A question recently popped up in my inbox that others may find useful. It was concerning a digital health startup and their evaluation of Mailgun and Paubox Email API. They wanted to learn how the solutions stack up.
This post will compare and contrast Mailgun and Paubox as it relates to HIPAA compliant email.
About Mailgun
Mailgun was launched in 2010 as an API-based email delivery service, allowing companies to build email into their existing applications rather than building an email system from scratch. With Mailgun, customers can scale email campaigns, send transactional emails, and send email from within an application or website. It also provides advanced features such as real-time analytics, A/B testing, and email validation.
About Paubox Email API
Paubox Email API is a cloud-based secure email delivery service that helps healthcare organizations improve patient journeys. Common use cases include delivering test results, personalized appointment reminders, automating e-consent forms, and managing clinical trial recruitment.
Paubox provides various methods to help healthcare organizations send secure emails, such as developer docs, client libraries (SDKs), and real-time analytics.
Paubox launched in 2015 and currently has over four thousand customers in all 50 states.
Is Mailgun HIPAA compliant?
There are several things to consider when it comes to Mailgun and its ability to provide HIPAA compliant email.
First, let’s start with a quick recap of terms. The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that protects the privacy of individuals’ personal health information, otherwise known as protected health information (PHI).
As we’ve previously discussed, HIPAA applies to covered entities, which includes healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity. A business associate agreement (BAA) is a written contract between a covered entity and a business associate. It is required by law for HIPAA compliance.
We’ve written in the past about Mailgun and its stance on HIPAA compliance. In a nutshell, while Mailgun will sign a BAA with customers, the fine print reveals it does not cover much as it relates to their ability to provide HIPAA compliant email. For example, the company readily admits that by using their service, customers will likely be exposing sensitive patient data during email transmission, which is a HIPAA violation.
So when it comes sending HIPAA compliant email via Mailgun, it is not recommended from a risk standpoint.
Is Paubox HIPAA compliant?
Paubox was built around the Paubox Foundations, three big ideas, and a mission to become the market leader for HIPAA compliant communication.
Paubox provides a BAA for all paid and freemium customers.
In addition, the following solutions are HITRUST CSF certified:
While an official HIPAA compliance certification does not exist, it’s widely acknowledged HITRUST CSF is the closest thing to it. In a nutshell, not only is Paubox HIPAA compliant, but its solutions are also HITRUST CSF certified.
Conclusion
Both Mailgun and Paubox offer a transactional email API that alleviates the need for customers to fret about infrastructure and maintenance of in-house email systems.
Mailgun however, is not tailored for U.S. healthcare. This is apparent both from its technical design and its compliance statements.
Paubox on the other hand, was built from the ground up to provide secure, easy-to-use, HIPAA compliant email. This is apparent from its technical design (four patents and counting), HITRUST CSF certification since 2019, and inclusion of a business associate agreement for all customers (paid and freemium).
Hoala Greevy
