Is Proton Mail HIPAA Compliant?
Like most questions relating to HIPAA and technology, the answer to the question “is Proton Mail HIPAA compliant?” is “it depends”. This is because no technology is, in itself, HIPAA compliant. It is how the technology is configured and used that determines compliance with HIPAA.
Proton Mail offers mail, storage, and VPN services, and claims to be “the world’s largest end-to-end encrypted email service”. The “end-to-end” part of the claim does a lot of heavy lifting because emails are only fully encrypted end-to-end between Proton Mail users. If you send an encrypted email to (say) an Outlook user, you have to set a password that the recipient must enter to open the email.
Nonetheless, Proton Mail is an attractive option for businesses operating in regulated industries because of its zero-knowledge model and advanced privacy protections. It is also fairly easy to configure (compared to – for example – Microsoft 365) and it is possible to “bridge” accounts between the Proton Mail client and third-party email clients.
Do Covered Entities Need Encrypted Email?
Before considering whether Proton Mail is HIPAA compliant, it may be worth considering whether Covered Entities need encrypted email at all. This is because the Privacy and Security Rules do not stipulate that emails have to be encrypted – only that the privacy of PHI is protected and that measures are implemented to ensure the confidentiality, integrity, and availability of electronic PHI.
Therefore, although encrypted email services such as Proton Mail can prevent data breaches if emails are intercepted in transit or if a mail server is hacked, encrypted email services do not prevent emails containing PHI from being sent to the wrong recipient, mail shots being sent with all recipients’ names visible in the “to” or “cc” boxes, or malicious insiders using encrypted email to steal PHI.
Furthermore, HHS has issued guidance that it is okay to communicate PHI with a patient via unencrypted email provided the patient has not specifically requested to be contacted via a more secure channel. Indeed, the guidance states Covered Entities can assume a patient has given their consent to be contacted by unencrypted email if the patient has initiated contact in this manner.
But Is Proton Mail HIPAA Compliant?
For Covered Entities that feel encrypted email is an essential part of a multi-layered defense strategy, Proton Mail meets the physical, technical, and administrative safeguards required of a Business Associate and will enter into a Business Associate Agreement with Covered Entities – even though the vendor does not have access to the content of emails because of its zero-knowledge model.
All emails between Proton Mail users are encrypted by default, and the user-friendly Administrator’s Console makes it easy to onboard or remove users, manage user credentials, and control which users have access to Proton Drive storage volumes containing PHI. The console also allows administrators to force sign-outs when user credentials are believed to have been compromised.
In these respects, Proton Mail goes beyond the minimum requirements to support HIPAA compliance, and it could be said that Proton Mail is HIPAA compliant. However, users still have to be trained – and remember – to set a password for each recipient who is not a Proton Mail user; otherwise the message is not protected end-to-end, and this reliance on user behavior may cause more compliance issues than not using an encrypted mail service to communicate PHI.