ProtonMail Encrypted Email Explained for Business and HIPAA Use

📅 April 15, 2026 ✍️ By Chris Almond ⏱️ 9 min read
protonmail encrypted email guide featured image

🔑 Key Takeaways

  • Proton runs end-to-end between Proton accounts and zero-access at rest. External sends need a code.
  • HIPAA on Proton needs a paid business plan plus a signed BAA. The free tier never qualifies for PHI.
  • Password portal replies stay trapped inside Proton, breaking Gmail and Outlook thread history.
  • Proton uses OpenPGP under the hood, hides key management, but locks external contacts to the vendor.
  • Adding a TLS gateway to Google Workspace or Microsoft 365 beats migrating four mailboxes to Proton.

ProtonMail encrypted email is one of the most recognized names in consumer secure email. The service applies end-to-end encryption between Proton accounts and zero-access encryption on stored mail. That combination is why journalists, activists, and privacy-focused professionals adopted it early.

Businesses ask a different question. They want to know if encrypted email from Proton clears HIPAA, fits an existing Gmail or Outlook workflow, and holds up when the recipient is on a normal inbox. This post answers those three questions with plain detail.

The short answer is that ProtonMail encrypted email works well for Proton-to-Proton exchange and acceptably for external recipients through a portal. For a healthcare practice on Microsoft 365, the fit depends on how often staff send PHI to outside inboxes.

ProtonMail Uses Two Encryption Models in Parallel

Proton applies end-to-end encryption to messages between two Proton accounts. The sender client encrypts the message with the recipient public key before it leaves the device. Only the recipient private key can decrypt it.

For stored mail, Proton uses zero-access encryption. The account password derives the private key on the user device. Proton stores the encrypted mail on its servers and does not hold the plaintext or the key material to decrypt it.

These two models are often confused. End-to-end covers transit between two Proton users. Zero-access covers everything at rest, including mail that arrived from Gmail or Outlook in plain form and was encrypted on receipt by Proton.

Neither model encrypts every field. Sender, recipient, subject line for external mail, timestamp, and IP metadata remain visible to Proton for routing and abuse handling. Users evaluating protonmail encrypted email for regulated work should account for that metadata exposure.

Password-Protected Messages Reach External Recipients

Most business recipients are not on Proton. Sending them a secure message uses the password-protected message feature. The sender writes the message, clicks the lock icon, sets a password, and optionally adds a hint.

The recipient receives a notification email with a link. They open the link in a browser, enter the password, and read the message inside a Proton-hosted portal. Replies happen inside that portal, not in the recipient normal inbox.

Password sharing has to happen through a separate channel. Sending the password inside the same email chain defeats the purpose. Phone call, text, or an in-person handoff are the practical options for password delivery.

The portal step is the operational friction most teams report. Staff on the receiving end often ask for the message in plain email instead. Practices that plan to use protonmail encrypted email for outbound PHI need a policy that forbids that fallback.

protonmail encrypted email in article illustration one

HIPAA Compliance Requires a Signed BAA on a Business Plan

ProtonMail is not automatically HIPAA-compliant. A covered entity must sign a Business Associate Agreement with Proton. Proton offers the BAA on Proton for Business plans, not on free personal accounts.

Sending PHI from a free Proton account is a HIPAA violation regardless of encryption strength. The signed BAA is what makes Proton a business associate under 45 CFR 164.502(e). Without it, the covered entity carries the full liability for any exposure.

Signing the BAA covers the service. It does not cover configuration. The practice still owns access controls, session timeouts, audit log review, and workforce training. The HHS Security Rule lays out the technical safeguards a covered entity must apply.

Retention is another common gap. Proton offers configurable retention, but the default may not match a state medical board rule. Admins should review retention against the state records law before turning users loose on protonmail encrypted email for PHI.

ProtonMail Runs on OpenPGP Underneath

ProtonMail uses OpenPGP as the underlying protocol for message encryption between Proton accounts and for external users who supply a PGP public key. This is the same OpenPGP standard documented by the IETF in RFC 4880.

What Proton adds is automation. Key generation happens on account creation. Key storage lives inside the encrypted account. Key exchange with other Proton users happens transparently. Users never see a keyring or a fingerprint.

That transparency is the main difference from a manual PGP setup like Thunderbird with Enigmail. The cryptography is the same. The user experience is different by a wide margin.

The tradeoff is portability. Moving off Proton means exporting keys, importing them into another PGP client, and re-establishing trust with every external contact. A useful encrypted email definition includes the operational reality of key portability, not only the algorithm. See how to send encrypted email for the practical workflow comparison.

Example

A four-provider mental health practice on Google Workspace Business Standard weighs a full move to Proton for Business against keeping Gmail and adding a gateway. Migration would move mailboxes, calendars, contacts, and delegation rules for four clinicians and support staff. The office manager tallies 30 hours of migration work plus per-user retraining on the Proton portal. Adding a HIPAA gateway on top of the existing Gmail accounts takes an afternoon of setup, keeps threading intact for daily internal traffic, and gets the BAA signed the same week.

Free ProtonMail Accounts Have Real Limits for Business Use

The free tier gives one address, 1 GB of storage, and 150 messages per day. Custom domain support is not available. Support is community-based. No BAA is offered.

Those limits work for a personal user. They fail for a clinic. A three-person practice will hit the daily message cap by mid-morning during a normal appointment cycle.

Paid business plans start with more storage, custom domain support, more addresses per user, and access to the BAA. Pricing tiers change over time, so verify current pricing on the Proton for Business page before quoting internally.

Common free-tier gaps that surface later:

  • No custom domain, so all mail sends from a proton.me address
  • No BAA, blocking any legitimate PHI use
  • 150-message daily cap on outbound
  • 1 GB total storage across mail, calendar, and drive
  • No priority support when delivery fails
protonmail encrypted email in article illustration two

Proton for Business Supports Custom Domains

A professional healthcare practice needs to send from clinic-name.com, not a shared proton.me address. Proton for Business plans support custom domains through standard DNS records.

Setup runs through the Proton admin console. The admin adds the domain, receives an ownership TXT record, and adds MX, SPF, DKIM, and DMARC records at the DNS provider. Propagation takes minutes to hours depending on the registrar.

Google sender guidelines for Gmail and Microsoft Exchange Online guidance both call for aligned SPF and DKIM. A Proton-hosted domain with correct SPF, DKIM, and DMARC lands in the inbox for most recipients on the first send.

Existing tenants on Google Workspace or Microsoft 365 face a migration decision when moving to Proton. Mailboxes, calendars, contacts, and delegation rules all have to move. That migration cost is a common reason practices keep Google or Microsoft and add a HIPAA gateway on top instead.

ProtonMail Versus Standard TLS-Only Email

Regular Gmail and Outlook use TLS between mail servers when both sides support it. TLS protects the message in transit. The provider holds the plaintext at rest and can decrypt any stored mail.

ProtonMail adds zero-access encryption at rest. That is the meaningful difference for a privacy-focused user. If Proton is subpoenaed, it can turn over ciphertext but not readable content of stored mail.

For a HIPAA workflow, both models can qualify with the right BAA and configuration. The security posture of the whole stack matters more than any single layer. Email is one component of the PHI chain, alongside EHR, storage, and endpoint controls.

What TLS-only fails to cover is external delivery to a non-secure recipient. That is where a portal-based or gateway-based encryption layer becomes necessary regardless of which mail provider the practice uses.

💡Pro Tip: Never send the portal password in the same email chain

ProtonMail password-protected messages only work if the password travels through a separate channel from the notification link. Sending both in the same email defeats the encryption because anyone who intercepts the link also gets the password. Deliver the password by phone call or SMS to a verified number. Practices sending PHI must verify recipient identity before releasing any password, which the HIPAA BAA holds the covered entity responsible for regardless of encryption strength.

Encrypted Email Meaning Depends on the Threat Model

Encrypted email is a broad label. The encrypted email meaning shifts based on what the sender is protecting against and who they consider a threat.

Against a passive network snoop, TLS in transit is often enough. Against a compromised provider or a lawful order, only end-to-end or zero-access encryption keeps content sealed. Against a phishing attack on the recipient, no encryption model helps because the recipient hands over the credentials voluntarily.

A useful encrypted email definition for healthcare covers three layers:

  • Encryption in transit between mail servers, usually TLS 1.2 or 1.3
  • Encryption at rest on the provider, either provider-held or zero-access
  • Encrypted delivery to external recipients through a portal or S/MIME

ProtonMail covers layers two and three natively. See how to send an encrypted email for the walk-through on the portal step from a sender view. A gateway product covers layer three on top of Gmail or Microsoft 365 without moving the mailbox.

Feature Comparison Across Common Encrypted Email Options

The table below summarizes how ProtonMail compares to a native Microsoft 365 or Google Workspace tenant with encryption features enabled.

Feature ProtonMail Business Microsoft 365 with Purview Google Workspace with S/MIME
End-to-end encryption inside org Yes, native OpenPGP Optional with S/MIME Optional with S/MIME
Zero-access at rest Yes No, provider holds keys No, provider holds keys
External recipient delivery Password portal Portal or one-time passcode S/MIME certificate exchange
Custom domain support Yes on paid plans Yes Yes
BAA offered Yes on Business plans Yes on Business Premium and above Yes on Business Standard and above
Third-party app ecosystem Limited Broad Broad

A practice already invested in Microsoft or Google will find the migration cost of a full switch to Proton hard to justify unless zero-access at rest is a stated requirement.

When ProtonMail Fits and When a Gateway Fits Better

ProtonMail fits a solo practitioner or a small clinic starting from scratch on email. The account, the BAA, and the encryption story all come from one vendor. Setup is fast.

It fits any user whose threat model includes the provider itself. Zero-access at rest is what Proton offers that Microsoft and Google do not.

A gateway on top of Gmail or Outlook fits a practice already running on Google Workspace or Microsoft 365. The mailbox does not move. Users keep their existing inbox and their existing threading. The gateway handles encrypted delivery to external recipients. See how to troubleshoot encrypted email when deliverability fails.

Mailhippo operates as this kind of gateway. It sits alongside Gmail or Outlook, includes a BAA in the base plan, and handles the external recipient step with one click. For practices comparing options, the deciding factor is usually whether the existing mail platform is going to move. If it is not, a gateway is the lower-friction path. Practices that also need a compliant public-facing site can pair this with HIPAA-conscious healthcare website design so the whole intake chain stays consistent.

Frequently Asked Questions

What does ProtonMail encrypted email actually encrypt? +

ProtonMail encrypts the message body and attachments end-to-end when both sender and recipient hold Proton accounts. For external recipients, it encrypts the stored message with a user-set password and delivers a portal link. Subject lines are not end-to-end encrypted on messages sent to non-Proton addresses. Metadata such as sender, recipient, timestamp, and IP are visible to Proton for routing and abuse prevention. Proton itself cannot read the body of a stored message because the account password derives the private key.

Is ProtonMail HIPAA compliant by default? +

No. HIPAA compliance requires a signed Business Associate Agreement and specific configuration by the covered entity. Proton offers a BAA only on Proton for Business plans, not on free personal accounts. A signed BAA covers the transmission and storage of protected health information through the service. The covered entity still owns the responsibility for user access controls, audit logs, retention policies, and workforce training. Sending PHI from a free Proton account is a HIPAA violation regardless of encryption strength.

How does ProtonMail differ from Gmail confidential mode? +

Gmail confidential mode does not use end-to-end encryption. Google can read the message body and metadata because Google holds the keys. Confidential mode adds expiration, revocation, and a passcode step, but the content is stored on Google servers in a form Google can decrypt. ProtonMail uses zero-access encryption for stored mail, meaning the private key is not accessible to Proton without the user password. That difference matters for regulated data such as legal, financial, or medical records.

Can I send encrypted email from ProtonMail to a Gmail user? +

Yes. The sender composes the message in Proton, clicks the lock icon, sets a password, and optionally adds a hint. Gmail receives a plain notification with a link. The Gmail recipient clicks the link, opens the Proton-hosted portal in a browser, enters the password, and reads the message. Replies happen inside the portal. The password must be shared out of band, such as by phone or text, so Gmail interception of the notification link alone does not expose the content.

What are the main downsides of ProtonMail for a business? +

The portal-based flow for external recipients breaks normal inbox habits and threading. Third-party integrations for CRM, e-signature, and helpdesk tools are thinner than Gmail or Outlook because Proton runs on its own protocol layer. Onboarding an existing team means migrating mailboxes, calendars, and contacts. Search inside encrypted mail is client-side only, which slows large mailboxes. Users often revert to plain email when the portal step feels slower than a normal reply.

Does ProtonMail work with a custom domain? +

Yes, on paid Proton for Business plans. The admin adds the domain, configures MX, SPF, DKIM, and DMARC records at the DNS provider, and verifies ownership. After verification, users receive addresses on the custom domain. Custom domains are required for a professional healthcare practice to send from clinic-name.com rather than a proton.me address. The DNS setup is well documented in Proton support and typically takes under an hour for a domain with a single mail provider.

Is ProtonMail safer than PGP set up manually? +

For most users, yes, because manual PGP setups fail on key management. ProtonMail generates and stores keys inside the account, handles rotation, and exchanges public keys with other Proton users automatically. Manual PGP requires each user to install a plugin, generate a keypair, back up the private key, and exchange fingerprints with every contact. The cryptography is the same underneath. The operational risk is where the two diverge. A lost private key on manual PGP means lost mail forever.

Send your first secure email today Start free — no credit card required. HIPAA-compliant encryption in minutes. Start Free →