๐ Key Takeaways
- Modern Outlook uses Purview from the Encrypt ribbon. Outlook 2013 and older still route via S/MIME.
- Personal Gmail has only Confidential Mode. Workspace Enterprise adds hosted S/MIME for true E2E.
- Attachments inherit message encryption, or lock the file first with Acrobat, Word, or 7-Zip AES-256.
- Office 365 Encrypt needs Business Standard or higher plus Azure Rights Management on the tenant.
- A gateway skips per-user certs, works from Gmail or Outlook, and ships a BAA in the base plan.
Encrypting an email is a different set of steps in every mail client. Outlook has a button. Gmail has two paths that look similar but work differently. Outlook 2013 uses an older S/MIME workflow. Attachment encryption is its own separate topic.
This guide covers each of them in order. It also flags the HIPAA implications for practices sending PHI. For a cross-client path that works uniformly, a gateway service delivers encrypted email to any recipient without version dependencies.
Every section stands on its own with the menu paths named directly. Skip to the client and version that matches your setup.
Encrypt an Email in Modern Outlook on Microsoft 365
Modern Outlook on Business Standard and above adds an Encrypt button to the compose window. The service is Microsoft Purview Message Encryption.
Open Outlook. Start a new message. Click the Options tab in the ribbon. Click Encrypt. Choose Encrypt-Only or Do Not Forward from the dropdown.
Write the message and click Send. The recipient receives an email with a link. They authenticate with Microsoft, Google, or a one-time passcode and read the message in a browser.
Business Basic tier and free personal Outlook.com do not have the Encrypt button. Related linked topic: how do you encrypt emails for a broader coverage of alternatives.
Encrypt an Email in Outlook 2013 With S/MIME
Outlook 2013 supports S/MIME natively but has no Purview Encrypt button. The workflow uses the Trust Center and a client-installed certificate.
Install an S/MIME certificate in the Windows personal certificate store. Open Outlook. Go to File, Options, Trust Center, Trust Center Settings, Email Security.
Under Encrypted email, click Settings. Pick your signing certificate and your encryption certificate. Choose whether to sign or encrypt by default. Click OK.
To encrypt a single message, click the encrypt icon in the compose ribbon before sending. Recipients need S/MIME support in their client and a cached copy of your public key. This workflow also applies to Outlook 2016, 2019, and Outlook LTSC 2021 when S/MIME is the chosen path.

Encrypt an Email in Gmail With Confidential Mode
Gmail confidential mode is available on all Google Workspace tiers and personal Gmail. Click the lock and clock icon at the bottom of the compose window.
Set an expiration date from the dropdown. Choose whether to require a passcode. Passcode by SMS is the higher-security option. Click Save.
Write the message and click Send. The recipient receives a link. They open it in a browser, enter the passcode if required, and read the message in a hosted view.
Confidential mode is not end-to-end encryption. Google holds the keys. The mode prevents forwarding, copying, and printing. It does not seal the content against the provider. For HIPAA-scoped mail, confidential mode alone is not sufficient.
Encrypt an Email in Gmail With Hosted S/MIME
Hosted S/MIME is the Gmail path to true end-to-end encryption. It requires Google Workspace Enterprise Standard, Enterprise Plus, Education Standard, or Education Plus.
The admin uploads root and intermediate CA certificates in the Google Admin console under Apps, Google Workspace, Gmail, User Settings, then S/MIME. Enable S/MIME for the organizational unit.
Each user uploads their personal certificate through Gmail settings under Accounts. Once configured, a lock icon appears next to the recipient field. Green means encryption is possible.
Recipients on personal Gmail, Business Standard, or Business Plus cannot receive hosted S/MIME messages. The encrypted content arrives as an unopenable attachment. See Google Workspace admin help for the current tier list.
A physical therapy clinic on Microsoft 365 Business Premium builds an automatic DLP rule in the Purview compliance portal. The rule matches the US HIPAA template and triggers when outbound messages contain MRN patterns or SSN patterns. Action: apply Do Not Forward automatically. A new hire forgets to click Encrypt when replying to an insurance verifier and pastes a partial MRN into the body. The DLP rule fires server-side, encrypts the message, and creates an audit log entry the compliance officer reviews weekly.
Encrypt an Email Attachment for Extra Protection
The attachment inherits the encryption of the message when sent through Outlook Encrypt, S/MIME, or a portal gateway. This is sufficient for most cases.
For extra protection, encrypt the file itself before attaching. This adds a second layer that survives even if the message encryption fails or the recipient forwards the message to an unencrypted inbox.
Common attachment encryption tools:
- Adobe Acrobat for PDF password protection with AES-256
- Microsoft Word, Excel, PowerPoint via File, Info, Protect Document, Encrypt with Password
- 7-Zip for archive password protection with AES-256
- Apple Preview for basic PDF password protection on macOS
Share the password out of band by phone or text, never in the same email chain. Verify recipient identity before releasing the password. Related linked topic: encrypt an email.

Encrypt an Email in Office 365 With Automatic DLP Rules
Office 365 supports automatic encryption through Data Loss Prevention rules on Business Premium and Enterprise tiers. This removes the human step of clicking Encrypt.
The admin opens the Microsoft Purview compliance portal. Under Data Loss Prevention, create a new policy. Choose a template for U.S. Health Insurance Act (HIPAA) or a custom policy with SSN, MRN, or ICD patterns.
Configure the action. Apply Do Not Forward, Encrypt-Only, or a custom rights template when a match is found. The policy can also block the send or require justification.
Automatic DLP encryption reduces the risk of staff forgetting to click Encrypt on a sensitive message. It also creates audit trail evidence that the covered entity applied technical safeguards under the HHS Security Rule.
Encrypt an Email With PGP Using FlowCrypt
FlowCrypt is a browser extension that adds PGP support to Gmail. It works on personal Gmail and any Google Workspace tier.
Install the extension from the Chrome or Firefox web store. Create a keypair when prompted. Back up the private key to a hardware token or an encrypted vault.
Send a secure message from the FlowCrypt compose window inside Gmail. The extension encrypts the body with the recipient public key if it is in the FlowCrypt cache. If not, the extension prompts for the recipient key or sends through the FlowCrypt password-protected fallback.
PGP is not native to any major business mail workflow. FlowCrypt fills that gap for teams that want end-to-end encryption without moving to Google Workspace Enterprise. It is not commonly used in regulated healthcare settings.
Staff forget to click Encrypt on sensitive messages, especially during busy scheduling windows or shift handoffs. A single missed click is a HIPAA breach. Configure DLP rules in the Microsoft Purview compliance portal or Google Workspace Data Loss Prevention to match SSN, MRN, ICD-10, and custom keyword patterns. Apply Encrypt or Do Not Forward automatically when a match is found. This removes the human factor from compliance and creates audit trail evidence during OCR investigations.
Encrypted Email Options Compared
The table below compares the main paths a business considers.
| Method | Client Support | Recipient Setup | End-to-End | HIPAA Fit |
|---|---|---|---|---|
| Outlook Encrypt (Purview) | M365 Business Standard+ | Passcode or SSO | No, portal | Yes with BAA |
| Outlook S/MIME | Outlook 2013+ | Certificate install | Yes | Peer traffic |
| Gmail confidential mode | All Workspace | Passcode | No | Not sufficient alone |
| Gmail hosted S/MIME | Workspace Enterprise+ | Certificate install | Yes | Yes |
| FlowCrypt PGP | Gmail via extension | PGP key exchange | Yes | Rare in healthcare |
| Gateway (Mailhippo) | Any provider | Passcode | Portal-based | Yes with base plan BAA |
HIPAA Notes on Encrypting Email in Practice
Encryption is one technical safeguard among many. HIPAA requires access controls, audit logging, session timeouts, workforce training, and a signed BAA with each business associate.
Automatic DLP triggers reduce the risk of missed manual encryption. Portal delivery removes the recipient-side certificate requirement. Both are practical for a real HIPAA workflow.
Verify recipient identity before sending PHI. A wrong email address is a HIPAA breach even when the message is encrypted. Document policies and train staff. See related healthcare security features context.
Retention matters. Encrypted mail counts as PHI storage. Retention policies must match state medical board rules and the six-year HIPAA administrative retention requirement.
When a Gateway Is the Better Fit
Managing S/MIME certificates across a small team is meaningful operational work. Certificate expiration, mobile provisioning, and cross-platform trust chains all take time.
A gateway service removes the certificate step. The sender writes in the normal client. A trigger word or plugin button triggers encryption. The recipient reads in a browser.
Mailhippo works this way on top of Gmail or Outlook. It includes a BAA in the base plan. It works uniformly on desktop and mobile without version dependencies. See related how to encrypt an email for the broader walkthrough. Practices building a compliant public-facing site can pair this with HIPAA-conscious website design so intake, contact, and email flows stay inside the same compliance boundary.
Frequently Asked Questions
On Microsoft 365 Business Standard and above, open a new message and click the Options tab in the ribbon. Click Encrypt. Choose Encrypt-Only or Do Not Forward. Write and Send. The recipient receives a link and authenticates with Microsoft, Google, or a one-time passcode. On older Outlook versions with S/MIME, install a certificate through the Trust Center under Email Security, then click the encrypt icon in the compose window before sending. The two paths produce different recipient experiences.
Click the lock and clock icon at the bottom of the compose window for confidential mode. Set expiration and passcode. Write and Send. This is not end-to-end encryption. For true end-to-end on Google Workspace Enterprise, the admin configures hosted S/MIME and each user uploads a personal certificate. A lock icon then appears next to the recipient field. Green means encryption is possible. For personal Gmail, install a plugin like FlowCrypt to add PGP support. Confidential mode alone is not HIPAA-appropriate.
The attachment inherits the encryption of the message when sent through Outlook Encrypt, S/MIME, or a portal gateway. For separate protection, encrypt the file before attaching. Open the PDF in Adobe Acrobat, choose Protect, set a password. Open the docx in Word, choose File, Info, Protect Document, Encrypt with Password. For archives, use 7-Zip with AES-256. Share the password out of band by phone or text, never in the same email chain. Verify recipient identity before releasing the password.
Open Outlook on desktop, mobile, or the web. Start a new message. Click Options in the ribbon. Click Encrypt. Choose Encrypt-Only or Do Not Forward. Write and Send. The Encrypt button is available on Business Standard, Business Premium, Enterprise E3, Enterprise E5, and Government plans. Admins configure encryption templates in the Microsoft Purview compliance portal. Automatic encryption through DLP rules is available on Business Premium and Enterprise plans, which triggers Encrypt when messages match sensitive data patterns like SSN or MRN.
Outlook 2013 supports S/MIME but not Microsoft Purview Message Encryption. Install an S/MIME certificate in Windows through the personal certificate store. Open Outlook, go to File, Options, Trust Center, Trust Center Settings, Email Security. Under Encrypted email, click Settings, pick your certificate, and choose to sign or encrypt by default. To encrypt a specific message, click the encrypt icon in the compose ribbon before sending. Recipients need S/MIME support in their client and a cached copy of your public key.
Set a policy. Encrypt any message containing PHI, PII, or financial data. Use S/MIME for peer recipients who hold certificates. Use portal encryption or Outlook Encrypt for external recipients on any provider. Verify recipient email address before sending. Confirm identity by phone before releasing any attachment password. Log the send in the practice communication system if required by policy. Train staff on the trigger words that identify sensitive content and the correct encryption path for each recipient type.
Yes, with portal-based encryption. Outlook Encrypt, Gmail confidential mode, and third-party gateways all use a portal model where the recipient receives a link, authenticates with a passcode or SSO, and reads the message in a browser. The recipient needs only a modern browser and the passcode. S/MIME and PGP require setup on both sides because the recipient client must decrypt with a private key it holds. Portal delivery is the model to use when the recipient set is variable or non-technical.