What Is an Encrypted Email

what is an encrypted email guide featured image

๐Ÿ”‘ Key Takeaways

  • An encrypted email is scrambled ciphertext only the recipient private key can unlock.
  • Transport encryption protects the wire; message encryption protects the stored copy.
  • Asymmetric keys let senders encrypt with a public key only the private key can decrypt.
  • HIPAA, GLBA, and similar rules demand verified encryption plus a signed vendor BAA.
  • Portal delivery beats S/MIME for one-off patient sends because no keys change hands.

An encrypted email is a message that has been scrambled with a cryptographic key so only the intended recipient can read it. The sender applies encryption, the message travels as ciphertext, and the recipient decrypts it back to readable form.

This matters because standard email was designed in the 1980s without built-in encryption. Anyone with access to the network path or the mail server could read the content. Encryption fixes that gap.

Understanding what an encrypted email is starts with two questions. What is being encrypted, and who holds the keys?

Encryption Converts a Message into Unreadable Ciphertext

Encryption takes plaintext, the readable message, and applies a mathematical function called a cipher along with a key. The output is ciphertext, a sequence of bytes that looks like random noise to anyone without the key.

Modern email encryption uses algorithms like AES-256 for symmetric encryption and RSA-2048 or higher for asymmetric encryption. These are the same algorithms that protect online banking, government communications, and enterprise data storage.

The recipient reverses the process. They apply the matching decryption function with the correct key, and the ciphertext becomes readable plaintext again. Without the key, the ciphertext is effectively random data that cannot be reversed by brute force with current computing.

The security of the whole system depends on protecting the key. If an attacker steals the recipient private key, the attacker can decrypt every message sent to that recipient. Key management is why encrypted email deployments require careful setup.

Two Layers of Email Encryption Exist

Email encryption operates at two layers. The transport layer protects the connection between mail servers. The message layer protects the content of the message itself.

Transport encryption uses TLS, the same protocol that protects HTTPS websites. When two mail servers connect, they negotiate a TLS handshake and encrypt the traffic in flight. An observer on the network sees only ciphertext.

Message encryption uses S/MIME, PGP, or a portal-based service. The sender encrypts the message content before it leaves their client. The mail server stores ciphertext. Only the recipient with the matching key can decrypt.

The difference matters for compliance. Transport encryption protects the connection but not the stored copy. Message encryption protects both. For regulated content, message encryption is the standard because it removes the mail server from the trust boundary.

what is an encrypted email in article illustration one

TLS Is the Default Transport Encryption for Modern Email

Every major mail provider, Gmail, Outlook, Yahoo, Apple, and the rest, uses TLS by default. When a sending server contacts a receiving server, it attempts a TLS handshake. If both sides support it, the connection is encrypted.

The user does not enable TLS. The client shows a padlock icon when it is in effect. Gmail shows a gray padlock for TLS, green for S/MIME, red for unencrypted.

TLS has a critical weakness. It is opportunistic. If the receiving server does not support TLS, the sending server delivers the message in plaintext by default. The sender may not see any warning, and the client padlock may still show as green in the Sent folder because the initial hop was encrypted.

This behavior means TLS alone cannot guarantee an encrypted send. For regulated content, opportunistic TLS is not sufficient. According to NIST SP 800-45, verified end-to-end encryption is required for sensitive email.

S/MIME Uses Certificates from a Trusted Authority

S/MIME, or Secure/Multipurpose Internet Mail Extensions, is the built-in message encryption standard for Outlook, Apple Mail, and Gmail on Workspace Enterprise. It uses X.509 certificates issued by a trusted certificate authority.

Each user has a public key certificate that is shared with correspondents and a private key that stays local. When someone sends an encrypted message, they encrypt with the recipient public key. Only the recipient private key can decrypt.

Signing is a separate function that uses the same certificates. A signed message includes a signature computed with the sender private key. Any recipient can verify the signature using the sender public key. This proves the message came from the claimed sender and was not modified in transit.

S/MIME suits organizations that can coordinate certificate deployment across all users. Certificate authorities such as DigiCert, Sectigo, and IdenTrust issue certificates for annual fees between roughly $20 and $100 per user.

Example

A cardiologist sends a patient discharge summary to a referring family physician on a small independent practice mail server. Native TLS fails because the receiving server disabled TLS after a misconfigured update. Without a verified method in place, the message would have sent in plaintext. The cardiologist uses a portal-based service that detects TLS unavailability and delivers a browser-based link instead. The referring physician clicks, enters a one-time passcode by email, and reads the summary without any certificate or software installation on their side.

PGP Uses Locally Generated Keys and Personal Trust

PGP, or Pretty Good Privacy, is the open-source alternative to S/MIME. It uses public-private key pairs generated locally by the user. There is no certificate authority. Users trust each other keys directly.

The sender exchanges public keys with the recipient through a side channel, verifies the key fingerprint, and then encrypts messages with the recipient public key. The recipient decrypts with their private key. The private key is protected with a passphrase.

PGP has stronger algorithmic flexibility than S/MIME but a steeper learning curve. Recipients unfamiliar with key exchange will not decrypt a PGP message without setup. Thunderbird, Mailvelope, and GPG Suite provide user interfaces that simplify most of the workflow.

PGP suits technical correspondents, security researchers, journalists working with sources, and internal teams that can standardize on key exchange procedures. It is the wrong tool for reaching general external recipients like patients.

what is an encrypted email in article illustration two

Portal-Based Encrypted Email Removes Recipient Setup

Portal-based services solve the recipient friction problem. The sender writes and sends from their normal client. The service intercepts the message, encrypts it, and delivers over TLS when supported or through a portal link when TLS is unavailable.

Mailhippo works this way. The recipient receives a notification email with a click-to-open link. They enter a one-time passcode sent to their phone or email, and they read the message in a browser. No account creation. No key management. No software install.

For HIPAA, the service includes a signed BAA in the base plan and logs every message access. This is the model most healthcare organizations use because patients and external providers cannot be expected to manage keys or install plug-ins.

The tradeoff is that the encryption happens at the service, not on the sender client. For most healthcare and business contexts, this is acceptable because the service holds a BAA and provides audit logs. For extremely sensitive content, S/MIME with local keys remains the highest-assurance model.

Encrypted Email Is Required for Regulated Content

HIPAA, the US health privacy law, requires encryption in transit for any electronic transmission of protected health information across public networks. The rule is technology-neutral, but auditors expect a verified encryption method with a signed business associate agreement.

GLBA, the financial-services privacy law, imposes similar transmission requirements for customer financial data. PCI DSS covers card data. State privacy laws such as CCPA and NYDFS add their own requirements.

Native TLS in Gmail or Outlook does not automatically meet these standards because of the opportunistic fallback. A HIPAA-compliant service closes the gap by refusing to send in plaintext and delivering through a portal fallback when TLS is unavailable.

For healthcare organizations, this pairs with broader compliance work covered in healthcare website security features and healthcare marketing services.

๐Ÿ’กPro Tip: Protect Private Keys Like Passwords

Modern encryption algorithms are resistant to brute force with current computing. The practical attack surface is not the cipher, it is the private key. Store S/MIME private keys in hardware-backed storage like a smart card or hardware security module when possible. Use strong passphrases on PGP private key files. Revoke certificates and keys promptly when a device is lost or staff leave. Log key access for anomaly review.

Recipient Experience Varies by Encryption Method

The recipient sees a different experience for each method. TLS is invisible when it works. The message arrives in the inbox looking normal. Nothing signals that transport encryption was applied.

S/MIME shows a lock icon in supported clients. The client decrypts using the recipient certificate and displays the plaintext inline. In an unsupported client, the recipient sees ciphertext or an unopenable attachment.

PGP requires a supported client with the recipient private key installed. Thunderbird, Mailvelope, and GPG Suite decrypt inline. Without the tools, the recipient sees a PGP-formatted block of ciphertext.

Portal-based services deliver a notification email with a click-to-open link. The recipient clicks, authenticates with a one-time passcode, and reads in a browser. This is the lowest-friction path for any recipient without prior setup.

Key Management Is the Practical Security Boundary

The mathematics of modern encryption are resistant to brute force with current computing. AES-256 and RSA-2048 are considered secure through the near future. The practical attack surface is key management, not cipher-breaking.

An attacker who steals a private key can decrypt every message sent to that recipient. Key protection includes strong passphrases on private keys, hardware-backed key storage such as smart cards or hardware security modules, and prompt revocation of keys when a device is lost or an employee leaves.

  • Store private keys in hardware-backed storage when possible.
  • Use strong passphrases on private key files.
  • Revoke certificates and PGP keys promptly on departure or device loss.
  • Log and monitor key access for anomalous activity.

For portal-based services, the equivalent controls are account access management, multi-factor authentication, and audit logging. The service holds the encryption keys, so the sender must trust the service and verify the audit trail.

Choose an Encryption Method Based on Recipient and Content

The right encryption method depends on the recipient technical setup and the content sensitivity. Match the method to the practical situation.

  • Internal team, no regulated content: TLS is sufficient.
  • Internal team, regulated content, certified users: S/MIME.
  • Technical external correspondents, high sensitivity: PGP.
  • External recipients without technical setup, regulated content, HIPAA scope: portal-based service.

For deeper coverage on specific methods, see the sibling guides what does encrypted email mean, what does it mean to encrypt an email, and what happens when you encrypt an email in Outlook.

The one-line summary is that an encrypted email is a message only the intended recipient can read. The method behind that outcome shapes the setup cost, the compliance posture, and the recipient friction. Choose deliberately.

Frequently Asked Questions

How can I tell if an email I received is encrypted? +

Look at the message header or the indicator in your mail client. Gmail shows a padlock icon on encrypted messages, green for S/MIME, gray for TLS, red for unencrypted. Outlook shows a padlock or a lock icon when S/MIME or Purview Message Encryption is in use. Portal-based services deliver a distinct notification email that says a secure message is waiting behind a link. If none of these indicators are present, the message likely relied on opportunistic TLS or was sent in plaintext.

Are encrypted emails safe to store on the mail server? +

Yes, when the encryption method is message-level rather than transport-only. S/MIME and PGP produce ciphertext that the mail server stores without being able to decrypt. Portal-based services store content on the vendor infrastructure with access controls. TLS does not qualify because it only protects the transport; once the message reaches the server, it sits as plaintext in storage. For HIPAA-relevant retention, message-level encryption is the standard.

Can encrypted emails be intercepted? +

An encrypted email can be intercepted in the sense that ciphertext can be captured. Without the decryption key, the intercepted content is unreadable. Modern encryption algorithms including AES-256 and RSA-2048 are considered infeasible to break with current computing. The practical risk is not brute-forcing the cipher; it is stealing the private key from the recipient device or fooling the sender into encrypting to an attacker key. Key management is the security-critical part of an encrypted email deployment.

What is the difference between an encrypted email and a password-protected email? +

An encrypted email uses cryptographic algorithms to make the content unreadable without a decryption key. A password-protected email typically wraps the message or an attachment in a container that requires a password to unlock. The password approach is weaker because passwords are shared through side channels, often the same email thread. Encrypted email uses key pairs or trusted portals to authenticate without exchanging shared secrets through the message itself.

Do I need to encrypt every email? +

No. Encryption is a technical control matched to a specific risk. Routine internal correspondence, non-sensitive external messages, and public communications do not need message-level encryption. TLS provides adequate protection for the vast majority of email in flight. Encryption becomes necessary when the content is regulated, such as PHI, financial account information, or personally identifying data. Apply encryption selectively based on content sensitivity, not universally to every message.

Can I encrypt an email attachment separately from the message? +

Yes. Some workflows encrypt only the attachment, typically a document containing sensitive data, and send the encrypted file with a plaintext message body. The recipient decrypts the attachment separately using a password or key. This is a partial approach; the message body still travels in the clear. For regulated content, encrypt the message body itself, either through S/MIME, PGP, or a portal-based service that treats attachments as part of the encrypted payload.

How long does an encrypted email stay secure? +

The encryption stays secure for as long as the underlying algorithm is considered resistant to attack and the private key stays private. AES-256 and RSA-2048 or higher are expected to remain secure through at least the current decade. Post-quantum cryptography is an active area of research because quantum computers may eventually break RSA. For today, the practical time horizon of a well-encrypted email is measured in decades, provided the recipient private key is not stolen.

Proton Mail Encrypted Email Explained for 2026

proton mail encrypted email guide featured image

๐Ÿ”‘ Key Takeaways

  • Proton Mail encrypts every stored message end-to-end; Proton servers see only the ciphertext.
  • External recipients hit a password portal, which drops adoption fast for high-volume patient mail.
  • Proton supports PGP interoperability through contact-card public keys for cross-system exchange.
  • Proton Business Plus at $12.99 per user per month includes a BAA; Free and Plus tiers do not.
  • Practices sending 200 messages a week face portal password tickets; zero-step services fit better.

Proton Mail encrypted email uses end-to-end encryption by default on every message stored on its servers. The sender private key stays on the sender device, and the recipient private key stays on the recipient device.

Proton positioned the service as a privacy-first alternative to Gmail and Outlook. The cryptographic model attracted journalists, security researchers, and privacy-conscious individuals first, then expanded into business plans that include a business associate agreement for regulated users. Practices evaluating encrypted email options often compare Proton Mail against portal-based services and zero-step alternatives.

This guide walks through how Proton Mail encryption actually works on the wire, what the different Proton Mail plans cover, and where practices with heavy external mail volume face friction.

Proton Mail encrypted email cryptographic model

Proton Mail generates a key pair on the user device at account creation. The public key uploads to Proton servers and appears in the user profile. The private key stays on the device, encrypted with a hash of the account password.

Every message stored on Proton servers uses one of two encryption states. Messages between Proton accounts encrypt with the recipient public key, decrypt only with the recipient private key. Messages from external senders encrypt at rest with the recipient public key after arrival.

The model means Proton Mail cannot read stored messages even under legal request. The Swiss court can subpoena the metadata and any unencrypted account information, but not the message body of encrypted messages.

The tradeoff is account recovery. Losing the account password without an active recovery method also loses access to every encrypted message in the mailbox. Proton warns about this state at signup and offers a recovery phrase to mitigate the risk.

Proton Mail encrypted email to Proton Mail recipients

Messages between two Proton Mail accounts encrypt automatically without any sender action. The composer detects the recipient Proton public key and applies encryption in the browser or app before the message leaves the sender device.

The recipient sees a lock icon at the top of the message. Clicking the lock shows the cryptographic details, including the signing key fingerprint and the encryption algorithm.

Reply and forward inside Proton Mail also stay encrypted end to end. The sender does not need to remember to enable encryption because the default is on for every Proton-to-Proton exchange.

This flow gives Proton Mail its strongest security guarantee. Practices with a homogeneous Proton Mail user base get end-to-end encryption without any user education or password sharing step.

proton mail encrypted email in article illustration one

Proton Mail encrypted email to non-Proton recipients

Messages to Gmail, Outlook, or other non-Proton recipients require the sender to enable password-based encryption in the composer. The sender picks a password and shares it out of band with the recipient.

Proton Mail sends a notification email to the recipient with a portal link. The recipient clicks the link, enters the shared password, and reads the message inside the browser. The portal supports reply, which sends the reply back through the same portal encrypted with the same password.

The portal step is the biggest source of friction for high-volume senders. A patient who forgets the password calls the office. A patient who does not read the notification email misses the message entirely.

The reply to encrypted email workflow describes how the portal reply flow handles common cases like attachments, quoted text, and multi-message threads.

Proton Mail encrypted email PGP interoperability

Proton Mail supports PGP for interoperability with other encrypted email systems. Senders upload a recipient PGP public key to a Proton contact card. Outbound messages to that contact encrypt with the recipient key.

Inbound PGP messages decrypt with the Proton Mail private key when the external sender used the Proton public key. Proton Mail publishes its public keys through the Proton Web Key Directory endpoint at proton.me/.well-known/openpgpkey.

PGP interoperability makes Proton Mail workable for security researchers, journalists, and technical users who already exchange keys. Configuring PGP takes patience and a working understanding of key management.

For general healthcare use, PGP key exchange is too complex to scale across a patient population. Most patients cannot generate a PGP key, and asking them to do so violates the reasonable and appropriate standard in the HIPAA Security Rule.

Example

A privacy-focused therapy practice in Portland moved to Proton Business Suite at $12.99 per seat for four clinicians and one office manager. Internal case notes travelled end-to-end encrypted with no configuration. External patient mail hit friction fast: 200 encrypted messages per week meant 200 portal password sessions, and the office manager fielded 30 patient calls in the first week about lost passwords. The practice kept Proton for internal mail and layered Mailhippo for outbound patient messages. Patient support calls dropped to two per week within a month.

Proton Mail Business plans and HIPAA eligibility

Proton Mail Free at $0 per month and Proton Mail Plus at $4.99 per user per month do not include a business associate agreement. Neither plan can be used for PHI.

Proton Business Suite at $12.99 per user per month includes a signed BAA. The BAA covers Proton Mail, Proton Drive, Proton Calendar, and Proton VPN. Practices accept the BAA in the admin console during onboarding.

Configure the required admin settings after accepting the BAA. Enable two-factor authentication on every account. Set the Proton retention window to meet the six-year Privacy Rule requirement. Disable Bridge access for accounts that do not need IMAP or SMTP relay through desktop clients.

Reference the current plan matrix at Proton Business plans and the sample BAA provisions at HHS sample BAA provisions before adoption.

proton mail encrypted email in article illustration two

Google Mail encrypted email comparison

Gmail encrypts every message in transit with TLS on every Workspace tier. That is the baseline layer. Confidential mode adds link expiry and passcode options on every tier as a second layer, though the message content stays readable to Google.

Gmail S/MIME on Enterprise Plus adds certificate-based encryption. Users install an S/MIME certificate in the Workspace admin console. Outbound messages to recipients with a public certificate encrypt automatically.

Gmail signs a BAA on paid Workspace plans configured for HIPAA. The BAA covers Gmail, Drive, Calendar, Meet, and other core services. Practices sending real PHI usually stack a portal-based encryption service on top for cases when the recipient does not have S/MIME.

Compared with Proton Mail, Gmail treats encryption as opt-in. Proton Mail treats encryption as the default. See encrypted email service by proton for a deeper feature comparison against alternatives.

Canary Mail and third party encrypted email clients

Canary Mail is a third party mail client for iOS, Mac, and Windows that adds S/MIME and PGP encryption on top of any IMAP or Exchange account. Users install Canary Mail, connect their Gmail or Outlook account, and generate keys inside the client.

Canary Mail does not run its own mail server. The underlying mail service handles storage and BAA obligations. Canary Mail is a UI layer on top of the existing account.

Canary Mail Pro at $49 per year adds unlimited encryption features and read receipts. The free tier limits encryption to a small number of messages per month.

Users on apple mail encrypted email setups sometimes prefer Canary Mail for the tighter S/MIME integration. Canary Mail on the desktop bridges to iOS through iCloud sync of the certificate store.

๐Ÿ’กPro Tip: Disable auto-forwarding on every PHI-carrying Proton account

Auto-forwarding rules to non-Proton accounts strip the end-to-end encryption on the forwarded copy. A clinician who forwards case notes to a personal Gmail for offline reading defeats every cryptographic guarantee Proton Mail provides. Open the account settings, remove any active forwarding rule, and disable the option at the admin level so users cannot re-enable it. Document the change in the risk register as evidence of a technical safeguard applied to prevent unauthorized disclosure of PHI.

Encrypted zip as a fallback for encrypted mail

Encrypted zip attaches a password-protected archive to a normal email. The sender shares the password through a separate channel like SMS or phone. The recipient extracts the archive with the password.

The pattern works everywhere and does not require any special mail server or client. Security depends on password strength and the out-of-band password channel.

HIPAA compliance treats encrypted zip as a reasonable and appropriate safeguard when configured with AES-256 encryption and a strong password. The Windows built-in zip does not support AES. Use 7-Zip or WinZip Pro to produce AES-256 archives.

Encrypted zip does not scale. Every message requires manual password sharing. Every recipient needs zip software that supports AES. Automated services like Mailhippo remove the manual step and standardize the recipient experience.

Proton Mail encrypted email limitations and workarounds

Proton Mail encryption breaks in a few common scenarios. Auto-forwarding rules to non-Proton accounts strip the end-to-end encryption on the forwarded copy. Legacy mail clients that connect through Bridge lose the automatic encryption in the client display.

Search inside Proton Mail runs against the client-side decrypted copy. Server-side search is not possible because the server cannot read the content. On large mailboxes, search performance drops compared to Gmail or Outlook server search.

Common workarounds:

  • Disable auto-forwarding on any account that carries PHI
  • Use the Proton Mail app rather than a legacy IMAP client
  • Set a longer local search index window on the app
  • Enable Bridge only for accounts that require it
  • Rotate the account password on the standard 60 to 90 day cycle

When to pick a HIPAA alternative to Proton Mail encrypted email

Practices with heavy external patient mail volume often face portal password support tickets. A five-person practice sending 200 encrypted messages per week to 200 unique patients handles 200 password sessions per week.

A zero-step encryption service like Mailhippo removes the portal step. Encrypted messages arrive directly in the recipient normal Gmail or Outlook inbox and open like any other message. The sender picks Mailhippo in the toolbar for messages that need encryption and skips it for messages that do not.

Practices running HIPAA compliant website design already understand the reasonable and appropriate standard. Applying the same standard to email means picking the tool that keeps compliance tight while dropping recipient friction. See also security features for healthcare websites for the parallel web guidance.

For further reference, review NIST SP 800-177 Trustworthy Email and the HIPAA Journal guide to compliant email before finalizing the encrypted mail stack. See encrypted email and send encrypted email for related walkthroughs.

Frequently Asked Questions

How does Proton Mail encrypted email work? +

Proton Mail generates a key pair on the user device at signup. The public key uploads to Proton servers so other Proton users can encrypt messages to it. The private key stays on the device, encrypted with the account password. Messages between two Proton accounts encrypt automatically end to end. Messages to external recipients require password-based encryption, which sends a portal link that the recipient opens with a shared password. PGP support adds interoperability with other encrypted email systems.

Is Proton Mail HIPAA compliant? +

Proton Mail Business Plus and higher include a signed business associate agreement, making them HIPAA-eligible when configured correctly. Free and Plus tiers do not include a BAA and cannot be used for PHI. Practices adopting Proton Mail Business need to accept the BAA in the admin console, enable two-factor authentication on every account, and configure Proton retention to meet the six-year Privacy Rule requirement. Test the patient reply flow before deploying because the portal step often drops adoption compared to zero-step alternatives.

How do I reply to a Proton Mail encrypted email? +

If you use Proton Mail yourself, open the message and click Reply. The reply automatically encrypts to the sender Proton Mail account. If you received the message as a non-Proton recipient through a portal link, log in to the portal with the shared password, click Reply inside the portal, and send. The reply stays encrypted through the portal. If the sender used PGP, you need your own PGP key configured in your mail client to reply securely with the same encryption level.

How does Google Mail encrypted email compare to Proton Mail? +

Gmail encrypts every message in transit with TLS on every Workspace tier. Confidential mode adds link expiry and SMS passcode options. Gmail S/MIME on Enterprise Plus adds certificate-based encryption. Proton Mail encrypts every stored message with end-to-end encryption using keys the user controls. Gmail treats encryption as an optional add-on. Proton Mail treats encryption as the default. Gmail signs a BAA on paid Workspace plans. Proton Mail signs a BAA on Business Plus and higher.

What is Canary Mail encrypted email? +

Canary Mail is a third party mail client for iOS, Mac, and Windows that adds S/MIME and PGP encryption on top of any IMAP or Exchange account. Users install Canary Mail, connect their Gmail or Outlook account, and generate keys inside the client. Outbound messages encrypt automatically to any recipient with a public key on file. Canary Mail does not run its own mail server, so the BAA question depends on the underlying mail service. Canary Mail Pro at $49 per year adds encryption features.

How does encrypted zip compare to encrypted email? +

Encrypted zip attaches a password-protected archive to a normal email. The sender shares the password through a separate channel. The recipient extracts the archive with the password. Encrypted zip works everywhere and does not require any special mail server or client. The security depends entirely on password strength and out-of-band password sharing. HIPAA compliance uses encrypted zip as a fallback for one-off transfers when the recipient cannot access a proper encrypted email service. Automated services like Mailhippo remove the manual step entirely.

When does a HIPAA alternative fit better than Proton Mail? +

Practices with high external mail volume, low IT staffing, or a mixed recipient base often benefit from a zero-step alternative to Proton Mail. Proton Mail portal delivery requires the recipient to remember a shared password. Zero-step services deliver encrypted messages directly to the recipient normal inbox without the portal step. Mailhippo and similar services fit this pattern. The tradeoff is the sender loses the strong Proton cryptographic guarantees in exchange for simpler recipient handling. Pick based on threat model.

How Do I Send Encrypted Email in Outlook, Gmail, and Yahoo

how do i send encrypted email guide featured image

๐Ÿ”‘ Key Takeaways

  • Outlook 365 Business Premium adds the Encrypt button; lower tiers need a license upgrade.
  • Gmail confidential mode is not real encryption; client-side S/MIME needs admin setup on both ends.
  • Outlook 2010 through 2016 encrypt with S/MIME certs, which fail for ad hoc consumer recipients.
  • Yahoo Mail has no message-level encryption; TLS in transit alone will not meet HIPAA.
  • Portal encryption reaches any inbox; S/MIME fits PKI-equipped internal and government mail.

Sending encrypted email is straightforward once you know which method your client supports. Outlook 365, Outlook 2010 through 2016, Gmail, and Yahoo each handle encryption differently, and the right method depends on both your sender platform and your recipient.

This guide walks through each client step by step, then compares the methods. If you need a service that layers on top of any of these clients with a signed business associate agreement, see the overview of encrypted email options.

The audience assumed here is a business user or clinician who wants to send an encrypted message today, not a developer building an integration.

How to send encrypted email in Outlook 365

Outlook 365 on Business Premium, Enterprise E3, or Enterprise E5 includes the Encrypt button in the Options ribbon. This is the fastest path if your account is on a qualifying plan.

Compose a new message. Click Options in the ribbon. Click Encrypt. Choose Encrypt-Only for a message the recipient can reply and forward. Choose Do Not Forward for a message where you want to restrict sharing.

Send the message. The recipient on your own tenant sees the message inline in Outlook with a lock icon. External recipients see a notification email with a Read the message button. Clicking the button opens the Office 365 message encryption portal in a browser.

Setup requires an admin to enable Azure Rights Management on the tenant. Full guidance is published by Microsoft in the Microsoft Purview Message Encryption reference. If Encrypt is missing from your ribbon, your tenant or license does not have Purview enabled.

How to send encrypted email in Outlook 2010, 2013, and 2016

These versions do not include the modern Encrypt button that appears in Outlook 365. Encryption uses S/MIME certificates and works well for organizations where both sender and recipient have certificates issued through corporate PKI or a public certificate authority.

Import your certificate through File, Options, Trust Center, Trust Center Settings, Email Security. Click Import Export and load your certificate file. Enter the password and complete the import. Outlook now has your certificate bound to your mailbox.

Compose a new message. In the message window, click Options in the ribbon, then click the small dialog launcher in the More Options group. In the Properties dialog, click Security Settings. Check Encrypt message contents and attachments. Click OK. Send.

The recipient needs a matching certificate to decrypt. This is where S/MIME breaks down for ad hoc external mail. For enterprise-to-enterprise and government correspondence, S/MIME works well. For consumer mail, use portal-based encryption instead. The how do I send an encrypted email in Outlook guide covers additional edge cases.

how do i send encrypted email in article illustration one

How to send encrypted email in Gmail

Gmail on Google Workspace offers two paths. Gmail on a personal account has no HIPAA-grade encryption option at all.

Confidential mode is available on every Gmail account. Click the padlock and clock icon in the compose window, set an expiration and a passcode option, and send. This restricts forwarding, printing, downloading, and copying. It does not encrypt content at rest inside Gmail systems.

Google Workspace client-side encryption applies true end-to-end encryption for qualifying tiers. An admin configures a client-side encryption identity for the account. Once configured, the sender can toggle client-side encryption on a message. Recipients must also be configured for client-side encryption to decrypt.

For the widest recipient reach and healthcare use, a dedicated secure email service that installs as a Gmail add-on gives you a Send Encrypted button that routes the message through the vendor. The recipient reads it in a portal. This is the simplest path for a solo practice or small clinic.

How to send encrypted email in Yahoo Mail

Yahoo Mail does not offer a built-in message encryption feature. There is no Send Encrypted button in Yahoo, and Yahoo does not sign a business associate agreement for HIPAA use.

Yahoo servers use TLS between mail servers, which protects messages in transit when the receiving server supports TLS. This is a baseline measure that any modern mail provider offers. TLS alone is not equivalent to end-to-end or message-level encryption.

To send encrypted email from a Yahoo address, you have two practical options. Use a third-party encryption service that can send on your behalf and reply through a portal. Or move the encrypted correspondence to a provider that supports encryption natively.

Yahoo is not a supported platform for HIPAA-covered mail. A therapist or medical office running client communications through a Yahoo address is not compliant regardless of what encryption is added on top of the sending experience. Change providers first.

Example A three-provider dental practice on Microsoft 365 Business Standard tried to send encrypted lab result summaries to patients on Gmail and Yahoo addresses. Staff assumed TLS was enough because IT mentioned it during onboarding. Six months in, the practice discovered the Encrypt button was missing because their tier did not include Purview. They upgraded 12 seats to Business Premium at $22 per user per month, activated Azure Rights Management, and rebuilt a mail flow rule that auto-encrypts any outbound message to non-corporate domains.

Comparing the encryption methods across clients

The methods trade off between ease of use, recipient reach, and compliance strength. This table lays out the practical differences.

MethodSender platformRecipient reachCompliance-grade
Outlook 365 Encrypt buttonBusiness Premium and upAny recipient via portalYes with BAA on tenant
S/MIME certificateOutlook 2010 to 2016 and 365Recipients with certificatesYes when configured
Gmail confidential modeAny Gmail accountAny recipientNo, not on its own
Gmail client-side encryptionQualifying Workspace tiersWorkspace with CSE identityYes with BAA on tenant
Yahoo nativeNone availableNot applicableNo
Dedicated encrypted email serviceAny client with plug-in or webAny recipient via portalYes with vendor BAA

Portal-based methods reach any recipient. Certificate-based methods only work between correspondents with matching PKI infrastructure. Choose based on who you actually send to.

For solo practices sending to patients on consumer email, portal-based encryption is the reliable default. The how to send encrypted email guide covers the sender workflow in more detail.

how do i send encrypted email in article illustration two

Choosing between Encrypt-Only and Do Not Forward in Outlook

Outlook’s Encrypt button gives two options that trip up new users. The right choice depends on how much control you need after the message leaves your outbox.

Encrypt-Only encrypts the message content and attachments. The recipient can reply and forward. Any forwarded copy remains encrypted. This is the right choice for a normal sensitive message where the recipient may legitimately need to share it with a colleague.

Do Not Forward encrypts the message and also blocks forwarding, reply-all, printing, copying, and attachment download. This is the right choice for a legal notice, an executive communication, or a message where you want tight distribution control.

Both options use Microsoft Purview Message Encryption underneath. The distinction is in the rights template applied to the message. Guidance on rights templates is in the Microsoft Azure Rights Management documentation.

Recipient experience across encryption methods

The sender picks the method. The recipient lives with it. Understanding the recipient experience for each method helps a sender choose the right one for the audience.

Portal-based encryption gives the recipient a notification email with a link. The recipient clicks, signs in with a one-time passcode or a linked account, and reads the message in a browser. First-time recipients often need a short explanation of the flow.

S/MIME opens the message inline in the recipient mail client once the recipient certificate is installed. There is no portal step. If the certificate is missing, the message body appears garbled or refuses to open.

Confidential mode from Gmail sends the recipient a link to a Google-hosted view where the message opens after optional passcode verification. Downloads and forwarding are blocked but the underlying storage is not encrypted at rest.

๐Ÿ’กPro Tip: Match the encryption method to the strictest recipientMethod choice fails when senders default to the easiest option for internal use. Portal-based encryption reaches any recipient without prerequisites, so treat it as the default for external clinical mail. Reserve S/MIME for correspondents with existing PKI infrastructure. Configure a mail flow rule that enforces encryption on any message leaving the practice domain, so untrained staff cannot accidentally send patient content in cleartext.

When each method is the right choice

Method choice comes down to who you send to and what compliance obligation applies. The following patterns match methods to typical use cases.

  • Sending to patients on any consumer email: portal-based encryption from Outlook 365 or a dedicated encrypted email service
  • Sending to another business on Microsoft 365: Outlook 365 Encrypt button, message opens inline for the recipient
  • Sending to a corporate or government recipient with existing S/MIME: import certificates and use S/MIME
  • Sending non-PHI internal-sensitive mail inside Google Workspace: Gmail confidential mode is acceptable for the sensitivity but not for HIPAA
  • Sending high-volume transactional email programmatically: a HIPAA-eligible email API through a vendor with a BAA

Match the method to the strictest requirement in the message flow. A healthcare practice that sends both internal-sensitive and patient-covered mail needs the patient-covered method for both, not the internal-sensitive method for the mix.

Practices with a website that also collects sensitive information should align their web infrastructure with the email choice. Redefine Web covers relevant patterns in the overview of healthcare website security features.

Troubleshooting common send failures

Encryption send failures usually trace back to configuration rather than the message itself. The following symptoms map to specific fixes.

Missing Encrypt button in Outlook 365 means the account is not on a qualifying plan or the tenant has not enabled Azure Rights Management. The fix is either a license upgrade or an admin action on the tenant.

S/MIME send fails with a certificate error means the recipient certificate is not available. Outlook cannot encrypt to a recipient whose public certificate has not been previously received. Ask the recipient to send you a signed message first so their certificate is captured.

Recipient reports the portal login fails with a one-time passcode. Passcodes expire after fifteen minutes. Ask the recipient to request a fresh code and use it immediately. Some corporate spam filters delay the passcode delivery past the expiration window, in which case an alternate email address is needed. The National Institute of Standards and Technology publishes recommended email security guidance in NIST SP 800-177 Rev. 1.

Setting up encrypted email once so future sends are easier

Sending encrypted email should not be a per-message decision. Configure the account once so the workflow is consistent across all correspondence.

For Outlook 365, ask your admin to set default encryption on messages to certain external domains through a mail flow rule. This means messages to patient addresses or partner accounts are always encrypted without the sender toggling the button.

For dedicated encrypted email services, install the Gmail or Outlook plug-in on every workstation used by clinical or administrative staff. Enable the default-encrypt behavior in the service settings so no untrained sender accidentally sends plain text.

Document the workflow in a one-page internal reference. Include screenshots of the Encrypt button, the confidential mode toggle, or the plug-in send button as appropriate. New staff can then reach compliant sending on their first day rather than after weeks of trial and error.

How to Send Encrypted Email Without Extra Software

send encrypted email guide featured image

๐Ÿ”‘ Key Takeaways

  • Gmail offers confidential mode for basics and S/MIME on paid Workspace plans for real encryption.
  • Outlook's Encrypt button works on 365 Business Premium and higher, backed by Purview and Azure RMS.
  • iPhone Mail supports S/MIME via config profile, but only if both sides already exchanged certs.
  • Developers can wire S/MIME in C# via System.Security.Cryptography.Pkcs or ship faster with an API.
  • Mailhippo layers on existing Gmail or 365 mailboxes, ships the BAA, and skips all cert management.

Sending an encrypted email used to require certificates, keys, and a shared setup between sender and recipient. Native email clients now include options that skip most of that friction, and dedicated services handle it entirely on the server side.

The right method depends on the account you send from, the recipient software, and whether the message contains regulated data like protected health information. Practices and developers who need a HIPAA-safe path can look at a secure email service that sits behind Gmail or Microsoft 365 without extra client software.

This guide walks through the native encryption steps for Gmail, Outlook, iPhone Mail, and code, and shows where each option fits. It also covers the recipient experience, which is the part that most often decides whether an encryption workflow gets used or ignored.

Gmail confidential mode is a starting point, not full encryption

Gmail confidential mode is available on every account, including free personal Gmail. Composing a message and clicking the padlock-and-clock icon at the bottom of the window opens the confidential mode panel.

Confidential mode sets an expiration date, blocks recipients from forwarding, copying, printing, or downloading the message, and can require an SMS passcode. Google stores the message on its own servers and delivers the recipient a link rather than the full body.

The message body itself is not encrypted end-to-end. Google can read it, and confidential mode alone does not satisfy HIPAA requirements because Google does not sign a business associate agreement for free consumer Gmail.

For paid Google Workspace tenants, S/MIME is available on the Enterprise Plus, Education Standard, and Education Plus plans. The admin enables hosted S/MIME in the Google Admin console, uploads a certificate for each user, and the compose window then shows a lock icon that toggles between signed, encrypted, and both.

External S/MIME requires the recipient to hold a matching certificate, which limits the practical scope to organizations that have already exchanged certificates. For patient communication, most practices use a portal-based service instead.

Outlook uses the Encrypt button on Business Premium and higher

Microsoft 365 Business Premium, Apps for Enterprise, and the E3 and E5 tiers include Microsoft Purview Message Encryption. In new Outlook and Outlook on the web, the Encrypt button appears in the Options ribbon and offers two presets.

The first preset is Encrypt, which locks the message so only recipients with valid credentials can open it. The second is Do Not Forward, which encrypts the message and additionally blocks forwarding, printing, and copying by the original recipients.

External recipients receive a link and open the message in a browser portal after signing in with Microsoft, Google, Yahoo, or a one-time passcode. The workflow is documented in the Microsoft Purview Message Encryption reference.

For a tenant on Business Basic or Business Standard, the Encrypt button does not appear. Options are to upgrade the affected mailboxes, add Azure Information Protection as a per-user license, or layer a third-party encrypted email service on top of the existing account.

Purview also requires the tenant to have signed a business associate agreement with Microsoft before it can be considered HIPAA-covered. That agreement is available at no extra cost on eligible plans but must be requested through the Service Trust Portal.

send encrypted email in article illustration one

iPhone Mail supports S/MIME with a configuration profile

Apple Mail on iOS 17 and later supports S/MIME on iCloud, Exchange, and IMAP accounts. Enabling it requires a personal certificate installed through a configuration profile, either from the organization mobile device management console or a signed .mobileconfig file.

Once the certificate is trusted, the account Advanced settings screen exposes a Sign and an Encrypt toggle under S/MIME. Enabling Encrypt tells Mail to attempt encryption on every outbound message from that account.

The compose screen shows a lock icon next to the recipient. A closed lock means Mail has the recipient public certificate and will encrypt the message. An open lock means the certificate is missing and the message will go out unencrypted.

For clinical staff sending patient information from a phone, S/MIME on iOS works but depends on prior certificate exchange with every recipient. That is often unrealistic for patient-facing mail.

A hosted encrypted email service accessed through the mobile browser or a light native app removes the certificate management step. The same account works from desktop, web, and phone.

C# applications can encrypt mail with System.Security.Cryptography.Pkcs

The .NET standard library ships with S/MIME primitives in the System.Security.Cryptography.Pkcs namespace. The developer loads the recipient X.509 certificate, wraps the message body in an EnvelopedCms container, and encrypts it using the certificate public key.

The resulting binary is packaged into a MIME message with the application/pkcs7-mime content type, then sent through SMTP with SmtpClient or MailKit. Recipients open it in an S/MIME-aware mail client, which decrypts it with the matching private key.

The MimeKit library adds a higher-level Multipart/Signed and Multipart/Encrypted wrapper that handles most of the MIME assembly automatically. MimeKit also supports PGP through the BouncyCastle backend for teams that prefer that path.

For applications that send protected health information, calling a secure email API that encrypts every outbound message server-side is usually faster than building and maintaining certificate code. The BAA is signed at the vendor level and covers every message the application sends.

SSIS packages that need to send encrypted mail from a scheduled data flow can call a script task that runs the same .NET code, or shell out to a PowerShell step that uses the Send-MailMessage cmdlet against a hardened SMTP relay.

Example A solo family physician on Microsoft 365 Business Basic tried to send a lab result to a specialist and found no Encrypt button in Outlook. Upgrading her single seat to Business Premium cost $22 per month against $6 for Business Basic. She instead layered Mailhippo at $4.95 per month on top of her existing Business Basic account. The BAA was bundled, setup took 18 minutes, and her first encrypted send to the specialist opened on his iPhone with a single tap. Total added cost was under $60 per year.

PGP is powerful but rarely the right fit for everyday practice mail

PGP encrypts the message body with the recipient public key and signs it with the sender private key. It has been the standard for security-conscious technical users since the 1990s.

The friction is real. Both sides must generate keys, publish public keys somewhere the other side can find them, and use a mail client with PGP support such as Thunderbird with the built-in OpenPGP module or GPG Suite on macOS.

Web-based Gmail and Outlook require browser extensions like Mailvelope to handle PGP, which adds another moving part and a browser-side keyring the user must protect and back up.

For patient-facing communication, PGP is impractical because most patients do not have keys and will not create them. Portal-based systems bypass the key exchange problem entirely and are easier to explain to non-technical recipients.

For sending encrypted messages between two developers or two security teams, PGP remains an efficient choice, and the OpenPGP working group standard is documented at the IETF.

HIPAA-safe encrypted email needs a signed business associate agreement

HIPAA requires covered entities and their business associates to sign a business associate agreement before sharing protected health information. That agreement must be in place before any email service can be considered HIPAA-safe for patient data.

Google Workspace and Microsoft 365 both offer a BAA on eligible paid plans, but the practice must request and sign it. Free consumer accounts are never covered, regardless of how the mail is encrypted.

The HHS HIPAA guidance explains which providers count as covered entities and when a BAA is required. Any vendor that touches, stores, or transmits PHI on the covered entity behalf falls under the rule.

A dedicated encrypted email service such as Mailhippo includes the BAA in the base plan, so every message sent through the account is covered without a separate request or license upgrade. That removes one of the more common compliance gaps found in small-practice audits.

For practices that want the convenience without changing their existing mail platform, see how to send encrypted emails from any account without adding client software.

send encrypted email in article illustration two

The recipient experience decides whether the workflow gets used

The most secure encryption method fails if the recipient cannot open the message. Every method above has a different recipient experience, and matching that experience to the audience matters as much as the underlying cryptography.

S/MIME and PGP require the recipient to have keys or certificates already set up. Purview and Workspace portal messages require the recipient to sign in or use a one-time passcode.

Portal-based encrypted email services typically deliver a link that opens in a browser, with a passcode sent to the recipient inbox or phone. Patients open it, read the message, and reply through the same secure channel without any account setup.

Front-desk staff, billing, and referring providers each have different tolerance for portal login steps. Testing the full round-trip with a real recipient before rolling the workflow out avoids the most common cause of failed encryption programs, which is that nobody actually opens the encrypted messages.

Practices building a full patient communication stack should also think about the surrounding website. Guidance on security features for healthcare websites covers form handling, SSL, and portal integration alongside encrypted email.

Attachments carry the same encryption rules as the message body

Attachments are the most common source of PHI exposure because staff often paste a scanned document or a lab report into a message without thinking about the transport. The same encryption rules apply to attachments as to the body.

Purview and Google Workspace S/MIME encrypt attachments along with the body when the encryption toggle is on. Confidential mode in free Gmail applies expiration and forwarding limits but does not encrypt the attachment end-to-end.

File size limits are a separate consideration. Gmail caps attachments at 25 MB, Outlook at 20 MB on most tiers, and many portal-based encrypted services support larger files by hosting the attachment on their own storage and delivering a link.

For large medical imaging files, a dedicated secure file transfer service alongside encrypted email is often the right pattern. A single encrypted message can then reference the file link and include the passcode.

Verifying that attachments actually arrive encrypted is worth doing during initial rollout. Sending a test message to a personal address on a different provider surfaces any downgrade to plain text.

๐Ÿ’กPro Tip: Test the round-trip before rolling outThe most secure encryption fails if the recipient cannot open the message or reply. Before announcing a new encryption workflow to staff, send a test message from your production account to a personal Gmail, a personal iCloud address, and an Outlook.com address. Confirm each opens on both mobile and desktop. Confirm the reply arrives back encrypted. A five-minute round-trip test catches mobile browser bugs, spam-filter blocks, and portal registration friction before a real patient hits them.

Automation and shared inboxes need a different setup

Scheduled reports, appointment reminders, and billing notifications sent from an application or a shared inbox cannot rely on a human clicking Encrypt in the ribbon. They need a policy or an API that encrypts every outbound message automatically.

Microsoft Purview supports mail flow rules that apply encryption based on the sender, recipient, subject, or content. A rule can encrypt every message going to a specific insurance carrier or every message from a specific mailbox.

Google Workspace has similar content compliance rules under Apps, Google Workspace, Gmail, Compliance in the Admin console. Rules can trigger S/MIME encryption or route the message through a third-party gateway.

For custom applications, a secure email API removes the rule complexity by encrypting every message at the transport layer. The application calls a single endpoint and the vendor handles the compliance mechanics.

Common patterns worth automating include appointment reminders with clinic name and date only in the plain-text body and the full detail behind a secure link, and billing statements delivered through a portal link rather than a raw PDF attachment.

Auditing what you actually send matters more than the theory

Every encrypted email program should include a periodic audit of the sent folder against the encryption logs. The point is to confirm that messages containing PHI actually went out encrypted, not that the option was available.

Microsoft Purview reports show which messages triggered the Encrypt policy and which recipients opened them. Google Workspace audit logs show S/MIME activity and portal opens.

A monthly review that samples a handful of outbound messages catches the common failure modes early. Common findings include messages sent from a mobile client that skipped the encryption step, messages CC-ed to personal addresses, and forwarded threads that dropped the encryption header.

The NIST SP 800-177 Rev. 1 Trustworthy Email guidance covers the technical controls that support this kind of audit, including DKIM, DMARC, and TLS reporting.

Practices that want a shorter path can use encrypted email as a single-vendor service that logs every message, portal open, and reply against the account, which shortens the audit to a single report.

Picking a method comes down to the recipients and the volume

For internal mail between employees on the same tenant, S/MIME or Purview Do Not Forward is the low-friction path because everyone already has the required setup.

For mail to patients, referring providers, and insurance carriers, portal-based encryption avoids the certificate exchange problem. Recipients get a link and read the message without installing anything.

For high volume automated mail from an application, a secure email API is the right layer because it applies encryption once at the transport rather than in every application code path.

Sole practitioners and small practices sending occasional patient mail from a mixed set of devices, including iPhones, get the least friction from a dedicated encrypted email service that includes the BAA and works with any existing Gmail or Microsoft 365 account.

Whichever method fits, the first test is always the same. Send a message to a real recipient outside your organization, confirm they can open it, and confirm they can reply through the same encrypted channel. If any step fails, patient mail will fall back to plain text within days.

What Are Encrypted Emails and How They Actually Work

what are encrypted emails guide featured image

๐Ÿ”‘ Key Takeaways

  • Encrypted email means ciphertext in transit and at rest, decoded only by the recipient's key.
  • Gmail auto-encrypts transport via TLS, but true content encryption needs S/MIME on Enterprise Plus.
  • S/MIME forwards re-encrypt per recipient; portal messages usually can't be forwarded at all.
  • You get encrypted mail when a provider, lawyer, or insurer applies encryption to protect the thread.
  • Encryption stops interception, not phishing or malware. Layer MFA and endpoint protection on top.

Encrypted emails are messages you cannot read without the right key or credential. The concept is simple. The specific methods, recipient experiences, and edge cases behind it are where confusion starts.

This guide covers what encrypted emails actually are, how Gmail and Outlook handle them, whether they can be forwarded, and how to tell a legitimate encrypted message from a phishing attempt. For senders evaluating an encrypted email service, the recipient experience is often more important than the technical specs.

Read the sections in order. Each one covers a specific question users typically ask.

Encrypted Emails Turn Message Content Into Unreadable Ciphertext

An encrypted email is a message where the content has been transformed into ciphertext that only the intended recipient can decode. Encryption applies at one or more layers of the email delivery path.

Transport encryption using TLS protects the message between mail servers. The message body is readable at the servers themselves but not on the network between them.

Content encryption using S/MIME or PGP protects the message body itself. The message stays encrypted at the recipient mail provider until decrypted by the recipient with a matching key.

Portal-based encryption stores the message on a vendor server and delivers a sign-in link. The recipient authenticates to the vendor portal and reads the message in a browser.

Each method covers different threats. Best practice layers TLS with content or portal encryption rather than relying on transport alone.

Gmail and Encrypted Email Behavior

Gmail encrypts messages automatically for transport but not for content by default. Understanding the difference clears up common questions about Gmail encryption.

Google Workspace uses TLS 1.2 or 1.3 when connecting to receiving servers that support it. Standard consumer Gmail does the same. This transport encryption prevents interception on the network path.

Content encryption in Gmail requires Google Workspace Enterprise Plus for S/MIME. The administrator provisions certificates for users and enables encrypted sending inside the workspace policy.

Add-ons like FlowCrypt and Mailvelope bring PGP-based encryption to any Gmail account. The user installs the browser extension, generates a key pair, and encrypts messages one at a time.

Google Confidential Mode is not content encryption. It adds expiration and access controls but Google retains access to the underlying content. Practices should not treat Confidential Mode as HIPAA-compliant encryption.

what are encrypted emails in article illustration one

Outlook and Encrypted Email Behavior

Outlook supports S/MIME natively across Microsoft 365 Business Premium and higher tiers. The certificate installs into the local certificate store and enables signed and encrypted sending.

Microsoft Purview Message Encryption adds a policy-based layer that triggers on rules configured by the administrator. External recipients receive a portal link and sign in with Microsoft, Google, or a one-time passcode.

Third-party add-ins from Virtru, Mailhippo, and other vendors add another encryption path that works across Microsoft 365 tiers without requiring Business Premium.

Outlook shows encrypted messages with a padlock icon in the header. The message properties confirm the encryption method and certificate details.

Users can verify a sent message was encrypted by checking the Sent Items folder for the same padlock indicator. Related coverage in encrypted emails Outlook covers the specific configuration steps.

Forwarding Encrypted Emails Changes the Encryption Context

Encrypted emails can sometimes be forwarded but the encryption context often changes depending on the method and sender policy.

S/MIME messages forwarded from Outlook typically get decrypted with the original recipient key and re-encrypted for the forward recipient if forwarding is permitted. The forward recipient must have a matching certificate or the message will not decrypt on their end.

Portal-based encrypted messages usually cannot be forwarded because the recipient holds a portal access link, not the underlying content. Some vendors allow the recipient to share the portal link with another user, subject to sender policy.

Sender-set rights management controls decide what forwarding is allowed. Microsoft Purview Message Encryption supports Do Not Forward as a rights template that blocks forwarding entirely.

Practices sending regulated content should default to Do Not Forward and enable forwarding only when the sender explicitly permits it. Blanket forwarding permissions undermine the sender control that encryption otherwise provides.

Example A patient received a Purview-encrypted email from her cardiologist with lab results. She forwarded the message to her adult son for a second opinion, expecting the encryption to travel with the message. The sender had applied the Do Not Forward template, so her Outlook client blocked the forward attempt with a rights management warning. She instead saved the PDF attachment locally, opened a separate encrypted email through Mailhippo to her son, and attached the PDF. The chain preserved sender control while still reaching the trusted second reader.

Encrypted Email Comparison Across Common Methods

The table below compares four common encryption methods across the fields that decide recipient experience and security posture.

MethodRecipient StepsContent Encrypted at RestForwarding BehaviorTypical Use
TLS Transport OnlyNoneNoFreely forwardableStandard business email
S/MIMECertificate installedYesRe-encrypted per recipientEnterprise between certificate holders
PGPKey installedYesRe-encrypted per recipientTechnical users, journalists
Portal EncryptionClick link, sign inYes on vendor serverUsually blockedHealthcare, finance to external recipients

Real-world deployments often layer TLS with either content or portal encryption. The layered approach covers more threats than any single method alone.

Why You Might Be Getting Encrypted Emails

Recipients often receive encrypted emails without expecting them. The reasons are usually straightforward.

A healthcare provider sending PHI encrypts to protect patient information under HIPAA. Test results, appointment details, and billing statements often arrive encrypted.

A financial services firm sending account details encrypts to protect against fraud and to meet GLBA requirements. Statements, tax documents, and account changes often arrive encrypted.

A legal counterparty sending privileged material encrypts to protect attorney-client privilege. Settlement documents, court filings, and case correspondence often arrive encrypted.

An employer sending HR content encrypts to protect employee records. Offer letters, tax forms, and performance reviews often arrive encrypted.

Legitimate encrypted messages come from known senders and route through recognizable vendors like Microsoft, Google, Mailhippo, Virtru, or Barracuda. Suspicious encrypted messages from unknown senders should be treated as potential phishing.

what are encrypted emails in article illustration two

Phishing Increasingly Mimics Encrypted Email Delivery

Phishing campaigns increasingly use fake encryption portals to harvest credentials. Recognizing the pattern reduces the risk of falling for one.

Fake encrypted email notifications typically arrive from unfamiliar senders and reference a document you did not expect. The link goes to a domain that looks similar to a real vendor but does not match.

The fake portal asks for the email password or a Microsoft account sign-in. Legitimate portals ask for a one-time passcode sent to your address or a sign-in with an existing account you recognize.

The CISA phishing guidance covers common patterns and what to do if you suspect a phishing attempt.

Best practice verifies the sender through a separate channel before clicking any encrypted email link from an unfamiliar source. A phone call to a known number is worth thirty seconds of caution.

Are Encrypted Emails Actually Safe

Encrypted emails are safer than unencrypted emails against interception and provider-side access. They do not defend against every threat.

Phishing attacks that steal mail credentials bypass encryption by giving the attacker legitimate access to the inbox. The attacker sees the plaintext through the same interface as the real user.

Malware on the sender or recipient device captures plaintext before encryption or after decryption. Keyloggers, screen scrapers, and clipboard monitors all bypass the encryption layer.

Weak recipient portal passwords make encryption meaningless. A message encrypted with AES-256 protected by a password of qwerty is not protected in any meaningful sense.

Real security posture layers encryption with multi-factor authentication, endpoint protection, phishing training, and incident response. Each layer covers threats the others miss.

๐Ÿ’กPro Tip: Default to Do Not Forward for regulated contentEncrypt-Only lets recipients forward, print, and copy freely once decrypted, which defeats sender control for regulated PHI, legal documents, and privileged material. Set Do Not Forward as the default template on any mail flow rule that fires for clinical, legal, or HR content. Recipients who genuinely need to share the content can request a fresh encrypted send to the additional party, which keeps the audit trail intact and preserves rights management on the second thread.

Shared Mailboxes and Encrypted Messages

Shared mailboxes complicate encrypted email handling. The complications matter more for regulated content than for general business email.

S/MIME-encrypted messages in a shared mailbox require the mailbox owner or delegated user to have a matching certificate. If the certificate is tied to an individual account, other delegates cannot decrypt.

Portal-encrypted messages in a shared mailbox arrive as notification emails. Anyone with credentials to the portal can sign in and read the content. This model preserves recipient anonymity at the cost of audit clarity.

Best practice restricts encrypted PHI or sensitive content to named individual mailboxes rather than shared ones. The audit trail stays clean, and inadvertent access by delegated users does not happen.

Practices with shared inboxes for reception or billing should route PHI through a named clinical inbox and reserve the shared inbox for non-PHI communication.

Related Encrypted Email Reading

Encrypted emails cover multiple adjacent topics. The companion guides below add depth on specific questions.

Users trying to open a specific encrypted message can review how to open encrypted emails in Outlook and how to view encrypted emails. Both guides cover the recipient-side workflow across common vendors.

Senders configuring encrypted sending in Outlook benefit from encrypting emails in Outlook. The guide covers S/MIME setup and the ribbon controls.

Users comparing encryption providers can review ProtonMail encrypted email for a specific vendor deep-dive. ProtonMail illustrates a pure E2EE approach.

Broader coverage of whether standard email is encrypted at all lives in are emails encrypted. The guide covers the transport-only default across major providers.

Where Redefine Web Fits the Healthcare Email Stack

Encrypted email covers the message pipeline. Website contact forms, patient portals, and marketing platforms carry PHI that must reach the same encryption controls.

A contact form on the practice website that emails PHI to a generic Gmail address bypasses every encryption control the practice buys. The submission arrives unencrypted, and the audit trail does not exist.

Redefine Web builds HIPAA-aware healthcare websites and integrates the forms with encrypted delivery paths. Details on the healthcare marketing agency practice cover the surface area that sits alongside encrypted email.

A closed-loop review across website, forms, email, and portal reduces the risk that a PHI leak lands in an unencrypted channel by mistake.

Mailhippo fits senders that want encrypted email delivery with the BAA, audit logging, and simple recipient experience in one product. The service integrates with existing Gmail or Outlook accounts and keeps the recipient path to a single click for most messages, whether the recipient is on Gmail, Outlook, or another provider. Understanding what encrypted emails are makes the vendor conversation shorter and the buying decision more defensible.

Email Encryption for Small Business Practical Buying Guide

email encryption for small business guide featured image

๐Ÿ”‘ Key Takeaways

  • Small business email encryption hinges on three questions, not a fifty-row enterprise checklist.
  • Dedicated services run $5 to $15 per user monthly with the BAA baked into the base plan.
  • Setup fits an afternoon at ten seats; multi-day quotes signal the wrong buyer profile.
  • HIPAA needs a signed BAA, workforce training, audit review, and an incident response plan.
  • Recipient friction over thirty seconds kills adoption and pushes staff back to plain email.

Email encryption for small business owners is a shorter conversation than most vendor demos suggest. The buying decision hinges on three questions rather than a fifty-row feature comparison.

This guide covers those three questions, the pricing tiers that fit small business budgets, the setup steps that fit an afternoon, and the recipient experience that actually determines whether staff keep using the tool. For HIPAA-adjacent small businesses, a secure email service that includes the BAA in the base plan removes most of the friction.

Read the sections in order. Each one filters the shortlist.

Small Business Encryption Needs Are Different From Enterprise

Small businesses buy encryption to solve one problem, not to consolidate a security operations program. The one-problem framing changes the product shortlist.

A five-person medical practice sends PHI to patients and referring providers. A ten-person law firm sends privileged documents to clients and opposing counsel. A twenty-person accounting firm sends tax filings to clients and payroll data to state agencies.

Each case has a well-defined sender group, a well-defined recipient audience, and a specific compliance requirement. None of the three needs data loss prevention with two hundred rules, advanced threat protection with sandboxing, or archiving for legal hold.

Enterprise gateway products bundle those features and price accordingly. Small businesses that buy enterprise gateways pay two to four times what a dedicated service would cost and use a fraction of the features.

The right product for a small business handles encryption, BAA coverage, and audit logging without the enterprise bundle. Extra features add cost without matching operational benefit.

Three Questions Filter the Shortlist

Three questions eliminate most vendors from the small business shortlist within an hour of research. Answer them before scheduling a demo.

  • Does the vendor include a business associate agreement in the base plan?
  • Does the service work with existing Gmail or Outlook accounts without a mailbox migration?
  • Does the recipient experience stay under thirty seconds for a typical patient or client?

Vendors that require a plan upgrade for the BAA drive up the effective cost for a healthcare practice. Microsoft and Google both fit this pattern. A dedicated service that includes the BAA in the base plan avoids the upgrade.

Vendors that require a mailbox migration disrupt every business process that depends on the current email addresses. A connector-based integration avoids the migration.

Vendors with heavy recipient portals reduce response rates. Test the recipient path during the trial with real target recipients, not internal test accounts.

email encryption for small business in article illustration one

Pricing Under Fifteen Dollars Per User Fits Most Small Businesses

Pricing at the small business tier lands between five and fifteen dollars per user per month for dedicated encryption services with BAA coverage.

Mailhippo publishes rates from about five dollars per user per month with unlimited encrypted sending and BAA coverage. LuxSci Standard runs about ten to fifteen dollars per user per month with S/MIME and portal options. Virtru sits in a similar range with plugin-based delivery.

Microsoft 365 Business Premium runs about twenty-two dollars per user per month and includes Purview Message Encryption plus a broader security bundle. Google Workspace Business Standard does not include client-side encryption. Enterprise Plus at about thirty dollars per user per month does.

A five-person practice pays roughly six hundred dollars per year for a dedicated encryption service against thirteen hundred for Business Premium. The gap widens at larger seat counts.

Practices that already use Business Premium for the other security features can extend that license rather than adding a separate product. Practices on Business Basic or Business Standard almost always save money on a dedicated service.

Setup Should Fit Inside One Afternoon

Small business encryption setup should take one to four hours for a dedicated service. Multi-day setup indicates a product built for larger buyers.

The standard steps involve creating the vendor account, adding DNS records for the sending domain, connecting the vendor to the existing Microsoft 365 or Google Workspace account through the admin console, and installing a plugin or Chrome extension for users.

DNS updates typically require SPF, DKIM, and DMARC alignment with the vendor sending infrastructure. Most vendors provide the exact record values in a setup wizard.

User training runs fifteen to thirty minutes per staff member. The training covers when to encrypt, how to trigger encryption, what the recipient sees, and how to check the audit log.

Practices without a dedicated IT team can handle the setup with a general familiarity with Microsoft 365 or Google Workspace admin panels. A local IT consultant can complete the deployment in a half-day site visit.

Example A five-clinician dental practice on Microsoft 365 Business Basic sends about 120 patient messages weekly with lab results, appointment details, and referral notes. The office manager evaluates two options. Upgrading fifteen seats to Business Premium costs roughly $3,960 per year. Adding Mailhippo at $8 per user monthly costs $1,440 per year and ships the BAA in the base plan. Setup runs three hours on a Friday afternoon. Within two weeks, patient open rates hold above 85 percent because recipients read messages inline without portal registration.

HIPAA Compliant Email for Small Business Requires More Than Encryption

HIPAA compliance for a small medical, dental, or therapy practice requires several components beyond the encryption tool itself.

The practice signs a business associate agreement with the encryption vendor. The BAA covers the vendor obligations for PHI handling, breach notification, and audit response.

The practice documents workforce training on PHI handling in email. Training covers what constitutes PHI, when encryption is required, how to recognize phishing that targets clinical staff, and how to report a suspected incident.

The practice audits access to encrypted messages periodically. The HHS Security Rule requires audit review as part of the administrative safeguards.

The practice maintains an incident response procedure covering suspected breach, notification to affected individuals, and reporting to OCR under the breach notification rule.

Encryption alone without these administrative controls does not create compliance. OCR investigations find the administrative gap in small practice settlements as often as they find technical gaps.

Comparison Across Small Business Options

The table below compares common encryption options for small business across the fields that matter most in the buying decision.

OptionPrice Per UserBAA IncludedSetup TimeWorks With Existing Gmail/Outlook
Mailhippo$5 to $12Yes1 to 4 hoursYes
Virtru Business$8 to $15Yes on paid tier1 to 4 hoursYes
LuxSci Standard$10 to $20Yes2 to 6 hoursYes
Microsoft 365 Business Premium$22Yes on eligible plan2 to 6 hoursYes, native
Google Workspace Enterprise Plus$30Yes on eligible plan4 to 8 hoursYes, native
Barracuda Email Gateway Defense$18 to $30Yes1 to 3 daysYes with MX cutover

Prices reflect 2026 published rates on annual billing. Actual quotes vary by seat count and add-on selection.

email encryption for small business in article illustration two

Working With Existing Gmail and Outlook Accounts

Small businesses rarely want to migrate mailboxes for an encryption feature. Every modern service integrates with the existing mail platform.

Google Workspace integrations use a routing connector inside the admin console. Outbound mail flows through the encryption service, and the user sees no change in Gmail.

Microsoft 365 integrations use a similar connector inside Exchange Online. Outbound mail routes through the vendor for encryption, and users continue sending from Outlook or Outlook on the Web.

Chrome extensions and Outlook add-ins provide the visible interface for users. An Encrypt button appears next to Send. Some services also allow subject line keywords like [encrypt] to trigger encryption.

The user keeps their existing email address. No mailbox migration. No lost email history. The change is invisible to internal workflow beyond the new Encrypt button.

Recipient Experience Predicts Adoption

Recipient experience is the strongest predictor of whether staff keep using the encryption tool six months later. Practices should test the recipient path before signing.

Direct delivery to Gmail or Outlook recipients with compatible domain settings looks like a normal message with a padlock indicator. No extra steps. This model works when both sides support the vendor delivery method.

Portal delivery with one-time passcode adds one step. The recipient clicks the notification link, enters a code sent to their email, and reads the message in a browser tab.

Portal delivery with account registration adds three or four steps. The recipient creates a portal account, verifies their email, sets a password, and then reads the message. This model reduces response rates significantly.

Test each vendor by sending three messages to real target recipients during the trial. Ask them how many steps they took and how long the process felt.

๐Ÿ’กPro Tip: Test the recipient path with real patients firstVendor demos always show the smoothest recipient experience. Real patients on old Android phones or basic Yahoo accounts often hit walls the demo hides. Send three test messages to actual target recipients during any trial. Ask them how many taps they took and whether they gave up. The vendor scoring highest on that single question will produce the fewest support tickets and the highest six-month adoption rate at the practice.

Common Small Business Vertical Fit

Different small business verticals have slightly different encryption needs. Understanding the vertical fit narrows the shortlist.

Medical and dental practices need HIPAA-covered encryption with BAA and audit logging. Recipient audience includes patients on various free mail providers. Direct delivery with portal fallback fits best.

Law firms need attorney-client privilege protection with retention controls. Recipient audience includes clients, opposing counsel, and courts. Portal delivery with strict access controls fits privileged material.

Accounting firms need financial data protection during tax season and payroll cycles. Recipient audience includes clients and government agencies. TLS transport plus content encryption on sensitive attachments covers most cases.

Real estate offices need transaction document protection during closing. Recipient audience includes buyers, sellers, lenders, and title companies. Portal delivery with expiration windows fits the transaction lifecycle.

Each vertical fits the same three-question filter with slightly different weight on each answer.

Where a Healthcare Website Ties Into the Encryption Stack

Small healthcare practices often overlook the website side of the PHI perimeter. Contact forms, appointment requests, and patient intake pages carry PHI that must reach the encrypted email pipeline or a HIPAA-covered database.

An unencrypted contact form that emails PHI to a generic Gmail address bypasses every encryption tool the practice buys. The submission arrives unencrypted, and the audit trail does not exist.

Redefine Web builds HIPAA-aware websites and integrates the forms with encrypted delivery paths. Details on HIPAA-compliant healthcare website design cover the surface area that sits alongside encrypted email.

A closed-loop review across website, forms, email, and portal reduces the risk that a PHI leak lands in an unencrypted channel by mistake.

Related Small Business Encryption Reading

The email encryption for small business decision touches several related topics. Practices narrowing a shortlist can review these companion guides.

Broader coverage of business email encryption pricing and vendor positioning applies to businesses above the small tier but often overlaps in the ten-to-fifty seat range.

Practices already on Microsoft 365 can compare with Microsoft 365 Business Premium email encryption to decide whether the license upgrade beats a dedicated service.

Practices new to the topic often benefit from encryption for email foundational reading before evaluating specific vendors. The technical background sharpens vendor questions.

Cost-focused searches often surface free HIPAA compliant email options. That guide covers where free tools stop and paid tools become necessary.

Mailhippo fits the profile of a small business that needs HIPAA-ready encrypted email at the lower end of the pricing tier. The service integrates with existing Gmail or Outlook accounts, includes the BAA in the base plan, and keeps the recipient path to a single click for most messages. A structured trial answers the three questions and produces a defensible buying decision.

End to End Encrypted Email Services Explained for Business Users

end to end encrypted email services guide featured image

๐Ÿ”‘ Key Takeaways

  • End-to-end encryption keeps message keys on endpoints; no server, not even the provider, decrypts.
  • S/MIME uses X.509 certificates from a CA; OpenPGP uses user-generated keys and a web of trust.
  • ProtonMail and Tuta cover intra-platform sends; cross-provider mail falls back to password links.
  • E2E blocks server compromise and subpoenas; it does not stop phishing or endpoint malware.
  • HIPAA does not mandate E2E; TLS plus a signed BAA and access controls satisfy the Security Rule.

End to end encrypted email services keep the message readable only by the sender and the recipient. Every server in between, including the email provider itself, holds only ciphertext. That property matters when the threat model includes provider access or server-side compromise.

This guide covers how encrypted email qualifies as end to end and where the term gets misused. Sections address the standards (S/MIME and OpenPGP), the consumer secure webmail category, HIPAA implications, and the practical limits of the model.

The material aims to give IT decision makers a working framework for evaluating end to end encryption claims against their actual workflow. Every vendor claims strong encryption. Only some claims survive scrutiny of what the provider can and cannot read.

The Definition of End to End Encryption in Email

End to end encryption means the message is encrypted on the sender’s device and decrypted only on the recipient’s device. The keys used for decryption never leave the endpoints. Provider servers, network intermediaries, and even the transport protocol operators hold only ciphertext.

That property matters when the threat model includes an entity with server access. Government subpoena, insider access at the provider, or a full server compromise all fail to yield plaintext against a properly implemented end to end system.

A service that stores messages encrypted at rest but holds the decryption key on the server does not qualify. If the provider can read a message when compelled by law or when the server is compromised, the model is not end to end.

The distinction is often muddled in vendor marketing. Terms such as “military-grade encryption” or “advanced encryption” appear in materials for services that do not implement end to end. Verification requires looking at where the keys live rather than trusting the marketing language.

S/MIME as an End to End Encryption Standard

S/MIME (Secure/Multipurpose Internet Mail Extensions) is one of two dominant end to end encryption standards for email. It uses X.509 certificates issued by a certificate authority to establish trust between sender and recipient.

The sender obtains the recipient’s S/MIME certificate (usually attached to a prior signed message from the recipient). The sender’s mail client encrypts the outgoing message with the recipient’s public key. Only the recipient’s private key, held on their device, can decrypt.

  • Standard: Defined in RFC 8551 and related documents
  • Client support: Native in Outlook, Apple Mail, iOS Mail
  • Trust model: X.509 certificates from a CA
  • Setup burden: Certificate provisioning per user before use

S/MIME is the more common choice in enterprise environments because certificate management can be centralized through Microsoft Active Directory Certificate Services or a similar enterprise CA. Adoption in consumer contexts is rare because certificate provisioning is not a workflow ordinary users complete.

end to end encrypted email services in article illustration one

OpenPGP as an End to End Encryption Standard

OpenPGP (Pretty Good Privacy) is the second dominant end to end encryption standard. It uses user-generated keys and a web of trust model rather than a certificate authority hierarchy.

The sender obtains the recipient’s public key from a keyserver, a personal exchange, or a previous message. The sender’s mail client encrypts with that public key. Only the recipient’s private key decrypts.

Client support includes Thunderbird (native OpenPGP support since version 78), the ProtonMail bridge, and browser extensions such as FlowCrypt and Mailvelope for Gmail. Command-line tools such as GnuPG allow scripting for automated workflows.

OpenPGP is common among technical audiences (developers, security researchers, journalists) and less common in enterprise settings. The web of trust model does not scale as well as certificate authorities for large organizations that need centralized key management. NIST SP 800-177 provides related guidance in Special Publication 800-177 on trustworthy email.

Consumer Secure Webmail with End to End Support

ProtonMail, Tuta, and Skiff are the largest consumer secure webmail services with end to end encryption between users on the same platform. Two ProtonMail users, or two Tuta users, exchange messages neither the provider nor any interceptor can read.

The technical implementation varies. ProtonMail uses OpenPGP under the hood. Tuta uses a proprietary hybrid model. Both hold user keys on the client and never let the provider see plaintext. The user experience approximates normal webmail.

Cross-provider messaging falls back to password-protected links. A ProtonMail user sending to a Gmail recipient triggers a link-based decryption flow rather than transparent end to end delivery. That fallback is the primary business limitation of consumer secure webmail.

Business identity requirements also limit consumer webmail for regulated use. Custom domain support usually requires an upgraded plan. BAAs for HIPAA coverage are available on ProtonMail Business but not on all consumer tiers. Our companion piece on protonmail encrypted email covers the trade-offs.

Example A twelve-attorney firm handling immigration cases decides to add end to end encryption for client communication because senior partners read a breach headline. IT deploys S/MIME across all attorney workstations at $75 per certificate. Within two months, client open rates drop from 92 percent to 41 percent because most clients cannot install a certificate on their phone. The firm switches half the workflow to portal-based delivery with a signed BAA. Open rates recover to 88 percent while the sensitive-case subset stays on S/MIME for actual zero-knowledge protection.

Google Workspace Client-Side Encryption for Enterprise

Google Workspace Client-Side Encryption (CSE) provides zero-knowledge encryption on Enterprise Plus and Education Plus plans. CSE encrypts message content with keys held by the customer, not Google. Google servers hold only ciphertext.

Setup involves integrating with a customer-controlled key management service (Google offers several supported partners). Users encrypt messages through the standard Gmail compose interface with a toggle to enable CSE. Recipients on the same domain read transparently.

External recipients read through a link-based decryption flow similar to consumer secure webmail. Documentation is at support.google.com/a/answer/10741897.

CSE fits enterprises with existing Workspace Enterprise Plus licenses and strict key sovereignty requirements. It does not fit small businesses because the license tier is expensive and the setup complexity is substantial for a small IT team.

end to end encrypted email services in article illustration two

What End to End Encryption Does Not Protect

End to end encryption addresses specific threats and leaves other threats untouched. Understanding what the model does not cover is as important as understanding what it does cover.

Endpoint compromise defeats end to end encryption entirely. A keylogger on the sender’s device captures the plaintext before encryption. A malicious browser extension on the recipient’s device captures the plaintext after decryption. The strongest ciphertext does not help if either endpoint is compromised.

Phishing bypasses end to end encryption by targeting the human rather than the cryptography. An attacker impersonating a legitimate contact convinces the recipient to reveal information or take action regardless of how the underlying transport is protected. CISA publishes phishing guidance at cisa.gov phishing resources.

Metadata leakage is another limitation. Most end to end implementations encrypt the message body but leave headers (sender, recipient, subject, timestamp) unencrypted for delivery. An observer with access to mail server logs can build a communication graph even without reading message bodies.

End to End Encryption and HIPAA Compliance

HIPAA does not require end to end encryption for compliant email. The Security Rule at 45 CFR 164.312(e) requires either encryption in transmission or documented compensating controls. TLS with a signed BAA and appropriate access controls satisfies the requirement for most workflows.

Many healthcare organizations pursue end to end encryption believing HIPAA requires it. That belief overshoots the regulatory requirement and adds recipient friction. HHS guidance clarifies that encryption is one of several acceptable safeguards, not a mandate for the strongest available method.

Practices should evaluate their actual threat model before choosing end to end over BAA-plus-TLS. Threats such as an insider at the mail provider or a state-level subpoena favor end to end. Threats such as phishing, credential theft, and endpoint compromise are not addressed by end to end and require separate controls.

Practices building broader HIPAA programs frequently pair encrypted email with hardening on the web side. Our team at Redefine Web has published guidance on healthcare website security features that complements the email encryption decision.

๐Ÿ’กPro Tip: Match the tool to the actual threat modelEnd to end encryption solves provider access, subpoena resistance, and mail server compromise. It does not solve phishing, credential theft, or endpoint malware, which drive most real breaches. Before deploying S/MIME or ProtonMail across the practice, list the top three threats the workflow actually faces. If none of them involve a hostile provider or a state-level subpoena, a signed BAA plus TLS plus multi-factor authentication meets HIPAA at far lower recipient friction.

End to End Encryption Versus Portal Encryption

Portal encryption products (Barracuda, Zixcorp, similar) store the plaintext message on a vendor-controlled server and grant recipients access through a portal login. That model provides encryption at rest and TLS in transit but does not qualify as end to end.

The vendor can read messages when compelled by legal process. The vendor can read messages if the portal server is compromised. Those are legitimate business trade-offs but not end to end guarantees.

Portal encryption fits enterprises with heavy regulated content flow that need centralized policy control and administrative access to sent messages for audit purposes. That auditability depends on the vendor being able to read stored messages, which is incompatible with end to end.

Organizations should decide whether central auditability or zero-knowledge protection matches their compliance and threat needs. Both models are valid. Neither is universally better. Our companion pieces on HIPAA compliant email services and email encryption services compare the categories in more depth.

Inbox-Native Encrypted Email as an Alternative

Inbox-native encrypted email services occupy a middle position between end to end encryption and portal encryption. The message is encrypted at the sender’s vendor gateway and decrypted on a per-recipient session basis when the recipient clicks a decrypt link in their normal inbox.

The model gives the recipient a one-click read experience with no portal password. That reduces friction dramatically compared to portal encryption. The trade-off is that the vendor gateway holds encryption context during transit, so the model is not end to end in the strict sense.

For most HIPAA workflows, inbox-native services with a signed BAA satisfy compliance and dramatically improve recipient adoption compared to portal or S/MIME approaches. Services such as Mailhippo pair TLS-in-transit with client-side encryption and a bundled BAA in the base plan.

Organizations that need true end to end for a subset of communications (attorney-client privilege, journalism sources, security research) can layer S/MIME or PGP on top of a broader inbox-native or portal-based deployment for specific messages. That layered approach matches the tool to the threat rather than applying the strongest available protection uniformly.

Choosing an End to End Encrypted Email Service

Selection starts with the threat model. Which specific threats does the workflow face and which of those does end to end encryption address? Answering that question narrows the choice quickly.

Threats where end to end helps: provider access under legal compulsion, mail server compromise on either side, network interception. Threats where end to end does not help: phishing, credential theft, endpoint malware, metadata analysis. If the workflow’s main risks are in the second bucket, end to end is not the priority.

  • Enterprise with regulatory mandate: Google Workspace CSE or S/MIME with enterprise CA
  • Small business with occasional zero-knowledge needs: ProtonMail Business or PGP browser extension
  • Small practice with HIPAA requirement: inbox-native service with BAA (not necessarily end to end)
  • Individual privacy: ProtonMail, Tuta, or Skiff consumer tier

Practical adoption is the second consideration. An end to end service the recipient cannot use is worse than a slightly weaker service they use consistently. Solutions requiring recipient key management have historically low adoption outside technical audiences. That factor argues for inbox-native or portal approaches for most business use, with true end to end reserved for the specific workflows that need it.

HIPAA Compliance Managers Email List Guidance

hipaa compliance managers email list guide featured image

๐Ÿ”‘ Key Takeaways

  • HIPAA email splits into three surfaces: internal groups, patient lists, and vendor correspondence.
  • Distribution groups need explicit access control, quarterly membership audits, and tenant BAA cover.
  • Patient contact lists carry PHI on nearly every send; body-level encryption is the safe default.
  • Vendor lists need a signed BAA before the first PHI send; a mapping matrix is what auditors check.
  • Best-fit 2026 vendors split across native Purview, dedicated services, and S/MIME with PKI.

HIPAA compliance managers own email as one of the highest-risk PHI channels inside any covered entity. The role sits between IT, clinical operations, marketing, and legal, and the accountability shows up during OCR audits when documentation of email list handling is one of the first items auditors request.

This guide covers the practical work of managing HIPAA email lists across internal, patient, and vendor surfaces, the encryption controls that pair with each, and the vendor landscape for 2025 and 2026. Dedicated tools like a secure email service handle the surfaces where native platform features do not fit the practice profile.

The intent is operational, not theoretical. Compliance managers can lift the sections that map to their environment and apply them directly.

Email Lists Split Into Three Distinct Compliance Surfaces

Every covered entity operates three separate email surfaces that carry different risk profiles. Internal staff distribution groups handle clinical coordination, administrative announcements, and departmental communication. Patient contact lists handle appointment reminders, lab results, follow-up notifications, and portal registration.

Vendor correspondence lists handle billing services, IT contractors, transcription vendors, and any third party that touches PHI through email. Each surface has a different threat model and a different consent posture.

Treating all three as one flat email list is the most common source of compliance findings during audits. The compliance manager owns the split, documents each surface separately, and pairs each with the appropriate BAA and encryption controls.

The HHS HIPAA security rule guidance covers the risk assessment framework that supports these decisions. The rule is technology-neutral, which puts the burden on the compliance manager to justify the specific controls applied to each surface.

Internal Distribution Groups Need BAA Coverage from the Tenant

Internal distribution groups in Microsoft 365 and Google Workspace inherit business associate agreement coverage from the tenant when the practice is on a HIPAA-eligible plan and has a signed BAA with Microsoft or Google.

Microsoft signs a BAA covering Exchange Online, SharePoint Online, OneDrive, and Teams for eligible plans. Google signs a Workspace BAA covering Gmail, Drive, Calendar, and related services on Business Standard and above. The BAA covers the group send as long as it stays inside the tenant.

The moment an internal group sends to an external address, the encryption and BAA coverage on the recipient side becomes a separate consideration. Cross-tenant Microsoft 365 sends benefit from federation but still hit the encryption question for external recipients.

Compliance managers should maintain a documented list of internal groups, their membership, and the BAA status of the underlying tenant. Membership audits every quarter catch drift when former staff retain access.

hipaa compliance managers email list in article illustration one

Patient Communication Lists Carry PHI in Nearly Every Send

Patient contact lists handle the highest volume of PHI in most healthcare practices. Appointment reminders name the patient and the appointment type. Lab result notifications reference clinical context. Portal registration prompts identify the patient by clinic and account.

Every one of those sends carries PHI even when the practice treats the email as routine. Body-level encryption is the correct default. Encryption applies through the native Outlook Encrypt button on Purview-enabled plans, Workspace client-side encryption on Enterprise Plus, S/MIME on eligible plans, or a dedicated encrypted email service.

The recipient experience matters at this surface more than any other. Patients on any device and any email provider need to open the encrypted message without extra software installation or PGP key exchange. Portal-based delivery from a dedicated service usually wins on usability.

Consent tracking is a separate item that compliance managers own. Patients should have opted in to email communication about their care, and the consent record should exist in the practice management system.

Vendor Correspondence Requires a BAA Before Any PHI Send

Vendor correspondence lists include billing services, IT contractors, transcription vendors, medical device manufacturers, and any third party that receives PHI through email. Every vendor on that list must sign a BAA before the covered entity sends them the first message with patient data.

The BAA specifies the vendor obligations for safeguarding PHI, breach notification timelines, and subcontractor management. A vendor unwilling to sign a BAA is not a candidate for handling PHI regardless of technical capability.

Compliance managers should maintain a matrix that maps each vendor email contact to the BAA on file, the last review date, and the encryption method used for outbound correspondence. That matrix is the audit trail auditors look for first when reviewing business associate relationships.

The HHS sample BAA provisions give the baseline language. Most vendors have their own preferred BAA template. Compliance managers should review the vendor template for any deviations from the sample that shift risk back to the covered entity.

Example A 45-provider multi-location dermatology group audits its email surfaces. The compliance manager finds 12 internal distribution groups, 3 patient reminder lists totaling 18,400 addresses, and 27 vendor correspondence contacts. Only 8 of the 27 vendors have a signed BAA on file. The audit also finds one former biller retained access to a clinical group for four months after termination. The compliance manager collects the missing 19 BAAs across six weeks, purges the stale membership, and documents the review cadence for the next OCR window.

Marketing Platforms Rarely Cover PHI Without a Special Plan

Standard email marketing platforms like Mailchimp, Constant Contact, HubSpot, and Substack do not sign a BAA on their default product tiers. Sending PHI through these platforms without a BAA is a HIPAA violation regardless of the encryption applied on the sends themselves.

The practical split for a healthcare practice is to segregate marketing sends from PHI communication entirely. Newsletters, general health education content, and appointment availability updates without patient-specific detail can go through a standard marketing platform.

Patient-specific appointment reminders, lab notifications, portal messages, and clinical follow-up must go through a HIPAA-covered channel. That means Microsoft 365 with the appropriate encryption, Workspace with the appropriate encryption, or a dedicated encrypted email service with a signed BAA.

Some marketing platforms have added specialized healthcare tiers with BAA coverage in recent years. Compliance managers should verify BAA availability with the vendor account team in writing before assuming coverage exists.

hipaa compliance managers email list in article illustration two

List Membership Audits Catch Silent Compliance Drift

Distribution list membership drifts silently over time. Staff leave and their addresses stay on internal clinical groups. Patients move and their old addresses remain on reminder lists. Vendor contacts change without the practice updating the list.

A quarterly audit cadence catches most drift for internal and vendor lists. Patient lists benefit from monthly review because volume and turnover are higher. The audit checklist covers:

  • Every address on each list is a current authorized recipient.
  • The BAA status of the underlying platform is current.
  • The encryption method for outbound sends is documented and tested.
  • Consent records support each patient address on the list.
  • Staff departure events triggered removal from clinical distribution groups.

Documented audit results support the risk assessment required by the HIPAA security rule. The audit trail itself becomes evidence during an OCR investigation. Skipping the documentation is what turns a technical control problem into a governance problem.

Encryption Vendor Landscape for 2025 and 2026

The encryption vendor market for healthcare in 2025 and 2026 splits into three categories that compliance managers should understand when planning or auditing an email program.

Native platform features are the first category. Microsoft Purview Message Encryption on Business Premium and above, Google Workspace client-side encryption on Enterprise Plus, and S/MIME on eligible Workspace plans all fall here. These fit organizations already invested in the platform with dedicated IT staff.

Dedicated encryption services are the second category. They layer on top of existing Gmail, Outlook, and Yahoo mailboxes, apply encryption to every outbound message, and include a BAA in the base plan. These fit smaller practices, solo providers, and multi-location groups without the IT bandwidth for native configuration.

Certificate-based standards like S/MIME with an internal PKI or full OpenPGP deployment are the third category. These fit enterprises with mature identity systems and technical recipients. Most patient-facing healthcare communication does not fit this category because recipients cannot manage certificates.

๐Ÿ’กPro Tip: Split lists into three surfaces before layering controlsCompliance managers who treat every email list as one flat inventory miss the different risk profiles of internal, patient, and vendor communication. Split the three surfaces first. Map each surface to its BAA status, encryption method, and review cadence. Internal groups inherit tenant BAA coverage. Patient lists demand body-level encryption on every send. Vendor lists require a signed BAA before any PHI leaves. The split turns a shapeless email program into an auditable structure that survives OCR scrutiny.

How to Add an Encrypted Email Service to an Existing Program

Adding an encrypted email service to an existing HIPAA email program takes a defined set of steps. Compliance managers can run this playbook in a few weeks for most practices.

Start with an inventory of every mailbox and distribution list currently sending PHI. Map each to the current encryption method and BAA status. Identify the gaps where either coverage is missing or the current control is unreliable.

Pick a vendor. Mailhippo is a secure email service that works with existing Gmail and Outlook accounts, encrypts every outbound message, and includes a business associate agreement in the base plan. One brief mention here for compliance managers evaluating options where native platform features do not fit the practice profile.

Roll out to one department first, capture user feedback, adjust workflow, and expand across the organization. Document the pilot outcomes as evidence for the ongoing risk assessment.

Common HIPAA Email Program Mistakes

Several mistakes appear in HIPAA email program reviews across practices of all sizes. Each one produces a policy gap that surfaces during a compliance review or breach investigation.

The most common are:

  • Treating TLS in transit as HIPAA-compliant encryption without body-level protection.
  • Using Gmail Confidential Mode as the encryption control without a BAA covering that specific feature.
  • Routing patient email through a marketing platform without a signed BAA.
  • Maintaining distribution lists without a documented audit cadence.
  • Assuming vendor correspondence does not need a BAA because the vendor is not primarily a healthcare service.

Related reading on HIPAA compliance email fundamentals covers the ground-floor questions patients and staff ask about healthcare email. The HIPAA email overview gives the broader context for compliance managers building or refreshing a program.

Aligning Email With the Broader Healthcare Marketing Stack

Email sits inside a broader patient communication stack that includes the website, intake forms, portal login, and appointment scheduling. Each channel touches PHI at different points and each needs matching coverage.

Compliance managers who look only at email miss opportunities to strengthen the surrounding controls. Website intake forms need SSL and often a BAA with the form host. Portal registration flows need proper authentication. Appointment scheduling APIs need vendor BAA coverage.

A healthcare marketing agency can help align the patient-facing site and intake experience with the encryption layer sitting behind the mailbox. The compliance posture strengthens when marketing and IT operate from the same picture of the surface.

For related reading on the website security controls that pair with email, see the guide on security features for healthcare websites. Encryption is one control in a broader posture that includes authentication, backups, monitoring, and vendor management.

Best Encrypted Email Options Compared for Real-World Use

best encrypted email guide featured image

๐Ÿ”‘ Key Takeaways

  • No single best product; the right pick depends on device, recipient mix, and compliance scope.
  • Inbox-native services fit 1-100 seat regulated shops with a BAA in the base plan and fast setup.
  • Gateway products like Zix and Barracuda earn their price above 500 seats with mature IT teams.
  • S/MIME and PGP suit zero-knowledge use cases but require key setup on every recipient device.
  • Consumer webmail like Proton or Tuta fits personal privacy, not business workflows or HIPAA.

Searching for the best encrypted email produces long ranked lists that ignore the one question that determines the answer: what is the workflow. A solo therapist sending a session note to a patient has different requirements than a bank compliance team sending statements to 50,000 customers.

This guide compares the four main categories of encrypted email with honest trade-offs rather than a single ranked list. Each section addresses who the category fits, what it does well, and what breaks in production.

The categories are inbox-native services, gateway policy products, S/MIME or PGP client-side encryption, and consumer secure webmail. The right choice starts with the workflow, not the marketing.

Categories of Encrypted Email in the Market Today

The encrypted email market breaks into four categories that solve different problems. Confusing them produces mismatched deployments and either compliance gaps or unnecessary friction.

Inbox-native services encrypt outbound messages at the vendor gateway and deliver them to the recipient’s regular inbox with a one-click decrypt experience. Examples include Mailhippo, ProtonMail bridging, and similar services. They target small to mid-size regulated businesses.

Gateway policy products scan every outbound message for regulated content, encrypt matches, and store the encrypted content in a portal for external recipients. Examples include Zixcorp, Barracuda Email Gateway Defense, and Proofpoint Email Protection. They target enterprises with mature IT teams.

S/MIME and PGP encrypt messages at the client using cryptographic keys held by the sender and recipient. No vendor holds a decryption key. Consumer secure webmail (ProtonMail, Tuta, Skiff) provides zero-knowledge storage plus end-to-end encryption between same-provider users, with password-protected links for external recipients.

Comparing the Four Categories Side by Side

A comparison table makes the trade-offs concrete. Each category solves a specific problem well and specific problems poorly.

CategoryBest fitSetup timeRecipient frictionCompliance BAA
Inbox-native serviceSmall regulated practiceMinutesLow (one click)Yes in base plan
Gateway policy productEnterprise 500 plus seats30 to 90 daysMedium (portal)Yes, sold separately
S/MIME or PGPZero-knowledge use casesDays per userHigh (key management)Varies by vendor
Consumer secure webmailPersonal privacyMinutesMedium (password link)Rare

The table shows why single rankings mislead. A product that scores best on setup time may score worst on policy control, and a product that scores best on cryptographic strength may score worst on recipient adoption. Selection depends on which axis matters most for the workflow.

best encrypted email in article illustration one

Inbox-Native Services for Small Regulated Practices

Inbox-native encrypted email is the best fit for the largest slice of the regulated market: small to mid-size practices in healthcare, legal, and financial services. Setup takes minutes. The BAA is included in the base plan. Recipients read messages in their normal inbox.

The model works by encrypting the message at the sender’s vendor gateway and generating a per-recipient decrypt link that opens the plaintext in the recipient’s browser without requiring a portal account or password. The trade-off is dependence on the vendor’s session model rather than recipient-held cryptographic keys.

  • Setup: minutes, no MX record changes required for outbound-only workflows
  • Recipient experience: one-click read in their normal inbox
  • Compliance: BAA included in the base plan
  • Best for: 1 to 100 user practices in healthcare, legal, financial services

Practices that need to send HIPAA-covered PHI to patients, referring providers, or payers often find inbox-native services such as Mailhippo the fastest route to compliance without operating gateway infrastructure. Our team at Redefine Web frequently pairs these services with healthcare website security features for practices building out full digital compliance.

Gateway Policy Products for Enterprise Regulated Content

Gateway policy products fit enterprises with hundreds to thousands of users, heavy regulated content flow, and IT teams capable of running the gateway. Zixcorp, Barracuda, Proofpoint, and Cisco all fit this category.

The policy engine scans every outbound message for regulated content patterns. Matches trigger encryption automatically. That enforcement model catches gaps that user-triggered encryption misses when a busy user forgets to click the Encrypt button.

The trade-offs are cost, setup complexity, and recipient portal friction. Total per-user annual cost typically runs $30 to $120 depending on tier. Setup and policy tuning cycles run 30 to 90 days. External recipients hit a portal login unless they are members of a shared directory such as ZixDirectory.

The value scales with volume and directory overlap. A health system exchanging PHI daily with 20 other Zix-using organizations gets substantial workflow benefit from the directory. A 15-person practice does not.

Example A 22-person orthopedic clinic evaluates encryption options after switching billing platforms. Zix quotes about $65 per user annually plus a 25-seat minimum with a 60-day policy tuning cycle. Purview inside Microsoft 365 Business Standard would require upgrading 22 seats to Business Premium at an extra $10 per user monthly. A dedicated inbox-native service costs $10 per mailbox monthly, includes a BAA in the base plan, and sets up in under an hour through a DNS change. The clinic picks the inbox-native path because the operational math favors it below 100 seats.

S/MIME and PGP for Cryptographic Zero-Knowledge

S/MIME and PGP are the answer when the requirement is zero-knowledge encryption with recipient-held keys. No vendor holds a decryption key. That property matters for government contractors, journalists, security researchers, and legal work involving sensitive sources.

Both standards use public-key cryptography. The sender encrypts with the recipient’s public key. The recipient decrypts with their private key held on their device. Interception of the ciphertext yields nothing without the private key.

The setup burden is real. Recipients must generate keys, install client software, and understand the key exchange model. Certificate revocation and expiration add operational complexity. NIST publishes technical guidance in Special Publication 800-177 on trustworthy email that covers the underlying principles.

Outlook 365 and Apple Mail support S/MIME natively once a certificate is provisioned. Thunderbird includes built-in OpenPGP support. Adoption outside technical audiences remains low because most business recipients cannot receive S/MIME or PGP messages without a setup burden they will not undertake. Our guide to S/MIME email encryption signature covers the mechanics in depth.

best encrypted email in article illustration two

Consumer Secure Webmail for Personal Privacy

ProtonMail, Tuta, Skiff, and similar consumer secure webmail services target individuals who want private mail for personal accounts. Zero-knowledge storage protects the mailbox from provider access even under legal compulsion.

End-to-end encryption between same-provider users works transparently. Two ProtonMail users exchange messages that neither Proton nor anyone else can read. That works well for privacy-focused individuals communicating with each other.

Cross-provider messaging falls back to password-protected links. The recipient receives a notification with a link and enters a password shared out-of-band by the sender. That friction limits business adoption because most business exchanges cross providers.

Business identity requirements also limit consumer webmail adoption for regulated use. Custom domain support usually requires an upgraded plan. BAA coverage is rare. Practices needing HIPAA-compliant email typically look at inbox-native business services rather than consumer secure webmail. Our companion piece on protonmail encrypted email covers the ProtonMail-specific trade-offs in more detail.

Best Encrypted Email for Microsoft 365 Users

Microsoft 365 users have three practical options for encrypted email. The right one depends on license tier and whether external contacts also run Microsoft 365.

Microsoft Purview Message Encryption is bundled with M365 E3 and E5 licenses. Sending an encrypted message uses the Encrypt button in the Outlook ribbon. Recipients on M365 read the message inline. External recipients read through a portal link. Documentation is at learn.microsoft.com/en-us/purview/ome.

Gateway products such as Zixcorp integrate with M365 through connectors. The gateway sits in the outbound path and applies policy-based encryption. That model layers policy control on top of the M365 baseline and works well for regulated enterprises.

Inbox-native services work independently of the M365 license tier. The service adds encryption capability without requiring E3 or E5. That option fits organizations on Business Basic or Business Standard plans that need encryption without a license upgrade.

๐Ÿ’กPro Tip: Match the category to the workflow firstRanked lists that pick a single winner ignore the workflow question that determines the answer. Before comparing products, write down the recipient audience, the compliance framework, the current mail platform, and the IT team size. A gateway product wins for a 2,000-seat hospital and loses for a solo therapist. A consumer secure webmail service wins for personal privacy and loses for HIPAA. The workflow selects the category, and only then does product comparison matter.

Best Encrypted Email for Google Workspace Users

Google Workspace users have similar categorized options with Workspace-specific implementations. The right choice depends on Workspace plan and workflow.

Google Workspace Client-Side Encryption (CSE) is available on Enterprise Plus and Education Plus plans. CSE encrypts message content with keys the customer controls, providing a zero-knowledge model. Documentation is at support.google.com/a/answer/10741897.

Gateway products integrate with Workspace through similar connector models to M365. The policy engine sits in the outbound path. Inbox-native services also work with Workspace at any plan tier, adding encryption capability without a plan upgrade.

For solo practitioners on Workspace Business Starter or Standard, inbox-native services typically provide the fastest route to HIPAA-compliant email. A small healthcare practice on Workspace Business Standard adding an inbox-native service reaches BAA-covered encryption in under a day without touching the Workspace license.

Best Encrypted Email for Mobile Devices

Mobile encrypted email adoption is fragmented. iOS supports S/MIME natively in the Mail app once a certificate is provisioned. Android S/MIME support depends on the mail app; Gmail on Android does not support S/MIME without third-party integration.

Consumer secure webmail services (ProtonMail, Tuta) publish full-featured Android and iOS apps that handle encryption transparently for same-provider recipients. External recipients get password-protected links opened in a browser.

  • iOS Mail: S/MIME native, requires certificate provisioning
  • Gmail on Android: no native S/MIME, PGP via FlowCrypt or similar
  • ProtonMail apps: transparent E2E between Proton users
  • Inbox-native services: recipient reads in normal mail app, no separate app needed

For mobile senders in regulated industries, inbox-native services minimize the mobile setup burden. The sender uses their normal mail app and adds a subject-line tag or clicks a bookmarklet to route through the encryption service. Recipients read on any device without setup.

Best Encrypted Email for HIPAA-Regulated Healthcare

HIPAA-regulated healthcare organizations need encrypted email with a signed BAA covering the vendor as a business associate. The BAA is required under 45 CFR 164.502(e) whenever PHI moves through a vendor system. HHS publishes sample BAA provisions outlining expected coverage.

Small to mid-size practices typically get better economics from inbox-native encrypted email services with BAAs bundled in the base plan. Enterprises with 500 plus users benefit more from gateway policy products with granular filter control.

Free consumer services such as Gmail and Outlook.com do not sign BAAs at the free tier and are not appropriate for PHI regardless of TLS support in transit. Business tiers with BAA support exist for Google Workspace and Microsoft 365 but require the correct plan level.

For a broader look at HIPAA-compliant options across categories, our companion piece on HIPAA compliant email services covers pricing tiers and BAA coverage in more depth. The related guide on best encrypted email service ranks specific vendors by workflow fit.