HIPAA Email Encryption: We Reviewed 7 Services and Found the Best

Trying to figure out the best way to handle HIPAA Email encryption?  How do you send PHI via email and still follow HIPAA?  And how do you send encrypted email in cloud services like Gmail or Office365?  These are two of the most common questions we get.

It’s an understandable question. Email has become the communication tool of choice in the digital age. Most workplaces rely on it heavily.

If you’re a HIPAA-regulated business, email use gets a lot more complicated. It’s even more complicated when you want to email PHI, or Protected Health Information.

Good news: it is possible to send PHI via HIPAA compliant email encryption, and we’re going to tell you exactly what it takes!

But before we jump right in, let’s review the basics.

What is PHI?

PHI stands for “Protected Health Information.”

PHI is anything that can identify an individual and provide information about their healthcare.

Think of it this way. If you’re emailing ANYTHING that someone can use to figure out medical information, it’s PHI.

For healthcare providers and business associates, PHI is everywhere. Even in places that you wouldn’t think to look, like notes on a calendar or files in a “Downloads” folder. This infographic does an awesome job demonstrating all of the different places where PHI can hide.

hipaa compliant email-unsecured-phi-locations
Hint: there are a lot of them.

What is HIPAA Email Encryption?

So, you get it: PHI is important. PHI is everywhere. So what do you do?

First, you need to understand the basics of encryption.

Encryption is at the heart of many of today’s data protection tools. It’s an effective way to shield data from prying eyes.

It’s not important to understand how encryption works.

All you need to know is that you start with an ultra-important secret message:

Be sure to drink your Ovaltine.

When it gets emailed out, it looks like this to anyone who tries to intercept it:

Version: BCPG C# v1.6.1.0



But then when your patient or customers gets the email, it automatically decrypts it to deliver Ovaltine joy!

Not too complicated, right?

Fine, I’m drinking my Ovaltine, but why does all this matter?

Under HIPAA, there are strict rules for sending PHI over email. There are two choices:

  1. You either need to be 100% sure that ONLY your recipient gets the email, or
  2. You need to get permission to send insecure email AND tell them about the risks.

#2 is a hassle. HIPAA compliant email encryption is the only way to guarantee #1. Period.

If you want to send PHI over email, you need to make sure that data is encrypted.

So how do you send secure email?

Like many things in life, it isn’t as straightforward as you might think.

Also like many things in life, it’s a perpetual trade-off between cost and convenience.

When you’re choosing a solution, think about ease-of-use in both sending and receiving. Sure, there are encryption solutions out there that are free or low cost.

But they aren’t worth it if they’re going to be inconvenient or disruptive.

The available solutions fall all over that spectrum. It’s up to you to decide which one will fit your needs best.

Here are a few options:

1) Get consent to email PHI

In a moment, we’ll get into some more complicated encryption solutions. But first, we want to note that HIPAA actually does give patients autonomy over their own data.

This means that there is one way that you can send PHI to a patient in an unencrypted email.

You have to:

    1. Inform your patient of the risks associated with sending their PHI in an unencrypted email.
    2. Get their explicit permission to with them through unencrypted email. Here’s an example of the kind of consent form they would have to sign.

hipaa compliant email consent form
Be careful, though.  You have to be absolutely 100% sure that you never accidentally email someone who hasn’t opted in. Because that, my friend, is a breach.

Want to explore this option? Here’s a great article that explains it in better detail.

2) The free options (don’t bother)

Unfortunately, our favorite email and productivity suite (Gmail) doesn’t support sending encrypted emails. That’s a must-have when it comes to sending PHI, but it will work fine if you want to just email non-PHI.

We did find one way to send encrypted email through Gmail, but it’s a huge pain. The tool, SecureGmail, requires you to give the recipient a password via a non-email method.

That sort of defeats the whole purpose of using email for patient communication. It may be just fine for sporadic personal use, but it’s definitely not scalable in a business setting.

Your mileage may vary, but we don’t recommend it.

There’s only one other completely free option, and that’s to not send PHI via email at all. You can use email for things like setting up appointments, but handle PHI only through phone calls and snail mail.

Unfortunately, those are your only solutions in the $0 price range.

3) The most advertised HIPAA email encryption: Virtru

Search online for “secure email,” and you’ll inevitably see the company Virtru mentioned.

The Virtru add-on is easy to add to your account (though not very easy to use).

Once you install it, here’s how it works:

If you’re using it inside of Gmail, it looks like this:

When the patient gets the email, here’s what it looks like:


Next, the user has to click the “Unlock Message” button.

Here’s where it gets a little annoying — the user then gets another email, which supposedly verifies that this is the correct email address.  Only after clicking the second email can your user access the actual message that was sent.

This double email is a double-edged sword.  On the one hand, it’s nice that they’re not making you remember yet-another username and password.  On the other hand, this “double email” approach is still pretty confusing for non-technical users (especially older patients!).

On the sending side, we’ve also found that medical practices can find the add-ons (they also make one for Microsoft Outlook) to be pretty confusing to install.  And you have to install yet another app if you want to send from your mobile phone.

Lastly, some of our customers have told us that the lowest-priced plan for which they will sign a HIPAA Business Associate agreement is for over $500/year, which puts them out of the reach of some small practices.  That’s not a lot to pay for HIPAA compliance, but it’s a lot to pay for just secure email.

4) The option from your IT guy

If you work with an IT company, they might be giving you a HIPAA email encryption add-on.  It might even be free.

Companies with names like Proofpoint, Mimecast, and Reflexion primarily focus on email security.  More specifically, they protect you from phishing attacks, viruses, and ransomware emails.

All of these companies are excellent at keeping your email safe (our favorite, Proofpoint, is what we recommend to clients), but they’re not that great at SENDING secure emails.

Here’s how most of them work:

When you want to send someone a secure email, you’ll use a keyword (like “[SECURE]”) in your subject line.  That’s the signal to the system to encrypt the email.

Here’s an example in Gmail, though it looks the same in whatever email service you use.  In fact, you can even do this on your mobile phone!

hipaa compliant email sending proofpoint

After sending it, you’ll get a nice confirmation back:

hipaa compliant email proofpoint confirmation

When your recipient gets the email, it will look like this:

hipaa compliant email proofpoint patient

The recipient clicks on the “View Encrypted Email” button.

Sounds easy, right?

Well, not so fast.  Your patient still needs to sign up for (and remember) a username and password.  Patients can find this confusing.

After they log in, they will see the secure email you sent.  They can also respond to it.

hipaa compliant email proofpoint patient email

This one was near the top of our list, but when we tried it with medical practices, we had too many people complain about having to remember usernames and passwords.  It can work for a really small practice that almost never sends sensitive data over email, but what if you forget to type in “secure”?  It’s too easy to make a mistake.

5) A clunky option for Microsoft fans: Office 365

Office 365 can send HIPAA compliant encrypted emails but, I warn you, it’s very clunky.  They’ve made some recent improvements in early 2019 which are described below, but it’s still awkward.

First, get Office 365.

When you send the email, it looks like this:

Office 365 Secure Email

See that button that says “Encrypt”?  Click that, and it’s just that easy!  After you click it, this little header will show up:

Office 365 Secure Email Encrypted

Sending a secure email on your side is pretty simple.  But when it gets to your recipient, that’s when it gets ugly.

Here’s what shows up on the other side:

Office 365 Secure Email Recipient Message

When you click on that, the patient or recipient sees this:

Office 365 Secure Email Log In

We’ve found that some older patients really struggle with this, and struggle to remember passwords.

You also need to remember (and train your staff) about how to tell when to send a secure email vs. a regular email.  It’s really easy to forget.

So while it CAN work (especially if you don’t send a lot of secure messages), it’s definitely not as easy to use as our favorite option below (#7).

6) Not safe for HIPAA? – SendSafely

SendSafely is another secure email service, though we wouldn’t recommend it for HIPAA email encryption. It specializes in enterprise email encryption and secure file sharing. It can integrate directly with your Gmail or Office 365 account. Alternately, you can send email through their internal portal.

We’ll be blunt: we don’t recommend this option for healthcare providers or HIPAA covered entities. While SendSafely mentions that they’re HIPAA compliant on their website, they don’t mention anything about being willing to sign a HIPAA business associate agreement.

Still, we’ll give you a tour of how it works ― in case you’re curious or if you’re looking for a solution for non-HIPAA reasons.

After you install and activate SendSafely, here’s an example of what happens in the Gmail user interface: 

Instead of encrypting the whole email, SendSafely just encrypts the attachment:

They do give you an interesting option to enable SMS verification. If you have your patient’s phone number, this could be useful. SMS verification is a great way to ensure the identity of the user. Keep it in mind if you want to go the extra mile in your email security.

On the receiving side, here’s what it looks like:

Simple, right?

As we said, we don’t recommend SendSafely for HIPAA-related purposes, because HIPAA just doesn’t seem to be a focus of theirs. There are better options for compliance-specific email.

But it’s a good one to keep in mind for comparison or for other future uses.

7) The easiest, best solution for HIPAA Email Encryption: Paubox

Paubox is an excellent service that will automatically encrypt all of your emails. It’s, by far, the best option we’ve found for HIPAA email encryption.  You’ll need a little help setting it up. But once it’s in place, it’s definitely the easiest for both you and your patients.

The best thing about Paubox is that you don’t have to tell it which emails to encrypt.  It automatically encrypts every email you send.

If your patient uses a modern email system like Gmail or Office365, they won’t even have to click anything. The email will appear in their inbox just like any other.


Paubox uses a trick called TLS encryption to transparently encrypt every email.  Actually, over 90% of the emails sent to or received from Gmail are actually encrypted already, according to Google.  Paubox manages the rest.

If your patient is using an older email system or an email system that isn’t set up the right way, however, they’ll either need to click a link or sign up for a username or password (your choice). But compared to the alternatives, this is still an extremely convenient option.

Bonus: it works with Google Mail or Office 365, too.  And mobile!  Not to steal Apple’s tagline, but it’s our favorite because “it just works.”  Easy for the patient, easy for the doctor.

We also really liked this service while researching this article, and decided to make it part of the solution that we implement for practices who become our clients.  Click here if you’d like to learn more or get a price quote.


Information around HIPAA email encryption has always been a bit murky. Lots of businesses aren’t sure whether they can safely email PHI.

As we’ve outlined above, the definitive answer is yes. It’s definitely possible to safely and securely send PHI via HIPAA email encryption.

But that’s only if you’re willing to put the time and money into finding a reliable method. Hopefully, this article has given you a clear overview of your options.

It may be a bit more complicated than sending a day-to-day personal email. And sure, it’s a bit more inconvenient. But with experimentation and research, lots of businesses have found encrypted email solutions that work wonderfully for them.

Interested in trying Paubox?

We offer a 30 days trial for new Paubox clients.  Check it out here 

Talk to us!

Have questions or feedback?  Please share them in the comments below.

Like this article?  Share it!

Other HIPAA Compliant Email Questions

Is yahoo mail HIPAA compliant?
Is Zoho HIPAA compliant email?
Is outlook HIPAA compliant?

Share this post

Share on facebook
Share on google
Share on twitter
Share on linkedin
Share on pinterest
Share on print
Share on email

16 thoughts on “HIPAA Email Encryption: We Reviewed 7 Services and Found the Best”

  1. 1. Virtru will not sign a BAA unless you are paying for their MUCH more expensive business version restoring the purchase of multiple accounts per month.. I believe it costs something like $60 per month.

    2. You can get GAME for Gmail/Google Apps accounts for $35 per year. It’s provided by zixcorp, in partnership with Google.

    3. Office 365 does not come or of the box with encryption. You must also sigh up for azure rights management and have that configured first. Also, there is a licensing issue with their office software that is included. Commercial businesses cannot install their five “free” copies of office shared by multiple users in a practice. While outlook.com or exchange online accounts can be shared and accessed across computers, you must purchase a separate office 365 account for each separate user in order to install and use office applications. A little gotcha they deliberately aren’t clear on.

  2. Good article. I have been using ProtectedTrust and it is very easy to use and implement. They even have an app that allows the login with fingerprint that I use all the time.

  3. Our practice uses SendSafely for HIPPA compliant email and file exchange, and we have a BAA in place with them. I believe the only requirement for them to sign the BAA is that you need to be using the business version (they won’t sign for FREE users).

    • That’s not quite right. No HIPAA-compliant email will let you use a free service so, correct, you cannot use the FREE version of Google Mail. However, we have tons of clients who are happily using the paid version of Google Mail (called Google’s G Suite), and we’ve set them up so they’re HIPAA compliant and using Paubox. It’s a great experience for practices and their patients, so it definitely works.

  4. This information is a little out-dated. With Office 365 encryption is included as part of most of the E1-E5 subscriptions and IRM is not required. You can also set up a rule to force TLS and if TLS isn’t available it can fall back to O365’s default encryption email (which you’re right isn’t the best but 98% of our email goes TLS already) but this is really no different than what Paubox is doing and charging a lot of money for.

    • Great feedback! We’ll take a look when we do our next update. We had looked at the option of doing forced TLS when we did the initial review, but it wasn’t supported at that time.

      • We did a little more digging on this. Based on talking to tech support, the new process in Office365 isn’t quite as smooth as the experience in Paubox. Apparently you can set up your Office365 domain to have mandatory TLS encryption. It will bounce any email back to the user if they try to send it to a domain that doesn’t have TLS properly configured. Then, they will need to re-send the message, but they will need to manually re-encrypt it using Office 365 Message Encryption. If you have users who are fairly tech-savvy, then this might work, but we still prefer the straight-through ease of Paubox.

  5. So a paid for G Suite account (with a BAA in place) and Gmail configured correctly; alone, is still not sufficient under HIPAA ? With all of this in place, one would still need a service like Paubox ?

    • Great question, Hayden — a lot of people miss the subtlety of this point.

      It depends on two things:
      1) Are you planning to send PHI outside of your company (to patients, other practices, insurance companies, billing companies, etc.)
      2) How carefully are you going to manage emails that do contain PHI?

      If you’re only ever going to email PHI within your company, and if your G Suite account is configured properly, then you shouldn’t need an additional secure email service (like those discussed in this article). Emails inside your four walls would be encrypted and therefore HIPAA compliant.

      However, if you’re going to email it outside of your company, then you definitely should think about a secure email service. There are some technical hacks you can use to figure out if an individual email address supports TLS encryption, but this falls apart if you have to email more than a few people each month.

  6. Great article!! It nailed all the points I was looking for, although I would have liked to see the sending-end and receiving-end pictures of Paubox, like the examples you gave for other services. If the user experience is so seemless, what in the interface assures the users that the email is indeed encrypted?

    I would love to read your follow up article! Will Paubox still be your go-to top choice? Thanks again!!

  7. Unfortunately Paubox has a minimum number of users needed. What do you suggest for a solo practitioner who is just starting and on a limited budget? Thanks

    • Hi – they don’t have a minimum number of users, but they do have a minimum monthly fee. We’ve found their pricing is pretty comparable to other secure email products, so if all secure email outside of your budget, you may want to not use email for handling PHI until you can afford it.


Leave a Comment