Last updated: 9 January 2023
Email is a critical business service for any healthcare organization. But given the sensitive medical information involved, federal privacy laws like HIPAA mean there are special requirements for any health IT system.
Security threats can come from outside as well as from within, via hackers or employees, so the best email system combines HIPAA compliant email with the ability to integrate and automate email messages via an API (application programming interface). There are many email API providers, and Mailgun is one of the most popular.
But is Mailgun HIPAA compliant?
What is Mailgun?
Mailgun was launched in 2010 as an API-based email delivery service, allowing companies to build email into their existing applications rather than building an email system from scratch.
With a decade of experience in the email and API space, the San Antonio-based firm has offerings that run the gamut from user-friendly email templates and analytics to more technical tools like email and IP reputation tracking and mass email services.
Today, Mailgun and its 200 global employees provide email solutions for many household names, including Microsoft, Johnson & Johnson, Etsy, Lyft, and GitHub.
Mailgun and the business associate agreement
Mailgun has a HIPAA Business Associate Addendum, which reveals that Mailgun can serve as a business associate for covered entities like healthcare providers, health plans, and healthcare clearinghouses.
However, section 2D states:
- "Within five Business Days of becoming aware, Business Associate agrees to report to you (i) Security Incidents (as defined in 45 C.F.R. §164.304 and as further described below)"
- "Depending on your use of the Services, they may include the transmission of plain text email in an unsecured fashion using the public internet. Business Associate shall have no obligation to monitor or attempt to monitor the access to such emails, including whether they are stored by or potentially accessed by third parties during ordinary email transmission activities."
There appears to be some legal aikido at work here. On the one hand, Mailgun is correct that as a business associate, it must notify customers when an impermissible disclosure of protected health information (PHI) occurs. Yet on the other, it readily admits that by using its service, customers may very well be exposing PHI by transmitting plain text email in an unsecured fashion. In addition, it makes no attempt to monitor whether this happens.
Another area of acute concern when it comes to HIPAA compliance is section 5.3:
- "You acknowledge and understand that the Mailgun Services include the transmission of unencrypted email in plain text over the public internet and open networks. Customer Data you upload to the Mailgun Services is not encrypted by Business Associate and is stored (and transmitted) in similar fashion as you provide it. You are responsible for encrypting any sensitive data you use in conjunction with the Mailgun Services. Email sent using the Mailgun Services may be unsecured, may be intercepted by other users of the public internet, and may be stored and disclosed by third parties (such as a recipient’s email service provider) who have no obligations to Business Associate with regards to the treatment of such communications."
If HIPAA compliance is a requirement for your organization, this is not a reassuring message.
Is Mailgun HIPAA compliant?
On the one hand, Mailgun will enter into a BAA with healthcare organizations. On the other hand, if you read the fine print, the BAA covers very little of what actually makes email HIPAA compliant.
Mailgun is technically HIPAA compliant because it will sign a BAA, but it leaves all of the heavy lifting on the customer, from determining how to limit the information sent via its service, to ensuring email encryption, to providing recipients adequate disclaimers.
Avoid these problems with Paubox Email API
Paubox Email API encrypts every email by default, so unlike Mailgun users, our customers don't have to limit what information they share with patients. And with our patented technology, our solution ensures HIPAA compliance even when an email recipient doesn't support encryption.
With our HITRUST CSF certified product, patients receive encrypted emails directly to their inboxes—no passwords or portals required. Easy to implement with clear documentation, a developer’s experience is as seamless as the email recipient’s.