify the process and give more people access to data security. Today, it is possible to send and receive encrypted emails on any device with no extra steps or software installation.

Proton for Business plans(new window) allow you to create custom-domain email addresses for your organization. All emails sent within your organization and to other Proton Mail accounts are automatically end-to-end encrypted. Emails to non-Proton Mail accounts (e.g. a patient with a Gmail account) can be end-to-end encrypted by setting a password. Multiple user control levels and account types let you easily administer your organization and fine tune security settings.

Additionally, Proton Mail can be accessed securely from any web browser and through mobile apps for Android and iOS. You can also use Proton Mail with your mail client(new window) (Outlook, Thunderbird, or Apple Mail), allowing you to back up data locally and use full text search. For extra security, you can easily enable two-factor authentication to prevent unauthorized access.

How Proton Mail complies with HIPAA

At Proton Mail, we understand the sensitivities and the importance of keeping patient healthcare data private and secure. The information below is intended to inform our customers who are “covered entities” under HIPAA that we are aware of their HIPAA requirements and will do our part to help ensure that their patient data is kept confidential.

Business Associate Agreement

Our Business Associate Agreement with covered entities establishes our obligations under HIPAA. You can download this agreement here(new window). If you require this agreement signed by Proton Mail, please contact us.

Physical data safety

We have invested heavily in owning and controlling our own server hardware at several locations within Switzerland. All our datacenters have ISO27001 certification, which assures that our data security is up to global corporate standards and independently verified. Strong physical security provides an extra layer of protection by ensuring your encrypted emails are not easily accessible to any third parties. On a system level, our servers utilize fully encrypted hard disks with multiple password layers so data security is preserved even if our hardware is seized.

Proper disposal of data

If you end your contract with Proton Mail, all your data is deleted from the Proton Mail servers. No printed reports or paper copies are ever retained in our facility. If you ever request printed reports, we shred them immediately upon completion of the task that required the paper output.

Data encryption

HIPAA requires that careful attention be paid to data in motion and at rest. This requirement mandates that data be encrypted as it is transmitted between computers and devices. Proton Mail was built with encryption at its core. All emails are stored with zero-access encryption, and in all instances, it is possible to also protect emails in transit with end-to-end encryption. Our open source encryption software has also undergone third-party security audits. All this works to ensure that your data and your patients’ data will remain secure and under your sole control.

Learn more about Proton Mail’s security features here(new window) or read our white paper(new window) for technical details. If you are also subject to the EU’s General Data Protection Regulation, you can check out the Proton Mail GDPR compliance(new window).

If you have additional questions about HIPAA compliance and email security, please contact us.

Related articles

laptop showing Bitcoin price climbing
en
  • Guias de privacidade
Learn what a Bitcoin wallet does and the strengths and weaknesses of custodial, self-custodial, hardware, and paper wallets.
pixel tracking: here's how to tell which emails track your activity
en
Discover what pixel tracking is and how it works, how to spot emails that track you, and how to block these hidden trackers.
A cover image for a blog describing the next six months of Proton Pass development which shows a laptop screen with a Gantt chart
en
  • Atualizações de produto
  • Proton Pass
Take a look at the upcoming features and improvements coming to Proton Pass over the next several months.
The Danish mermaid and the Dutch parliament building behind a politician and an unlocked phone
en
We searched the dark web for Danish, Dutch, and Luxembourgish politicians’ official email addresses. In Denmark, over 40% had been exposed.
Infostealers: What they are, how they work, and how to protect yourself
en
Discover insights about what infostealers are, where your stolen information goes, and ways to protect yourself.
Mockup of the Proton Pass app and text that reads "Pass Lifetime: Pay once, access forever"
en
Learn more about our exclusive Pass + SimpleLogin Lifetime offer. Pay once and enjoy premium password manager features for life.