Health Insurance Portability and Accountability Act (HIPAA) Protected Health Information

Proofpoint is dedicated to protecting our customers’ privacy. We understand that sometimes that protection extends to Personal Health Information (PHI). PHI held by covered entities is protected by the HIPAA Privacy Rule and the Security Rule. Patients have rights under the Privacy Rule and under state law with respect to their PHI. The Security Rule requires that PHI be safeguarded to protect the confidentiality, integrity, and availability of PHI.

Disclosures of PHI are permitted for patient care and other important purposes, including treatment, payment, and healthcare operations. Examples of PHI include 18 data elements, including, but not limited to, the following: name, email address, social security numbers, medical record numbers, biometric identifiers, and phone numbers.

When customers engage Proofpoint as a vendor, it is possible that PHI belonging to our customers’ patients could pass through the Proofpoint Services when the customers use the Services. Proofpoint applies the minimum necessary concept required by HIPAA and only uses the minimum amount of information required to do our work. We also expect that our customers apply the same best practices when it comes to sharing PHI.

Please keep in mind that if PHI is included in the email that passes through the Proofpoint Services as part of a customer’s use of the Services, it is unlikely Proofpoint personnel will ever access that PHI or even know it is there. The majority of emails pass through the Services in a matter of milliseconds and the email content itself is not retained. If a threat is detected or suspected, the email may be detained longer and certain data elements (e.g. email address of the sender and recipient, date, time, a summary of threats contained in the email) could be retained for up to 18 months.

The insights gained from the use of the Products and Services provided by Proofpoint are used to improve the Products and Services for all of Proofpoint’s customers.  For the avoidance of doubt, such use does not include the sale or disclosure of a customer’s PHI.

Certain security Products provided by Proofpoint retain certain data elements used to provide the Service for 18 months following the conclusion of the agreement. Pursuant to the terms of the applicable agreement, Proofpoint shall protect PHI during such time and shall destroy any such PHI after said 18 months.

© 2022. All rights reserved. The content on this site is intended for informational purposes only.
Last updated April 27, 2022.