HIPAA Compliant Email Marketing Rules Platforms and Setup

hipaa compliant email marketing guide featured image

๐Ÿ”‘ Key Takeaways

  • HIPAA marketing needs a signed BAA, encryption in transit and at rest, and PHI-free bodies.
  • Mailchimp, Constant Contact, and standard HubSpot exclude healthcare and refuse to sign a BAA.
  • The real risk is content: any subject line or merge field that names a condition creates PHI.
  • Keep marketing lists and clinical lists separate at the database level with role-based access.
  • Run broadcasts on a BAA marketing tool; run individual PHI email on a HIPAA email service.

HIPAA compliant email marketing means running patient outreach through a platform that signs a business associate agreement, encrypts data in transit and at rest, and applies content controls that keep protected health information out of the message body.

Most mainstream marketing platforms do not sign a BAA. This guide covers the platforms that do, the content boundaries that keep PHI out of broadcast mail, and how a HIPAA secure email service covers the individual patient communication side.

The compliance picture has three parts: platform, content, and consent. All three matter. A compliant platform running unrestricted content is still a violation.

Three Requirements Define HIPAA Marketing Compliance

Compliant email marketing has three requirements. A signed business associate agreement with the platform vendor. Encryption of message content and list data in transit and at rest. Content controls that exclude PHI from broadcast material.

The BAA covers the platform’s legal obligation to protect any PHI it processes on behalf of the covered entity. Without a BAA, the platform is not authorized to handle PHI at all.

Encryption covers the technical safeguard. The list of subscribers, the message templates, and the outbound content should all be encrypted at rest and in transit. TLS is the baseline for delivery. At-rest encryption on the platform storage matters for the list itself.

Content controls cover the human decision on what to include. Even a compliant platform cannot make PHI-in-broadcast safe. Practices set editorial rules and train marketing staff on the distinction between general health content and PHI.

Mainstream Marketing Platforms Do Not Sign a BAA

Mailchimp, Constant Contact, ActiveCampaign, and standard HubSpot Marketing Hub do not sign a business associate agreement in their base plans. The acceptable use policy on each explicitly excludes handling of protected health information.

Mailchimp’s terms of service state that customers cannot use the service to transmit PHI. Constant Contact’s terms carry the same restriction. ActiveCampaign requires a specific plan tier for the BAA. Standard HubSpot excludes healthcare use.

Practices using any of these platforms for healthcare marketing must keep PHI out of the message body, the subject line, and every personalization field. Content that references a specific condition, treatment, or clinical field creates a violation regardless of the technical protection applied.

The workaround is generic content only. Newsletters about health topics that apply to a wider audience are not PHI. Personal condition messaging belongs in a different channel with a BAA in place.

hipaa compliant email marketing in article illustration one

Platforms That Do Sign a HIPAA BAA

Several platforms offer a HIPAA-signed configuration through an enterprise tier or a healthcare-specific product line. The table below summarizes the current options.

Platform BAA Available Tier Required Fits Best For
HubSpot Yes with healthcare add-on Enterprise Larger practices with existing HubSpot
ActiveCampaign Yes on Enterprise Enterprise Automation-heavy workflows
Salesforce Marketing Cloud Yes with Health Cloud Enterprise Large health systems
Healthcare-focused platforms Yes, standard plans All tiers Small to mid practices
Mailchimp, Constant Contact, standard HubSpot No N/A Generic content only, no PHI

The right platform depends on practice size, existing tooling, and the level of clinical content in outreach. Large systems tend to use HubSpot or Salesforce with the healthcare tier. Smaller practices use healthcare-focused tools that bundle the BAA into the standard plan.

Content Controls Keep PHI Out of Marketing Mail

Content controls are editorial rules for what marketing mail can and cannot reference. The rules cover the subject line, the body copy, the personalization fields, and any linked landing pages.

Recommended patterns include:

  • Subject lines identify the practice, not the patient condition. A subject like “Your Practice Newsletter” is safe. “Your recent diabetes screening” is not.
  • Body copy addresses a wider audience with general health content. Condition-specific detail belongs behind a portal link, not in the message body.
  • Personalization fields use first name only. Clinical fields like diagnosis, medication, or provider name should not appear in merge tags.
  • Linked landing pages that carry clinical detail require patient authentication. Public marketing pages carry no PHI.
  • Images that show clinical procedures use stock or generic photography, not identifiable patient images.

Marketing staff review each broadcast against these patterns before sending. Practices with a formal review process document the review on a checklist attached to the send record.

Example

A three-location pediatric practice runs monthly newsletters through Mailchimp with 4,200 subscribers. The marketing coordinator drafts an autumn asthma awareness email that references "your child's recent inhaler prescription." Because that merge field pulls from the EHR and Mailchimp has no BAA, the send would violate HIPAA. The practice rewrites the copy as general seasonal asthma education with no clinical merge fields, keeps Mailchimp for the newsletter, and routes any prescription-specific outreach through a HIPAA email service tied to the EHR export.

List Hygiene Under HIPAA Is Stricter Than Standard Marketing

List hygiene under HIPAA has stricter rules than standard marketing. The list source matters. The consent capture matters. The access controls matter.

Patients who opted in on an intake form with clear language on marketing use are one category. Patients whose email came in through a clinical touchpoint without a marketing opt-in are another. Mixing the two creates a compliance problem.

Practices maintain separate marketing and clinical email lists. The marketing list has documented consent capture. The clinical list has documented clinical necessity. The two lists live in different systems and have different access controls.

Unsubscribe requests apply to the marketing list only. A patient who unsubscribes from marketing still receives clinical communication such as appointment reminders and lab results. The two channels operate independently.

Consent Capture on the Intake Form

Consent capture on the intake form is the standard method for building a HIPAA-appropriate marketing list. The form includes a specific checkbox for marketing communication with clear language.

Suggested consent language:

I agree to receive marketing communication from [Practice Name] about health topics, practice news, and general wellness content. I understand this is separate from clinical communication about my care, and I can unsubscribe from marketing at any time without affecting my clinical services.

The checkbox is unchecked by default. Patients opt in actively. The consent record ties to the patient record with a timestamp and the form version.

Practices without a compliant intake form should not use the clinical email list for marketing. See the guide on website content strategy for healthcare for the intake and consent side of the digital footprint.

hipaa compliant email marketing in article illustration two

HubSpot Healthcare Add-On Enables Compliant Marketing

HubSpot offers a healthcare add-on through the enterprise tier. The add-on includes the BAA and applies additional data handling controls to the account. Standard HubSpot subscribers do not have this configuration.

The add-on enables sensitive data fields, restricts export of contact data, and applies stricter access logging. The marketing dashboard, the workflows, and the reporting all operate under the enhanced controls.

Practices with an existing HubSpot subscription can request an upgrade to the healthcare configuration. The upgrade is not automatic. It requires a contract addendum and a configuration review by the HubSpot compliance team.

Practices without an existing HubSpot investment may find a healthcare-specific platform simpler. Healthcare-focused tools bundle the BAA into every plan and design the workflows around clinical use cases from the ground up.

Separating Marketing From Individual Patient Communication

The cleanest compliance posture separates marketing from individual patient communication. Two systems, two lists, two sets of controls.

The marketing system handles broadcast newsletters, general health content, and practice announcements. The recipient list is opted-in through the intake form or a subscribe page. Content stays clear of PHI. Delivery uses standard TLS through a BAA-signed platform.

The individual communication system handles one-to-one patient email that references specific care. Appointment confirmations, lab results, treatment plans, and follow-up questions all live here. Delivery uses message-level encryption through a HIPAA email service.

Mailhippo covers the individual communication side. It works with existing Gmail and Outlook accounts, includes the BAA, and delivers encrypted mail to patients through a one-click portal. The marketing side runs through a separate compliant platform.

๐Ÿ’กPro Tip: Split marketing and clinical lists at the database level

Mixing lists is how PHI slips into unencrypted broadcast mail. Store marketing consent in its own table with a timestamp, form version, and unsubscribe status. Query only that table when building broadcast segments. Clinical email addresses stay in the EHR and route through the HIPAA email service. Two databases, two access groups, zero accidental crossovers between the systems.

Automation Requires Extra Care Under HIPAA

Marketing automation adds triggered sends based on patient behavior. Under HIPAA, automation requires extra care because the trigger itself can reference PHI.

An automation that sends a follow-up after a specific diagnosis code is a PHI-driven trigger. An automation that sends a welcome sequence after list opt-in is not. The distinction matters for platform selection and content review.

PHI-driven automations belong in a compliant platform with the BAA in place. Non-PHI automations can run on any marketing platform with content controls to keep PHI out of the body.

Practices reviewing existing automation workflows should map each trigger to the source data and confirm whether the source is PHI. Any PHI-based trigger requires the compliant platform.

Audit Trail and Access Logging on the Marketing List

Access logging on the marketing list is a common gap. Practices often treat the marketing list as a normal contact database without audit controls. Under HIPAA, list access is part of the required access logging.

The log records who accessed the list, when, and what actions they took. Export events, edit events, and send events all belong in the log. Retention of the log follows the practice’s HIPAA retention policy.

Access to the marketing list is limited to marketing staff. Clinical staff do not need access. Cross-department access should require a documented reason and a supervisor approval.

Compliant marketing platforms include access logging as a standard feature. Non-compliant platforms may not. Practices using a non-compliant platform must layer the access log through a separate process, which is difficult in practice.

Building a Compliant Marketing Program From Scratch

A practice building a compliant marketing program from scratch follows a specific sequence. Pick the platform first. Configure the BAA. Set up the list with consent capture. Draft the editorial rules. Train the marketing staff.

The HHS Privacy Rule guidance covers the marketing use of PHI at a policy level. The Security Rule covers the technical safeguards. Together they set the framework for compliant program design.

Related reading covers the platform-specific compliance picture: hipaa compliant email marketing for dentists, hipaa compliant email service, hipaa compliant email, cisco hipaa compliant email, best hipaa compliant email, and free hipaa compliant email.

Practices building the wider healthcare marketing footprint coordinate the compliant marketing platform with a compliant site, portal, and individual communication channel. A healthcare marketing agency can pair the marketing strategy with the compliance stack from the start.

Frequently Asked Questions

What makes email marketing HIPAA compliant? +

Three things: a signed business associate agreement with the marketing platform, encryption of message content in transit and at rest, and content controls that keep protected health information out of the message body. The BAA covers the platform’s legal obligation to protect PHI. Encryption covers the technical safeguard. Content controls cover the human decision on what to include. Missing any one of the three creates a compliance gap. Practices also need list hygiene rules that separate marketing consent from clinical consent and log access to the marketing list.

Is Mailchimp HIPAA compliant? +

Mailchimp does not sign a business associate agreement and its acceptable use policy explicitly excludes handling of protected health information. Practices using Mailchimp for healthcare marketing must keep PHI out of the message body, the subject line, and the personalization fields. Content that references a specific condition, treatment, or clinical field creates a compliance violation even without a BAA. Practices that need patient outreach with clinical detail move to a platform that signs a BAA, such as an enterprise HubSpot healthcare tier or a dedicated healthcare marketing tool.

Is HubSpot HIPAA compliant? +

Standard HubSpot Marketing Hub does not include a business associate agreement. HubSpot offers a healthcare add-on through the enterprise tier that includes the BAA and applies stricter data handling controls. Practices need to enable the add-on and configure the account with healthcare mode before sending any content that touches PHI. Standard HubSpot subscribers using healthcare content without the add-on create a compliance risk regardless of the content review. Confirm the account tier and the healthcare configuration before using HubSpot for any patient-related outreach.

Can I use patient email addresses for marketing? +

Only with documented consent to marketing use. A patient whose email came in through an appointment intake form is not automatically consenting to marketing. Practices need a separate opt-in for marketing communication, either as a checkbox on the intake form with clear language or as a separate subscribe form. The consent record must be stored and accessible on request. Practices should also maintain a documented unsubscribe process. Sending marketing to a patient who only consented to clinical communication is a compliance violation and a privacy concern.

Can I include health information in a marketing email? +

General health education content that applies to a wider audience is not PHI and can appear in marketing content. Condition-specific content, treatment recommendations, or personalization fields that pull from clinical records create PHI and belong in a HIPAA-compliant individual communication channel. The line is whether the content identifies a specific patient’s health status. A newsletter about seasonal allergies is not PHI. A message that starts with “your recent test results” is PHI. Practices set editorial rules and train marketing staff on the distinction.

Do I need encryption for marketing emails? +

Broadcast marketing content that contains no PHI can travel under standard TLS without message-level encryption. The compliance requirement kicks in when the content or the personalization fields reference clinical information. A HIPAA-compliant marketing platform should still encrypt list data at rest and encrypt access to the marketing dashboard. Encryption of the outbound message body matters when the content includes anything that could identify a patient’s health status. Practices without a signed BAA on the marketing platform should keep all content generic and add PHI only to the individual encrypted channel.

What is the difference between marketing email and individual patient email? +

Marketing email is broadcast content to a list of subscribers, typically newsletters, promotions, and general education. Individual patient email is one-to-one communication that references a specific patient’s care, such as appointment confirmations, lab results, and treatment plans. The two channels have different compliance requirements. Marketing runs through a platform with a BAA and stays clear of PHI in content. Individual patient email requires encryption and typically runs through a HIPAA email service or a patient portal. Practices separate the two systems rather than trying to use one for both.

Is Email HIPAA Compliant and Secure in 2026

is email hipaa compliant secure 2025 guide featured image

๐Ÿ”‘ Key Takeaways

  • Standard email fails HIPAA on its own: TLS in transit doesn’t cover the inbox or the missing BAA.
  • Google and Microsoft sign BAAs on paid Workspace and 365 plans, but only after admin request.
  • Dedicated services like Mailhippo and Paubox include the BAA and one-click recipient reads.
  • TLS 1.2 or 1.3 covers the server hop only; auditors treat it as partial, not a full safeguard.
  • Covered entities still own training, access controls, log review, and the annual risk assessment.

Is email HIPAA compliant and secure in 2026. The short answer is that email can be HIPAA compliant with the right vendor coverage, technical safeguards, and internal policies. Free consumer email accounts are not HIPAA compliant, even when they use TLS.

This guide walks what standard Gmail and Outlook actually deliver, what a business associate agreement covers, what the covered entity still owes, and how a dedicated secure email service fits inside the compliance stack.

Start with what HIPAA requires and where standard email falls short.

What HIPAA Requires on Email in 2026

HIPAA sets a floor on how covered entities handle protected health information. Email is one channel that carries PHI, so it falls under the Security Rule.

The Security Rule covers administrative, physical, and technical safeguards. On the technical side, that includes access controls, audit controls, integrity controls, person or entity authentication, and transmission security. Encryption sits inside transmission security as an addressable specification.

Addressable does not mean optional. It means the covered entity must implement the specification, or document why an alternative safeguard is equivalent. In practice, encryption is the safeguard. Auditors expect it on any email that contains PHI.

See the HHS HIPAA Security Rule reference for the full text and current guidance.

What Standard Gmail and Outlook Actually Deliver

Standard Gmail and Outlook accounts use TLS on the connection between the mail client and the mail server, and TLS on the connection between mail servers when both sides support it. That is transport encryption only.

The message body is not encrypted at rest inside the recipient inbox unless the sender applied Microsoft Purview Message Encryption, S/MIME, or a third party encryption service. Anyone with access to the recipient mailbox reads the message.

Free consumer accounts like gmail.com and outlook.com do not carry a business associate agreement. That alone rules them out for HIPAA regardless of TLS. Google Workspace and Microsoft 365 paid plans with a signed BAA carry the vendor side of the compliance boundary.

Sibling reading on the encryption status question sits at is email encrypted and at so email is encrypted but the host is not verified for the TLS trust question.

is email hipaa compliant secure 2025 in article illustration one

The Business Associate Agreement Requirement

A business associate agreement is a contract between a covered entity and a vendor that handles PHI on behalf of the covered entity. HIPAA requires it in writing.

Google Workspace administrators request the BAA through the Google Workspace admin console under Account, Legal and compliance, HIPAA Business Associate Amendment. Microsoft 365 tenants request it through the Microsoft 365 admin center or the Service Trust Portal.

The BAA lists the specific workloads covered. Google covers Gmail, Calendar, Drive, Meet, and other core services. Microsoft covers Exchange Online, SharePoint, Teams, and Purview Message Encryption on eligible plans. Confirm the exact list before assuming coverage.

Dedicated services like Mailhippo, Paubox, LuxSci, and Virtru sign a BAA in the base plan. That simplifies the vendor management on the covered entity side.

Compare Paths to HIPAA Compliant Email

The table below compares the three practical paths to HIPAA compliant email. Use it to shortlist based on team size and existing platform.

Factor Google Workspace with BAA Microsoft 365 with BAA Dedicated service
BAA in base plan Yes on all paid plans Yes on paid plans Yes on Mailhippo and similar
Message level encryption Hosted S/MIME on Enterprise Standard and up Purview on Business Premium and up Included in base plan
Recipient experience Inline in S/MIME clients Portal sign in or passcode One click link
Fits small practices Yes with plan match Yes with plan match Yes without plan change
Fits large enterprises Yes with full integration Yes with full integration Yes as a supplement
Setup time Days with admin work Days with admin work Hours on existing mailbox

All three paths deliver a HIPAA compliant email channel. The right pick depends on the platform already in use and the size of the team.

Example

A four-provider pediatric clinic used personal Gmail addresses to email vaccine records to daycare centers and pediatric specialists. During a state Medicaid audit, the reviewer flagged 42 messages sent from staff@gmail.com addresses over 18 months. No BAA existed with Google for those accounts. The clinic faced $8,700 in corrective action costs, migrated to Google Workspace Business Standard at $12 per user per month, signed the BAA in the admin console within one day, and layered Mailhippo on top for outbound patient PHI.

Google Workspace as a HIPAA Compliant Path

Google Workspace with a signed BAA covers Gmail, Calendar, Drive, Meet, and other core services. That includes free retention of audit logs and eDiscovery through Google Vault.

For message level encryption, Google Workspace Enterprise Standard and higher support hosted S/MIME. Administrators upload user certificates through the admin console. Gmail encrypts and decrypts messages inline for compatible recipients.

Business Starter and Business Standard plans include the BAA on Gmail but do not include hosted S/MIME. Practices on those plans need to add a dedicated encrypted email service or upgrade the plan.

is email hipaa compliant secure 2025 in article illustration two

Microsoft 365 as a HIPAA Compliant Path

Microsoft 365 with a signed BAA covers Exchange Online, SharePoint Online, Teams, OneDrive, and Purview Message Encryption on eligible plans.

Business Premium, Enterprise E3, Enterprise E5, and the E5 Compliance add on include Purview Message Encryption. Senders click the Encrypt button in the Outlook ribbon. External recipients open the message through the Microsoft portal.

Business Basic and Business Standard include the BAA on Exchange Online but do not include Purview. Tenants on those plans need to upgrade or add a dedicated encrypted email service.

Sibling reading on the concept side sits at what is email encryption and at how is email encrypted.

Dedicated HIPAA Compliant Email Services

Dedicated services layer on top of an existing Gmail or Outlook mailbox. They add an encrypted send workflow, one click recipient delivery, and a BAA in the base plan.

Mailhippo works with existing Gmail and Microsoft 365 accounts. Senders trigger encryption with a button or a subject keyword. Recipients open messages through a one click link without account registration. The BAA is included in the base plan.

This path fits small and mid size healthcare practices well. Setup takes hours rather than days. Staff train on a familiar Gmail or Outlook workflow with a small addition rather than a full platform migration.

Broader digital estate coverage for healthcare practices sits in the Redefine Web guide to healthcare website security features and the hub on healthcare marketing services.

๐Ÿ’กPro Tip: Sign the BAA before configuring any mail rule

Vendor coverage means nothing until the BAA sits in your compliance records with a countersigned copy. Microsoft and Google both require the covered entity to accept the agreement through the admin console. Accepting the BAA is one click. Skipping it is the single most common finding in OCR audits of small practices. Sign the BAA the same day the Workspace or 365 tenant is provisioned, and archive the signed PDF in the compliance binder.

What the Covered Entity Still Owns

The BAA covers the vendor side. The covered entity still owns the internal side of the compliance boundary. Missing any piece can fail an audit even with a perfect vendor.

  • Workforce training. Staff need training on what counts as PHI, when to use encryption, and how to identify phishing.
  • Access controls. Unique accounts per user, mandatory multifactor authentication, and role based access to mailboxes.
  • Audit logs. Message trace and access log retention with periodic review by a compliance officer or IT lead.
  • Risk assessment. Annual documentation of threats, vulnerabilities, and mitigations covering the email system.
  • Incident response. A written plan for breach handling including notification timelines and roles.
  • Retention and disposal. A policy that matches state and federal record retention rules, with secure disposal of expired mail.

These items are the covered entity work. The vendor cannot deliver them. Missing them fails audits regardless of vendor coverage.

Common Pitfalls That Break HIPAA Email Compliance

Several patterns cause practices to fall out of compliance even when they started with the right vendor and the right plan.

Sending PHI from a personal Gmail address to a work Google Workspace address. The personal account has no BAA, so the outbound leg breaks compliance.

Forwarding work mail to a personal address for convenience. Forwarding rules that route PHI to an outside account without a BAA violate HIPAA. Disable auto forwarding to external domains in the mail flow rules.

Sharing patient information through an intake form on a secure website but not verifying the email delivery from the form uses encryption. The HTTPS on the form does not extend to the email.

Using free encrypted email like personal Proton Mail. The encryption is strong, but there is no BAA on the free tier. Proton for Business paid plans include the BAA.

Practical Steps to Move From Standard Email to HIPAA Compliant Email

The move from standard to HIPAA compliant email is a two week project for most small practices. The steps are the same across paths.

  • Pick a path based on platform: Google Workspace with BAA, Microsoft 365 with BAA, or a dedicated service on top of the existing mailbox.
  • Sign the BAA through the vendor console and archive a copy with compliance records.
  • Enable multifactor authentication on every mailbox that touches PHI.
  • Turn on audit logging with a defined retention period matching internal policy.
  • Configure encryption on the send path, either through Purview, hosted S/MIME, or the dedicated service add on.
  • Train staff on the encrypted send workflow and phishing identification.
  • Document the workflow, the risk assessment, and the incident response plan in the compliance binder.

The HIPAA Journal encryption reference covers the audit angle for practices building the documentation set.

Frequently Asked Questions

Is Gmail HIPAA compliant in 2026? +

Free personal Gmail is not HIPAA compliant. Google Workspace with a signed business associate agreement is HIPAA compliant for the core services listed in the BAA, which includes Gmail. Covered entities must sign the BAA through the Google Workspace admin console, confirm the workloads covered, and configure the account with audit logging, retention, and appropriate access controls. Message level encryption on top of TLS is still expected for sends that contain protected health information. Sensitive attachments should carry their own encryption layer.

Is Outlook HIPAA compliant in 2026? +

Free personal Outlook.com is not HIPAA compliant. Microsoft 365 with a signed business associate agreement is HIPAA compliant for the workloads listed in the BAA, which includes Exchange Online. Covered entities on Business Premium or higher can use Microsoft Purview Message Encryption to add message level protection. Tenants on Business Basic or Business Standard need to upgrade the plan or add a dedicated encrypted email service. The BAA is requested through the Microsoft 365 admin center and stored with compliance records.

Is email encryption necessary for HIPAA compliance? +

HIPAA treats encryption as an addressable specification. A covered entity must implement encryption or document why an equivalent safeguard fits. In practice, auditors expect encryption on any email that contains PHI. TLS alone is a supporting control rather than a complete safeguard. Message level encryption from Microsoft Purview, S/MIME, PGP, or a dedicated service like Mailhippo satisfies the requirement cleanly. Not encrypting is possible only when the sender documents a specific alternative safeguard inside the risk assessment. That path is hard to defend on audit.

Is email over VPN encrypted for HIPAA purposes? +

A VPN encrypts traffic between the user device and the VPN endpoint. Once the email leaves the VPN endpoint, it travels over the internet with whatever transport encryption the mail server negotiates. The VPN protects the connection from the user laptop to the corporate network. It does not protect the message body once it leaves. HIPAA compliant email requires message level encryption regardless of VPN. Use a VPN for remote access to the mail system. Use message encryption for the send itself.

Is email through a secure website encrypted for HIPAA purposes? +

A secure website with HTTPS encrypts the connection between the user browser and the web server. Web form submissions travel encrypted to the server. Once the server sends the form data by email, the email path uses whatever encryption the mail system provides. HTTPS on the form does not extend to the email. Practices that collect intake data through a secure website should confirm the email delivery from the form to internal recipients also uses encryption. Direct integration with an encrypted email service closes that gap.

Why is email encryption important beyond HIPAA? +

Email encryption protects sensitive business communication from interception, prevents unauthorized access to messages at rest in recipient inboxes, supports contractual data protection commitments to clients and partners, and reduces liability in the event of a data breach. State privacy laws in California, Virginia, Colorado, and other states extend requirements beyond HIPAA. Sector rules cover legal, financial, and educational data. Encryption is a base control that satisfies multiple frameworks at once and reduces the audit burden across all of them.

Is email traffic encrypted between Google and Microsoft? +

Yes, in most cases. Google Workspace and Microsoft 365 both negotiate TLS 1.2 or TLS 1.3 on the connection between their mail servers. Messages between a Google Workspace user and a Microsoft 365 user travel over an encrypted connection between the two mail infrastructures. The message content is decrypted at each mail server for filtering and delivery. Message level encryption from S/MIME, Microsoft Purview, or a dedicated service protects the content end to end and prevents the intermediate servers from reading it.