Is Proton Mail HIPAA Compliant?

Proton Mail is HIPAA compliant and can be used either with an existing domain or as a standalone service to send, receive, and store emails containing Protected Health Information (PHI). However, HIPAA covered entities and business associates may have to reconfigure third-party security tools and provide additional HIPAA training to ensure PHI transmitted via Proton Mail remains protected.

Proton Mail is an encrypted email, Drive, and Calendar service that automatically encrypts emails between Proton users and password-encrypts emails sent to non-Proton users. In the context of the question "is Proton Mail HIPAA compliant", Proton Mail helps covered entities comply with §164.312(e) of the Security Rule, relating to transmission security, by facilitating the encryption of emails in transit.

Whether the service helps covered entities comply with the encryption requirements for data at rest (§164.312(a)) depends on what happens to PHI once a covered entity receives it. If PHI remains in a Proton Mail folder or is securely transferred to Proton Drive, it remains encrypted. If it is transferred anywhere else, compliance with the encryption-at-rest standard depends on the controls at the PHI's destination.

Is Proton Mail HIPAA Compliant by Default?

Unlike most HIPAA-compliant software solutions, Proton Mail is practically HIPAA compliant "out of the box". All covered entities have to do before using Proton Mail to send, receive, or store emails containing PHI is agree to the terms of the Proton Business Associate Agreement. Thereafter, it is necessary to activate "authentication logs" and "advanced logs", and advisable to enable the Proton Sentinel feature.

Existing users, emails, and contacts are easy to import, but it is important to assign "non-private" status to all user accounts in order to maintain visibility of user activity. It may also be necessary to configure third-party email filters and DLP solutions so that inbound emails are scanned after they are decrypted but before they are opened, or, in the case of DLP solutions, so that outbound emails are scanned before they are encrypted and sent.

Potential Compliance Issues to be Aware Of

HIPAA compliance is not solely determined by the capabilities of any software. It is how the software, and any connected software, is configured and used that determines compliance. For example, the reason it may be necessary to reconfigure email filters is that, when a user sends an encrypted email to an external contact, any replies to that email will also be encrypted, and the email filter may then be unable to scan their content for malware.

With regards to using Proton Mail, members of the workforce must receive HIPAA training on how to use the service in compliance with HIPAA. Recommended instructions for Proton Mail HIPAA compliant use include:

  • Refraining from entering PHI in the subject line of emails.
  • Refraining from using PHI in the names of files stored in Drive.
  • Refraining from externally sharing Calendars if an Event discloses PHI.
  • Refraining from entering notes in the Proton Password Manager that include PHI.

Possibly the most important instruction for Proton Mail HIPAA compliant use is remembering to generate and send a password when emails containing PHI are sent to recipients that do not use Proton Mail. This is because emails to non-Proton users are not encrypted by default. It is easy to imagine scenarios in which a distracted workforce member sends an unprotected email containing PHI, or forgets to send the recipient a password to open the email.

Proton Mail is Good for Some Scenarios, but Not All

There are some scenarios in healthcare where it is easy to see the benefits of Proton Mail. Home healthcare professionals can take advantage of mobile apps to secure remote connections, facilities with insecure Internet connections can take advantage of Proton Mail's accelerated VPN service, and all covered entities that identify a risk to emails in transit in a risk assessment can take advantage of Proton Mail's encryption services.

However, Proton Mail does not mitigate the threat from phishing, nor reduce the chances of non-password protected emails containing PHI being sent to unauthorized recipients. In addition, Proton Mail HIPAA compliant training will be necessary to alert workforce members to the importance of manually encrypting emails by generating a password and sending the password to external recipients when emails contain PHI.

For this reason, Proton Mail should only be considered once a risk assessment has identified what threats and vulnerabilities to the security of PHI exist and how they can be mitigated to a reasonable and acceptable level. Covered entities who require assistance conducting a risk assessment, or who require further information about making Proton Mail HIPAA compliant, are advised to seek advice from a compliance expert.

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focuses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023.