Like most HIPAA-related questions concerning technology, the answer to the question “is Proton Mail HIPAA compliant?” is “it depends”. This is because no technology is HIPAA compliant by default. It is how the technology is configured and used that determines whether it is HIPAA compliant.
The Proton suite of open source privacy solutions is designed to “improve the security of your business and comply with data protection laws”. The suite consists of the Proton Mail email service, the Proton Drive storage service, Proton Calendar, Proton VPN, and Proton Pass – a vault-based password manager which can support HIPAA compliance under certain business plans.
With regard to Proton Mail and the question “is Proton Mail HIPAA compliant?”, all three Proton business plans support HIPAA compliance by encrypting emails “end-to-end” between Proton Mail accounts. The plans also allow Proton Mail accounts to send password-protected encrypted emails to accounts maintained by other email providers (e.g. Office 365).
Therefore, in the context of the question “is Proton Mail HIPAA compliant?”, the technology behind Proton Mail supports HIPAA compliance. However, for the service to comply with HIPAA, it has to be configured to be HIPAA compliant and members of the workforce must be trained on how to use Proton Mail in compliance with HIPAA. More on this below.
Does HIPAA Require Encrypted Emails?
Before discussing how to make Proton Mail HIPAA compliant, it may be worth discussing whether HIPAA requires covered entities and business associates to use encrypted emails. The Privacy and Security Rules do not stipulate that emails have to be encrypted – only that the privacy of PHI is protected and that the confidentiality, integrity, and availability of electronic PHI is ensured.
Furthermore, although Proton Mail can mitigate the risk of a data breach if emails are intercepted in transit or if a mail server is hacked, encrypted email services do not prevent emails containing PHI (and the passwords that protect them) from being sent to the wrong recipient, email accounts from being compromised in a phishing attack, or malicious insiders from stealing PHI – which is why effective HIPAA training is necessary.
Additionally, the Department of Health and Human Services (HHS) has issued guidance that it is permissible to communicate with patients via unencrypted email if the patient has initiated contact by email or exercised their Privacy Rule rights to request email communications. In such circumstances, HHS notes the importance of applying reasonable safeguards to protect PHI.
How to Make Proton Mail HIPAA Compliant
For covered entities and business associates that feel encrypted email is an important part of a multi-layered defense strategy against data breaches, Proton Mail complies with the physical, technical, and administrative safeguards required by the Security Rule and will enter into a Business Associate Agreement with customers that use the service to transmit PHI.
With regard to administrative controls, system administrators can remotely manage user credentials (with or without the Proton Pass tool), onboard and offboard workforce members, and control which workforce members have access to Proton Drive storage volumes containing PHI. The administrative console can also force sign-outs when user credentials are believed to have been compromised.
With regard to training members of the workforce to use Proton Mail in compliance with HIPAA, the user interface is similar to most other email services – so minimal user training should be necessary. However, it is important that workforce members are advised of the controls put in place by system administrators to make Proton Mail HIPAA compliant, so that end users do not risk the confidentiality, integrity, or availability of PHI by trying to circumvent the controls.