by Hoala Greevy CEO of Paubox
Article filed in
Can I use Mixmax and be HIPAA Compliant?
by Hoala Greevy CEO of Paubox
Table of Contents:
- What is a Business Associate?
- Business Associate Agreement provisions
- Mixmax and the Business Associate Agreement
- Does Mixmax offer HIPAA Compliant Email Service?
We’ve been seeing more vendors, customers, and prospects using Mixmax lately. Since Paubox is a Business Associate to thousands of customers, we’ve been wondering internally if we are able to use Mixmax in a HIPAA compliant manner.
We know the HIPAA industry is vast so we can empathize with just how many people need to use cloud services in this sector.
Today, we will determine if Mixmax offers HIPAA compliant service or not.
Mixmax is a Gmail-based productivity app for customer-facing teams. They are based in San Francisco and closed a Series A round of financing in 2018.
What is a Business Associate?
A Business Associate is a person or company that performs certain functions or activities that involve the use or disclosure of protected health information for a Covered Entity.
Read full article: What does it mean to be a Business Associate?
Business Associate Agreement provisions
If a Business Associate provides services to a Covered Entity, then a Business Associate Agreement must be in place.
A Business Associate Agreement is a written contract between a Covered Entity and a Business Associate and is required by law for HIPAA compliance.
At a minimum, a Business Associate Agreement contains 10 provisions.
Read full article: Business Associate Agreement Provisions
Mixmax and the Business Associate Agreement
We checked the Mixmax site for mention of their ability to sign a Business Associate Agreement.
We found the answer we were looking for on several pages:
We can see evidence of this in a section called Information You Provide to Us:
“In keeping with standard online privacy practices, users should not include any highly sensitive information (such as social security numbers, financial information, or “protected health information” (as that term is defined by the Health Insurance Portability & Accountability Act)) in any emails so that such data does not transfer to our servers (even if only temporarily). For the use of our Services in a HIPAA compliant environment, please see “Industry-based Compliance” section below.”
We also see however, that Mixmax complies with HIPAA Security Rule standards for data it retains on its infrastructure.
Mixmax can be effectively deployed within a HIPAA-compliant environment. We have implemented reasonable and accurate safeguards around your electronic Protected Health Information (ePHI), including the specific safeguards of the HIPAA Security Rule. We implement all types of controls – administrative, physical, and technical – against all types of risks – natural, environmental, and technical.
- Security at Mixmax
Then on their Security page, we again see Mixmax is prepared to serve as a Business Associate to its customers.
“Mixmax has created a robust security program designed to meet the requirements of a ‘business associate’ under HIPAA, including implementation of each of the implementation specifications which underlie the administrative, physical, and technical safeguards required under the Security Rule. In addition, Mixmax has implemented a comprehensive internal security policy and program to regularly review and assess the adequacy of controls we have in place.”
Does Mixmax offer HIPAA Compliant Service?
The Business Associate Agreement (BAA) is a key component to HIPAA compliance between a Covered Entity and a Business Associate.
We were able to learn the following about Mixmax and its stance on HIPAA compliance:
- They are prepared to act as a Business Associate to their customers.
- They do not want PHI sent in emails via their service.
- Although we weren’t able to find a copy of a Business Associate Agreement on their site, we came away with the impression it can be obtained by reaching out to Mixmax directly.
Conclusion: Mixmax can be used in a HIPAA compliant manner, as long as PHI is not actually transmitted in emails via their service.