๐ Key Takeaways
- Encrypted mail splits three ways: consumer inbox replacements, business tiers, HIPAA add-ons.
- Free ProtonMail and Tuta cap at 150-200 sends daily and never include a BAA for regulated use.
- HIPAA needs a signed BAA on the platform; personal Gmail and consumer ProtonMail do not qualify.
- Recipient experience varies from one-click portals to password exchanges and drives response.
- Choose on five factors: platform, volume, compliance, recipient literacy, and per-seat budget.
Encrypted email providers fall into three groups. Consumer end-to-end providers run a full replacement inbox. Business-tier platforms layer encryption on standard business mail. HIPAA-focused services add encryption and compliance controls on top of existing Gmail or Outlook accounts.
This guide covers the main providers in each group, the trade-offs on price and recipient experience, and where a dedicated encrypted email service fits the healthcare use case.
The right choice depends on the existing mail platform, the compliance requirements, and the tech literacy of the recipient population. There is no single best provider across all buyers.
Three Categories of Encrypted Email Providers
Consumer end-to-end providers include ProtonMail and Tuta. Both offer full replacement inboxes with encryption built in between users of the same platform. Both are based in Europe with strong privacy positioning.
Business-tier platforms include Microsoft 365 with Purview Message Encryption and Google Workspace with client-side encryption. Both layer encryption on the existing business mail platform and include a BAA available for HIPAA scenarios.
HIPAA-focused services include Mailhippo and similar tools that work alongside an existing Gmail or Outlook account. They add encryption, the BAA, and compliance controls without replacing the underlying mail platform.
The categories address different buyers. Consumer providers fit personal privacy needs. Business platforms fit organizations with an existing Microsoft or Google investment. HIPAA services fit practices needing compliance without an enterprise upgrade.
Free Encrypted Email Options Are Limited
Free encrypted email is available from ProtonMail Free and Tuta Free. Both offer limited storage and outbound volume that fit personal use but not business use.
ProtonMail Free offers 500 megabytes of storage and 150 outbound messages per day. Tuta Free offers 1 gigabyte of storage and 200 outbound messages per day. Both hit the limits quickly under any professional use.
Free tiers do not include a business associate agreement. Practices needing HIPAA compliance cannot use a free consumer account regardless of the encryption strength. The BAA is a separate contractual matter.
Personal Gmail, personal Outlook, and free Yahoo accounts do not offer true message-level encryption. Gmail’s confidential mode and Outlook’s basic TLS provide partial protection but do not meet HIPAA transmission requirements on their own.

Consumer Providers Focus on End-to-End Encryption
ProtonMail runs a full end-to-end encryption model between users of the ProtonMail platform. Messages between two ProtonMail accounts encrypt automatically. Users hold the keys client-side.
Tuta uses a similar end-to-end model between Tuta accounts. The company runs its own encryption stack and cannot decrypt user messages. Both providers publish their code as open source.
External recipients on non-ProtonMail or non-Tuta accounts receive a password-protected link. The sender shares the password through a separate channel. This creates friction for reaching regular Gmail or Outlook users.
Consumer providers fit users who value privacy and who correspond primarily with other users of the same platform. Business users sending to patients on standard email addresses often find the friction too high for daily use.
Microsoft 365 and Google Workspace Cover Business Encryption
Microsoft 365 Business Premium and higher plans include Purview Message Encryption. The sender clicks Options, then Encrypt, in the Outlook compose ribbon. Purview handles the delivery and the recipient portal.
Google Workspace Enterprise Plus and Education Plus include client-side encryption. The sender clicks a lock icon in the Gmail compose window. Content encrypts in the browser before it reaches Google servers. Keys stay outside Google through a customer-controlled key service.
Both platforms sign a BAA for business tenants. The BAA covers the platform’s handling of PHI processed on behalf of the covered entity. Consumer tiers of both platforms do not include the BAA.
Detailed setup for Microsoft Purview is in the Microsoft support guide for encrypted messages. Google client-side encryption setup is in the Google Admin console.
Provider Comparison at a Glance
The table below summarizes the main providers across price, encryption method, HIPAA support, and recipient experience.
| Provider | Encryption Method | HIPAA BAA | Recipient Experience |
|---|---|---|---|
| ProtonMail | End-to-end (same-platform) | Business tier only | Password portal for external |
| Tuta | End-to-end (same-platform) | Not standard | Password portal for external |
| Microsoft 365 Purview | Portal-based (server encrypts) | Yes on business tenant | Portal sign-in or passcode |
| Google Workspace CSE | Client-side (browser encrypts) | Yes on business tenant | Portal with key service |
| Mailhippo | Gateway encryption | Yes in base plan | One-click portal, no account |
The comparison highlights that recipient experience varies more than encryption strength. All five options provide strong encryption. The difference is what the recipient has to do to read the message.

HIPAA Email Providers Bundle Compliance Into the Plan
HIPAA email providers such as Mailhippo bundle encryption, the BAA, access logs, and recipient portal into a single plan. The buyer does not have to piece together the compliance stack from separate components.
The service works alongside an existing Gmail or Outlook account. The sender writes mail in the familiar interface. Outbound mail routes through the encryption gateway. The recipient gets a one-click portal to read the message.
The BAA is signed as part of onboarding. The access logs run automatically. Practices without dedicated IT get the full compliance stack without configuring individual pieces.
The trade-off is a routing dependency on the service. Outbound mail runs through the service infrastructure. Uptime and continuity of the service become part of the practice’s operational picture.
Recipient Experience Drives Adoption for Patient Communication
The recipient experience matters more for patient communication than for internal or business partner mail. Patients have varying tech literacy. A workflow that requires the patient to install a certificate or exchange a password fails at the population level.
The one-click portal experience matches how patients already use online banking, telehealth, and pharmacy portals. The recipient clicks a link, verifies identity with a one-time passcode or sign-in, and reads the message.
Providers that offer this experience include Microsoft 365 Purview and dedicated HIPAA services. ProtonMail and Tuta external delivery requires more steps. S/MIME requires a certificate on the recipient side, which rules it out for patient use in almost all cases.
Practices building patient communication workflows should test the recipient view before selecting a provider. The sender view is not the recipient view. A five-minute test with a patient using a personal Gmail account reveals what the actual experience will be.
Cost Differences Between Provider Categories
Pricing varies by category and by tier within each category. The list below shows current price ranges for each option.
- ProtonMail personal plans start around $4 per month with additional storage and features.
- Tuta personal plans start around $3 per month with similar tiering.
- Microsoft 365 Business Premium is $22 per user per month including Purview Message Encryption.
- Google Workspace Enterprise Plus starts around $30 per user per month for client-side encryption.
- Dedicated HIPAA email services range from $10 to $25 per user per month depending on volume and features.
Practices already on Microsoft 365 or Google Workspace often find the incremental cost of adding encryption is a plan upgrade rather than a new subscription. Practices without an existing platform find a dedicated HIPAA service more cost-effective per seat.
HIPAA Compliance Beyond the Encryption Provider
The encryption provider covers one part of the HIPAA compliance picture. The covered entity is still responsible for the surrounding controls: access logging, workforce training, incident response, and correct configuration.
The HHS Security Rule guidance lays out the framework. Encryption is one required technical safeguard. Administrative and physical safeguards remain separate obligations.
Practices building the full posture around encrypted mail also need to cover the site, patient portal, and intake forms. See the guide on healthcare website security features for the site-side controls.
The email provider handles the mail. The site handles the intake. The portal handles the ongoing care communication. Together they form the compliant digital footprint.
Choosing a Provider Comes Down to Five Factors
The choice among providers comes down to five factors. Existing mail platform in use. Volume of encrypted mail sent. HIPAA or other compliance requirements. Recipient population and tech literacy. Budget for licensing or subscription.
Practices already on Microsoft 365 or Google Workspace often add encryption at the platform level. The incremental cost is an upgrade. The workflow stays inside the existing tools.
Practices without a business mail investment often pick a HIPAA-focused service. The service bundles encryption, BAA, and portal into one plan. No enterprise upgrade required.
Consumer providers fit personal use and cross-provider testing. Business users typically outgrow the free tiers within weeks. Related reading covers specific provider comparisons: best encrypted email providers, secure encrypted email providers, encrypted email, best free encrypted email providers, hipaa encrypted email healthcare providers, and free hipaa compliant email providers.
Practices pairing the encryption provider decision with a wider healthcare digital strategy work with a healthcare marketing agency that coordinates mail, site, and portal into a single compliant footprint.