Encrypting Email in Outlook Using Native Tools and HIPAA Services

📅 March 9, 2026 ✍️ By Chris Almond ⏱️ 9 min read
encrypting email outlook guide featured image

🔑 Key Takeaways

  • Outlook encrypts three ways: Purview Message Encryption, S/MIME certificates, or Sensitivity Labels.
  • Purview needs Business Premium or higher and works for external recipients through a browser portal.
  • S/MIME needs a certificate on both sides but delivers true end-to-end encryption inside Outlook.
  • Sensitivity Labels auto-encrypt PHI at scale but require E3 or E5 licensing plus Purview setup.
  • Layer a per-seat HIPAA service on PHI senders instead of upgrading the whole tenant to Premium.

Outlook supports three built-in methods for encrypting email. Microsoft Purview Message Encryption, S/MIME certificates, and Sensitivity Labels each cover a different scenario. All three integrate with the standard Outlook compose experience.

This guide covers each method for encrypting email in Outlook, including the setup, the sender steps, and the recipient experience. It also covers when a separate HIPAA encrypted email service is a simpler fit.

The right method depends on plan level, recipient mix, and IT capacity. Read each section for the fit and pick the path that matches your practice.

Microsoft Purview Message Encryption Is the Default Path

Microsoft Purview Message Encryption is the default encrypted email path for Microsoft 365 Business Premium and higher plans. The sender uses the Encrypt button in the Outlook ribbon. Purview handles the encryption and delivery on the server side.

The sender opens a new message, clicks Options in the ribbon, clicks Encrypt, and picks either Encrypt-Only or Do Not Forward. Encrypt-Only allows the recipient to reply, forward, and print. Do Not Forward applies rights management and blocks those actions.

Purview supports recipients on Microsoft 365, Outlook.com, Gmail, and any other mail platform. External recipients on non-Microsoft platforms receive a notification email with a Read the message button. The button opens outlook.office365.com in a browser tab.

The recipient signs in with a Microsoft or Google account or requests a one-time passcode. The decrypted message displays inline with attachments listed below. Detailed sender instructions are in the Microsoft support guide for encrypted messages in Outlook.

The Encrypt Button Requires Business Premium or Higher

The Encrypt button in Outlook is not available on every Microsoft 365 plan. The required plans are Microsoft 365 Business Premium, Microsoft 365 E3, Microsoft 365 E5, Microsoft 365 Apps for Enterprise with Azure Information Protection Premium, or the standalone Azure Information Protection Premium license.

Business Basic, Business Standard, and Microsoft 365 Apps for Business do not include the Encrypt button. Adding it requires either an upgrade or a per-seat license add-on. The cost adds up quickly for practices with dozens of mailboxes.

Practices on lower Business plans have two options: upgrade every seat that needs to send encrypted mail, or use a separate HIPAA email service that works alongside Outlook without changing the license structure. The math depends on how many seats actually need to encrypt.

Front-desk staff sending appointment reminders may not need encryption. Clinicians sending patient records probably do. Map the actual send flow before committing to a plan upgrade.

encrypting email outlook in article illustration one

S/MIME Provides End-to-End Message Encryption

S/MIME is the older, standards-based encryption method for Outlook. It uses X.509 certificates issued by trusted authorities. The sender encrypts with the recipient public key. The recipient decrypts with the matching private key.

Setup happens in the Outlook Trust Center. Go to File, Options, Trust Center, Trust Center Settings, Email Security. Add the certificate under Digital IDs. Choose the encryption algorithm and hash. Enable digital signing and encryption on outgoing messages if you want defaults applied automatically.

Certificates come from DigiCert, Sectigo, IdenTrust, or an internal certificate authority in an Active Directory deployment. Cost runs from around fifty dollars per user per year for standard certificates to several hundred for enterprise deployments with automated renewal.

S/MIME works well when both parties have certificates. It does not work when the recipient does not. This limits S/MIME to internal use inside organizations with a managed PKI, or to external partners with a formal certificate exchange arrangement.

Sensitivity Labels Automate Encryption Decisions

Sensitivity Labels are the enterprise path to encrypted email in Outlook. Administrators define labels in the Microsoft Purview compliance portal and configure content-scanning rules that flag messages containing PHI, financial data, or other regulated fields.

Applied labels can require encryption automatically, restrict forwarding, block download of attachments, and apply retention rules. The sender does not have to decide. The label is applied by policy based on the content of the message.

Deployment requires Microsoft 365 E3 or E5 licensing and Microsoft Purview Information Protection configuration. The setup is significant. Content patterns, sensitive information types, and label rules all need to be defined and tuned to the practice.

Sensitivity Labels pay back at enterprise scale. A health system with hundreds of users benefits from centralized policy. A small practice with ten users usually does not. The setup effort exceeds the value at that scale.

Example

A 12-person orthopedic clinic runs Microsoft 365 Business Standard for scheduling and internal chat. Only three clinicians actually send patient records. Upgrading all 12 seats to Business Premium would add $120 per month for the Encrypt button. Instead, the clinic keeps Business Standard for the full team and layers a HIPAA email service on the three clinician mailboxes at $10 each. Total added cost is $30 per month, the BAA is included, and general staff mail continues through Outlook untouched.

The Recipient Experience Is the Real Differentiator

The recipient experience varies across the three Outlook encryption methods. Purview messages open in a browser tab after sign-in or one-time passcode. S/MIME messages open in the mail client if the certificate is installed. Sensitivity Label messages open based on the label configuration.

The choice affects patient and vendor communications. External recipients on personal Gmail or Yahoo accounts see the Purview browser tab. That works but adds a step. External recipients with S/MIME certificates see the message inline in their client, but very few personal accounts have S/MIME set up.

Practices sending mostly to external recipients on mixed platforms usually pick Purview or a HIPAA email service. Both handle the external case with a portal or link fallback that does not require recipient setup.

Practices sending mostly to internal or partner recipients with managed PKI usually pick S/MIME for the inline experience. The choice matches the recipient mix.

encrypting email outlook in article illustration two

Encrypting Attachments Follows the Same Method as the Body

Attachments in Outlook encrypt through the same method as the message body. Purview encrypts attachments in the message envelope. S/MIME wraps attachments inside the encrypted message. Sensitivity Labels can also apply protection to attachments as a separate policy layer.

The recipient experience for attachments varies by method:

  • Purview Encrypt-Only allows download of attachments after decryption
  • Purview Do Not Forward blocks download and shows preview only
  • S/MIME attachments decrypt in the client and save locally as normal files
  • Sensitivity Labels can persist protection on the attachment even after download

Attachment size limits follow the sender platform. Outlook and Purview handle standard mail attachment sizes up to 150 megabytes on Microsoft 365 plans. Very large files should use OneDrive sharing links with rights management or a dedicated HIPAA file transfer service.

PHI-containing attachments still fall under HIPAA once the recipient decrypts the file. Downloaded local copies need the same protection as any other patient record. The encryption ends at the mail client boundary.

The BAA With Microsoft Covers the Platform Side

Microsoft signs a business associate agreement covering the Microsoft 365 services under the standard Microsoft 365 BAA terms. The BAA covers Exchange Online, SharePoint, OneDrive, Teams, and the encryption services under Microsoft Purview.

The BAA is available at no extra cost. Administrators accept the BAA in the Microsoft 365 admin center under the compliance section. The BAA becomes effective immediately and covers the tenant.

The BAA covers the Microsoft side. The covered entity is responsible for configuring the tenant correctly, maintaining access logs, training staff, and applying encryption to regulated content. HIPAA compliance is a shared responsibility. Microsoft handles the platform. The covered entity handles the practice-level configuration.

The HHS guidance on business associate agreements outlines the specific terms required. Practices should review the Microsoft BAA against the HHS requirements before signing.

💡Pro Tip: Map the actual PHI send flow before upgrading licenses

Front-desk staff sending appointment reminders rarely need encryption. Clinicians sending patient records almost always do. Before paying to add Business Premium across every seat, count how many people actually send PHI in a normal week. If it is a fraction of the team, a per-seat HIPAA service layered on those mailboxes costs less than a tenant-wide plan upgrade and keeps the rest of the workforce on the plan they already use.

Common Errors Break the Encryption Flow

Encrypting email in Outlook works reliably when configured correctly. Common errors that break the flow include license mismatch, missing certificate, and policy misconfiguration.

The most common issue is missing licensing. The Encrypt button does not appear on lower plans. Users try to send encrypted mail and the option is not available in the ribbon. Fix by upgrading the plan or adding the Azure Information Protection license.

S/MIME errors usually trace to certificate problems. Missing certificate, expired certificate, or certificate from an untrusted authority all break the encryption. Fix by installing or renewing the certificate through the Trust Center.

Policy misconfiguration on Sensitivity Labels is subtler. A label may not apply if the content pattern does not match, or a label may apply incorrectly on non-regulated content. Fix by tuning the sensitive information types and label rules in the Purview compliance portal.

HIPAA Practices Often Add a Second Layer

Healthcare practices often run Outlook alongside a dedicated HIPAA email service. Outlook handles day-to-day mail. The HIPAA service handles patient-facing messages that require verified encryption and a signed BAA specific to healthcare.

The two-layer approach separates concerns. General staff mail stays inside Outlook. Regulated mail routes through a service designed for the HIPAA case. Compliance auditors see clear separation between general and regulated flows.

The setup keeps Outlook simple. Users continue to send general mail through Outlook. They send patient records through the HIPAA service either from a browser interface or from an Outlook plugin. The audit trail comes from the HIPAA service.

This approach fits practices that use Outlook for scheduling, internal communication, and vendor mail, but need a dedicated tool for patient-facing PHI. It matches the workflow more closely than forcing every message through the Purview Encrypt button.

Mailhippo Fits Alongside Outlook for HIPAA Sends

Mailhippo secure email service works with existing Outlook accounts and adds a HIPAA-compliant encryption path without changing the Microsoft 365 plan. The signed BAA is included in the base plan. Recipients open messages through a one-click link with no account creation.

The sender uses Outlook for general mail. When a message contains PHI, the sender routes it through Mailhippo either from a browser interface or from an add-in. The message encrypts, delivers to the recipient link, and logs the send in the audit trail.

This split fits small and mid-size practices that already run Microsoft 365 Business Basic or Business Standard and do not want to upgrade every seat to Business Premium just to enable the Encrypt button. The Mailhippo per-seat rate covers the HIPAA-critical mail without disrupting the base Outlook plan.

The broader compliance picture also includes healthcare website security features and patient portal configuration. Encrypted email is one layer. The full stack covers websites, forms, and internal systems together.

Frequently Asked Questions

How do I encrypt an email in Outlook? +

Open a new message in Outlook. Click Options in the ribbon. Click Encrypt and choose Encrypt-Only or Do Not Forward. Encrypt-Only lets the recipient reply, forward, and print. Do Not Forward blocks forward and print. Write the message, add recipients, and click Send. Microsoft Purview handles the delivery. Internal Microsoft 365 recipients see the message inline. External recipients receive a notification with a Read the message button that opens the encrypted content in a browser tab.

Does encrypting email in Outlook require a license? +

Microsoft Purview Message Encryption requires Microsoft 365 Business Premium or higher, Microsoft 365 Apps for Enterprise with Azure Information Protection, or a standalone Azure Information Protection Premium subscription. Business Basic and Business Standard do not include the Encrypt button. Organizations without the required license can send encrypted mail through a separate HIPAA email service that works alongside Outlook without changing the license structure.

What is the difference between Encrypt-Only and Do Not Forward? +

Encrypt-Only encrypts the message content in transit and at rest. The recipient can reply, forward, and print. Do Not Forward encrypts the content and applies rights management that blocks forward, print, and download. Do Not Forward is the tighter option for regulated content. The sender chooses based on the sensitivity of the message. Both options use the same recipient experience: a browser tab on outlook.office365.com with sign-in or passcode verification.

How do I use S/MIME in Outlook? +

Install a certificate from a trusted authority. Open Outlook, go to File, Options, Trust Center, Trust Center Settings, Email Security. Add the certificate under Digital IDs. Enable Encrypt contents and attachments for outgoing messages if you want default encryption on every send. Otherwise, click the Encrypt button in each new message. S/MIME needs a certificate for every recipient. Outlook stores recipient certificates from signed messages you have received. Recipients without a certificate cannot decrypt the message.

Can I encrypt attachments in Outlook? +

Yes, Microsoft Purview and S/MIME both encrypt attachments along with the message body. Recipients open attachments after the same verification path used for the message. Do Not Forward blocks download of attachments and shows them in a portal preview only. Practices sending large attachments containing PHI should confirm the attachment size limits of the sending platform. Purview handles standard mail attachment sizes. Very large files should use a HIPAA-compliant file transfer service instead of email.

What happens if the recipient does not have a Microsoft account? +

The recipient can sign in with a Google account, sign in with a Yahoo account, or request a one-time passcode delivered to the email address the message was sent to. The one-time passcode option works for any address. The recipient does not need a Microsoft account or a Microsoft 365 subscription. The passcode arrives in a second email within a minute. The recipient enters it in the browser tab to decrypt the message.

Is encrypting email in Outlook enough for HIPAA? +

Not on its own. HIPAA compliance requires a signed business associate agreement, which Microsoft includes with the standard Microsoft 365 BAA. It also requires access logging, workforce training, encryption at rest and in transit, and correct Purview configuration. The Encrypt button covers the transmission layer. The covered entity is responsible for the surrounding controls. Practices without a dedicated IT team often use a HIPAA email service that includes the BAA and simpler configuration in the base plan.

Send your first secure email today Start free — no credit card required. HIPAA-compliant encryption in minutes. Start Free →