What makes the MailHippo secure email platform HIPAA compliant?

Better question: what makes any secure email messaging service HIPAA compliant?

This question is well addressed by looking at the HIPAA Security Rule, initially enacted by Congress in 2003 and further enhanced as part of the HITECH Act of 2009. The law states that ePHI (electronic protected health information) must be safeguarded in several ways to ensure the integrity, security and confidentiality of patient health records. (More information on the Security Rule may be found on the HHS.gov website.)


Electronic protected health information (ePHI) must be physically secured.

Either by means of lock and key or another physical mechanism, ePHI may only be physically accessed by authorized personnel. This means that physical safeguards must be in place to prevent unauthorized physical access to patient health records.

MailHippo hosts its platform on servers housed in HIPAA, PCI DSS, VISA, SSAE 16 and SOC 2 compliant data centers. We do not outsource our hosting to third parties such as Rackspace, Amazon Web Services, or Microsoft Azure: all MailHippo server equipment is owned, operated, and maintained by the MailHippo team, so no unauthorized third party has access to this equipment or the ePHI data it houses. (You can find out more about MailHippo's data center here.)


The Security Rule states ePHI must be electronically safeguarded.

Electronic patient health records must be secured by passwords and other means necessary to prevent unauthorized access. The rule does not explicitly state that the records must be encrypted; it does, however, require that ePHI be secured in a manner that prevents unauthorized electronic access, which makes encryption of these records a necessity.

MailHippo uses the latest encryption technology, ensuring email body and attachments are encrypted while in transit and at rest. Learn more about MailHippo security and encryption here.


Access to ePHI must be logged.

This means that any time a user opens and reads an email or email attachment, the action must be recorded. The record must include the date and time, the location, and who accessed the message.

MailHippo logs every access to a message, recording the authorized user, the date and time, their IP address, and exactly which records they accessed.
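The four fields the Security Rule passage above calls for (who, when, from where, and which record) are easy to list but easy to log incompletely. The following is an added example, not MailHippo's code, of an append-only access trail that refuses records missing any of those fields and can be reconciled against what the mail server says was opened, so a logging gap is found rather than silently tolerated. Field names, action names, and the sample events are this example's own constructions.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone

# Action names are this example's own, not MailHippo's.
ALLOWED_ACTIONS = {"open_message", "download_attachment"}


@dataclass(frozen=True)
class AccessEvent:
    """One access to ePHI: who, when, from where, which record, and what they did."""
    user_id: str
    accessed_at: datetime   # timezone-aware, so entries from different sites compare cleanly
    source_ip: str
    record_id: str          # message or attachment identifier
    action: str             # one of ALLOWED_ACTIONS


def validate(event: AccessEvent) -> list[str]:
    """Return every reason this event would be an incomplete audit record."""
    problems = []
    if not event.user_id:
        problems.append("user_id missing")
    if event.accessed_at.tzinfo is None:
        problems.append("accessed_at has no timezone")
    try:
        ipaddress.ip_address(event.source_ip)
    except ValueError:
        problems.append(f"source_ip is not a valid address: {event.source_ip!r}")
    if not event.record_id:
        problems.append("record_id missing")
    if event.action not in ALLOWED_ACTIONS:
        problems.append(f"unknown action: {event.action!r}")
    return problems


class AuditLog:
    """Append-only access trail. In-memory here; a deployment would back this
    with write-once storage so entries cannot be altered after the fact."""

    def __init__(self) -> None:
        self._events: list[AccessEvent] = []

    def record(self, event: AccessEvent) -> int:
        """Append a validated event; refuse an incomplete record rather than log a gap."""
        problems = validate(event)
        if problems:
            raise ValueError("; ".join(problems))
        self._events.append(event)
        return len(self._events)

    def accesses_to(self, record_id: str) -> list[AccessEvent]:
        """Everyone who touched one message or attachment, in order of access."""
        return [e for e in self._events if e.record_id == record_id]

    def accesses_by(self, user_id: str) -> list[AccessEvent]:
        """Everything one user touched, for a per-user access review."""
        return [e for e in self._events if e.user_id == user_id]

    def unlogged(self, observed: list[tuple[str, str]]) -> list[tuple[str, str]]:
        """Reconcile against (user_id, record_id) pairs the mail server reports as
        opened; any pair with no audit entry is a logging gap to investigate."""
        seen = {(e.user_id, e.record_id) for e in self._events}
        return [pair for pair in observed if pair not in seen]


def demo() -> AuditLog:
    """Constructed sample data: three accesses to one message and its attachment."""
    log = AuditLog()
    when = datetime(2024, 5, 1, 14, 30, tzinfo=timezone.utc)
    log.record(AccessEvent("dr.smith", when, "203.0.113.10", "msg-1001", "open_message"))
    log.record(AccessEvent("dr.smith", when, "203.0.113.10", "att-1001-1", "download_attachment"))
    log.record(AccessEvent("nurse.lee", when, "203.0.113.11", "msg-1001", "open_message"))
    return log


def example_bad_event() -> AccessEvent:
    """Constructed event that fails every check, to show what validate() reports."""
    return AccessEvent("", datetime(2024, 5, 1, 14, 30), "not-an-ip", "", "read")


if __name__ == "__main__":
    log = demo()
    for e in log.accesses_to("msg-1001"):
        print(e.accessed_at.isoformat(), e.user_id, e.source_ip, e.action)
    print("gaps:", log.unlogged([("dr.smith", "msg-1001"), ("dr.jones", "msg-1001")]))
    print("rejected because:", validate(example_bad_event()))
```

The reconciliation step is the part worth copying: an audit trail only satisfies the rule if it is complete, and the only way to know it is complete is to compare it against an independent record of what was actually opened.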


The Security Rule requires that ePHI is safeguarded from intentional or unintentional destruction.

Implicitly, there must be at least two copies of each electronic patient health record, one located onsite and one offsite, to ensure the integrity of the records in the event of a loss.

MailHippo implements a robust backup solution which safeguards the MailHippo platform securely both on-site at our data center and offsite to a secure remote location. This system ensures data integrity and business continuity of the MailHippo platform.


Business Associates (such as MailHippo) must have proper HIPAA policies and procedures in place.

For example, these procedures may address what actions are necessary in the event of a data breach or unauthorized access to ePHI records, and what HIPAA training the staff has received, among other items.

With decades of healthcare information technology experience, the MailHippo team has in place, and fully implements, its HIPAA policies and procedures.


A Business Associate Agreement (BAA) must be in place.

The Security Rule requires that a Business Associate Agreement (BAA) is executed between the covered entity (you) and the information technology service provider (MailHippo). This agreement is there to ensure that both parties understand the requirements of the HIPAA Security Rule and that both agree to enforce those rules.

MailHippo issues a Business Associate Agreement as part of our registration process. This ensures that every healthcare provider subscribing to our platform has a valid BAA in place.

So with all of this information about HIPAA under your belt, we encourage you to explore the HIPAA-compliant email solutions available on the market today. Look and ask questions. Reach out to the MailHippo team with your inquiries here. We hope these points assist you in making an informed decision and that you choose MailHippo for your HIPAA-compliant messaging needs.

© 2024 MailHippo, Inc.
2637 E. Atlantic Blvd.
#1063 Pompano Beach, FL  33062
