Yes, ProtonMail is HIPAA compliant. Healthcare organizations can use this secure email platform to send PHI through mobile and webmail apps.
Even though ProtonMail isn’t designed specifically for the healthcare industry, it offers security features healthcare organizations can use for protected health information (PHI)
. ProtonMail includes a HIPAA compliance statement on its website that assures HIPAA-covered entities the company will do its part to protect patient data.
Privacy and security features include end-to-end encryption and zero access data management. The service uses 4,096-bit RSA encryption for all stored communications. World-class data centers provide physical security for all data backups. The server hardware is located in Switzerland where the servers use fully encrypted hard disks, including multiple password layers in case the hardware is removed from the data center.
If a user’s device is stolen or lost, a remote wipe feature protects PHI. Account owner authorization gives healthcare organizations control over who can access the information. Automated virus checking and data backups are standard. There is also a sophisticated monitoring system.
ProtonMail employees don’t have access to PHI. Since the encryption is zero access, ProtonMail employees can’t read a user’s encrypted data. As part of the employment contract, each employee signs a confidentiality agreement.
At the end of a contract with ProtonMail, the company deletes all of an organization’s data from its servers. ProtonMail doesn’t store paper copies or printed reports in its facilities.
ProtonMail offers a signed BAA for all accounts, including its free plan. Healthcare organizations can request a signed copy by emailing firstname.lastname@example.org and using the email subject line: “HIPAA BAA.”
Readers should perform their own research before making the final decision. The information on the JotForm HIPAA Compliance Checker does not constitute official healthcare or legal advice. JotForm is not liable for any damage or liabilities arising out of or connected in any manner with this platform.