2 min read

Can I use Mixmax and be HIPAA compliant?

Picture of Hoala Greevy Hoala Greevy May 12, 2019

HIPAA compliance
People gathered at an indoor event with laptops and phones

Table of Contents:

We've been seeing more vendors, customers, and prospects using Mixmax lately. Since Paubox is a Business Associate to thousands of customers, we've been wondering internally if we are able to use Mixmax in a HIPAA compliant manner.

We know the HIPAA industry is vast so we can empathize with just how many people need to use cloud services in this sector. Today, we will determine if Mixmax offers HIPAA compliant service or not.

Mixmax

Mixmax is a Gmail-based productivity app for customer-facing teams. They are based in San Francisco and closed a Series A round of financing in 2018.

What is a Business Associate?

A Business Associate is a person or company that performs certain functions or activities that involve the use or disclosure of protected health information for a Covered Entity. In a nutshell, the role of a Business Associate is to help Covered Entities comply with the HIPAA Privacy Rule.

Read full article: What does it mean to be a Business Associate?

 

Business Associate Agreement provisions

If a Business Associate provides services to a Covered Entity, then a Business Associate Agreement must be in place. A Business Associate Agreement is a written contract between a Covered Entity and a Business Associate and is required by law for HIPAA compliance. At a minimum, a Business Associate Agreement contains 10 provisions.

Read full article: Business Associate Agreement Provisions

 

Mixmax and the Business Associate Agreement

We checked the Mixmax site for mention of their ability to sign a Business Associate Agreement. We found the answer we were looking for on several pages:
  • Mixmax Privacy Policy First on the Mixmax Privacy Policy page, we see that Mixmax discourages customers from transmitting PHI in emails composed using their tool.We can see evidence of this in a section called Information You Provide to Us: "In keeping with standard online privacy practices, users should not include any highly sensitive information (such as social security numbers, financial information, or “protected health information” (as that term is defined by the Health Insurance Portability & Accountability Act)) in any emails so that such data does not transfer to our servers (even if only temporarily). For the use of our Services in a HIPAA compliant environment, please see “Industry-based Compliance” section below."
  • Read about Mixmax HIPAA compliance
    We also see however, that Mixmax complies with HIPAA Security Rule standards for data it retains on its infrastructure.  

  • Industry-based compliance

    Mixmax can be effectively deployed within a HIPAA-compliant environment. We have implemented reasonable and accurate safeguards around your electronic Protected Health Information (ePHI), including the specific safeguards of the HIPAA Security Rule. We implement all types of controls - administrative, physical, and technical - against all types of risks - natural, environmental, and technical.

    Read about Mixmax HIPAA compliance
  • Security at Mixmax Then on their Security page, we again see Mixmax is prepared to serve as a Business Associate to its customers."Mixmax has created a robust security program designed to meet the requirements of a ‘business associate’ under HIPAA, including implementation of each of the implementation specifications which underlie the administrative, physical, and technical safeguards required under the Security Rule. In addition, Mixmax has implemented a comprehensive internal security policy and program to regularly review and assess the adequacy of controls we have in place."
    Learn about Mixmax HIPAA compliance

Does Mixmax offer HIPAA Compliant Service?

The Business Associate Agreement (BAA) is a key component to HIPAA compliance between a Covered Entity and a Business Associate. We were able to learn the following about Mixmax and its stance on HIPAA compliance:
  • They are prepared to act as a Business Associate to their customers.
  • They do not want PHI sent in emails via their service.
  • Although we weren't able to find a copy of a Business Associate Agreement on their site, we came away with the impression it can be obtained by reaching out to Mixmax directly.

 

Conclusion: Mixmax can be used in a HIPAA compliant manner, as long as PHI is not actually transmitted in emails via their service.

 

Try Paubox Email Suite for FREE today.
Start for free
Secure every email you send and receive HIPAA compliant. Threat-proof. Hassle-free.
Paramedics wheeling a patient into a hospital emergency room entrance

How to be HIPAA compliant in emergency situations

Picture of Hoala Greevy Hoala Greevy : November 11, 2014

In light of an emergency situation like the Ebola outbreak, the U.S. Department of Health and Human Services (HHS) has provided a bulletin to ensure...

HIPAA compliance
Read More
Two professionals discussing at a table with a laptop

Business associate agreement provisions

Picture of Hoala Greevy Hoala Greevy : August 3, 2014

In our last post, we covered the HIPAA Privacy Rule and how it applies to Business Associates. In this post, we'll cover Business Associate...

HIPAA compliance
Read More
Two men in business casual attire conversing in an office setting

HIPAA Privacy Rule for business associates

Picture of Hoala Greevy Hoala Greevy : August 1, 2014

The HIPAA Privacy Rule created, for the first time, a set of national standards for the safeguard of certain health information. It was issued by the...

HIPAA compliance
Read More

Subscribe to Paubox Weekly

Every Friday we bring you the most important news from Paubox. Our aim is to make you smarter, faster.