ProtonMail has become an established name in email services. Known for its strict security standards, it’s one of the go-to alternatives for healthcare professionals concerned about data privacy and security. However, not all email services that advertise themselves as secure comply with the Health Insurance Portability and Accountability Act (HIPAA), a federal law to ensure privacy for protected health information (PHI).
Given the importance of HIPAA compliance, it’s important to ask: Is ProtonMail HIPAA-compliant, and can you use it in healthcare settings?
The Critical Role of Secure Email in Healthcare
Email is one of the most convenient and accessible ways to communicate in a healthcare setting. In medical situations, you and your clients will choose quick, easy, and free email communication over snail mail any day. However, email is also one of the most vulnerable technologies to cyberattacks.
By sending a simple email, your business may become a victim of phishing, ransomware, viruses, and malware. Given this reality, it’s critical to follow the standards set by HIPAA when sending emails. While your email provider alone cannot ensure HIPAA compliance, it may be one of the keys to helping you avoid legal trouble and ensure that you’re protecting critical patient data.
Is ProtonMail HIPAA-Compliant?
Yes, ProtonMail is HIPAA-compliant, provided that you use Proton for Business and have obtained a validly signed Business Associate Agreement (BAA).
The Independent Advisor notes ProtonMail had no major security breaches in the past five years. The free version also includes impressive security features that are present in the paid plans, such as access to a secure VPN, password-protected emails, expiration times, and AES-256 encryption. However, ProtonMail Free doesn’t provide a BAA.
ProtonMail HIPAA Compliance Features
Here are the critical ProtonMail for Business features that enable HIPAA compliance:
- Business Associate Agreement: The ProtonMail for Business BAA shows that the email provider is aware of their responsibility under HIPAA. A BAA is an agreement between your healthcare organization and the service providers you use in connection with PHI.
- End-to-end encryption: All the messages within your organization are protected by encryption. If you send an email to your clients, you can opt to encrypt your messages and attachments using a password.
- Automatic encryption for third-party apps: By default, ProtonMail applies its built-in encryption to the third-party tools you may use with its service. This matters because a third-party app may not be HIPAA-compliant on its own, even when you use a HIPAA-compliant email provider.
- Automatic PGP encryption: ProtonMail automatically encrypts email using Pretty Good Privacy (PGP) when you communicate with outsiders using Microsoft Outlook, Apple Mail, and Mozilla Thunderbird. PGP verifies the sender’s identity and encrypts and protects data in transit.
- Tracking protection: Advertisers are blocked from tracking you based on your mail activity. The app also conceals your IP address and blocks tracking pixels, so your personal information remains confidential.
- Zero-access encryption: ProtonMail cannot access the content of your emails. Only the user with the decryption key can read the message.
- Secure data centers: ProtonMail’s data centers in Switzerland and Germany are protected with biometrics access. Hard disks are encrypted with multiple passwords to protect your data.
- Two-Factor Authentication (2FA) with hardware security keys: ProtonMail supports hardware security keys as a second factor to verify your identity. Because the physical key must be present at login, it is out of reach for remote attackers. Moreover, you don’t need an authenticator app to access your account.
- Access controls: The admin panel helps you manage all user accounts. You can add and remove users, track their activity, and add storage. ProtonMail also lets you quickly change passwords and log out from all activity in case an employee’s account is compromised.
- Independent auditing: Proton apps are all open source and available for auditing by anyone. The Proton Mail code has also undergone independent audits by third-party security experts. You can view the ProtonMail audit report on their website.
Does ProtonMail Have a HIPAA Compliance Certificate?
ProtonMail does not have a HIPAA compliance certificate, but as we have shown, it ticks off the most important requirements that help your business align with HIPAA. Note that there is no official HIPAA certifying body recognized by the Department of Health and Human Services (HHS). Nevertheless, ProtonMail is transparent with its audit report. Your healthcare organization should also do its part in ensuring HIPAA compliance.
Alternatives to ProtonMail for Healthcare Email
While ProtonMail is a strong contender for secure email, you can consider other HIPAA-compliant email providers. This includes Aspida Mail, MailHippo, and LuxSci. Evaluate the features these other email providers offer and see if they align with your needs.
Ultimately, ProtonMail and HIPAA compliance must go hand in hand for those who intend to use it for healthcare communication purposes. Whether you stick with it or choose another email provider, always consider HIPAA compliance a top priority. Doing so will help save you from costly penalties and legal repercussions.