Important: HIPAApropriateness reviews, including their summaries, are for informational purposes only. They are neither consultation nor legal advice. Be aware that while we do our best to be thorough and complete, information may be missing or possibly even inaccurate. Products also change quickly, and the review may become out of date. By continuing to read, you agree to use the information in HIPAApropriateness reviews and their summaries at your own risk.

Vital Stats

HIPAA compliance with this product appears possible?: Yes.
Recommend for your HIPAA risk management needs?: Yes. Be sure to read the notes regarding HIPAA-specific items.
# of Caveats: 0 view caveats→
# of Usage Notes: 7 view notes→

Relevant Product Characteristics

  • This product does not appear to have been designed specifically with healthcare in mind. Note that many products that are useful and appropriate for health care professionals are not designed specifically with health care in mind.

What Is This Product?

This review is public. Generally, our HIPAA-propriateness reviews are only available to members of Person-Centered Tech Support, but this one is special. If you want access to all of our HIPAA-propriateness reviews, please subscribe to Person-Centered Tech Support today.


Protonmail LogoProtonMail is a high-privacy secure messaging platform with both webmail and mobile apps. They also offer a BAA even with their FREE tier of service. This is rare, folks.

It’s Hosted in Switzerland. Is that okay for HIPAA?

For a long time, we weren’t sure about that. Luckily, HHS has been on a guidance-writing streak throughout 2016 and they dispelled this nasty rumor. Hosting information outside the US is fine so long as there is a BAA in place (citation). We also need to take the locale into account in our risk analyses. At the time of writing, we are not aware of any political unrest or problems of note in Switzerland that would impact the security of ProtonMail’s servers.

Downsides That Aren’t Caveats

Caveats are criticisms of the company or warnings about the product. None of these downsides meet those criteria, so we’re just calling them “downsides.”

  1. ProtonMail doesn’t offer an easy way for someone to initiate a secure message to you – of course they could still send a normal e-mail. In order for a client to send you a secure message through ProtonMail, they must either:
    • Have their own ProtonMail account
    • Find a ProtonMail message you sent to them that hasn’t already expired and then reply to it.

Okay, there was only 1 downside. That’s a good thing!

This product offers a free service tier or a free trial account:

We encourage all clinicians interested in this product to try out the free trial or experiment with the free tier to see if it suits your needs.

If you discover anything of concern that isn’t addressed in this review yet, please tell Liath about it at [email protected].


Caveats are criticsms of the company or product that we feel are relevant to your risk management or other important considerations.



Notes cover points where the product can’t ensure compliance or ethical action for you. These help you know what your part of the compliance puzzle looks like when using this product. A high note count usually correlates with a feature-rich product, and not necessarily with a product that has problems.

1) Request Your Business Associate Agreement by Email

The BAA doesn’t come by default. You need to email them and ask for one. Our experience was that they were positive and responsive to requests for BAAs. Did we mention they even offer the BAA on their free account? You don’t see that often, if at all.

2) Set up two-factor authentication

ProtonMail supports two-factor authentication — that’s the deal where after you enter your password, you then also have to receive a text message and then type in the code you receive in the text message. ProtonMail and Person-Centered Tech both recommend you set up two-factor authentication.

ProtonMail used to require two passwords – a login password and a mailbox password – this is no longer the case, though older accounts may still have this set up.

3) Don’t forget your password!

If you forget your ProtonMail password, you lose everything. This is the downside of a high-privacy messaging service. So be sure you use a password management program to store your ProtonMail password.

4) Remember to click the encryption button before you send!

It’s a classic secure email blunder: you hit “send” before you hit “secure” and there goes all that shiny protected health information out into the unsecured, barbaric hinterlands of the Internet.

Like most email providers that can do secure messaging, ProtonMail messages are not secured by default. Be sure to click the button that makes your message a secured one before you send those sensitive messages!

5) Turn on “Advanced” authentication logs

The ProtonMail welcome email that covers security recommends that you activate logging of attempts to sign on to your account.

HIPAA also recommends — er, sorry — requires that. In fact, you should activate the “Advanced” logging, because it keeps a log of the IP addresses of those who attempted to log in. Your BAA with ProtonMail makes this legal and acceptable for you to do, and keeping those logs gives you the audit trail you need for meeting that part of HIPAA’s standards.

6) Make sure clients and colleagues know that your secure messages will expire after some time

In order to maximize the security of messages, ProtonMail secure messages become inaccessible to their recipients after a period of time. Make sure the people you send messages to know that before-hand. Otherwise they may delay opening your message until after it has expired.

You also need to consider this in your procedure for documenting emails.

7) Be sure you are following simple security measures like using appropriate passwords and computer/device security

ProtonMail has a mobile app that can display notifications that messages have arrived and some of the message content. This could potentially allow someone to see a client’s information even when the screen is locked. The app depends on you to keep your phone secure so that the app is secure, too. Our Device Security Instruction Center covers smartphone security in detail. Our video on how to use the security features of your smartphone is also quite helpful.


Scheduled Maintenance

We will be temporarily taking the website offline at 10:00 PM Pacific (1:00 AM Eastern) tonight, July 6, in order to make some improvements. We plan to be back online by midnight Pacific (3:00 AM Eastern). We apologize for any inconvenience this may cause. Dismiss