🔑 Key Takeaways
- Every mail platform encrypts differently; personal Gmail and Outlook.com have no native option.
- Microsoft 365 Business Premium exposes an Encrypt button that triggers Purview at the server.
- Gmail Confidential Mode restricts forwarding but auditors reject it as real body encryption.
- S/MIME and PGP require the recipient to hold a matching key, which caps their real reach.
- Compliance needs a signed BAA, retained logs, and policy encryption, not per-message clicks.
To encrypt an email means scrambling the message body and attachments so only the intended recipient can read them. The steps vary by mail platform and by how strong the encryption needs to be.
This guide walks through the practical methods in order of increasing security, covers the cost of each, and explains where each fits. For practices sending patient information, dedicated encrypted email services are usually the shortest path.
Skip to the section that matches your mail platform if you already know which one you use. Otherwise, read from the top to compare.
The five ways to encrypt an email you might encounter
Encryption for email comes in five practical forms. Each targets a different scenario, and knowing the differences prevents wasted setup effort.
- TLS between mail servers, on by default across Gmail, Outlook.com, and Microsoft 365.
- Confidential Mode in Gmail, which restricts actions but does not encrypt the body.
- Microsoft Purview Message Encryption in Outlook, triggered by the Encrypt button.
- S/MIME and PGP end-to-end encryption, using certificates or key pairs.
- Gateway-based encryption services that route mail through a compliant server.
TLS is baseline. Confidential Mode is not real encryption. Purview and S/MIME are the Microsoft- and Google-native strong options. Gateways are the third-party option that works on any account.
Related coverage on the same territory is in to encrypt an email and can I encrypt an email.
How to encrypt an email in Outlook using the Encrypt button
Microsoft 365 Business Premium and Enterprise plans include Purview Message Encryption. The user experience is a single button in the compose window.
- Open Outlook and start a new message.
- On the desktop app, click Options in the ribbon, then Encrypt.
- On Outlook web, click the three-dot menu in the compose window, then Encrypt.
- Choose an encryption policy from the dropdown, such as Encrypt Only or Do Not Forward.
- Compose and send the message as normal.
Internal recipients on the same tenant read the message directly in Outlook. External recipients receive a portal link and sign in with Microsoft, Google, or a one-time passcode.
The Microsoft Purview Message Encryption documentation covers the policy options and setup steps in more depth. Sibling coverage in how do you encrypt an email outlook covers the same flow from a different angle.

How to encrypt an email in Gmail with hosted S/MIME
Gmail on Google Workspace Enterprise Plus supports hosted S/MIME, which encrypts messages end-to-end using certificates. It is the only Google-native option that meets healthcare compliance.
The admin enables S/MIME encryption for outgoing email in the Google Admin console. Each user uploads a personal certificate through their Gmail settings.
Once configured, composing a message shows a lock icon next to the recipient field. If the recipient’s certificate is available, the icon shows green and the message will encrypt automatically.
Recipients without a certificate fall back to standard TLS delivery. That fallback is why S/MIME alone is not sufficient for a full compliance program.
The Google Workspace S/MIME setup guide covers the certificate policies. For the Outlook variant of the same standard, see encrypting an email outlook.
How the main platforms compare on cost and compliance
The right platform depends on the existing subscription, the compliance requirement, and the recipient’s technical skill. A side-by-side view helps narrow the choice.
| Method | Monthly cost per user | Meets HIPAA | Recipient friction | Setup effort |
|---|---|---|---|---|
| Outlook Encrypt button (M365 Business Premium) | Around $22 | Yes, with BAA | Low, portal fallback | Low |
| Google Workspace Enterprise Plus S/MIME | Around $30 plus certificate cost | Yes, with BAA | High, needs recipient certificate | High |
| PGP via Mailvelope on any plan | Free, plus mail plan cost | Case by case documentation | Very high, needs PGP client | Medium |
| Gateway service on any plan | $5 to $15 | Yes, BAA in base plan | Low, portal fallback | Low, DNS record |
For a solo practice, the gateway path costs the least and meets compliance out of the box. For a Microsoft 365 tenant already at Business Premium, the Encrypt button is already paid for and adds nothing more. Google Workspace Enterprise Plus is the most expensive path per user.
A solo dermatologist on Google Workspace Business Standard needs to send a pre-op consultation summary to a patient using yahoo.com. Confidential Mode is available but Yahoo does not honor the SMS gate, and Confidential Mode fails the HIPAA encryption test regardless. Upgrading to Workspace Enterprise Plus for hosted S/MIME would cost about $30 per user plus certificate management. The dermatologist adds a $10-per-mailbox gateway service through a DNS change instead, signs the BAA, and continues composing in Gmail while every outbound message routes through automatic encryption.
Encrypting an email containing PHI
Protected health information carries specific HIPAA obligations. Encrypting an email that contains PHI is one part of a larger compliance stack.
The mail vendor needs to sign a Business Associate Agreement. The encryption needs to meet TLS 1.2 or higher for transmission and AES-256 or similar for at-rest storage.
Every send and open needs to appear in a retained audit log. Workforce training under the Security Rule needs to cover which channels are approved for PHI.
A single Encrypt button click on Outlook or a lock icon in Gmail satisfies the encryption piece. It does not satisfy the BAA, the audit log, or the training piece by itself.
Gateway services designed for healthcare cover all three technical pieces automatically. Sibling coverage in encrypt an email containing PHI covers the PHI-specific angle.
Encrypting an email through a gateway service
Gateway services encrypt outbound mail at the server, which removes the user decision. The setup is a DNS change rather than a client configuration.
- Sign up with the vendor and receive an SPF record and DKIM key.
- Add both records to the DNS zone for the practice domain.
- Wait for DNS propagation, usually within a few hours.
- Send a test message and verify it routes through the vendor’s server.
- Sign the Business Associate Agreement or Data Processing Agreement provided by the vendor.
Once configured, every outbound message from the mailbox routes through the vendor’s gateway. The gateway applies the encryption policy before releasing the message.
End users see no change. Staff continue composing in Gmail or Outlook, and the encryption happens invisibly. Mailhippo is one example of that model.
The HIPAA Journal breakdown of compliant email covers the vendor-selection criteria in more depth.

Encrypting an email with a PGP browser extension
PGP through a browser extension works on any mail account, including personal Gmail and Outlook.com. It is the strongest end-to-end option and the most flexible for individuals.
Install Mailvelope from the Chrome or Firefox extension store. The extension generates a PGP key pair on first run and stores the private key locally in the browser.
Share the public key with correspondents through a keyserver or a signed message. Both sides need each other’s public keys before encryption works.
Composing in Gmail then shows a Mailvelope button. Clicking it opens a secure editor inside the browser. The message is encrypted locally before being pasted into the Gmail compose window.
The tradeoff is friction. Every recipient needs a PGP client, which excludes patients and most business correspondents. PGP fits technical audiences and individual privacy scenarios rather than mainstream healthcare.
Encrypting attachments separately from the message body
Sometimes only the attachment carries sensitive data. Password-protecting the attachment lets the email travel through any provider.
- Compress the file with 7-Zip, WinRAR, or Windows built-in compression, and enable AES-256 encryption.
- Set a strong password of 12 characters or more.
- Attach the encrypted archive to the email.
- Share the password over a phone call, SMS, or in-person conversation.
The mail server does not see the file contents, so the file travels through Gmail or Outlook as opaque data. The recipient extracts the archive with the shared password.
This method is not HIPAA compliant on its own because it produces no audit trail and the password channel is often insecure. It fits one-off file transfers between organizations without a shared encryption service.
Relying on staff to click Encrypt on the right messages fails predictably during busy hours. A single missed click on a message containing PHI counts as a HIPAA violation. Route every outbound message through a gateway that encrypts by policy at the server. The user experience does not change, the audit log captures every send, and the failure mode where someone forgets the button disappears entirely.
Verifying an outbound message actually went out encrypted
An encrypted send is only useful if the encryption held. Both Gmail and Outlook provide ways to verify.
In Gmail, open the sent message and click the three-dot menu, then Show Original. The header displays the TLS status of the delivering connection.
In Outlook desktop, right-click the message and choose Message Options. The header lines show Received records with TLS version details.
For Purview or S/MIME messages, the sent view shows a lock or shield icon in the header. Clicking the icon shows the encryption policy applied.
If none of those indicators appear, the message either traveled without encryption or fell back to a lower tier than expected. Sibling coverage in what happens when you encrypt an email outlook covers the outbound side.
When to encrypt every message versus specific messages
User-driven encryption depends on the user deciding correctly each time. Compliance frameworks treat that decision as a weakness because a single missed message counts as a violation.
The alternative is policy-based encryption at the gateway. Every outbound message routes through the encryption layer, regardless of whether the user clicked a button.
Policy-based encryption uses rules to decide what to protect. Rules can trigger on keywords, recipient domain, sender department, or data classification labels. The user does not need to know the rule was applied.
For healthcare practices, policy-based encryption on every outbound message is the safer default. It removes the failure mode where a staff member forgets to click Encrypt on a specific message.
The right method for your workflow
Choosing the right method comes down to the mail platform, the compliance requirement, and the recipient list.
Microsoft 365 Business Premium tenants can use the Encrypt button in Outlook. The BAA is in place if the tenant is configured correctly, and the recipient side is handled through the portal.
Google Workspace tenants on Enterprise Plus can use hosted S/MIME. Lower tiers need a gateway service or a browser extension.
Practices on any mail plan needing compliance in a solo or small clinic setting default to a gateway service. The cost is the lowest, the setup is the shortest, and the audit trail is built in.
Practices reviewing email decisions alongside the broader patient outreach can pair the choice with a look at healthcare digital marketing services to align intake, messaging, and encryption under a single vendor stack. For the mailbox itself, Mailhippo secure email service covers the loop end to end.
Frequently Asked Questions
On Microsoft 365 Business Premium or higher, click the Encrypt button in the Outlook Options ribbon. That is the shortest path. On Google Workspace Enterprise Plus, hosted S/MIME encrypts automatically once your certificate is installed. On any other plan, install a browser extension like Mailvelope for PGP or sign up for a gateway service that adds encryption through a DNS change. The gateway approach is the simplest across the board because it works regardless of the platform and does not require the recipient to have any special setup.
No. TLS encryption between mail servers is on by default for Gmail, Outlook.com, and Microsoft 365, which handles routine messages. You only need message-level encryption for content that includes protected health information, financial account data, personal identifiers of EU residents, or Controlled Unclassified Information. If the message would cause a compliance obligation on exposure, encrypt it. If it would not, TLS is enough. That said, gateway services often encrypt everything by default because deciding message by message is where most breaches happen.
Only if you use end-to-end encryption. TLS encryption protects the message on the wire between mail servers, but the provider stores the message decrypted on its own servers and can read it. Microsoft Purview and gateway services encrypt at the server, which prevents casual access but still gives the provider decryption capability. S/MIME and PGP encrypt at the sender’s device with the recipient’s public key, so the provider never holds the decryption key. That is the only model that hides the message from the provider.
Yes, if you use a gateway service or Microsoft Purview Message Encryption. Both handle recipient-side decryption automatically through a portal link and a one-time passcode. The recipient needs no certificates, keys, or account. If you use S/MIME or PGP without a portal fallback, the recipient must already have a matching certificate or key. That is why S/MIME and PGP are practical inside organizations and impractical for reaching patients or one-off external contacts.
The message body and attachments are encrypted on the Microsoft server before delivery. Internal recipients on the same tenant read the message directly in Outlook because the encryption keys travel inside the tenant. External recipients receive a notification email with a Read the message button. Clicking the button opens outlook.office.com, where the recipient signs in with Microsoft, Google, or a one-time passcode. Once signed in, the message body appears in the browser. The Reply button in the portal sends secure replies back through the same channel.
Usually not. Most encryption methods, including S/MIME, PGP, and Microsoft Purview Message Encryption, encrypt only the message body and attachments. The subject line stays in plain text because mail servers use it for routing, filtering, and threading. Sensitive information should therefore stay out of the subject line even when the message body is encrypted. Some experimental protocols encrypt the subject as well, but interoperability with mainstream mail clients drops sharply when they do, so mainstream services do not implement it.
The cost-effective path is a gateway-based compliant email service, which typically runs $5 to $15 per mailbox per month and includes the Business Associate Agreement in the base plan. A solo practitioner or small clinic can operate compliantly at that price point. The alternatives cost more. Google Workspace Enterprise Plus runs around $30 per user for hosted S/MIME. Microsoft 365 Business Premium runs about $22 per user. Both require certificate management or admin configuration on top. The gateway approach avoids both.








