Office 365 Email Encryption Setup and HIPAA Configuration

📅 June 26, 2026 ✍️ By Chris Almond ⏱️ 9 min read
office 365 email encryption guide featured image

🔑 Key Takeaways

  • Purview Message Encryption ships with Business Premium, E3, E5, or Apps for Enterprise plus AIP.
  • Admin activation runs in about 30 minutes: enable Azure RMS, verify Purview, set default template.
  • External recipients open through outlook.office365.com with Microsoft, Google, or passcode sign-in.
  • HIPAA on Office 365 needs four steps: sign the BAA, enable Purview, apply labels, retain audit logs.
  • For a few PHI senders, a per-seat HIPAA service beats a tenant-wide Business Premium upgrade.

Office 365 email encryption runs on Microsoft Purview Message Encryption. The service ships with Business Premium and higher plans. It powers the Encrypt button in the Outlook ribbon and handles external recipient delivery through a browser portal.

This guide covers the Office 365 email encryption setup, the license structure, the recipient experience, and the HIPAA configuration. It also covers the fit for a separate encrypted email service when the Office 365 plan does not include the Encrypt button.

The choice depends on plan level, seat count, and how many staff need to send PHI. Read each section and match the approach to the actual practice flow.

Purview Message Encryption Powers the Encrypt Button

Microsoft Purview Message Encryption is the underlying service for the Encrypt button in Outlook. The button appears in the Options ribbon on new messages. Users click Encrypt and pick Encrypt-Only or Do Not Forward.

Encrypt-Only encrypts the message content in transit and at rest. Recipients can reply, forward, and print. Do Not Forward applies rights management and blocks forward, print, and download. The sender picks based on the sensitivity of the content.

Both options deliver to internal Microsoft 365 recipients inline. Both options deliver to external recipients through a notification email with a browser tab open on outlook.office365.com. The recipient experience is consistent across the two options.

Detailed sender steps are in the Microsoft support guide for encrypted messages in Outlook.

License Tiers Determine Access to Encryption

The Encrypt button in Office 365 is not available on every plan. The license tier determines whether the feature appears in Outlook. Practices should confirm the plan level before assuming encryption is available.

The plans that include Purview Message Encryption are:

  • Microsoft 365 Business Premium
  • Microsoft 365 E3 and E5
  • Office 365 E3 and E5
  • Microsoft 365 Apps for Enterprise with Azure Information Protection Premium
  • Standalone Azure Information Protection Premium P1 or P2

Plans that do not include the Encrypt button are Microsoft 365 Business Basic, Microsoft 365 Business Standard, Microsoft 365 Apps for Business, and Office 365 E1. Users on these plans do not see the Encrypt button in Outlook.

Adding the button requires either a plan upgrade or a per-seat Azure Information Protection Premium license add-on. The choice depends on how many features of Business Premium the practice needs beyond encryption.

office 365 email encryption in article illustration one

Tenant Setup Takes Thirty Minutes on a Fresh Deployment

Enabling encryption on a fresh tenant takes about thirty minutes. The setup happens entirely in the Microsoft 365 admin center. No changes to individual mailboxes or client software are required.

The steps are: sign in as global administrator, activate Azure Rights Management under Settings and Org settings, verify Message Encryption availability under the compliance section, configure the default template that recipients see, and confirm license assignment for the users who will send encrypted mail.

Existing tenants with Azure Information Protection already licensed do not need additional activation. The Encrypt button appears in Outlook after the client restart. Administrators can push the setting through Group Policy or MDM to ensure consistent behavior across the fleet.

Test the setup with a small pilot group before rolling out to all users. Send an encrypted message to an external recipient. Confirm the notification, the browser tab, and the decrypted message. Fix any policy or template issues before wide rollout.

Comparing Office 365 Encryption Options at a Glance

Office 365 supports several encryption methods with different fit profiles. The right choice depends on recipient mix, plan level, and administrative overhead.

Method Recipient Setup Plan Required Best Fit
Purview Message Encryption Browser tab, sign-in or passcode Business Premium or higher External patient and vendor mail
S/MIME Certificate pre-installed Any plan with desktop Outlook Internal mail with managed PKI
Sensitivity Labels Depends on label configuration E3 or E5 Enterprise policy-based encryption
Mail flow rule Encrypt-Only Same as Purview portal Business Premium or higher Automated encryption on patterns
Third-party HIPAA service One-click portal link Any Office 365 plan Small practices on Business Basic or Standard

Practices with mostly external recipients on personal accounts choose Purview or a third-party HIPAA service. Practices with mostly internal or partner mail choose S/MIME. Enterprise deployments use Sensitivity Labels for policy-driven automation.

Map the send flow before committing. How many external recipients per week. How often the recipient list changes. How many staff need to send encrypted mail. The answers point to the right method.

Example

A 20-seat internal medicine group on Microsoft 365 Business Basic at $6 per seat needs the Encrypt button for four physicians who send referral records. Upgrading all 20 seats to Business Premium at $22 adds $320 per month. Adding Azure Information Protection Premium P1 at $2 per seat on the four physicians adds $8 per month, but the practice manager finds a dedicated HIPAA service at $10 per seat covers the same four physicians for $40 with a bundled BAA and simpler admin, and chooses that path.

The BAA Is Included in Every Microsoft 365 Tenant

Microsoft signs a business associate agreement covering the Microsoft 365 services under the standard BAA terms. The BAA is available at no extra cost. Administrators accept it in the Microsoft 365 admin center.

The BAA covers Exchange Online, SharePoint Online, OneDrive for Business, Teams, and the Purview compliance services. It applies to the tenant from the acceptance date forward. New services added to the tenant fall under the BAA automatically if Microsoft lists them as covered.

The BAA does not cover consumer services like Outlook.com or Hotmail. Practices using consumer accounts for patient mail need to move to a business tenant to fall under the BAA. This is a common misconfiguration that HIPAA auditors flag.

The HHS guidance on business associate agreements lists the terms required. Confirm the Microsoft BAA against the HHS requirements at the time of tenant setup.

office 365 email encryption in article illustration two

Sensitivity Labels Automate the Encryption Decision

Sensitivity Labels are the automated version of the Encrypt button. Administrators define labels in the Microsoft Purview compliance portal and configure rules that flag messages containing PHI or other regulated fields.

Applied labels can require encryption automatically, restrict forwarding, block download of attachments, and apply retention rules. The sender does not have to decide. The label is applied by policy based on the message content.

Deployment requires Microsoft 365 E3 or E5 licensing and Purview Information Protection configuration. Content patterns, sensitive information types, and label rules all need to be defined. This is a significant setup effort.

Sensitivity Labels pay back at enterprise scale where hundreds of users benefit from centralized policy. Small practices usually do not see the same payback and use the manual Encrypt button or a third-party service instead.

Mail Flow Rules Enforce Encryption on Patterns

Mail flow rules in Exchange Online provide a middle ground between manual Encrypt and full Sensitivity Labels. Administrators create rules in the Exchange admin center under Mail flow, Rules.

Rules match on conditions such as message subject containing a keyword, recipient domain matching a known partner, sender belonging to a specific group, or content matching a sensitive information type. Matched messages apply the Encrypt-Only or Do Not Forward template automatically.

This automation removes the sender decision on the most common regulated flows. A rule that encrypts every message with subject line containing [PHI] covers a large fraction of patient-record sends without training staff on the Encrypt button.

Mail flow rules also work as a safety net alongside manual Encrypt. If a sender forgets to click Encrypt but includes a PHI pattern in the body, the rule catches the message and applies encryption automatically.

💡Pro Tip: Do the license math on actual PHI senders only

The plan-wide upgrade calculation is the default vendor pitch. The correct calculation is per-mailbox for only the seats that actually send PHI. Count those seats, then compare three numbers: the Business Premium upgrade cost for that subset, the Azure Information Protection Premium P1 add-on cost for that subset, and a dedicated HIPAA service cost for that subset. The dedicated service often wins on small clinician counts because the BAA and admin are already bundled.

GoDaddy-Provisioned Office 365 Follows the Same Structure

Office 365 licenses provisioned through GoDaddy follow the same plan and feature structure as direct Microsoft licenses. The Encrypt button appears on the same Business Premium and higher plans. The BAA is available in the same admin center.

Practices that provisioned Office 365 through GoDaddy sometimes cannot find the compliance settings because the admin panel is a subset of the full Microsoft 365 admin center. In that case, administrators can access the full center at admin.microsoft.com using the same credentials.

The BAA and the Purview settings are available in the full admin center. GoDaddy does not restrict access to compliance features. The initial setup routes through the GoDaddy dashboard, but administrators can move to the Microsoft admin center for full configuration.

Practices that need the Encrypt button and are on a GoDaddy Business Basic subscription should upgrade to Business Premium in the GoDaddy dashboard, or add per-seat Azure Information Protection through the Microsoft admin center.

Practices on Lower Plans Have Three Practical Options

Practices on Business Basic or Business Standard face a choice when they need encrypted email for HIPAA. The Encrypt button is not available on their plan. They have three practical options.

Option one is a full plan upgrade to Business Premium. This adds encryption, advanced threat protection, and device management at around ten dollars extra per seat per month. It fits practices that will use the other Business Premium features beyond encryption.

Option two is a per-seat Azure Information Protection Premium P1 add-on. This adds encryption without upgrading the base plan. Cost runs about two dollars per seat per month. It fits practices that only need encryption and not the other Business Premium features.

Option three is a dedicated HIPAA email service that works alongside Office 365. The service handles PHI-containing mail through its own encryption and BAA. Office 365 handles general mail. This fits practices where only a fraction of staff handle regulated content.

Mailhippo Works Alongside Office 365 for HIPAA Mail

Mailhippo secure email service works alongside Office 365 without changing the plan structure. The signed BAA is included in the base plan. Practices keep Office 365 for general mail and use Mailhippo for patient-facing PHI.

The sender uses Office 365 for internal communication, scheduling, and vendor mail. When a message contains PHI, the sender routes it through Mailhippo either from a browser interface or from an Outlook add-in. The message encrypts, delivers to the recipient link, and logs the send in the audit trail.

The recipient opens the message through a one-click link with a one-time passcode delivered to the same email address. No account creation, no password reset, no software install. This is the shortest recipient path among common HIPAA options.

The broader compliance stack pairs encrypted email with HIPAA-compliant website design and patient portal configuration. Encrypted email is one layer of the stack. The full stack covers the practice end to end.

Frequently Asked Questions

How do I enable email encryption in Office 365? +

Sign in to the Microsoft 365 admin center as a global administrator. Navigate to Settings, then Org settings, then Microsoft Azure Information Protection. Activate Rights Management if it is not already active. Assign Azure Information Protection Premium licenses or confirm that Business Premium or E3 licenses are in place. Purview Message Encryption becomes available once the licenses are assigned. Users see the Encrypt button in Outlook on the next session. The activation applies at the tenant level and covers every licensed mailbox.

Is Office 365 email encryption HIPAA-compliant? +

Yes, when configured correctly. Microsoft signs a business associate agreement covering Exchange Online, SharePoint, OneDrive, Teams, and Purview services. Administrators accept the BAA in the admin center. Once accepted, Office 365 encryption meets the HIPAA transmission security standard. The covered entity is responsible for configuring policies to encrypt every PHI send, maintaining access logs, training staff, and applying access controls on mailboxes. HIPAA compliance is a shared responsibility between Microsoft and the covered entity.

What plans include Office 365 email encryption? +

Microsoft 365 Business Premium, Microsoft 365 E3, Microsoft 365 E5, Microsoft 365 Apps for Enterprise with Azure Information Protection Premium, and Office 365 E3 and E5 all include Purview Message Encryption. Business Basic, Business Standard, and Microsoft 365 Apps for Business do not include the Encrypt button. Adding it requires either a plan upgrade or a per-seat Azure Information Protection Premium license. GoDaddy-provisioned Office 365 licenses follow the same tier structure as direct Microsoft licenses.

How much does Office 365 email encryption cost? +

The Encrypt button is included in Microsoft 365 Business Premium at around twenty-two dollars per user per month, Business Basic at six dollars, and Business Standard at twelve dollars. Upgrading from Business Standard to Business Premium adds ten dollars per seat per month. A per-seat Azure Information Protection Premium P1 license runs about two dollars per seat. Practices with dozens of seats often find the total cost of a plan upgrade higher than the cost of a dedicated HIPAA email service that includes the BAA.

How do external recipients open Office 365 encrypted emails? +

External recipients receive a notification email with a Read the message button. The button opens outlook.office365.com in a browser tab. The recipient signs in with a Microsoft account, signs in with a Google account, or requests a one-time passcode delivered to the same email address. The passcode arrives in a second email within a minute. Enter the passcode in the browser tab. The decrypted message displays inline with attachments listed below. Reply from the portal encrypts the reply back to the sender.

Can I set default encryption on every outgoing message? +

Yes, through Exchange Online mail flow rules. Administrators create a rule in the Exchange admin center under Mail flow, Rules. The rule applies to messages that match specific conditions, such as containing PHI patterns or being sent to a specific external domain, and applies the Encrypt-Only or Do Not Forward template. This automates encryption without requiring the sender to click the Encrypt button. Sensitivity Labels provide a more advanced version of the same automation with content-based classification.

What is the difference between Purview Message Encryption and S/MIME in Office 365? +

Purview Message Encryption is server-side and works with any recipient through a browser portal. S/MIME is client-side and requires certificates installed for both sender and recipient. Purview is easier for external recipients because they need no certificate. S/MIME provides true end-to-end encryption because only the recipient with the matching private key can decrypt, including Microsoft. Practices choose Purview for external mail and S/MIME for internal mail with high sensitivity, or use both in combination.

Leave a Reply

Your email address will not be published. Required fields are marked *

Send your first secure email today Start free — no credit card required. HIPAA-compliant encryption in minutes. Start Free →