Is ProtonMail HIPAA Compliant? Why Encryption Alone Is Not Enough

Last updated: March 21, 2026

TLDR

No. ProtonMail is not HIPAA compliant. Despite strong end-to-end encryption, Proton does not offer a Business Associate Agreement (BAA) to healthcare organizations. HIPAA requires more than encryption: organizational safeguards, audit controls, and breach notification procedures are also required. No version of Proton Mail meets these requirements.

The short answer

ProtonMail is not HIPAA compliant. Proton AG, the Swiss company behind Proton Mail, does not offer Business Associate Agreements to healthcare organizations. No tier, no plan, no workaround changes this.

If your clinic staff use ProtonMail for any email that references patient names, appointment details, diagnoses, or treatment information, that is a HIPAA violation. The encryption does not help.

Why encryption alone falls short

This is the most common misunderstanding. Proton Mail’s end-to-end encryption is technically strong, in some ways stronger than what Microsoft or Google offer by default. So why does it not qualify for HIPAA?

HIPAA compliance requires three categories of safeguards: administrative, physical, and technical. Encryption is one technical safeguard. The regulation also requires:

  • Audit controls (who accessed what, when)
  • Access management (role-based permissions, automatic logoff)
  • Breach notification procedures (documented response within 60 days)
  • Business Associate Agreement with every vendor that handles PHI

ProtonMail satisfies one item on that list. It does not satisfy the others, and Proton does not offer a BAA to US healthcare organizations. A tool can be technically excellent and still be off-limits for PHI. This is one of those cases.

Why clinicians reach for ProtonMail

The logic is understandable. Standard Gmail or Outlook send emails in plaintext over the open internet. ProtonMail encrypts everything end-to-end. A clinician who cares about patient privacy sees the encryption and assumes the problem is solved.

The problem is that HIPAA compliance is not purely a technical question. It is also an organizational one. A BAA creates legal accountability between your practice and your vendor. It defines what happens if a breach occurs, who is responsible for notifying patients, and what remediation is required. Swiss-based Proton AG is not subject to HIPAA enforcement and cannot take on that legal role for a US-based covered entity.

What the BAA requirement actually means

When your practice sends patient information to a vendor’s system (whether it is an EHR, a task management tool, or an email provider), that vendor becomes a business associate under HIPAA. You need a signed BAA before any PHI touches their infrastructure.

A BAA is not optional paperwork you can skip if the tool is encrypted. HHS has assessed fines for BAA violations independent of whether any breach actually occurred. The absence of a BAA is itself a compliance failure.

What to use instead

For standard clinic email, two options cover most practices. Microsoft 365 Business Premium signs BAAs and includes encryption, audit logging, and data loss prevention. Most practices already have Microsoft accounts, which makes this the path of least resistance. Google Workspace for Healthcare also offers a BAA and covers HIPAA-relevant controls across Gmail, Drive, and Meet.

For clinical messaging between staff and with patients, consider purpose-built platforms. TigerConnect, Klara, and Spruce Health all include BAAs and are designed around healthcare communication workflows. They look similar to standard messaging apps but operate over encrypted channels with full audit trails.

What PHIGuard covers

PHIGuard handles task coordination and compliance program management within your clinic, not external email. We built it because clinics using general-purpose tools like Asana and Monday.com face the same problem as ProtonMail users: good tools that were not built for healthcare and cannot sign a BAA that covers PHI-related workflows.

If your clinic needs a task management tool where staff can assign follow-ups, track prior authorizations, and run compliance checklists without worrying about PHI exposure, PHIGuard includes a BAA at every pricing tier starting at $20/month for up to 10 staff.

For email, use Microsoft 365 or Google Workspace. For ProtonMail, the answer is the same whether you are a small family practice or a multi-provider clinic: it is not an option for PHI.

DEFINITION

Business Associate Agreement (BAA)
A contract required by HIPAA between a covered entity (your practice) and any vendor that handles protected health information on its behalf. Without a signed BAA, using that vendor's service for PHI-related communications is a HIPAA violation.

End-to-End Encryption (E2EE)
A method of encrypting messages so only the sender and recipient can read them. ProtonMail uses E2EE, but encryption alone does not satisfy HIPAA's full set of administrative, physical, and technical safeguards.

Technical Safeguard
One of three categories of HIPAA safeguards (alongside administrative and physical). Technical safeguards include encryption, access controls, audit controls, and automatic logoff. Meeting only one technical safeguard, such as encryption, does not make a system HIPAA compliant.

Q&A

Is ProtonMail HIPAA compliant?

No. ProtonMail does not offer a Business Associate Agreement to healthcare organizations. Using ProtonMail for email containing protected health information is a HIPAA violation regardless of encryption strength.

Does strong encryption make ProtonMail acceptable for patient communications?

No. Encryption satisfies one technical safeguard under HIPAA, but the regulation also requires audit controls, breach notification procedures, access management, and a signed BAA with every vendor that touches PHI. ProtonMail provides none of these for healthcare use.

What should clinics use instead of ProtonMail for secure communications?

For general clinic email, Microsoft 365 and Google Workspace both offer HIPAA BAAs. For clinical messaging with patients and between staff, purpose-built platforms like TigerConnect, Klara, and Spruce Health are designed specifically for healthcare and include BAAs.

Want to learn more?

Is ProtonMail HIPAA compliant?

No. ProtonMail does not offer a BAA to healthcare organizations. Without a signed BAA, using Proton Mail for any email containing protected health information is a HIPAA violation, regardless of how encrypted the messages are.

Does ProtonMail's encryption make it safe enough for PHI?

Encryption is one of several HIPAA technical safeguards, but it does not satisfy the full HIPAA rule on its own. HIPAA also requires audit controls, access management, breach notification procedures, and a signed BAA with every vendor that handles PHI. ProtonMail provides none of these for healthcare organizations.

Can I use ProtonMail for non-PHI emails at my clinic?

You can use ProtonMail for clinic communications that contain no protected health information: office supply orders, internal team scheduling, HR communications. Any email that mentions patient names, conditions, appointment details, or treatment information requires a HIPAA-compliant email platform with a signed BAA.

Why doesn't ProtonMail offer BAAs?

Proton AG is a Swiss company operating under Swiss law. HIPAA is a US law that applies to US-based covered entities and their business associates. Proton has not built the compliance infrastructure (BAA, breach notification, audit logging) required by HIPAA, and does not offer these to healthcare customers.

What email platforms are HIPAA compliant for clinics?

Microsoft 365 (Business Premium and above) and Google Workspace (Business Starter and above) both offer BAAs and meet HIPAA technical safeguard requirements. For clinical messaging between staff and patients, purpose-built platforms like TigerConnect, Klara, and Spruce Health include BAAs and are designed for healthcare workflows.