HIPAA & BAA · Secure email
Is Paubox HIPAA compliant?
Yes. Paubox signs a Business Associate Agreement with every customer and requires a BAA to be in place before accounts are provisioned to send PHI.
Key facts
- BAA available: Yes, with a signed BAA
- What it takes: All paid plans
- Official source: Paubox Business Associate Agreement (BAA): https://www.paubox.com/business-associate-agreement (verified 2026-06)
How to use Paubox in a HIPAA-compliant way
- Sign up for a Paubox plan (Standard, Plus, or Premium).
- Review the Paubox BAA at paubox.com/business-associate-agreement.
- Agree to / execute the BAA, which Paubox requires before encrypted email is enabled.
- Configure your email to meet the HIPAA Security Rule technical safeguards.
- Retain a copy of the signed BAA for your compliance records.
Important caveats
- A signed BAA does not by itself make your overall workflow HIPAA compliant; you must still configure and use the service appropriately.
- The BAA covers Paubox's email encryption services; other PHI handling outside Paubox is your responsibility.
- Paubox uses its own standard BAA rather than signing customer-provided agreements.
The bottom line
No software is "HIPAA compliant" on its own. HIPAA compliance is a property of your organization, not a tool. Even with a signed BAA, you remain responsible for configuring Paubox correctly, limiting access to PHI, training staff, and maintaining your own safeguards. This page is general information, not legal advice; confirm current terms with Paubox.
Frequently asked questions
Does Paubox sign a BAA?
Yes, on all paid plans. A signed BAA is required before any PHI is involved.
Is Paubox HIPAA compliant out of the box?
No software is "HIPAA compliant" by itself. Even when Paubox offers a BAA, you are responsible for signing it, configuring the product correctly, restricting access, and maintaining your own administrative, physical, and technical safeguards.
What should I check before using Paubox with PHI?
A signed BAA does not by itself make your overall workflow HIPAA compliant; you must still configure and use the service appropriately.