by Hoala Greevy CEO of Paubox
Article filed in

Can I use Mixmax and be HIPAA Compliant?

by Hoala Greevy CEO of Paubox

Can I use Mixmax and be HIPAA Compliant? - Paubox


Table of Contents:


We’ve been seeing more vendors, customers, and prospects using Mixmax lately. Since Paubox is a Business Associate to thousands of customers, we’ve been wondering internally if we are able to use Mixmax in a HIPAA compliant manner.

We know the HIPAA industry is vast so we can empathize with just how many people need to use cloud services in this sector.

Today, we will determine if Mixmax offers HIPAA compliant service or not.

Mixmax

Mixmax is a Gmail-based productivity app for customer-facing teams. They are based in San Francisco and closed a Series A round of financing in 2018.

What is a Business Associate?

A Business Associate is a person or company that performs certain functions or activities that involve the use or disclosure of protected health information for a Covered Entity.

In a nutshell, the role of a Business Associate is to help Covered Entities comply with the HIPAA Privacy Rule.

Read full article: What does it mean to be a Business Associate?

Business Associate Agreement provisions

If a Business Associate provides services to a Covered Entity, then a Business Associate Agreement must be in place.

A Business Associate Agreement is a written contract between a Covered Entity and a Business Associate and is required by law for HIPAA compliance.

At a minimum, a Business Associate Agreement contains 10 provisions.

Read full article: Business Associate Agreement Provisions

Mixmax and the Business Associate Agreement

We checked the Mixmax site for mention of their ability to sign a Business Associate Agreement.

We found the answer we were looking for on several pages:

  • Mixmax Privacy Policy
    First on the Mixmax Privacy Policy page, we see that Mixmax discourages customers from transmitting PHI in emails composed using their tool.

    We can see evidence of this in a section called Information You Provide to Us:

    “In keeping with standard online privacy practices, users should not include any highly sensitive information (such as social security numbers, financial information, or “protected health information” (as that term is defined by the Health Insurance Portability & Accountability Act)) in any emails so that such data does not transfer to our servers (even if only temporarily). For the use of our Services in a HIPAA compliant environment, please see “Industry-based Compliance” section below.”


    Can I use Mixmax and be HIPAA Compliant? - Paubox


    We also see however, that Mixmax complies with HIPAA Security Rule standards for data it retains on its infrastructure.

    Industry-based compliance

    Mixmax can be effectively deployed within a HIPAA-compliant environment. We have implemented reasonable and accurate safeguards around your electronic Protected Health Information (ePHI), including the specific safeguards of the HIPAA Security Rule. We implement all types of controls – administrative, physical, and technical – against all types of risks – natural, environmental, and technical.


    Can I use Mixmax and be HIPAA Compliant? - Paubox


  • Security at Mixmax
    Then on their Security page, we again see Mixmax is prepared to serve as a Business Associate to its customers.

    “Mixmax has created a robust security program designed to meet the requirements of a ‘business associate’ under HIPAA, including implementation of each of the implementation specifications which underlie the administrative, physical, and technical safeguards required under the Security Rule. In addition, Mixmax has implemented a comprehensive internal security policy and program to regularly review and assess the adequacy of controls we have in place.”


    Can I use Mixmax and be HIPAA Compliant? - Paubox


Does Mixmax offer HIPAA Compliant Service?

The Business Associate Agreement (BAA) is a key component to HIPAA compliance between a Covered Entity and a Business Associate.

We were able to learn the following about Mixmax and its stance on HIPAA compliance:

  • They are prepared to act as a Business Associate to their customers.
  • They do not want PHI sent in emails via their service.
  • Although we weren’t able to find a copy of a Business Associate Agreement on their site, we came away with the impression it can be obtained by reaching out to Mixmax directly.


Conclusion: Mixmax can be used in a HIPAA compliant manner, as long as PHI is not actually transmitted in emails via their service.

Not sure what to do next? Try Paubox for FREE and make your email HIPAA compliant today.