Organizations operating in the healthcare industry are continuously under pressure to use resources as efficiently as possible. They must provide innovation in patient care products and services while complying with increasingly stringent privacy and security regulations, such as the Health Insurance Portability and Accountability Act (HIPAA).

Email is an old technology that has become vastly more secure just in the last five years, as new encryption tools have emerged to meet the rising demand for data privacy. For healthcare organizations subject to HIPAA compliance, this is good news: email is one of the most widely used forms of communication. Today it is possible to meet HIPAA’s privacy and security requirements while benefiting from the convenience of cloud-based email.

HIPAA requires data security in transit and at rest

HIPAA and its recent update, the Health Information Technology for Economic and Clinical Health (HITECH) Act, establish data security and privacy rules for organizations that handle people’s medical records, health payment histories, and other protected health information (PHI).

Organizations must have administrative, physical, and technical safeguards in place to protect PHI. Among the technical safeguards, PHI must be secured while “in transit” and “at rest,” which essentially means the data must be encrypted at all times, whether it is traveling across the Internet or stored on a server. In terms of physical security, access to hardware and software must be strictly controlled.

Organizations must also make it easy for people to access and correct their PHI. Data must be stored and secured for 50 years after the subject’s death. Any data breach (i.e. hack, leak, accidental disclosure, etc.) resulting in harm to individuals must be reported. Any violation of HIPAA can result in civil and criminal penalties, including fines up to $1.5 million and (in cases of intentional abuse) prison time.

All of the privacy and security requirements also extend to any vendors you use, including your email service provider.

How encrypted email supports HIPAA compliance

Encrypted email services employ end-to-end encryption to secure your data, meaning no one except the sender and the recipient is able to read the message. (This contrasts with many cloud-based email services, like Gmail, which have the ability to open and read messages.)

End-to-end encryption works by converting readable text and attachments into scrambled, illegible characters. The information is stored and transmitted to recipients in this format. Only the sender and recipient can convert the scrambled text back into a readable message. Therefore, even if hackers were to gain access to the servers or intercept an email, the contents of the message would remain secure.

In the case of ProtonMail, this process happens behind the scenes: no technical know-how is necessary to secure the messages. In this way, you can safely communicate PHI with associates and patients using regular email from any device.

Work efficiently and securely

Not long ago, email encryption was a tedious process involving extra software and technical knowledge on the part of the user. In 2013, ProtonMail set out to simplify the process and give more people access to data security. Today, it is possible to send and receive encrypted emails on any device with no extra steps or software installation.

ProtonMail Professional accounts allow you to create custom-domain email addresses for your organization. All emails sent within your organization and to other ProtonMail accounts are automatically end-to-end encrypted. Emails to non-ProtonMail accounts (e.g. a patient with a Gmail account) can be end-to-end encrypted by setting a password. Multiple user control levels and account types let you easily administer your organization and fine tune security settings.

Additionally, ProtonMail can be accessed securely from any web browser and through mobile apps for Android and iOS. You can also use ProtonMail with your mail client (Outlook, Thunderbird, or Apple Mail), allowing you to back up data locally and use full text search. For extra security, you can easily enable two-factor authentication to prevent unauthorized access.

How ProtonMail complies with HIPAA

At ProtonMail, we understand the sensitivities and the importance of keeping patient healthcare data private and secure. The information below is intended to inform our customers who are “covered entities” under HIPAA that we are aware of their HIPAA requirements and will do our part to help ensure that their patient data is kept confidential.

Business Associate Agreement

Our Business Associate Agreement with covered entities establishes our obligations under HIPAA. You can download this agreement here. If you require this agreement signed by ProtonMail, please contact us.

Physical data safety

We have invested heavily in owning and controlling our own server hardware at several locations within Switzerland. All our datacenters have ISO27001 certification, which assures that our data security is up to global corporate standards and independently verified. Strong physical security provides an extra layer of protection by ensuring your encrypted emails are not easily accessible to any third parties. On a system level, our servers utilize fully encrypted hard disks with multiple password layers so data security is preserved even if our hardware is seized.

Proper disposal of data

If you end your contract with ProtonMail, all your data is deleted from the ProtonMail servers. No printed reports or paper copies are ever retained in our facility. If you ever request printed reports, we shred them immediately upon completion of the task that required the paper output.

Data encryption

HIPAA requires that careful attention be paid to data in motion and at rest. This requirement mandates that data be encrypted as it is transmitted between computers and devices. ProtonMail was built with encryption at its core. All emails are stored with zero-access encryption, and in all instances, it is possible to also protect emails in transit with end-to-end encryption. Our open source encryption software has also undergone third-party security audits. All this works to ensure that your data and your patients’ data will remain secure and under your sole control.

Learn more about ProtonMail’s security features here or read our white paper for technical details. If you are also subject to the EU’s General Data Protection Regulation, you can check out the ProtonMail GDPR compliance.

If you have additional questions about HIPAA compliance and email security, please contact us.

Best Regards,

The ProtonMail Team