You’re starting the process of meeting HIPAA compliance for your busy practice. The biggest pieces are in place. Now it is time to consider the substantial question of email. Nobody wants a HIPAA violation.
When we evaluate email systems for HIPAA compliance, here’s the checklist we use:
So, let's look at Yahoo Mail and see how it compares to this checklist.
Sadly, Yahoo Mail does not offer business associate agreements (BAAs). We searched Yahoo’s site and a number of forums and could find no mention of a HIPAA BAA.
Yes. Yahoo Mail requires that you use a relatively strong password, and it also offers multi-factor authentication.
This isn’t really relevant for Yahoo. All emails are stored in the cloud, and you access them from your browser, so emails are never stored on your computer (unless you download them or print them to PDF). This is therefore less a question for Yahoo to answer and more something you need to consider when making your own computer HIPAA-compliant.
This is usually the case, though some of it is up to you. As with the previous question, the connection to Yahoo is encrypted as long as you are accessing your mail inside your browser.
If you use a separate mail client instead (such as Outlook or Apple Mail), then encryption is something you set up yourself when you first connect that client to Yahoo.
We don't know. Nowhere that we could find does Yahoo explicitly say that it stores emails in encrypted storage. That is another warning sign, and another reason Yahoo shouldn't be considered HIPAA compliant.
As with the last one, we don't know. It's safe to assume that email passing through Yahoo is probably protected with TLS encryption (which has become the de facto standard for mail in transit), but Yahoo doesn't specifically say so anywhere that we could find.
Yahoo likely keeps internal logs of everything you do in your email. However, that’s not enough to be compliant with HIPAA: you can’t see those logs yourself, which is another reason Yahoo isn’t HIPAA-compliant email.
It's safe to assume that Yahoo Mail has some basic protection against phishing (it does have a Spam folder, after all), but that protection is probably not suitable for healthcare organizations with HIPAA obligations.
Yahoo Mail does NOT meet HIPAA compliance guidelines. There is a paid Yahoo Mail Pro tier available, but it suffers from the same problems listed above. If you are sending emails containing PHI using Yahoo Mail or Yahoo Mail Pro, you are at risk of a HIPAA violation.
There are many resources out there to help make your email HIPAA compliant. Yahoo Mail is NOT HIPAA compliant.