Is Proton Mail HIPAA Compliant?
Proton Mail can be used in a HIPAA-compliant manner by covered entities and business associates to send end-to-end encrypted emails containing PHI to other Proton Mail users, to share files via Proton Drive, and to use the shareable Proton Calendar. However, compliance issues can arise when emails are sent to recipients who are not Proton Mail users.
Proton Mail offers mail, storage, and VPN services, and claims to be "the world's largest end-to-end encrypted email service". The "end-to-end" part of the claim does a lot of heavy lifting, because end-to-end encryption applies only between Proton Mail users. To send an encrypted email to an external recipient (an Outlook user, say), the sender must set a message password and convey it to the recipient out of band; otherwise the message is protected only by whatever transport encryption (TLS) the receiving mail server supports, and it is stored in the clear on the recipient's side.
Nonetheless, Proton Mail is an attractive option for businesses operating in regulated industries because of its zero-knowledge model and privacy protections. It is also fairly easy to configure (compared to Microsoft 365, for example), and Proton Mail Bridge allows third-party desktop email clients such as Outlook or Thunderbird to send and receive Proton Mail messages over local IMAP/SMTP, with encryption and decryption still performed on the user's machine.
Do Covered Entities Need Encrypted Email?
Before asking whether Proton Mail is HIPAA compliant, it is worth asking whether Covered Entities need encrypted email at all. The Privacy and Security Rules do not stipulate that emails must be encrypted. Encryption is an "addressable" implementation specification under the Security Rule, meaning a Covered Entity must implement it where reasonable and appropriate, or document why it is not and what equivalent alternative measure was adopted instead. What the Rules require is that the privacy of PHI is protected and that measures are in place to ensure the confidentiality, integrity, and availability of electronic PHI.
Therefore, although an encrypted email service such as Proton Mail limits the damage if emails are intercepted in transit or a mail server is compromised, it does nothing to prevent emails containing PHI being sent to the wrong recipient, mail shots being sent with every recipient's address visible in the "To" or "Cc" field, or malicious insiders using encrypted email to exfiltrate PHI. Those risks are addressed by workforce training, access controls, and data loss prevention, not by encryption alone.
Furthermore, HHS has issued guidance that it is acceptable to communicate PHI with a patient via unencrypted email provided the patient has not specifically requested a more secure channel, and it recommends alerting the patient to the risks of unencrypted email where the provider believes the patient may not be aware of them. The guidance also states that Covered Entities can assume a patient consents to being contacted by unencrypted email if the patient initiated contact in this manner.
But Is Proton Mail HIPAA Compliant?
For Covered Entities that regard encrypted email as an essential part of a multi-layered defense strategy, Proton Mail meets the physical, technical, and administrative safeguards required of a Business Associate and will enter into a Business Associate Agreement with Covered Entities, even though its zero-knowledge model means the vendor cannot read the content of emails. Note that the zero-knowledge guarantee covers message bodies and attachments; envelope data such as sender and recipient addresses, and header fields such as the subject line, are not end-to-end encrypted, so PHI should never be placed in a subject line.
All emails between Proton Mail users are encrypted by default, and the administration console makes it straightforward to onboard and remove users, manage user credentials, and control which users have access to the Proton Drive storage volumes that contain PHI. The console also allows administrators to force sign-outs of all sessions when user credentials are believed to have been compromised, which supports the Security Rule's access control and workforce termination procedures.
In these respects, Proton Mail goes beyond the minimum requirements needed to support HIPAA compliance, and, as with any service, compliance ultimately depends on how the Covered Entity configures and uses it rather than on the product alone. The main operational weakness is external email: users must be trained, and must remember, to set a message password for every recipient who is not a Proton Mail user in order to encrypt emails containing PHI. Given the risk that workforce members forget to set a password, send the password over the same channel as the message, or send it to the wrong recipient, external encrypted email may cause more compliance issues than it resolves unless the organization restricts PHI to internal Proton-to-Proton communication or adopts a documented procedure for sharing passwords out of band.