Is MailHippo HIPAA Compliant?

Compliant Tools
October 19, 2021
Emailing is a key part of any organization's operations, but it can also expose your organization to significant risk unless you use a specialist, privacy-focused email provider like MailHippo.

Email is a key part of daily operations in almost any work environment. Sending off a quick message is convenient, efficient, and practically second nature. However, emailing brings up a few challenges when you’re dealing with sensitive personal information.

It is important to recognize that you lose virtually all control once an email has been sent. If a message goes to the wrong person, a typical email provider has no way to get it back. And if anyone gets into your mailbox, whether through an unsecured device or a successful phishing attempt, they have free rein over everything in it.

Privacy breaches like these are extremely damaging in terms of exposure of individuals' personal data, and they bring legal ramifications and reputational damage as well. The stakes are high for your company and for anyone whose information may be leaked.

This is why more people are turning to privacy-focused solutions like specialized email providers. MailHippo is one of these options that is gaining increased popularity.

What is MailHippo?

MailHippo is a HIPAA-compliant email provider that offers a secure way to send sensitive messages and attachments. The service advertises end-to-end encryption for everything sent through it.

You access their portal from a computer or smartphone, then compose and send a message as you normally would. The recipient does not receive the message body by email; they get a notification that a secured message is waiting, with a link to MailHippo's portal where they can log in, view it, and reply.

If you’ve sent something out to the wrong person or just want to retrieve information, MailHippo offers a message recall feature. This key feature is currently only available on their paid plans.

You can also receive secure messages from other people without first sending them anything. MailHippo provides a personal secure-message link that takes them to a MailHippo webpage where they can send you messages and attachments.

This link can be placed on your website or tucked into non-secure email signatures, social media messages, or newsletters. This is convenient if you need to receive HIPAA-compliant inbound messages from people who aren’t likely to have their own secure email provider.

You can also use MailHippo to securely send interactive, signable PDF files.

What Makes an Email Provider HIPAA Compliant? 

HIPAA expects any healthcare provider, organization, or other entity handling protected health information (PHI) to keep that information private, restricted, secure, and confidential at all times, with physical, administrative, and technical safeguards in place.

HIPAA does not work on an honor system. Anyone handling PHI must keep an audit trail of who accessed it and when, and must be able to demonstrate that the safeguards are actually in place.

What Makes MailHippo HIPAA Compliant?

MailHippo goes out of its way to protect any sensitive information that passes through or is held on its platform.

MailHippo states that all personal health information on its platform is physically protected. Rather than renting server hosting from providers like Amazon Web Services or Microsoft Azure, it owns, operates, and maintains its own servers, housed in a data center locked down with biometrics, card-key access, 24/7 monitoring, and other measures.

Their encryption method provides the technical safeguarding that HIPAA requires, and it changes the way messages are delivered. With ordinary email, the message body is handed from server to server over SMTP. That server-to-server hop is encrypted only opportunistically (STARTTLS), it can be downgraded, and the message sits in readable form on every server along the way. Encryption is only reliably applied on the leg between a mail client and its own provider's server.

MailHippo instead keeps the message as an encrypted record on its own portal and sends the recipient nothing but a pointer to a secure log-in. The message body itself never travels over SMTP. Messages are encrypted in transit on the way to MailHippo's platform and encrypted at rest once stored there.

As an extra layer of protection, MailHippo encrypts the keyring that holds the decryption keys for stored records, so the keys are not kept in the clear alongside the data they protect.

MailHippo monitors and logs access to PHI. Every time a message or attachment is opened or read, it records the user, the date and time, and the user's IP address.
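The store-and-notify design described above comes down to three mechanisms: the message body is kept only as an encrypted record, the per-record keys are themselves kept encrypted (the keyring), and every open attempt is written to an access log. The Go program below is an added illustration written for this page, not MailHippo's code and not a description of its internals. It assumes AES-256-GCM for both the record and the keyring layer, an in-memory store, and a master key supplied by the caller; the user names, IP addresses, record ID and message text are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"time"
)

// Record holds one message: the body sealed under its own random data key (DEK), and that DEK sealed under the master key (KEK).
type Record struct {
	Ciphertext, WrappedDEK []byte // AES-256-GCM output with the nonce prepended
	Readers                map[string]bool
}

// AccessEvent is written for every open attempt, allowed or denied.
type AccessEvent struct {
	RecordID, User, IP string
	At                 time.Time
	Allowed            bool
}

type Store struct {
	kek     []byte // 32-byte master key; assumed to come from a KMS/HSM in real use
	records map[string]*Record
	Log     []AccessEvent
}

func NewStore(kek []byte) (*Store, error) {
	if len(kek) != 32 {
		return nil, fmt.Errorf("KEK must be 32 bytes, got %d", len(kek))
	}
	return &Store{kek: kek, records: map[string]*Record{}}, nil
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // without secure randomness nothing below is safe to continue
	}
	return b
}

// aeadFor builds AES-GCM for a key the store already validated, so an error here is a programming bug.
func aeadFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return gcm
}

// seal encrypts under a fresh random nonce and prepends that nonce to the output.
func seal(key, pt []byte) []byte {
	gcm := aeadFor(key)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, pt, nil)
}

// unseal reverses seal; a wrong key or a tampered blob fails GCM authentication.
func unseal(key, blob []byte) ([]byte, error) {
	gcm := aeadFor(key)
	n := gcm.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, blob[:n], blob[n:], nil)
}

// Put stores a message as an encrypted record; only the ID goes into the notification email.
func (s *Store) Put(id string, body []byte, readers map[string]bool) {
	dek := randBytes(32)
	s.records[id] = &Record{Ciphertext: seal(dek, body), WrappedDEK: seal(s.kek, dek), Readers: readers}
}

// Open decrypts for an authorised user; every attempt is logged with user, UTC time and IP.
func (s *Store) Open(id, user, ip string) ([]byte, error) {
	rec, ok := s.records[id]
	allowed := ok && rec.Readers[user]
	s.Log = append(s.Log, AccessEvent{id, user, ip, time.Now().UTC(), allowed})
	if !allowed {
		return nil, fmt.Errorf("access denied: user=%s record=%s", user, id)
	}
	dek, err := unseal(s.kek, rec.WrappedDEK) // unwrap this record's key from the keyring
	if err != nil {
		return nil, err
	}
	return unseal(dek, rec.Ciphertext)
}

func main() {
	st, _ := NewStore(randBytes(32)) // constructed demo key
	st.Put("msg-1", []byte("Lab results for patient 1234"), map[string]bool{"dr.lee": true})
	body, err := st.Open("msg-1", "dr.lee", "203.0.113.7")
	_, denied := st.Open("msg-1", "mallory", "198.51.100.9")
	fmt.Printf("dr.lee: %q (%v)\nmallory: %v\nlog: %+v\n", body, err, denied, st.Log)
}
```

Two design points are worth noticing. The log entry is appended before the authorization decision is acted on, so denied attempts are recorded with the same fields as successful ones; an audit trail that only records successes is of little use in an incident. And because the body never leaves the store, message recall in this design is simply deleting the record, which is what makes a recall feature meaningful in a store-and-notify model and impossible in ordinary SMTP delivery.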

They also protect personal health information from destruction with a backup solution that keeps records at their data center and offsite at a remote location.

The MailHippo team is well-versed in HIPAA compliance. They’ve had decades in the healthcare IT industry to get it right.

MailHippo is a robust platform that can make your email HIPAA compliant. But there is one thing to do before your use of it qualifies as compliant: getting your business associate agreement in place.

Why Do I Need a Business Associate Agreement?

HIPAA requires covered entities and business associates to create contractual agreements with any third party who is given access to the protected health information (PHI) that your company creates, processes, or stores. These contracts are known as business associate agreements (BAAs) and are designed to specify each party’s responsibilities when it comes to PHI.

Any covered entity or business associate that is engaging with another organization in a manner where they will share access to PHI must enter into a formal, written business associate agreement with that organization. In this agreement, your business associate will agree to safeguard sensitive information according to HIPAA standards.

MailHippo makes this easy for you, by integrating this contract into their registration process. Even better, business associate agreements are available on all their plans, even the free level.

Once the agreement is in place, the messages and attachments you send through the platform are covered, provided you use it as intended.


That is how you manage your email usage in a HIPAA-compliant manner. However, there are many other ways to inadvertently violate HIPAA standards, through poor administrative policies, employee slip-ups, or even the loss or misplacement of a company device.

Ad hoc tool use doesn’t create the seamless, end-to-end protection you need as a covered entity or business associate. That’s something only a full-fledged compliance program will establish.

There are many facets to this, which aren’t always obvious without experience. That’s where we come in.

Accountable lets you effortlessly navigate HIPAA, minimize your risk factors, actively manage your privacy program, and take care of everything you need to build trust.
