Is ProtonMail HIPAA Compliant? BAA and Encryption Explained

Proton Mail can be used in a HIPAA-compliant way, but only on its business plans and only after you sign a Business Associate Agreement (BAA) with Proton. The encryption technology is there out of the box, but compliance depends on how your organization configures and uses the service. Without a BAA in place, no email provider meets HIPAA requirements, regardless of how secure it is.

The BAA Is the Starting Point

HIPAA requires any vendor that handles protected health information (PHI) on your behalf to sign a BAA. This is a legal contract that makes the vendor responsible for safeguarding patient data and liable if they mishandle it. Proton offers BAA signing through its business plans, specifically the Workspace Standard and Workspace Premium tiers. If you’re on a free or individual paid plan, you don’t have access to a BAA, and using that account to send or store PHI would be a compliance violation.

Signing the BAA is step one, not the finish line. Your organization still needs to configure the platform correctly, train staff, and maintain proper records. HIPAA compliance is a shared responsibility between the email provider and the covered entity using it.

How Proton Mail’s Encryption Works

HIPAA’s Security Rule requires technical safeguards for electronic PHI, including encryption both when data is stored (at rest) and when it’s being sent (in transit). Proton Mail covers both by default, which is its main advantage over conventional email providers that require manual configuration.

For stored data, Proton uses what it calls zero-access encryption. Your emails are encrypted with your public key and can only be decrypted with your private key, which you alone control. Proton’s servers never have access to the readable content of your messages. If Proton’s servers were ever breached, stolen data would be unreadable ciphertext. This is a meaningful security advantage for healthcare organizations worried about data breaches.

For emails sent between two Proton Mail users, messages are end-to-end encrypted automatically. Neither Proton nor any intermediary can read the content during transmission or storage. No extra steps required.

Sending PHI to Non-Proton Recipients

This is where things get more complicated. When you email someone outside Proton Mail (a patient using Gmail, for example), end-to-end encryption doesn’t apply automatically. To maintain encryption in transit, you need to use Proton’s password-protected email feature.

Here’s how it works: before hitting send, you click the encryption button and set a message password. The recipient gets a notification that a secure message is waiting for them. They enter the password you’ve shared with them separately (by phone, in person, or through another secure channel) and are taken to a secure Proton Mail inbox where they can read and reply with full end-to-end encryption. Attachments are encrypted too.

This feature is critical for HIPAA compliance because most of the people you email in healthcare, patients, referring providers, insurance contacts, won’t be Proton Mail users. If your staff sends PHI to an external address without using password protection, that message travels without end-to-end encryption, and you have a potential HIPAA violation. Staff training on this point is essential.

Security Certifications

Proton completed a SOC 2 Type II audit in July 2025, conducted by Schellman, an independent auditing firm. SOC 2 Type II is one of the most widely recognized standards for operational security in business, and it’s often a baseline requirement for vendors in regulated industries like healthcare and finance. The audit examined real-world implementation of Proton’s security controls across its infrastructure, including technical reviews, interviews, and documentation checks.

Proton also received ISO 27001 certification in May 2024 and maintains compliance with GDPR and the Swiss Data Protection Act. These certifications don’t equal HIPAA compliance on their own, but they demonstrate that Proton’s security practices have been independently verified, which matters when you’re evaluating vendors for handling sensitive health data.

Configuration Steps You’re Responsible For

Signing the BAA and having encryption in place doesn’t make your organization compliant by itself. You need to handle several administrative responsibilities on your end:

  • Access controls: Require strong passwords and two-factor authentication for every account. Proton’s business plans let you create multiple user control levels and account types, so you can limit who has access to what.
  • Retention: Don’t delete email correspondence containing PHI for at least six years. HIPAA requires you to maintain records for potential audits.
  • Audit logs: Properly maintain email logs and archives. If an audit or breach investigation occurs, you need to show who accessed what and when.
  • Staff training: Everyone in your organization who uses email needs to understand the protocols for handling PHI, including when to use password-protected emails and how to verify recipient consent.
  • Patient consent: Always obtain consent before sending PHI to non-secure addresses.

Proton’s business dashboard gives you the tools to manage most of this, including custom domain email addresses and organization-wide security settings. But the responsibility for actually enforcing these policies falls on you.

Where Proton Stores Your Data

Proton has historically kept its servers in Switzerland, benefiting from some of the strongest privacy laws in the world. As of mid-2025, Proton is diversifying its infrastructure across Europe, with data centers in Germany and Norway in addition to Switzerland. For HIPAA purposes, the physical location of servers matters less than the encryption and access controls protecting the data. Since Proton’s zero-access encryption means even Proton itself can’t read your stored emails, the jurisdiction of the servers is less of a practical concern than it might be with other providers.

How Proton Mail Compares to Other Options

The main alternatives for HIPAA-compliant email are Microsoft 365 and Google Workspace, both of which offer BAAs on their business plans. The key difference is configuration complexity. Proton Mail encrypts data at rest by default with zero-access encryption, while Microsoft 365 and Google Workspace require more manual setup to achieve comparable encryption levels. On the other hand, Microsoft and Google have larger ecosystems of integrated healthcare tools (EHR integrations, compliance dashboards) that may matter for bigger organizations.

Proton also supports bridging accounts with third-party email clients like Outlook or Apple Mail through its Proton Mail Bridge tool. This is convenient if your staff prefers a familiar interface, but you should be aware that once emails are decrypted and displayed in a third-party client, the security of that data depends on the client’s own protections and your device security policies. This doesn’t automatically break compliance, but it adds another layer you need to manage.

For small to mid-sized healthcare practices that want strong default encryption without complex IT configuration, Proton Mail is a solid choice. The critical requirements are straightforward: get on a business plan, sign the BAA, enforce two-factor authentication, train your staff on password-protected emails for external recipients, and maintain your retention and logging policies.