Yes, ProtonMail states that it is HIPAA compliant. Healthcare organizations can use this secure email platform to send PHI through mobile and webmail apps.
Privacy and security features include end-to-end encryption and zero-access data management. The service uses 4,096-bit RSA encryption for all stored communications. World-class data centers provide physical security for all data backups. The server hardware is located in Switzerland, where the servers use fully encrypted hard disks with multiple password layers in case the hardware is removed from the data center.
If a user’s device is stolen or lost, a remote wipe feature protects PHI. Account owner authorization gives healthcare organizations control over who can access the information. Automated virus checking and data backups are standard. There is also a sophisticated monitoring system.
ProtonMail employees don’t have access to PHI. Because the encryption is zero-access, ProtonMail employees can’t read a user’s encrypted data. As part of the employment contract, each employee signs a confidentiality agreement.
At the end of a contract with ProtonMail, the company deletes all of an organization’s data from its servers. ProtonMail doesn’t store paper copies or printed reports in its facilities.
ProtonMail offers a signed BAA for all accounts, including its free plan. Healthcare organizations can request a signed copy by emailing firstname.lastname@example.org and using the email subject line: “HIPAA BAA.”