Is Yahoo Mail HIPAA Compliant?

You’re starting the process of meeting HIPAA Compliance for your busy practice. The biggest pieces are in place. Now it is time to consider the substantial question of email. No one is looking for HIPAA violations.

So, Is Yahoo Mail HIPAA Compliant?

When we evaluate email systems for HIPAA compliance, here’s the checklist we use:

1. HIPAA guidelines ask medical practices to go the extra mile to protect patient data. It starts with your provider signing a HIPAA business associate agreement (HIPAA BAA). Don’t go with a provider that refuses to sign one!
2. When your email is HIPAA compliant, it's configured so that it’s hard for hackers to access. That includes strong, unique passwords and multi-factor authentication.
3. Emails stored on your computer are encrypted.
4. The connection from your computer (e.g., Outlook, Apple Mail) or smartphone to your email server is encrypted.
5. Emails stored on your email server are encrypted.
6. Emails sent between people inside your company are encrypted.
7. Emails that contain PHI are encrypted when sent outside your company (or better yet, all emails are encrypted!).
8. They should also have a log management system in place to meet the logging requirements of HIPAA. This will help you create an audit trail and investigate a potential breach.
9. HIPAA email compliance also requires many layers of protection against phishing. It's important because it's the biggest threat to companies today. The best companies have two layers of protection against phishing.

So, lets look at Yahoo Mail Compliance and see how it compares to this checklist.

HIPAA Business Associate Agreements

Sadly, Yahoo Mail does not offer business associate agreements. We searched Yahoo’s site and a number of forums, and could find no mention of a HIPAA BAA.

Strong and Secured Passwords

Yes, Yahoo Mail passwords require that you use a relatively strong password. They also offer multi-factor authorization.

Emails stored on your computer are encrypted.

This isn’t relevant for Yahoo. All the emails are stored up in the cloud, and you access them from your browser. So emails are never stored on your computer (unless you download them or print them to PDF). So this is less a question for Yahoo to answer and more something you need to consider when making your computer HIPAA-compliant.

Connections from computer to server encrypted.

This is usually the case, though some of it is up to you. As with the previous question, the connection to Yahoo is encrypted as long as you are accessing it inside of your browser.

If you use something else (like Outlook or Apple Mail), then encryption will be something you set up when you first connect to Yahoo.

Emails stored on your Email server are encrypted.

We don't know. Yahoo doesn't explicitly say anywhere that we could find that they store emails in encrypted storage. Another warning sign and reason why they shouldn't be considered to be HIPAA compliant.

Emails sent in-house are encrypted.

As with the last one, we don't know. It's safe to assume that emails inside of Yahoo are probably encrypted with something called TLS encryption (which has become a de facto standard), but they don't specifically say that they do anywhere that we could find.

Logging Requirements

Yahoo likely has logs internally for everything that you do in your email. However, that’s not enough to be compliant with HIPAA. You can’t see the logs yourself, which is another reason that Yahoo isn’t HIPAA compliant email.

Protection from Phishing

It's safe to assume that Yahoo Mail has some basic protection against phishing (they do have a SPAM folder after all), but it is probably not suitable for healthcare agencies with HIPAA concerns.

You’ve probably already figured this out - Yahoo is not HIPAA compliant

Yahoo Mail does NOT meet HIPAA Compliance guidelines. There is a Yahoo Mail PRO that is available, but it suffers from the same problems listed above. If you are sending emails or emails with PHI using Yahoo Mail or Yahoo Mail Pro, you are at risk for a HIPAA violation.

These are our recommendations if you find yourself with Yahoo Mail HIPAA Compliance problems.

• Find an alternative to Yahoo that’s HIPAA compliant, like Microsoft365 or Google Workspace.
• It is not just a matter of selecting from a list, you need to be sure you are setting your systems up correctly to best protect your information, and that of your clients.
• Until you are positive you are HIPAA Compliant and secure, do not include Protected Health Information in any email, at all.

There are many resources out there to get your Email HIPAA Compliant. Yahoo Mail is NOT HIPAA Compliant.

If you need help, this is what we do.  Learn more about our HIPAA-Compliant Microsoft365 and HIPAA-Compliant Google Workspace offerings.