We spoke with a prospective customer this week who expressed an interest in our HIPAA compliant email solution. Great! We love calls like that. Then he told us his business uses Yahoo! Small Business for email and web hosting. Wow! I didn't know they still offered that service. We then began to investigate whether Yahoo is HIPAA compliant or not. This post is about determining whether Yahoo meets HIPAA compliance requirements.
Is Yahoo Small Business Email Encrypted?
There are a couple of key indicators to look for when choosing a HIPAA compliant email solution. Failure to do this important homework is a proven recipe for fines from the U.S. Department of Health and Human Services. First, does Yahoo store your email in an encrypted state in their system? This is known as at-rest encryption and is a requirement for HIPAA compliance. In Yahoo's case, we could not find any mention of storing email in an encrypted state when it's hosted with them. In fact, their Business Email page is lacking many details. Second, does Yahoo encrypt communication between your devices/computers and their system? This is known as in-motion encryption and is also a HIPAA compliance requirement. We checked Yahoo's Help Center and found a somewhat useful article on their transmission encryption. Yahoo supports encrypted connections between your devices and computers and their email systems. What was not mentioned, however, was whether they explicitly refuse unencrypted email connections. If an email provider allows connections to their systems in cleartext (unencrypted), this is a HIPAA violation. Third, does Yahoo encrypt email communications when you send email? We could not find any mention on Yahoo's Small Business site of any type of email encryption service.
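One way to check the "does the provider refuse unencrypted connections" question yourself, as an added example that is not part of the original post: the functions below inspect the capability banners a mail server sends on a plaintext connection (before STARTTLS) and flag anything that would let a client authenticate without encryption. The banners are constructed samples for illustration, not captured from Yahoo or any other provider.

```python
"""Flag mail-server capability banners that permit cleartext authentication.

Inputs are what an IMAP or SMTP client sees on a plaintext connection before
issuing STARTTLS. A provider that refuses unencrypted logins advertises
LOGINDISABLED (IMAP, RFC 2595) and withholds AUTH until TLS is up (SMTP).
"""
import re

# Constructed sample banners (not from any real provider).
IMAP_WEAK = "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=LOGIN IDLE"
IMAP_HARDENED = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED IDLE"
SMTP_WEAK = "250-mail.example.invalid\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 AUTH PLAIN LOGIN"
SMTP_HARDENED = "250-mail.example.invalid\r\n250-SIZE 35882577\r\n250 STARTTLS"

# SASL mechanisms that transmit the password itself; safe only inside TLS.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}


def imap_cleartext_findings(capability_line: str) -> list[str]:
    """Return findings for an IMAP CAPABILITY line seen before STARTTLS."""
    caps = set(capability_line.replace("* CAPABILITY", "").split())
    findings = []
    if "STARTTLS" not in caps:
        findings.append("IMAP: STARTTLS not offered; session cannot be encrypted")
    if "LOGINDISABLED" not in caps:
        findings.append("IMAP: LOGINDISABLED absent; LOGIN accepted over cleartext")
    exposed = sorted(c for c in caps if c.startswith("AUTH=") and c[5:] in CLEARTEXT_MECHS)
    if exposed:
        findings.append(f"IMAP: {', '.join(exposed)} advertised before TLS")
    return findings


def smtp_cleartext_findings(ehlo_response: str) -> list[str]:
    """Return findings for an SMTP EHLO response seen before STARTTLS."""
    keywords = {}
    for line in ehlo_response.splitlines():
        # Each line is '250-KEYWORD args' or, for the last one, '250 KEYWORD args'.
        m = re.match(r"250[- ](\S+)(?:\s+(.*))?", line)
        if m:
            keywords[m.group(1).upper()] = (m.group(2) or "").split()
    findings = []
    if "STARTTLS" not in keywords:
        findings.append("SMTP: STARTTLS not offered; submission cannot be encrypted")
    exposed = sorted(CLEARTEXT_MECHS & set(keywords.get("AUTH", [])))
    if exposed:
        findings.append(f"SMTP: AUTH {' '.join(exposed)} offered before TLS")
    return findings


def permits_cleartext_auth(imap_caps: str, smtp_ehlo: str) -> bool:
    """True if either service would accept a password without encryption."""
    return bool(imap_cleartext_findings(imap_caps) or smtp_cleartext_findings(smtp_ehlo))
```

An empty findings list means the banner alone shows no cleartext login path; it does not prove at-rest encryption or the message-level encryption the post also asks about.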
Does Yahoo sign Business Associate Agreements?
We could not find any instance of Yahoo offering to sign a Business Associate Agreement. As we've covered before, a Business Associate is required by law to sign a BAA if they are handling protected health information (PHI) on behalf of a covered entity. We checked the Yahoo Privacy Center for any mention of HIPAA, HIPAA compliance, or Business Associate Agreement. We couldn't find any mention of these important items. We then checked the Yahoo Small Business Terms of Service page. We again searched for any signs of HIPAA, HIPAA compliance, or Business Associate Agreements. No mentions here either.
Conclusion: Is Yahoo! HIPAA compliant?
As you may have guessed by now, Yahoo is not HIPAA compliant. Their encryption technology is inadequate and poorly documented. In addition, they are not offering to sign Business Associate Agreements. In conclusion, if you are a covered entity bound by HIPAA compliance laws, you should stay away from Yahoo! Small Business for email.
HIPPA Compliant Email?
Confusion certainly exists between HIPAA email and HIPPA email. HIPAA is often misspelled as HIPPA, and it's easy to mistakenly google for "HIPPA compliant email" or "HIPPA email." Google, however, is smart enough to know the correct spelling and will point you to the right pages by default. In a nutshell, "HIPPA compliant email" and "HIPPA email" are not correct. "HIPAA compliant email" and "HIPAA email" are the correct search terms.