Email is a critical business service for any healthcare organization. But given the sensitive medical information involved, federal privacy laws like HIPAA mean there are special requirements for any health IT system.
Security threats can come from outside as well as from within, via hackers or employees, so the best email system combines HIPAA compliant email with the ability to integrate and automate email messages via an API (application programming interface). There are many email API providers, and Mailgun is one of the most popular.
But is Mailgun HIPAA compliant?
What is Mailgun?
Mailgun was launched in 2010 as an API-based email delivery service, allowing companies to build email into their existing applications rather than building an email system from scratch.
With a decade of experience in the email and API space, the San Antonio-based firm has offerings that run the gamut from user-friendly email templates and analytics to more technical tools like email and IP reputation tracking and mass email services.
Today, Mailgun and its 200 global employees provide email solutions for many household names, including Microsoft, Johnson & Johnson, Etsy, Lyft, and Github.
Mailgun and the business associate agreement
The Mailgun Terms of Service has a HIPAA clause, which reveals that Mailgun can serve as a business associate for covered entities like healthcare providers, health plans, and healthcare clearinghouses.
The terms state, “If Mailgun is your ‘Business Associate’ as defined in the Health Insurance Portability and Accountability Act of 1996, as amended, then as of the date that Mailgun becomes your Business Associate the HIPAA Business Associate Addendum . . . shall become part of the Agreement.”
It is not clear in Mailgun’s terms, however, what steps need to be taken to sign the BAA, and whether it requires a specific Mailgun product or service level.
Is Mailgun HIPAA compliant?
So far so good for healthcare providers using Mailgun, right? Unfortunately, the fine print paints a different picture.
Despite the HIPAA clause in its Terms of Service and the availability of a business associate agreement, Mailgun provides very little support to customers to ensure HIPAA compliance.
For example, in section 5.3, the BAA says that customers have an obligation “to implement and maintain appropriate safeguards as required for you to comply with the Security and Privacy Rules,” including “reasonably limiting the amount or type of information disclosed through the Mailgun Services.”
This puts the onus on customers to determine what’s appropriate to send via Mailgun, leaving them at risk of a breach due to human error.
Mailgun also points out in section 5.4 that the customer is responsible for “encrypting PHI transmitted through the Mailgun services,” and goes as far as to say that using TLS encryption with a recipient that does not support it will result in an “unencrypted transmission.” (This isn’t true with Paubox—See below.)
Finally, all of these limitations must be disclosed to email recipients, which at best means a lot of fine print and at worst an adverse impact on their level of trust.
Mailgun is technically HIPAA compliant because it will sign a BAA, but it leaves all of the heavy lifting on the customer, from determining how to limit the information sent via its service, to ensuring email encryption, to providing recipients adequate disclaimers.
Avoid these problems with Paubox Email API
Paubox Email API encrypts every email by default, so unlike Mailgun users, our customers don’t have to limit what information they share with patients. And with our patented technology, our solution ensures HIPAA compliance even when an email recipient doesn’t support encryption.
With our HITRUST CSF certified product, patients receive encrypted emails directly to their inboxes—no passwords or portals required. Easy to implement with clear documentation, a developer’s experience is as seamless as the email recipient’s.