ProtonBlog(new window)

The benefits of using encrypted email for HIPAA compliance

Share this page

Organizations operating in the healthcare industry are continuously under pressure to use resources as efficiently as possible. They must provide innovation in patient care products and services while complying with increasingly stringent privacy and security regulations, such as the Health Insurance Portability and Accountability Act (HIPAA).

Email is an old technology that has become vastly more secure just in the last five years, as new encryption tools have emerged to meet the rising demand for data privacy. For healthcare organizations subject to HIPAA compliance(new window), this is good news: email is one of the most widely used forms of communication. Today it is possible to meet HIPAA’s privacy and security requirements while benefiting from the convenience of cloud-based email.

HIPAA requires data security in transit and at rest

HIPAA and its recent update, the Health Information Technology for Economic and Clinical Health (HITECH) Act, establish data security and privacy rules for organizations that handle people’s medical records, health payment histories, and other protected health information (PHI).

Organizations must have administrative, physical, and technical safeguards in place to protect PHI. Among the technical safeguards, PHI must be secured while “in transit” and “at rest,” which essentially means the data must be encrypted at all times, whether it is traveling across the Internet or stored on a server. In terms of physical security, access to hardware and software must be strictly controlled.

Organizations must also make it easy for people to access and correct their PHI. Data must be stored and secured for 50 years after the subject’s death. Any data breach (i.e. hack, leak, accidental disclosure, etc.) resulting in harm to individuals must be reported. Any violation of HIPAA can result in civil and criminal penalties, including fines up to $1.5 million and (in cases of intentional abuse) prison time.

All of the privacy and security requirements also extend to any vendors you use, including your email service provider.

How encrypted email supports HIPAA compliance

Encrypted email services employ end-to-end encryption(new window) to secure your data, meaning no one except the sender and the recipient is able to read the message. (This contrasts with many cloud-based email services, like Gmail, which have the ability to open and read messages.)

End-to-end encryption works by converting readable text and attachments into scrambled, illegible characters. The information is stored and transmitted to recipients in this format. Only the sender and recipient can convert the scrambled text back into a readable message. Therefore, even if hackers were to gain access to the servers or intercept an email, the contents of the message would remain secure.

In the case of Proton Mail, this process happens behind the scenes: no technical know-how is necessary to secure the messages. In this way, you can safely communicate PHI with associates and patients using regular email from any device.

Work efficiently and securely

Not long ago, email encryption was a tedious process involving extra software and technical knowledge on the part of the user. In 2013, Proton Mail set out to simplify the process and give more people access to data security. Today, it is possible to send and receive encrypted emails on any device with no extra steps or software installation.

Proton for Business plans(new window) allow you to create custom-domain email addresses for your organization. All emails sent within your organization and to other Proton Mail accounts are automatically end-to-end encrypted. Emails to non-Proton Mail accounts (e.g. a patient with a Gmail account) can be end-to-end encrypted by setting a password. Multiple user control levels and account types let you easily administer your organization and fine tune security settings.

Additionally, Proton Mail can be accessed securely from any web browser and through mobile apps for Android and iOS. You can also use Proton Mail with your mail client(new window) (Outlook, Thunderbird, or Apple Mail), allowing you to back up data locally and use full text search. For extra security, you can easily enable two-factor authentication to prevent unauthorized access.

How Proton Mail complies with HIPAA

At Proton Mail, we understand the sensitivities and the importance of keeping patient healthcare data private and secure. The information below is intended to inform our customers who are “covered entities” under HIPAA that we are aware of their HIPAA requirements and will do our part to help ensure that their patient data is kept confidential.

Business Associate Agreement

Our Business Associate Agreement with covered entities establishes our obligations under HIPAA. You can download this agreement here(new window). If you require this agreement signed by Proton Mail, please contact us.

Physical data safety

We have invested heavily in owning and controlling our own server hardware at several locations within Switzerland. All our datacenters have ISO27001 certification, which assures that our data security is up to global corporate standards and independently verified. Strong physical security provides an extra layer of protection by ensuring your encrypted emails are not easily accessible to any third parties. On a system level, our servers utilize fully encrypted hard disks with multiple password layers so data security is preserved even if our hardware is seized.

Proper disposal of data

If you end your contract with Proton Mail, all your data is deleted from the Proton Mail servers. No printed reports or paper copies are ever retained in our facility. If you ever request printed reports, we shred them immediately upon completion of the task that required the paper output.

Data encryption

HIPAA requires that careful attention be paid to data in motion and at rest. This requirement mandates that data be encrypted as it is transmitted between computers and devices. Proton Mail was built with encryption at its core. All emails are stored with zero-access encryption, and in all instances, it is possible to also protect emails in transit with end-to-end encryption. Our open source encryption software has also undergone third-party security audits. All this works to ensure that your data and your patients’ data will remain secure and under your sole control.

Learn more about Proton Mail’s security features here(new window) or read our white paper(new window) for technical details. If you are also subject to the EU’s General Data Protection Regulation, you can check out the Proton Mail GDPR compliance(new window).

If you have additional questions about HIPAA compliance and email security, please contact us.

Protect your privacy with Proton
Create a free account

Share this page

Ben Wolford(new window)

Ben Wolford is a writer and editor whose work has appeared in major newspapers and magazines around the world. Ben joined Proton in 2018 to help to explain technical concepts in privacy and make Proton products easy to use.

Related articles

Can you password-protect a folder in Google Drive?
Protecting a folder with a password is a simple yet effective way of securing files. You may wonder whether you can password-protect a folder in Google Drive. We explain what access controls Google Drive offers and what you can do to improve your sec
Proton Pass now supports passkeys on all devices and plans
We’re excited to announce that Proton Pass supports passkeys for everyone, allowing you to manage and use passkeys across all devices seamlessly. Passkeys are an easy and secure alternative to traditional passwords that can help prevent phishing atta
what is a passkey?
Passkeys are a new way to secure your online accounts using cryptographic keys instead of passwords. They offer a high level of convenience and security, and are a real game-changer in the way we access and secure sites. What is a passkey, though, an
Apple’s marketing team has built a powerful association between the iPhone and privacy. The company’s ad campaigns claim that “what happens on your iPhone, stays on your iPhone.” And, “Privacy. That’s iPhone.” But Apple’s lawyers are telling a diffe
A cyberattack on national public employment service France Travail has exposed the personal data of as many as 43 million people.  The latest breach is the second major cybersecurity attack to happen in France in the past month, raising concerns abo
If I share a folder in Google Drive, can anybody see my other folders
Google Drive makes it easy to share files and folders, but you may have wondered at some point whether the people you’ve shared a folder with can see your other folders. We answer this question below and also share some tips for truly secure link sha
In 2014, Proton Mail was introduced as a web app, revolutionizing how we think about email privacy. Today, we’re excited to broaden the horizons of secure communication by launching the Proton Mail desktop app. Anyone can now use the new Proton Mail