Is Mailgun HIPAA compliant?


Email is a critical business service for any healthcare organization. But given the sensitive medical information involved, federal privacy laws like HIPAA mean there are special requirements for any health IT system.

Security threats can come from outside as well as from within, via hackers or employees, so the best email system combines HIPAA compliant email with the ability to integrate and automate email messages via an API (application programming interface). There are many email API providers, and Mailgun is one of the most popular.

But is Mailgun HIPAA compliant?

What is Mailgun?

Mailgun was launched in 2010 as an API-based email delivery service, allowing companies to build email into their existing applications rather than building an email system from scratch.

With a decade of experience in the email and API space, the San Antonio-based firm has offerings that run the gamut from user-friendly email templates and analytics to more technical tools like email and IP reputation tracking and mass email services.

Today, Mailgun and its 200 global employees provide email solutions for many household names, including Microsoft, Johnson & Johnson, Etsy, Lyft, and Github.

Mailgun and the business associate agreement

The Mailgun Terms of Service has a HIPAA clause, which reveals that Mailgun can serve as a business associate for covered entities like healthcare providers, health plans, and healthcare clearinghouses.

The terms state, “If Mailgun is your ‘Business Associate’ as defined in the Health Insurance Portability and Accountability Act of 1996, as amended, then as of the date that Mailgun becomes your Business Associate the HIPAA Business Associate Addendum . . . shall become part of the Agreement.”

It is not clear in Mailgun’s terms, however, what steps need to be taken to sign the BAA, and whether it requires a specific Mailgun product or service level.

Is Mailgun HIPAA compliant?

So far so good for healthcare providers using Mailgun, right? Unfortunately, the fine print paints a different picture.

Despite the HIPAA clause in its Terms of Service and the availability of a business associate agreement, Mailgun provides very little support to customers to ensure HIPAA compliance.

For example, in section 5.3, the BAA says that customers have an obligation “to implement and maintain appropriate safeguards as required for you to comply with the Security and Privacy Rules,” including “reasonably limiting the amount or type of information disclosed through the Mailgun Services.”

This puts the onus on customers to determine what’s appropriate to send via Mailgun, leaving them at risk of a breach due to human error.

SEE ALSO: Hacking and Human Error: Two Enemies of HIPAA Compliance

Mailgun also points out in section 5.4 that the customer is responsible for “encrypting PHI transmitted through the Mailgun services,” and goes as far as to say that using TLS encryption with a recipient that does not support it will result in an “unencrypted transmission.” (This isn’t true with Paubox—See below.)

Finally, all of these limitations must be disclosed to email recipients, which at best means a lot of fine print and at worst an adverse impact on their level of trust.


Mailgun is technically HIPAA compliant because it will sign a BAA, but it leaves all of the heavy lifting on the customer, from determining how to limit the information sent via its service, to ensuring email encryption, to providing recipients adequate disclaimers.

Avoid these problems with Paubox Email API

Email encryption is the preferred method for securing electronic protected health information (ePHI) to maintain HIPAA compliance.

Paubox Email API encrypts every email by default, so unlike Mailgun users, our customers don’t have to limit what information they share with patients. And with our patented technology, our solution ensures HIPAA compliance even when an email recipient doesn’t support encryption.

SEE ALSO: Why Healthcare Businesses Choose the Paubox Email API

With our HITRUST CSF certified product, patients receive encrypted emails directly to their inboxes—no passwords or portals required. Easy to implement with clear documentation, a developer’s experience is as seamless as the email recipient’s.

Try the Paubox Email API for FREE today.
About the author

Ryan Ozawa