
HIPAA-compliant email · The definitive guide

9 HIPAA-compliant email providers, ranked.

The 7 regulatory requirements, the 9 top providers (including Patient Protect's integrated secure messaging), and the decision framework for picking the right one. 43% of healthcare breaches involve email — most practices are missing at least three of the seven requirements.

Updated May 20, 2026 · Reviewed by Patient Protect Editorial · Independent

What is in this guide: 9 providers, 7 requirements, 6 profiles.

Top of the list

  1. Patient Protect Secure Messaging (Integrated compliance platform)
  2. Paubox (Healthcare-purpose-built)
  3. Hushmail for Healthcare (Healthcare-purpose-built)

+ 6 more, ranked by fit — see the full list below.

The risk

Why standard email fails HIPAA requirements.

Every email containing patient information is a potential breach vector. Standard email was designed for convenience, not security — and HIPAA was written for security, not convenience.

Unencrypted transmission

Standard email sends PHI in plaintext between servers. Any intermediary can read the content. TLS encryption only works if both sender and recipient servers support it — and there is no guarantee they do.

43% of healthcare breaches involve email (Verizon DBIR, 2024).

No access controls

Personal email accounts have no role-based access, no session timeouts, and no device management. Anyone with the password can read every message from any device, indefinitely.

Shared passwords on email accounts are flagged in 1 in 3 OCR audits.

No audit trail

Standard email providers do not log who accessed a message, when, or from where. When OCR requests evidence of your safeguards, you have nothing to show.

Failure to produce audit logs is a standalone HIPAA violation.

Indefinite retention

Emails sit in inboxes and trash folders indefinitely. Former employees retain access on personal devices. PHI accumulates in places your practice no longer controls.

Average email account contains 3+ years of unmanaged PHI.

What HIPAA requires

Seven requirements for HIPAA-compliant email.

HIPAA does not ban email. It requires that email systems used for PHI meet specific technical and administrative safeguards under 45 CFR Part 164, Subpart C. Missing any one of these can result in a violation.

  1. Encryption in transit and at rest

     All email containing ePHI must be encrypted using TLS 1.2+ in transit and AES-256 at rest. If the recipient's server does not support TLS, the message must not be sent — or must use a portal-based secure delivery.

  2. Business Associate Agreement

     Your email provider processes ePHI on your behalf, making them a business associate. You must have a signed BAA before any patient data flows through the system. Gmail, Outlook, and Yahoo personal accounts do not offer BAAs.

  3. Access controls and authentication

     Each user must have a unique login. Multi-factor authentication (MFA) is required. Shared accounts, shared passwords, and auto-login on unmanaged devices are violations.

  4. Audit logging

     Your email system must log who sent and received messages, when, and from what device. These logs must be retained for a minimum of six years per HIPAA requirements.

  5. Data Loss Prevention (DLP)

     Rules must detect and block outbound messages containing PHI patterns (SSNs, MRNs, DOBs) sent to unauthorized recipients or personal accounts.

  6. Retention and disposal policies

     Email retention periods must be defined and enforced. Deleted messages must be purged on schedule. Staff cannot maintain personal archives of patient communications.

  7. Device management

     If staff access email from mobile devices, those devices must be managed — remote wipe capability, screen lock requirements, and encryption enforced.

The 9 providers ranked

Top 9 HIPAA-compliant patient communication providers, ranked by fit.

Each provider below operates an active BAA program and supports the seven requirements above. Ranking reflects how each fits independent-practice workflows — not absolute superiority. The right provider depends on practice size, existing stack, and whether you want patient communication built into your compliance program or running as a separate inbox. The decision framework after the list maps each profile to a recommendation.

How we ranked these providers

1. BAA program reality, not marketing copy

Every provider listed has an active, public BAA program. We exclude vendors that advertise “HIPAA features” without offering a BAA at any tier.

2. Coverage of all 7 requirements

Encryption (transit + rest), BAA, access controls and MFA, audit logging, DLP, retention, and device management. Providers that fail more than one are not listed.

3. Independent-practice fit, not enterprise feature count

Ranking favors providers that work for practices without a dedicated IT or compliance team. The most powerful platform is not the best fit if a solo practice cannot configure it.

No paid placements. No affiliate commissions. Patient Protect Secure Messaging is listed at the top because it is the only option in this list that integrates patient communication with the broader compliance program — disclosed as our product, not editorial preference.

01. Patient Protect Secure Messaging (Integrated compliance platform)

BAA: Yes — included with platform subscription, no add-on required

Best for: Practices that want HIPAA-compliant patient communication built into the broader compliance program — encrypted messaging, audit logging with content hash on every send, role-based access (8 defined roles), and BAA tracking in one platform. Browser-based; no staff phones or personal apps required.

Configuration trap: Patient Protect Secure Messaging handles patient communication, not staff-to-external-recipient SMTP. Practices typically pair it with Microsoft 365 or Google Workspace for inbox-style email and use Patient Protect for the patient-facing channel where audit, retention, and access controls matter most. The platform also tracks the BAA on whichever email provider you choose.

02. Paubox (Healthcare-purpose-built)

BAA: Yes — included on all paid plans

Best for: Practices that want zero-friction encryption with no patient-side portals. Automatic TLS with fallback portal if the recipient server cannot negotiate TLS.

Configuration trap: Paubox routes through its own infrastructure; verify the BAA scope covers all Paubox products you use (Email Suite, Marketing, Forms). The base BAA does not automatically cover every optional add-on.

03. Hushmail for Healthcare (Healthcare-purpose-built)

BAA: Yes — purpose-built for healthcare

Best for: Solo and small-group practices that need encrypted patient web forms alongside email. Includes intake forms, e-signatures, and HIPAA-compliant storage.

Configuration trap: Feature set is intentionally simpler than Microsoft 365 / Google Workspace. Practices needing deep DLP rules, eDiscovery, or enterprise admin will outgrow it.

04. LuxSci (Healthcare-purpose-built)

BAA: Yes — HITRUST CSF certified

Best for: Larger practices and groups that need secure email plus SaaS (HIPAA-compliant secure forms, hosted file sharing, archiving). Strong on bulk email and healthcare marketing under BAA.

Configuration trap: Multiple tiers — Standard, Premier, and custom. Verify which products your BAA covers; LuxSci's enterprise platform extends well beyond email.

05. Microsoft 365 (Business / Enterprise) (General-purpose with BAA)

BAA: Yes — via Microsoft Online Services BAA on Business and Enterprise plans

Best for: Practices already standardized on Microsoft 365 for Office, Teams, and SharePoint. Single BAA covers the whole stack. Strong on enterprise DLP via Microsoft Purview.

Configuration trap: BAA must be accepted in the Admin Center. Default settings do not enforce HIPAA-grade DLP, retention, or MFA. Personal Outlook.com and Microsoft 365 Family never qualify. See our Microsoft Teams HIPAA guide for the broader Microsoft stack.

06. Google Workspace (Business / Enterprise) (General-purpose with BAA)

BAA: Yes — via Google Workspace BAA on paid plans

Best for: Practices on Google Workspace for collaboration. Gmail covered under the same BAA as Drive, Calendar, Meet, and Vault.

Configuration trap: Free Gmail never qualifies. BAA must be accepted in Workspace Admin Console. Default settings do not enforce HIPAA-grade controls; DLP, Vault retention, and Context-Aware Access must be configured separately. Full breakdown at our Google Workspace HIPAA guide and Is Gmail HIPAA compliant.

07. Virtru (Encryption layer)

BAA: Yes — encryption layer with signed BAA

Best for: Practices that want to keep their existing email (Gmail, Outlook, etc.) but add policy-based encryption, key control, and DLP on top. Virtru acts as a layer rather than a replacement.

Configuration trap: Virtru protects messages it encrypts. Messages sent without Virtru rules still travel through the underlying provider in plaintext. The BAA must be paired with the underlying email provider's BAA — Virtru alone does not make Gmail compliant.

08. Identillect Delivery Trust (Encryption add-on)

BAA: Yes — encryption add-on with signed BAA

Best for: Practices that send a moderate volume of encrypted patient email and want a simpler bolt-on to their existing email rather than a full migration.

Configuration trap: Recipient experience depends on whether they have a Delivery Trust account or read messages via the secure portal — train staff and patients on the workflow before deployment.

09. ProtonMail Business (End-to-end encrypted)

BAA: Yes — Business and Enterprise plans with BAA on request

Best for: Practices that want end-to-end encryption with Swiss data residency and zero-knowledge architecture. Strong for behavioral health and other specialties where patient privacy expectations are elevated.

Configuration trap: End-to-end encryption only works between ProtonMail users by default; messages to external addresses use TLS-based encryption unless the password-protected message feature is enabled per send. Train staff on which to use when.

Free Gmail, Yahoo, AOL, and personal Outlook.com accounts never qualify for HIPAA compliance — no BAA is offered for any of them at the consumer tier.

Decision framework

Which provider should your practice choose?

The right provider depends less on feature lists than on fit. Match the profile that describes your practice today.

Profile: Practices using Patient Protect for compliance
Recommendation: Patient Protect Secure Messaging (built in)

If you are already on the Patient Protect platform, secure messaging is included. Patient communication runs through the same audit, BAA, and training surface as the rest of your compliance program. No second vendor relationship to manage.

Profile: Solo practice, 1–5 staff, no IT team
Recommendation: Healthcare-purpose-built (Paubox or Hushmail for Healthcare)

Lowest setup burden, automatic encryption, intake forms included. You will not need to configure DLP rules from scratch.

Profile: Small practice, already on Microsoft 365 or Google Workspace
Recommendation: Keep your existing platform and accept the BAA in admin

Switching platforms is expensive and disruptive. The BAA is free; the configuration work (DLP, MFA, retention) is the actual project.

Profile: Multi-location practice or group
Recommendation: Microsoft 365 Enterprise or Google Workspace Enterprise

Centralized admin, advanced DLP (Microsoft Purview or Google Vault), Context-Aware Access, and integration with EHR and identity providers.

Profile: Behavioral health or high-privacy specialty
Recommendation: ProtonMail Business or LuxSci

End-to-end encryption (Proton) or HITRUST certification (LuxSci) raises the assurance bar for patient populations with elevated privacy expectations.

Profile: Cannot change email but need compliance now
Recommendation: Add Virtru or Identillect as an encryption layer

Bolt-on encryption with a BAA preserves your existing mailbox while adding policy-based encryption and DLP. Underlying provider still needs its own BAA.

Common mistakes

Where practices get email compliance wrong.

Most email-related HIPAA violations are not platform failures. They are configuration and workflow gaps inside otherwise-compliant systems.

  • Using personal email accounts (@gmail.com, @yahoo.com) for patient communication
  • Signing a BAA with Google Workspace or Microsoft 365 but not configuring DLP, MFA, or retention policies
  • Sending PHI to patients who reply from non-secure personal email — the return path is unencrypted
  • Forwarding patient emails to personal accounts for after-hours access
  • Not training staff on what can and cannot be sent via email
  • Using email subject lines that contain PHI (subject lines are never encrypted)
  • Assuming encryption covers the problem — encryption without access controls, audit logs, and policies is not compliance
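Requirement 5 above (DLP) and the subject-line and forwarding mistakes in this list all describe one outbound rule: PHI patterns in the subject are blocked, PHI to personal or uncleared domains is blocked, and PHI to a cleared recipient is forced onto secure delivery. The following is an added example of that rule as a scanner over a constructed message; it is not Patient Protect's or any listed vendor's code, and the cleared-domain list, the personal-domain list and the MRN pattern shape are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed policy for this example: domains cleared to receive PHI, and the
# consumer-mail domains the guide says never qualify for HIPAA use.
ALLOWED_RECIPIENT_DOMAINS = {"example-clinic.test", "partner-lab.test"}
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "aol.com", "outlook.com"}

# The PHI patterns named in requirement 5. The "MRN" + 6-10 digit shape is an
# assumption; real MRN formats are site-specific and must be tuned per practice.
PHI_PATTERNS = {
    "SSN": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "MRN": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
    "DOB": re.compile(r"\b(?:DOB|date of birth)[:\s]*\d{1,2}/\d{1,2}/\d{2,4}\b",
                      re.IGNORECASE),
}

@dataclass
class Verdict:
    action: str                                   # "allow", "encrypt" or "block"
    findings: list = field(default_factory=list)  # (location, kind, matched text)
    reasons: list = field(default_factory=list)   # why a message was blocked

def scan(location, text):
    """Return every PHI pattern hit in one part of the message as a tuple."""
    return [(location, kind, m.group(0))
            for kind, rx in PHI_PATTERNS.items() for m in rx.finditer(text)]

def evaluate(recipients, subject, body):
    """Outbound rule: PHI leaves only encrypted, only to cleared domains, and
    never in the subject line (the guide notes subject lines are never encrypted)."""
    verdict = Verdict("allow", scan("subject", subject) + scan("body", body))
    if not verdict.findings:
        return verdict                    # no PHI: ordinary delivery is fine
    verdict.action = "encrypt"            # PHI present: force TLS/portal delivery...
    if any(loc == "subject" for loc, _, _ in verdict.findings):
        verdict.action = "block"          # ...unless it sits in the cleartext subject
        verdict.reasons.append("PHI in subject line")
    for rcpt in recipients:
        domain = rcpt.rsplit("@", 1)[-1].lower()
        if domain in PERSONAL_DOMAINS:    # the after-hours forward from the mistakes list
            verdict.action = "block"
            verdict.reasons.append(f"personal account recipient: {rcpt}")
        elif domain not in ALLOWED_RECIPIENT_DOMAINS:
            verdict.action = "block"
            verdict.reasons.append(f"domain not cleared for PHI: {domain}")
    return verdict

# Constructed sample: a staff member forwarding a chart note to a personal inbox.
SAMPLE = evaluate(["drsmith@gmail.com"], "Re: follow-up",
                  "Patient MRN 00482193, DOB: 04/12/1987, SSN 123-45-6789.")
```

The matched text in `findings` belongs in the audit record, not in a plain-text alert, or the DLP log itself becomes a second copy of the PHI.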

FAQ

Common questions about HIPAA-compliant email.

What is the best HIPAA-compliant email or patient-communication provider in 2026?

There is no single best provider — the right choice depends on practice size, existing stack, and whether you want patient communication built into your compliance program or running as a separate inbox. Patient Protect Secure Messaging is the integrated option for practices that want messaging, audit logging, role-based access, and BAA tracking in one platform. Paubox and Hushmail for Healthcare lead for solo practices that want zero-configuration encryption. Microsoft 365 and Google Workspace lead for practices already on those platforms. LuxSci and ProtonMail Business serve specialties with elevated privacy expectations. Virtru and Identillect are encryption layers for practices that cannot migrate.

Is email HIPAA compliant?

Standard email is not HIPAA compliant. Email can be made compliant when sent through a platform with a signed BAA, encryption in transit and at rest, access controls, audit logging, and DLP policies configured. The platform alone is not enough — organizational policies and staff training are required.

Can I email patients under HIPAA?

Yes, if you use a HIPAA-compliant email system with proper encryption and have a signed BAA with your email provider. The patient should be informed that email carries inherent risks, and you should document their consent to receive communications via email. Never include PHI in subject lines.

Is Gmail HIPAA compliant?

Free Gmail is not HIPAA compliant — Google does not offer a BAA for personal accounts. Google Workspace (Business, Enterprise) can be HIPAA compliant after signing the BAA in the Admin Console and configuring DLP, MFA, and retention policies. Full detail at /post/is-gmail-hipaa-compliant.

Is Outlook / Microsoft 365 HIPAA compliant?

Personal Outlook.com is not HIPAA compliant. Microsoft 365 Business and Enterprise plans can be HIPAA compliant after accepting the Microsoft Online Services BAA in the Admin Center and configuring DLP via Microsoft Purview, MFA, retention, and Conditional Access policies.

How much does HIPAA-compliant email cost?

Per-user pricing ranges roughly $5 to $50 per month depending on provider and tier. Paubox Standard is in the $30 per user range, Hushmail for Healthcare starts around $14, Microsoft 365 Business Premium is approximately $22, Google Workspace Business Standard is approximately $12. Encryption add-ons like Virtru are typically $5 to $15 per user on top of an existing email plan. Confirm current pricing with each vendor.

What is the penalty for sending PHI via unsecured email?

OCR penalties for email-related HIPAA violations range from $100 to $50,000 per violation, up to roughly $1.9 million per year per violation category. Individual violations can be aggregated — a practice sending unencrypted emails daily could face penalties for each message.

Does encryption alone make email HIPAA compliant?

No. Encryption is one of seven requirements. HIPAA also requires access controls, unique user authentication, audit logging, a signed BAA with the email provider, data retention policies, DLP, and staff training. Encryption alone does not equal compliance.

Do I need a separate HIPAA email provider?

Not necessarily. Google Workspace and Microsoft 365 can both meet HIPAA requirements when properly configured with a BAA. Dedicated healthcare email providers like Paubox, Hushmail, and LuxSci offer simpler setup and healthcare-specific features like encrypted web forms, but they are not required if your existing platform meets the standards.

What about HIPAA-compliant email for AI workflows (ChatGPT, etc.)?

Consumer AI tools do not sign BAAs. Pasting PHI from an email into ChatGPT, Claude, or Gemini is a reportable disclosure even if the underlying email was sent compliantly. Patient Protect publishes the open-source HIPAA Shield Chromium extension at github.com/patient-protect/hipaa-shield to catch this at the moment of paste.

From email picker to compliance program

Ready to start the real work?

Picking the right email provider is one decision. Patient Protect runs the program around it — BAA tracking, DLP-policy enforcement, audit-log review, workforce training on what staff can and cannot send, and incident response when email-related breaches happen.

14-day free trial · Credit card required · Cancel any time