Is Proton Mail HIPAA Compliant?
When a healthcare organization evaluates technologies that will be used to create, receive, store, or transmit electronic Protected Health Information (ePHI), one of the first questions it should ask is whether the technology is HIPAA compliant.
Proton Mail is one of five privacy and security tools bundled into the Proton Business Plan – the other four being a VPN, a secure storage service, a calendar, and a password manager. The plan supports HIPAA compliance via a selection of administrative controls and end-to-end encryption. Proton is also prepared to enter into a Business Associate Agreement with healthcare organizations.
Is this sufficient to make Proton Mail HIPAA compliant? No, because compliance is not determined by technology alone. To comply with HIPAA, system administrators must configure the service to satisfy the access control and audit control standards of the Security Rule (unique user accounts, role-based access, and the ability to review who accessed what), and the organization must provide appropriate HIPAA training to members of the workforce who may use Proton Mail to send emails containing ePHI.
Making Proton Mail HIPAA Compliant
Making Proton Mail HIPAA compliant is not difficult, thanks to an intuitive Administration Control Panel that enables administrators to add and remove users, apply user roles, and assign access to shared Proton Drives. It is also recommended that users are assigned “non-private” status so administrators retain control of the users’ encryption keys, can reset login credentials, and can prevent the permanent deletion of emails when a user leaves or loses access. Note that non-private status gives administrators the technical ability to read a user’s mailbox, so this access should be covered by the organization’s policies and reserved for named, accountable administrators.
Possibly more difficult is the need to develop policies and procedures for Proton Mail’s “encrypt-to-outside” feature, which enables users to send password-protected encrypted emails to recipients outside the organization who are not using Proton Mail. In such circumstances, special care must be taken over how the password for each email is communicated to the recipient: it should be shared through a separate channel (for example, by phone or in person) and never in the same email, in an unencrypted follow-up email, or as a guessable value such as a date of birth.
Why User Training is Necessary
Because Proton Mail is an end-to-end encrypted email service, users can acquire a false sense of security about the precautions that need to be taken when sending emails containing ePHI. End-to-end encryption protects message content from interception in transit and from disclosure if mail servers are compromised, but only for mail between Proton Mail users or mail sent with the encrypt-to-outside feature; an ordinary email to an external address is delivered to the recipient’s server with transport encryption only, and subject lines are not end-to-end encrypted, so ePHI should never be placed in a subject line. The service does nothing to reduce the risk of other types of email threat.
Consequently, HIPAA training is necessary to prevent login credentials from being phished, emails and passwords from being sent to the wrong recipient, and malicious insiders from forwarding PHI to private accounts. If your organization experiences challenges in providing this type of training – whether Proton Mail is implemented or not – do not hesitate to seek professional HIPAA training advice.