
Mailgun is a powerful email service provider that enables organizations to send, receive, and track transactional and marketing emails through reliable APIs and applications.
With Mailgun, businesses can automate and manage their email communications at scale, with strong deliverability and analytics.
Is Mailgun HIPAA compliant?
Yes, Mailgun can be HIPAA compliant, but there are limitations.
Will Mailgun sign a business associate agreement (BAA)?
Yes, Mailgun will sign a business associate agreement, which can be reviewed here.
What does the Mailgun BAA cover?
The Mailgun BAA covers the use and disclosure of protected health information (PHI), stating,
“This HIPAA Addendum defines the rights and responsibilities of each of us with respect to Protected Health Information as defined in the Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated thereunder, including the HITECH Act and Omnibus Rule, as each may be amended from time to time (collectively, ‘HIPAA’).”
Their BAA covers:
- Protection of PHI
- Technical, administrative, and physical safeguards
- Reporting of security incidents and breaches
- Providing access to records in response to HHS requests
- Return or destruction of PHI
What does the Mailgun BAA exclude?
Mailgun’s BAA clearly states that certain aspects of email transmission depend on customer configuration and actions; specifically, the customer is responsible for encrypting PHI when transmitting email via Mailgun.
Mailgun’s terms say:
“You acknowledge and understand that the Mailgun Services include the transmission of unencrypted email in plain text over the public internet and open networks. Customer Data you upload to the Mailgun Services is not encrypted by Business Associate and is stored (and transmitted) in similar fashion as you provide it. You are responsible for encrypting any sensitive data you use in conjunction with the Mailgun Services... Although Mailgun Services include support for TLS, content will be transmitted even if the recipient does not also support TLS, resulting in an unencrypted transmission.”
This means users must ensure email encryption and obtain patient consent for email communications, as Mailgun itself does not guarantee encryption in every scenario.
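The quoted terms describe opportunistic TLS: Mailgun upgrades the connection when the receiving server allows it and otherwise delivers in plaintext. The following added example (not code from Mailgun, Paubox, or this article) shows the send-side check a covered entity can put in front of the Mailgun messages API so that PHI is never handed over in a mode where plaintext fallback is possible. The parameters `o:require-tls` and `o:skip-verification` are Mailgun's documented send-time options for `POST /v3/{domain}/messages`; they are not mentioned on this page. The sending domain, addresses, and message bodies are constructed sample values, and `simulate_delivery` is a local model of the documented behaviour, so nothing is sent.

```python
"""
Deciding how a PHI-bearing message may be handed to Mailgun.

Added example; not code from Mailgun or from this article. `o:require-tls`
and `o:skip-verification` are documented options of Mailgun's messages API
(POST /v3/{domain}/messages). Domain, addresses and bodies are constructed.
"""
from dataclasses import dataclass
from typing import Dict

MAILGUN_DOMAIN = "mg.example.com"  # constructed sending domain
MESSAGES_URL = f"https://api.mailgun.net/v3/{MAILGUN_DOMAIN}/messages"


class PhiPolicyError(ValueError):
    """The message could leave the sending side with PHI in plaintext."""


@dataclass
class OutboundMessage:
    sender: str
    recipient: str
    subject: str
    text: str
    contains_phi: bool = False
    # True when the customer has already encrypted the content itself (for
    # example an encrypted attachment or a link into a secure portal). The
    # BAA makes that the customer's job; Mailgun does not encrypt content.
    customer_encrypted: bool = False


def build_form(msg: OutboundMessage, enforce_tls: bool) -> Dict[str, str]:
    """Form fields for the Mailgun messages endpoint.

    With enforce_tls, Mailgun is told to deliver only over a TLS connection
    whose certificate and hostname verify, and to drop the message otherwise.
    Without it, the default is opportunistic TLS: upgrade when the receiving
    server allows, plaintext when it does not.
    """
    form = {
        "from": msg.sender,
        "to": msg.recipient,
        "subject": msg.subject,
        "text": msg.text,
    }
    if enforce_tls:
        form["o:require-tls"] = "true"         # no TLS -> not delivered
        form["o:skip-verification"] = "false"  # verify the receiving server's cert
    return form


def assert_phi_safe(msg: OutboundMessage, form: Dict[str, str]) -> None:
    """Refuse to hand PHI to Mailgun when plaintext transmission is possible.

    Acceptable: the content is already encrypted by the customer, or the form
    demands TLS so a non-TLS recipient causes non-delivery, not a plaintext send.
    """
    if not msg.contains_phi or msg.customer_encrypted:
        return
    if form.get("o:require-tls", "").lower() not in ("true", "yes"):
        raise PhiPolicyError(
            f"PHI to {msg.recipient} could be sent in plaintext: "
            "set o:require-tls or encrypt the content before sending"
        )


def simulate_delivery(form: Dict[str, str], recipient_supports_tls: bool) -> str:
    """Local model of the behaviour Mailgun documents for the two TLS modes.

    Returns 'tls', 'plaintext' or 'not-delivered'. Illustration only.
    """
    require_tls = form.get("o:require-tls", "false").lower() in ("true", "yes")
    if recipient_supports_tls:
        return "tls"
    return "not-delivered" if require_tls else "plaintext"


def prepare_phi_message(msg: OutboundMessage) -> Dict[str, str]:
    """Build the form with TLS enforced for PHI and run the policy check."""
    form = build_form(msg, enforce_tls=msg.contains_phi)
    assert_phi_safe(msg, form)
    return form


if __name__ == "__main__":
    appointment = OutboundMessage(
        sender=f"clinic@{MAILGUN_DOMAIN}",
        recipient="patient@example.org",                       # constructed
        subject="Your appointment",
        text="Your results from the 3 March visit are ready.",  # constructed PHI
        contains_phi=True,
    )
    # Default mode: a recipient without TLS receives the message in plaintext.
    default_form = build_form(appointment, enforce_tls=False)
    print("default, no TLS at recipient:", simulate_delivery(default_form, False))
    # Enforced mode: the same recipient causes non-delivery instead.
    strict_form = prepare_phi_message(appointment)
    print("require-tls, no TLS at recipient:", simulate_delivery(strict_form, False))
    try:
        assert_phi_safe(appointment, default_form)
    except PhiPolicyError as exc:
        print("rejected:", exc)
    # To send: requests.post(MESSAGES_URL, auth=("api", api_key), data=strict_form)
```

Requiring TLS protects only the hop from Mailgun to the receiving mail server; it does not encrypt the stored message or the path from that server to the patient's mailbox, which is why the customer-side encryption and patient consent points above still apply even with the option set.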
Conclusion
Mailgun signs a BAA and can be HIPAA compliant. However, to ensure full HIPAA compliance, customers must properly configure encryption for PHI, gain patient consent, and understand the limitations described in Mailgun’s terms.
Learn more: HIPAA Compliant Email: The Definitive Guide
FAQs
What is a business associate agreement?
A business associate agreement (BAA) is a legally binding contract establishing a relationship between a covered entity under the Health Insurance Portability and Accountability Act (HIPAA) and its business associates. The purpose of this agreement is to ensure the proper protection of protected health information (PHI) as required by HIPAA regulations.
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) sets national standards for protecting the privacy and security of certain health information, known as protected health information (PHI).
HIPAA is designed to protect the privacy and security of individuals’ health information and to ensure that healthcare providers and insurers can securely exchange electronic health information. Violations of HIPAA can result in significant fines and penalties for covered entities.
Who does HIPAA apply to?
HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity.