HIPAA Compliant Email Providers
HIPAA compliant email providers are vendors of email services that have the capabilities to support HIPAA compliance either as an all-in-one service or as an add-on to an existing service.
Not all HIPAA compliant email services work in the same way and it is important to understand the differences between services before committing to a subscription.
When a HIPAA covered entity or business associate communicates Protected Health Information (PHI) via email, it is important that safeguards are in place to protect the confidentiality, integrity, and availability of the PHI. Exceptions exist when a patient or plan member requests communications by unsecure email (§164.522(b)) or when some safeguards are not considered necessary under the HIPAA Security Rule’s “flexibility of approach” standard (§164.306(b)).
Because of the logistical challenges in applying different sets of safeguards to emails that contain PHI and those that do not contain PHI, most HIPAA covered entities and business associates apply the same HIPAA email rules to all email communications. This means the requirements for HIPAA compliant email may have to be applied to all sent, received, and stored emails, and to all members of the workforce regardless of their access to or use of PHI.
What are the HIPAA Email Requirements?
Other than when exceptions apply, the HIPAA email requirements are that whenever PHI is contained in the content of an email or in an attachment to an email, the service used to send, receive, or store the email must have safeguards in place such as access controls and audit controls. In addition, security measures must be in place to protect the confidentiality of PHI at rest and in transit, and to ensure that PHI is not improperly modified or disposed of. Anti-spam software should also be in place to protect against phishing.
Access and audit controls are fairly standard among most email services, regardless of whether they support HIPAA email compliance or not. For example, most services require user authentication (i.e., login credentials) and timestamp sent and received emails. To support HIPAA compliance, these services would need to be configured to force automatic logoff and to create event logs, so that it is possible to identify whether an email containing PHI has been modified or deleted, and by whom. Workforce members should also receive training on using HIPAA compliant email services securely.
With regard to protecting the confidentiality of PHI at rest and in transit, most HIPAA compliant email services support encryption to NIST recommended standards (see Table 3.1). Some also support “point of passage” archiving, which saves an immutable copy of each email as it passes through the mail server. The archive can prove useful when responding to patients or plan members who exercise their PHI access rights or request an accounting of disclosures.
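The audit-control requirement above comes down to two questions an auditor will ask of the event log: for each message containing PHI, who modified or deleted it, and did sessions actually end when the automatic-logoff policy says they should. The following is an added example, not code from the page or from any vendor it names; it runs over a constructed JSON-lines audit log whose field names (ts, user, event, msg_id, phi) and 15-minute idle timeout are assumptions rather than any product's real schema.

```python
"""Audit-control checks over a constructed mail-server audit log.
Added example; not code from the page or from any vendor it names."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (JSON lines). Field names are assumptions,
# not a real product's log schema.
SAMPLE_AUDIT_LOG = """\
{"ts": "2024-03-01T09:02:11Z", "user": "nurse.a", "event": "login", "msg_id": null}
{"ts": "2024-03-01T09:05:40Z", "user": "nurse.a", "event": "send", "msg_id": "m-1001", "phi": true}
{"ts": "2024-03-01T09:40:02Z", "user": "nurse.a", "event": "modify", "msg_id": "m-1001", "phi": true}
{"ts": "2024-03-01T10:15:27Z", "user": "billing.b", "event": "delete", "msg_id": "m-1001", "phi": true}
{"ts": "2024-03-01T10:20:00Z", "user": "billing.b", "event": "send", "msg_id": "m-1002", "phi": false}
{"ts": "2024-03-01T11:30:00Z", "user": "billing.b", "event": "delete", "msg_id": "m-1002", "phi": false}
{"ts": "2024-03-01T12:00:00Z", "user": "nurse.a", "event": "logout", "msg_id": null}
"""

# Events that change or dispose of a stored message.
TRACKED_EVENTS = {"modify", "delete"}


def parse_events(text):
    """Parse JSON-lines audit records into dicts, with 'ts' as a datetime,
    ordered by time so later checks can rely on sequence."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def phi_change_trail(events):
    """For every message flagged as containing PHI, list (when, who, what)
    for each modification or deletion: the evidence the audit control exists
    to provide. Messages without PHI are left out."""
    trail = defaultdict(list)
    for rec in events:
        if rec.get("phi") and rec["event"] in TRACKED_EVENTS:
            trail[rec["msg_id"]].append(
                (rec["ts"].isoformat(), rec["user"], rec["event"])
            )
    return dict(trail)


def idle_gaps(events, timeout=timedelta(minutes=15)):
    """Return (user, earlier_ts, later_ts) for consecutive actions by the same
    user that are further apart than the idle timeout with no logout/login
    boundary between them. Each gap means a session outlived the
    automatic-logoff policy, or the log is missing events; either way the
    control needs attention."""
    by_user = defaultdict(list)
    for rec in events:
        by_user[rec["user"]].append(rec)
    gaps = []
    for user, recs in by_user.items():
        for prev, cur in zip(recs, recs[1:]):
            if prev["event"] == "logout" or cur["event"] == "login":
                continue  # a session boundary explains the gap
            if cur["ts"] - prev["ts"] > timeout:
                gaps.append((user, prev["ts"].isoformat(), cur["ts"].isoformat()))
    return gaps


if __name__ == "__main__":
    evs = parse_events(SAMPLE_AUDIT_LOG)
    for msg_id, changes in phi_change_trail(evs).items():
        print(msg_id, changes)
    for gap in idle_gaps(evs):
        print("idle timeout not enforced:", gap)
```

On the sample data the trail shows m-1001 modified by nurse.a and later deleted by billing.b, and three activity gaps exceed the assumed 15-minute timeout without a logout in between, which is exactly the finding that would prompt a check of the server's idle-session setting.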
Dedicated HIPAA Secure Email Providers for Healthcare
The best known HIPAA secure email providers for healthcare are Microsoft and Google. However, it is not possible to use Outlook or Gmail as HIPAA secure email providers unless an organization subscribes to a qualifying Microsoft Office 365 account or an enterprise Google Workspace account. Both options include capabilities to support HIPAA compliance for email, but larger subscription plans contain a number of services which organizations will pay for, but may never use.
There can also be issues with the types of encryption both secure email providers for healthcare use to protect the confidentiality of PHI in transit. For example, Microsoft has recently stopped supporting TLS 1.0 and 1.1. This means that emails sent to Outlook accounts over these protocols will either be rejected by the inbound server or delivered over an unencrypted (non-TLS) connection, depending on how the sending and receiving servers are configured.
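The silent downgrade described above happens when the sending side uses opportunistic TLS: if the negotiated protocol is refused, delivery falls back to plaintext. The safe posture for PHI is mandatory TLS 1.2 or later, with the send aborted rather than downgraded. The following is an added example, not code from the page or from Microsoft, Google or any other vendor named on it; the host name, port 587 and message fields are assumptions, and the policy check is written as a separate function so it can be exercised without a network.

```python
"""Mandatory TLS 1.2+ for outbound SMTP submission instead of opportunistic
fallback. Added example; not code from the page or any vendor it names."""
import smtplib
import ssl
from email.message import EmailMessage

# Policy floor: anything older than TLS 1.2 is refused, never downgraded.
MIN_TLS = ssl.TLSVersion.TLSv1_2

# Protocol names as reported by SSLSocket.version(), mapped to ssl.TLSVersion.
_VERSION_NAMES = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def mandatory_tls_context():
    """Client context that rejects TLS 1.0/1.1 and requires a certificate
    that validates for the host we dial (the defaults of
    create_default_context give CERT_REQUIRED and check_hostname)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = MIN_TLS
    return ctx


def context_is_compliant(ctx):
    """True if a context enforces the floor and verifies the peer."""
    return (
        ctx.minimum_version >= MIN_TLS
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and bool(ctx.check_hostname)
    )


def version_allowed(negotiated):
    """Policy check on a negotiated protocol name such as 'TLSv1.1'.
    Unknown or SSL-era names are refused rather than assumed safe."""
    version = _VERSION_NAMES.get(negotiated)
    return version is not None and version >= MIN_TLS


def build_message(sender, recipient, subject, body):
    """Assemble a plain-text message; values are caller-supplied."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def send_over_mandatory_tls(host, msg, port=587, context=None):
    """Deliver msg only over a TLS 1.2+ connection. If the server does not
    offer STARTTLS, the handshake fails, or the negotiated version is below
    the floor, raise instead of sending in the clear. Returns the negotiated
    protocol name for logging."""
    ctx = context or mandatory_tls_context()
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError(f"{host} offers no STARTTLS; refusing plaintext delivery")
        smtp.starttls(context=ctx)  # ssl.SSLError if only TLS 1.0/1.1 is available
        smtp.ehlo()
        negotiated = smtp.sock.version()
        if not version_allowed(negotiated):
            raise RuntimeError(f"negotiated {negotiated}; policy requires TLS 1.2+")
        smtp.send_message(msg)
        return negotiated


if __name__ == "__main__":
    # Hypothetical relay; replace with your own submission host to run this.
    example = build_message("clinic@example.org", "patient@example.net",
                            "Appointment reminder", "See attached schedule.")
    print(send_over_mandatory_tls("smtp.example.org", example))
```

The check after `starttls()` is belt-and-braces: the context already refuses older protocols during the handshake, but logging the negotiated version gives the audit trail that the connection met policy, and it catches any later loosening of the context.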
Organizations looking to use S/MIME encryption as an alternative (which encrypts the contents of emails rather than the connection between sender and receiver) may also encounter issues. These issues include, but are not limited to, the lack of consistent S/MIME support among email providers, the administrative overhead of managing S/MIME certificates, and the non-readability of email content by anti-virus scanners, email archiving solutions, and DLP tools.
Other HIPAA Compliant Email Providers
Because of the potential issues with Microsoft, Google, and other “off-the-shelf” secure email providers for healthcare, further providers have emerged offering solutions that overcome the potential issues. Some HIPAA compliant email providers may require organizations to migrate some or all of their email accounts in order to support compliance with HIPAA, while others offer plug-ins to encrypt data and/or connections using proprietary protocols.
Of the HIPAA compliant email providers offering plug-ins, the best are those that require no user interaction to encrypt or read an email. These eliminate the need for users to remember to click a button when sending or replying to an email, and enable recipients to read emails without clicking a link to visit a portal – a scenario which may cause recipients unfamiliar with the secure service to ignore the email for fear of clicking an unrecognized link.
It is possible to find long lists of allegedly HIPAA compliant email providers by conducting an Internet search. However, concerns exist that some vendors develop software and then find a purpose for it, rather than identifying a HIPAA compliance issue and developing a solution to the issue. It is recommended that organizations take advantage of free trials whenever possible and test each vendor’s HIPAA knowledge before committing to an email solution that may not be appropriate.
HIPAA compliant email providers that offer a free trial for their products include (*):
Paubox
Paubox is a rare example of an off-the-shelf HIPAA compliant software solution and is a market leader in HIPAA compliant email. There are no complicated procedures to install the software or configure the service to support HIPAA compliance. Paubox can be deployed alongside an existing email service or used as a standalone HIPAA secure email service. To help organizations decide which is best for their needs, Paubox offers potential customers a fourteen-day free trial.
Proton Mail
Proton Mail only encrypts emails by default when they are sent to other Proton users. When sending an email to a non-Proton user, it is necessary to protect the email with a password and let the recipient know what the password is so they can read it. Proton Mail is a little more complicated to set up and configure, and although the company offers free personal accounts, it does not advertise free trials of enterprise plans.
LuxSci
LuxSci provides HIPAA compliant email, whether for high-volume personalized HIPAA compliant marketing or simply to automatically encrypt every email you send. LuxSci offers its unique SecureLine™ flexible encryption technology, which supports the full range of email security requirements for your business. Its email solution can be implemented in as little as ten minutes and is the most comprehensive on the market.
Hushmail
Hushmail is an email encryption service that automatically encrypts emails between Hushmail users. When sending an email containing PHI to a non-Hushmail user, it is necessary to manually encrypt the email, and the recipient can only access it via a web portal. Hushmail advertises a 14-day free trial and offers a money-back guarantee if a customer cancels their subscription within sixty days.
MailHippo
MailHippo is possibly the easiest HIPAA compliant email service to use, but has limited integration capabilities with other productivity and communication solutions. MailHippo also uses the “secure portal” method of email delivery, which may be acceptable for smaller practices but not for larger healthcare organizations. MailHippo offers a thirty-day free trial to prospective customers, though the trial does not include the full feature set.
Aspida Mail
Aspida Mail is a web-based email service that automatically encrypts emails composed with the word “encrypt” in the subject line or email body. There is no free trial offer for prospective customers, but it is much less expensive than its competitors. However, the potential exists for PHI to be sent unsecured (i.e., by forgetting to type “encrypt”), and first-time recipients have to go through a multi-step process to access encrypted emails.
(*) Information correct at the time of publication.