ProtonMail is an email encryption service designed with businesses in mind, enabling users to send and receive secure emails. But when you work with protected health information, you must consider more than a software's security; you must also look at whether or not it is HIPAA compliant. Is ProtonMail HIPAA compliant? Find out by reading below.
ProtonMail HIPAA Compliant Email Encryption
Since ProtonMail is a software provider, it is considered a business associate under HIPAA when working with healthcare clients. Regardless of what type of healthcare business is using ProtonMail, when patient protected health information (PHI) is transmitted or received through ProtonMail's email encryption service, the healthcare business must have a signed business associate agreement in place.
ProtonMail will sign business associate agreements (BAAs) with its clients upon request. To request a BAA from ProtonMail, you must email their team at [email protected] using the subject line "HIPAA BAA".
Ultimately, a software platform's HIPAA compliance depends on how the software is used. Although ProtonMail is inherently secure as an encryption service, there are certain security and privacy measures that healthcare businesses must be aware of to ensure its HIPAA-compliant use.
According to ProtonMail's website, the service provides the following security and privacy protections:
- End-to-end, zero-access encryption to restrict access to PHI
- 4096-bit RSA encryption as the default for stored communications
- SwissSign TLS certificate
- Account owner authentication
- Remote wipe of PHI persistent on phone applications
- Data backups stored in secure, world-class data centers
- Restricted access to all servers and production workstations
- A sophisticated monitoring system distributed between two data centers
- Automated data backups
- Automated virus checking
- Reporting of any non-compliance of which they become aware
- A named HIPAA Security Official who creates, maintains, and enforces their HIPAA policies and procedures
- No employee access to PHI
- Notice of data breach
- All ProtonMail employees are required to sign a confidentiality agreement as part of their employment contract
Is ProtonMail HIPAA Compliant?
Is ProtonMail HIPAA compliant? Yes, ProtonMail is HIPAA compliant, provided that users have a signed business associate agreement in place before using it. Additionally, it is important to follow HIPAA email rules when including PHI in emails.