HIPAA Compliance

Organizations operating in the healthcare industry are continuously under pressure to use resources as efficiently as possible. They must provide innovation in patient care products and services enabled by advances in IT, and do so while maintaining compliance with an increasing burden of privacy and security regulations such as those posed by the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH).

We at ProtonMail realize that many of our customers are required to ensure the confidentiality of patient healthcare data pursuant to HIPAA. We understand the sensitivities and the seriousness associated with keeping patient healthcare data private and secure.

This ProtonMail HIPAA Compliance Statement is intended to inform our customers who are “covered entities” under HIPAA that we are aware of their HIPAA requirements and will do our part to help ensure that their patient data is kept confidential. This Statement is not intended to take the place of a Business Associate Agreement.


Looking for a BAA?

Consult our BAA model online here.

Obtain a copy in PDF here.

To request a validly signed copy, please contact legal@protonmail.com with the subject "HIPAA BAA".



We have instituted policies and procedures to ensure that such data is kept confidential, including but not limited to the following:


Privacy and Security Rule(s):

To protect the privacy and security of the PHI we have implemented the following processes:


Data Safety

We have invested heavily in owning and controlling our own server hardware at several locations within Switzerland so your data never goes to the cloud. Our primary datacenter is located under 1000 meters of granite rock in a heavily guarded bunker which can survive a nuclear attack. This provides an extra layer of protection by ensuring your encrypted emails are not easily accessible to any third parties. On a system level, our servers utilize fully encrypted hard disks with multiple password layers so data security is preserved even if our hardware is seized.


Data is Protected From Unauthorized Viewing:

Because ProtonMail's encryption is zero access and we do not have the ability to read our user's encrypted data, in some ways, it does not matter where we store encrypted data. However, as we have seen in the past, third parties simply cannot be trusted to safeguard online privacy and freedom. The ONLY way to ensure the highest level of data security and uptime is to have full control over the server hardware and network.


Proper Disposal of Data:

At the end of a Covered Entity's contract with ProtonMail, their data is deleted from the ProtonMail Servers. No printed reports or paper copies are ever retained in our facility. If reports are ever printed to further support the Covered Entity, they are shredded immediately upon completion of the task that required the paper output.


Data Security

HIPAA requires that careful attention be paid to data that is in motion and at rest. This requirement mandates the data to be encrypted as it is transmitted between computers and devices. ProtonMail was built with security at its core. End-to-end encryption is built into the foundation of everything we do. From the top of the line SSL certificate to the use of AES, RSA, and OpenPGP, your data will remain entirely in your control. You can see ProtonMail's security details here (https://protonmail.com/security-details).


Proton Technologies AG


Chemin du Pré-Fleuri, 3
CH-1228 Plan-les-Ouates, Genève, Switzerland