Is Mailgun HIPAA-Compliant? BAA, PHI, and Secure Email Options Explained



Kevin Henry

HIPAA

May 14, 2025

7 minutes read

Mailgun's HIPAA Compliance Overview

Short answer: Mailgun is not a HIPAA-designated service out of the box. Without a signed Business Associate Agreement (BAA), you must not send Protected Health Information (PHI) through the platform. HIPAA's Privacy Rule and Security Rule require contractual assurances and technical safeguards that go beyond standard email delivery features.

Mailgun offers solid security practices common to leading email service providers, such as TLS encryption in transit, authentication controls, and auditing. Those controls can reduce risk but do not, by themselves, satisfy HIPAA obligations in the absence of a BAA. Treat Mailgun as suitable for non-PHI use cases (for example, marketing or de-identified notifications), not for messages that contain ePHI.

If your organization operates in healthcare, align your use of Mailgun with a strict “no PHI in email” stance unless and until a written BAA (or Business Associate Addendum) is executed. Build your program so emails contain no health details, and direct patients to a secure portal for sensitive content.

Business Associate Agreement (BAA) Details

A Business Associate Agreement (often called a Business Associate Addendum) is the contract that makes a vendor a Business Associate under HIPAA. It allocates responsibilities for safeguarding PHI, breach notification, subcontractor oversight, and data return or destruction. Without a signed BAA, a vendor should not receive, process, or store PHI on your behalf.

Mailgun does not provide a standard, self-serve BAA and therefore should not be used to send PHI. If you believe you have a negotiated enterprise agreement, confirm—in writing—the permitted use of PHI, data flow diagrams, encryption expectations, retention terms, and incident-handling commitments before enabling any PHI-related workflows.

In practice, most organizations use Mailgun only for non-PHI communications. When PHI is unavoidable, transition to alternatives that allow a signed BAA or implement message-level encryption with a different channel designed for ePHI.

Handling Protected Health Information (PHI)

PHI includes identifiers (like name, email, phone, address) combined with health-related details (diagnoses, treatments, appointment types, lab results). Under the HIPAA Privacy Rule, even seemingly harmless context can turn an email into PHI if it reveals something about a person’s health status, care, or payment for care.


What to avoid in emails sent through Mailgun

  • Any diagnosis, condition, medication, test result, or treatment detail.
  • Appointment reminders that disclose provider specialty or purpose (for example, “oncology follow-up”).
  • Insurance or payment information that links a person to care.
  • PHI in subject lines, headers, URLs, webhooks, or logs.

Safer patterns you can adopt

  • Send de-identified notifications that contain no health context and direct recipients to a secure portal.
  • Use one-time tokens and short-lived links; keep the email body generic (“You have a new message”).
  • Exclude PHI from templates, personalization fields, suppression lists, and event metadata.
  • Restrict who can author templates and review content before it’s approved for production.

Customer Obligations for Compliance

HIPAA compliance is a shared-responsibility model. As the Covered Entity or Business Associate, you own risk analysis, workforce training, vendor management, and technical safeguards. If no BAA is in place with Mailgun, your obligation is to prevent PHI from touching the service at all.

Key actions to implement under the Security and Privacy Rules:

  • Perform a HIPAA risk analysis and document data flows to ensure Mailgun never handles PHI.
  • Train staff to recognize PHI and enforce a strict “no PHI in email” policy.
  • Configure data loss prevention rules upstream to block PHI before it reaches your email pipeline.
  • Set retention controls so logs and message content are minimized and purged on schedule.
  • Maintain BAAs with every vendor that does handle PHI; do not assume coverage via a parent platform or reseller.

Email Security Measures by Mailgun

Mailgun supports strong baseline controls that help protect non-PHI communications. These include TLS encryption in transit, API key management, role-based access, two-factor authentication, IP allowlisting, and domain authentication (SPF, DKIM, DMARC). Used properly, these reduce exposure to interception, spoofing, and account abuse.

For compliance evidence, organizations often request a SOC 2 Type II Report and related artifacts. Many providers make such reports available through Security Portal Access after a mutual NDA. Remember: SOC 2 validates control design and operating effectiveness; it does not substitute for a HIPAA BAA.

These measures are valuable but do not make Mailgun HIPAA-compliant. Without a signed BAA, you should architect your workflows so Mailgun never processes PHI, even transiently.

Secure Email Transmission Practices

Enforce transport security

  • Require TLS encryption for outbound SMTP and API-driven sends; refuse delivery (or quarantine) when a recipient server lacks modern TLS support.
  • Adopt MTA-STS and TLS-RPT for stronger downgrade-attack resistance and visibility into failed TLS handshakes.
  • Use modern ciphers and TLS 1.2+; disable legacy protocols wherever possible.

Add message-level protection when needed

  • For any content that could be PHI, do not send it via Mailgun. Use a secure patient portal or end-to-end encryption solution that is covered by a BAA.
  • If you must reference sensitive information by email, keep it generic and place details behind an authenticated session, with short token lifetimes and no PHI in the link itself.

Reduce accidental disclosures

  • Strip PHI from subjects, headers, custom variables, and webhooks; keep event metadata minimal.
  • Avoid attachments; where unavoidable for non-PHI content, ensure encryption at rest in your own systems and rapid expiration of any hosted assets.
  • Segment traffic by purpose (marketing, operational, de-identified alerts) to apply stricter policies to higher-risk streams.
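A pre-send gate for the de-identified pattern described under "Safer patterns" and in the list above (generic body, opaque short-lived single-use portal token, no PHI in subject, body or custom variables), as an added Python example that is not Mailgun's code or the author's. The Mailgun-style payload keys (custom variables as "v:" fields), the in-memory token store and the deliberately narrow PHI term list are assumptions for illustration.

```python
import re
import secrets
import time

# Constructed, deliberately narrow PHI indicator rules for illustration; a real DLP
# policy (assumption: maintained upstream of the email pipeline) has a far larger term list.
PHI_PATTERNS = [
    re.compile(r"\b(diagnos\w*|oncolog\w*|cardiolog\w*|psychiatr\w*|chemotherapy|"
               r"prescription|medication|lab results?|test results?)\b", re.I),
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                        # SSN-shaped number
    re.compile(r"\b(MRN|member id|policy (no|number))\b", re.I),  # record / insurance ids
]
SCANNED_FIELDS = ("subject", "text", "html")  # plus "v:" custom variables, which hit logs too

def find_phi(value):
    """Return the PHI-like fragments found in one string (empty list if clean)."""
    return [m.group(0) for p in PHI_PATTERNS for m in p.finditer(value or "")]

def gate_payload(payload):
    """Scan subject, body and custom variables; return {field: [hits]} for anything to block."""
    findings = {}
    for key, value in payload.items():
        if key in SCANNED_FIELDS or key.startswith("v:"):
            hits = find_phi(str(value))
            if hits:
                findings[key] = hits
    return findings

TOKEN_STORE = {}  # in-memory stand-in for the portal's token store (assumption: a DB in practice)

def issue_portal_token(user_id, ttl_seconds=900, now=None):
    """Mint a random, opaque, short-lived, single-use token; it encodes no PHI."""
    token = secrets.token_hex(16)  # hex only, so it can never resemble an id number or a word
    TOKEN_STORE[token] = (user_id, (now or time.time()) + ttl_seconds)
    return token

def redeem_portal_token(token, now=None):
    """Consume a token exactly once; None if it is unknown or has expired."""
    entry = TOKEN_STORE.pop(token, None)
    if entry is None:
        return None
    user_id, expires_at = entry
    return user_id if (now or time.time()) < expires_at else None

def build_generic_notification(sender, recipient, portal_base, token):
    """Generic 'you have a message' body whose only link carries the opaque token."""
    return {"from": sender, "to": recipient, "subject": "You have a new message",
            "text": f"Sign in to view it: {portal_base}/inbox?t={token}",
            "v:purpose": "portal-notification"}
```

Wire gate_payload in front of the send call and refuse to send on any finding; it returns an empty dict only when every scanned field is clean.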

Compliance Documentation and Reporting

Maintain evidence that supports your compliance posture even when you avoid PHI in email. Typical artifacts include a SOC 2 Type II Report, penetration test summaries, subprocessor lists, data retention schedules, and change-management records. Request Security Portal Access to review available documents and map controls to your risk register.

Operational reporting should capture delivery outcomes, TLS enforcement rates, authentication alignment (SPF/DKIM/DMARC), and anomalous activity. Define incident response runbooks for email accounts and API keys, and rehearse containment steps such as key rotation, domain pause, and traffic segmentation.

Conclusion

Mailgun can play a secure role in your communications stack for non-PHI messages when you enforce TLS encryption, minimize metadata, and maintain strong operational controls. However, without a signed Business Associate Agreement, you must not send Protected Health Information. Use de-identified emails that point to a secure portal, keep thorough documentation, and align your program with HIPAA’s Security and Privacy Rules.

FAQs

Does Mailgun sign a Business Associate Agreement?

No. Mailgun does not offer a standard BAA (or Business Associate Addendum). Without a signed BAA, you should not send PHI through the service. If you believe you have a negotiated enterprise contract, confirm in writing that a BAA is fully executed and understand the permitted uses before transmitting any PHI.

How does Mailgun secure PHI during email transmission?

Mailgun supports TLS encryption for transport security, but the platform is not intended to handle PHI without a BAA. The safe approach is to avoid sending PHI altogether: keep emails generic, place sensitive details behind an authenticated portal, and use one-time tokens or message-level encryption with a HIPAA-eligible service.

What are customer responsibilities under HIPAA when using Mailgun?

You must prevent PHI from entering Mailgun unless a BAA is signed, complete a HIPAA risk analysis, train staff, enforce DLP controls, and document retention and incident response. Implement TLS enforcement, remove PHI from subjects and metadata, and maintain governance over templates, logs, and access.

Can Mailgun guarantee encrypted email delivery to all recipients?

No. TLS depends on the recipient’s mail server. You can require TLS and reject delivery when unavailable, but end-to-end encryption is not guaranteed. For guaranteed confidentiality of PHI, use a secure portal or a message-level encryption solution covered by a BAA and keep emails de-identified.
