🔑 Key Takeaways
- HIPAA email needs three things: a signed BAA, strong encryption, and audit logging.
- Google Workspace Business Standard signs a BAA; free personal Gmail accounts never will.
- Microsoft 365 Business Standard and up sign a BAA covering Outlook, Teams, and SharePoint.
- Dedicated services like Mailhippo layer on Gmail or Outlook and include the BAA in base.
- GoDaddy Professional Email refuses BAAs; migrate before sending a single PHI message.
HIPAA compliant email platforms are mail services that support the required technical safeguards under the Security Rule and where the vendor signs a Business Associate Agreement with the covered entity. That combination is what makes an email service usable for protected health information.
The market includes major cloud providers, dedicated healthcare mail services, and gateway products that layer on top of Gmail or Outlook. This guide compares the practical options against the criteria a healthcare practice actually uses when choosing.
For a portal-based service that works on top of any existing mail provider and includes a BAA in the base plan, Mailhippo offers a HIPAA-focused secure email service designed for this use case.
What Makes an Email Platform HIPAA Compliant
Three components are required. A signed BAA with the vendor. Technical safeguards under the Security Rule. Administrative policies and workforce training.
Technical safeguards include encryption in transit and at rest, access controls, unique user identification, session timeouts, and audit logging. The HHS Security Rule lays out the full list.
Administrative safeguards include a security officer, workforce training, sanctions policy, incident response, and periodic risk assessment. These are practice-level responsibilities that no vendor covers.
Physical safeguards apply to on-premise components. Cloud-first practices with no on-premise servers meet most of these through the vendor data center. Practices with local backup drives or paper printouts still need physical safeguards for those items.

Google Workspace as a HIPAA Compliant Email Platform
Google Workspace supports HIPAA on Business Standard, Business Plus, Enterprise Standard, Enterprise Plus, Education Standard, Education Plus, and Nonprofits.
The admin signs the BAA through the Admin console under Account Settings, Legal and Compliance. Core services covered by the BAA include Gmail, Drive, Calendar, Meet, and Chat. Marketplace add-ons are outside the BAA unless individually BAA-covered.
Confidential mode is not end-to-end encryption. Google holds the keys. For a HIPAA workflow, confidential mode alone is not sufficient. Practices need either hosted S/MIME on Enterprise or a portal gateway.
Hosted S/MIME is available on Enterprise Standard and above. See Google Workspace admin help for the current setup steps. Related linked topic: HIPAA compliant email Gmail.
Microsoft 365 as a HIPAA Compliant Email Platform
Microsoft 365 supports HIPAA on Business Standard, Business Premium, and every Enterprise tier. Business Basic also includes the BAA for covered services but does not include the Encrypt button.
The BAA is signed through the Volume Licensing or Products and Services agreement. Microsoft publishes the covered service list in the HIPAA Implementation Guidance document available in the Microsoft Trust Center.
Microsoft Purview Message Encryption provides the Encrypt button in Outlook. Business Standard and above include the base Purview features. Business Premium adds automatic DLP rules that trigger encryption on sensitive data patterns.
Enterprise E5 adds advanced audit, eDiscovery, and Customer Lockbox. These support the administrative safeguards for larger practices with more complex compliance requirements. Related linked: HIPAA compliant email for a general overview.
A five-person dental practice on GoDaddy Professional Email discovers it has no BAA and cannot transmit PHI legally. They migrate to Google Workspace Business Standard at $12 per user per month, sign the BAA in the Admin console, and layer a portal-based gateway service at $8 per user monthly for external encryption. Total cost lands near $100 per month. The weekend cutover includes MX record changes, mailbox import from GoDaddy IMAP, and Monday morning staff training on the new send workflow.
Dedicated HIPAA Email Services
Dedicated HIPAA email services fall into two categories. Standalone mail providers that host the mailbox and deliver a full mail platform. Gateway services that layer on top of Gmail or Outlook.
Standalone providers include some healthcare-focused vendors that offer a hosted mailbox with a BAA. These require MX migration and usually cost more per user than Google Workspace or Microsoft 365.
Gateway services keep the existing mail provider. They add portal-based encrypted delivery for external recipients. Mailhippo is one example. The sender writes in Gmail or Outlook, and the service handles portal encryption when triggered.
Gateway services are the lower-friction choice when the practice does not want to migrate mailboxes. Related linked topic: HIPAA compliant email for therapists for a specialty-specific angle.

Providers That Are Not HIPAA Compliant
Several common providers do not sign BAAs and are not HIPAA-appropriate for PHI. This includes some that many practices assume are safe.
GoDaddy Professional Email does not sign a BAA. Yahoo Mail, personal Gmail, personal Outlook.com, personal iCloud, AOL, and most consumer-focused providers also do not.
Some hosting providers include email as a bundled service. Cheap shared hosting rarely includes a BAA. Practices should confirm the BAA in writing before storing or transmitting PHI on any bundled hosting mailbox.
Common non-compliant providers to watch for:
- GoDaddy Professional Email
- Yahoo Mail and Yahoo Mail Plus
- Personal Gmail, Outlook.com, iCloud Mail
- AOL Mail
- Bundled email from shared web hosts
- Free ProtonMail (paid Business tier does sign a BAA)
Cost of HIPAA Compliant Email Platforms
The cheapest paths start around $12 per user per month. Google Workspace Business Standard runs $12 per user per month with the BAA included. Microsoft 365 Business Standard runs $12.50 per user per month with the BAA included.
Business Premium tiers add automatic DLP encryption and more advanced audit. Google Workspace Business Plus runs about $18 per user per month. Microsoft 365 Business Premium runs about $22 per user per month.
Enterprise tiers add hosted S/MIME, advanced audit, and Customer Lockbox. Google Workspace Enterprise Standard runs about $23 per user per month. Microsoft 365 E5 runs about $57 per user per month.
Gateway services add roughly $5 to $10 per user per month on top of the base provider. For a five-user practice on Business Standard plus a gateway, the total is roughly $85 to $110 per month. Related linked: free HIPAA compliant email for a look at the limits of free options.
The BAA is the first legal requirement, not the encryption feature. Retain the countersigned copy, document the effective date, and confirm the covered service list. Auditors ask for this during risk assessment review, and its absence disqualifies the platform regardless of encryption strength. Complete BAA execution before configuring mailboxes, adding users, or migrating any PHI-carrying messages.
Feature Comparison Across the Main Platforms
The table below compares the platforms most practices consider.
| Platform | BAA Included | Native Encryption | S/MIME | Automatic DLP | Base Price |
|---|---|---|---|---|---|
| Google Workspace Business Standard | Yes | Confidential mode | No | No | $12 per user per month |
| Google Workspace Enterprise Standard | Yes | Confidential mode plus S/MIME | Yes | Yes | $23 per user per month |
| Microsoft 365 Business Standard | Yes | Purview Encrypt button | Yes with certificate | No | $12.50 per user per month |
| Microsoft 365 Business Premium | Yes | Purview plus DLP | Yes | Yes | $22 per user per month |
| Mailhippo gateway | Yes in base plan | Portal encryption | Not required | Trigger word or plugin | Sits on top of existing mail |
| GoDaddy Professional Email | No | None | No | No | Not for PHI |
Migration Steps When Moving to a HIPAA Compliant Platform
Migration follows a standard sequence. Sign the BAA with the new provider first. This creates the legal cover before any PHI moves.
Configure the tenant. Add users. Set retention. Enable audit logging. Configure encryption defaults. Enable MFA on all accounts.
Migrate mail. Google Workspace has a Data Migration Service that pulls IMAP mail from the old provider. Microsoft 365 has a similar migration wizard in the Exchange admin center. Both take hours to days depending on volume.
Cut over MX records after the migration completes. Update transactional mail sources like the practice management system, EHR, and appointment reminder services. Train staff on the new client and the encryption workflow. Related: HIPAA-conscious website design for practices also refreshing their public site.
Choosing the Right Platform for Your Practice
The right platform depends on three inputs. Where the practice already runs. How technical the recipient set is. Whether hosted S/MIME is a real requirement.
Practices on Windows with Active Directory usually stay with Microsoft 365. Business Standard covers the base HIPAA use. Business Premium adds automatic DLP for the extra assurance that PHI never sends unencrypted.
Practices on Mac or with Chrome-heavy workflows usually stay with Google Workspace. Business Standard covers the base HIPAA use. Adding a gateway service is usually cheaper than upgrading to Enterprise Standard for hosted S/MIME.
Mailhippo operates as the gateway option across both Google Workspace and Microsoft 365. It includes a BAA in the base plan, requires no per-user certificate management, and works uniformly on desktop and mobile. Practices building a public site alongside their email program can pair this with healthcare web design so the whole intake, contact, and email chain stays inside the same compliance boundary. Related linked topics: best HIPAA compliant email and HIPAA compliant emails for further reading.
Frequently Asked Questions
Three things. A signed Business Associate Agreement between the vendor and the covered entity. Technical safeguards that meet the Security Rule, including encryption in transit and at rest, access controls, audit logging, and session timeouts. Administrative safeguards including workforce training, sanctions policy, and incident response procedures. Encryption alone does not equal HIPAA compliance. The BAA is the legal component. The configuration is the technical component. The policies are the administrative component. All three are required.
Yes on Business Standard, Business Plus, Enterprise Standard, Enterprise Plus, Education Standard, Education Plus, and Nonprofits. The admin signs the BAA through Admin console under Account Settings. Business Starter does not include the BAA. Personal Gmail does not include the BAA. Core services covered by the BAA include Gmail, Drive, Calendar, Meet, and Chat. Marketplace add-ons are outside the BAA unless individually BAA-covered. Confidential mode alone is not sufficient for PHI. Hosted S/MIME on Enterprise adds true end-to-end encryption.
Yes on Business Standard, Business Premium, Enterprise E1, E3, E5, F1, F3, and Government plans. The BAA is signed through the Volume Licensing or Products and Services agreement. Business Basic includes the BAA for services covered by it, but does not include the Encrypt button. Business Premium adds automatic DLP rules that trigger encryption on sensitive data patterns. Enterprise E5 adds advanced audit and eDiscovery for HIPAA administrative safeguards. Microsoft 365 is the default choice for practices already on Windows or with Active Directory.
No. GoDaddy Professional Email does not sign a Business Associate Agreement. GoDaddy has stated publicly that Professional Email is not designed for PHI. Practices on GoDaddy Professional Email must migrate to Google Workspace Business Standard, Microsoft 365 Business Standard, or a dedicated HIPAA email platform before storing or transmitting PHI. Migration involves MX record changes, mailbox export and import, and updating any transactional mail sources that point at the old MX. A weekend cutover is typical for a small practice with a few mailboxes.
The cheapest options are Google Workspace Business Standard at about $12 per user per month and Microsoft 365 Business Standard at about $12.50 per user per month. Both include the BAA in the base plan. Dedicated HIPAA email gateways typically add $5 to $10 per user per month on top of the base mail provider. A practice can also run a base mail provider without the encryption feature and add a gateway service on top, which sometimes lowers the total per user cost compared to Enterprise-tier upgrades.
No. HIPAA does not require S/MIME. It requires encryption of PHI in transit and at rest that meets NIST guidance or provides equivalent protection. Portal-based encryption through Microsoft Purview, Google confidential mode with a BAA, or a third-party gateway all qualify. S/MIME is one option. Portal delivery is another. Practices with a stable set of peer clinical recipients often use S/MIME. Practices sending PHI to patients rely on portal delivery because patients do not hold certificates.
No. Free personal Gmail does not include a BAA. Google is explicit that only paid Workspace tiers cover Gmail under the HIPAA BAA. Free Gmail also lacks admin audit logging, retention policies, and access controls at the level HIPAA requires. Practices currently on free Gmail must move to Google Workspace Business Standard or another HIPAA-appropriate platform. The same rule applies to free Outlook.com, free Yahoo Mail, and free iCloud Mail. Regulated data does not belong on consumer-tier accounts.








