Is SaneBox HIPAA compliant?

SaneBox is email organization software that offers HIPAA compliance as a part of its services to healthcare customers. 

What is SaneBox?

SaneBox is an email management software designed for individuals and businesses seeking to streamline email communication and reduce email overload. It offers a unique set of features aimed at improving email productivity and organization, such as analyzing email behavior to determine email importance, moving unimportant emails to a separate folder called SaneLater, and providing a digest summary of those emails. SaneBox also includes features like email snoozing, one-click unsubscribe, reminders for unresponsive contacts, and managing email attachments by moving them to cloud storage services.

See also: Is Simply.Coach HIPAA compliant?

SaneBox and a business associate agreement

HIPAA stipulates that a business associate agreement (BAA) is required according to HIPAA regulations. The BAA outlines the responsibilities of third-party vendors when handling protected health information (PHI). Any software or service that stores, processes, or transmits PHI on behalf of a healthcare entity is considered a business associate and should, therefore, sign a BAA. Given SaneBox's functionalities, such as email management and organization, which may involve the handling of PHI in healthcare communications, it would be categorized as a business associate when used within healthcare settings.

Upon reviewing SaneBox's website, we found that they explicitly state their willingness to sign a BAA with healthcare entities. Specifically, their Security FAQ section mentions: "We would absolutely enter into a BAA."

See also: HIPAA Compliant Email: The Definitive Guide

SaneBox and Data Security

Physical Access Controls

• Access approval and recording at the perimeter, building, and data center suites.
• Pre-approved access requests via a ticketing system.
• ID checks at reception with a photo ID requirement (passport/driving license).
• 24/7 CCTV and on-site security monitoring.
• Biometric and key-fob controls at all entry/exit points for recording all movements.
• Access control with expiration dates and times.
• Roof-to-ceiling enclosures to prevent unauthorized physical access within Data Center suites.
• Racks are locked at all times and require staff members to unlock them.
• Cabling is secured within overhead cable trays.

Network Security

• No public internet connections to service and database machines.
• Users must establish a VPN connection to the private network, which uses data encryption and security mechanisms.
• Individual cryptographically strong SSH keys are required for access to a bastion host.
• Bastion host with enhanced security measures and custom software.
• SSH protocol for authentication, encryption, and data integrity.
• Access to service machines through SSH keys, with all access logged and audited.
• Bank-quality encryption for data on the server.

Data Security

• User email is never resident on SaneBox's servers.
• Email content remains inaccessible to SaneBox servers.
• Email credentials/authentication information is bank-quality encrypted in the database.
• A strong passcode is required to start up the software.
• Master startup passcode known to only a few trusted employees.
• Calculation of email importance is done algorithmically, not by individuals.
• Servers calculating email importance are unavailable for inbound internet connections.

Is SaneBox HIPAA compliant?

SaneBox demonstrates a commitment to data security through its security measures, including multi-layered physical access controls, network security practices, and data security protocols. Furthermore, their willingness to sign a BAA with healthcare entities shows their commitment to complying with HIPAA standards and safeguarding PHI.

Based on these factors, SaneBox is HIPAA compliant.

See also: Is Practice Fusion HIPAA compliant?