๐ Key Takeaways
- Outlook’s Encrypt button needs Microsoft 365 Business Premium; lower tiers get no encryption.
- Gmail client-side encryption is Enterprise Plus only; Confidential Mode fails HIPAA standards.
- Yahoo has no native message encryption and no BAA, so PHI belongs on a different platform.
- S/MIME, PGP, Purview, and HIPAA services encrypt attachments as part of the encrypted message.
- Password-protected ZIPs guard the file but leave PHI in the body exposed and fail HIPAA rules.
Sending an encrypted email means applying an encryption method before the message leaves the sender. The specific steps vary by platform. Outlook, Gmail, Yahoo, and GoDaddy each handle encryption differently, and each has gaps that a dedicated service can fill.
This guide walks through the sender steps for each platform, covers attachments and password-protected files, and identifies where a HIPAA-focused encrypted email service fits the workflow.
The underlying protection is the same across methods. Content is unreadable to anyone without the correct key or credential. The differences are in setup, license, and recipient experience.
Sending an Encrypted Email in Outlook Uses Purview
The Outlook path starts in the compose ribbon of a new message. Click Options, then Encrypt, and pick a policy. Two policies are available: Encrypt-Only and Do Not Forward.
Encrypt-Only encrypts the content and lets the recipient reply, forward, and print. Do Not Forward encrypts the content and blocks forward, print, and download. The sender picks the policy at send time.
The tenant must be on Microsoft 365 Business Premium or higher for the Encrypt button to appear. Business Basic and Business Standard do not include the button. Adding it requires an upgrade or a per-seat license add-on.
External recipients see a notification with a Read the message button. The button opens outlook.office365.com in a browser. The recipient signs in with a Microsoft or Google account or requests a one-time passcode. Detailed steps are in the Microsoft support guide for encrypted messages in Outlook.
Sending an Encrypted Email in Gmail Depends on Workspace Plan
Gmail on Google Workspace Enterprise Plus or Education Plus supports client-side encryption. The admin enables it in the Google Admin console under Security, Access and data control, Client-side encryption. Users see a lock icon in the compose window.
The lock icon toggles encryption on for the message. The message content is encrypted in the browser before it reaches Google servers. The keys stay outside Google through a customer-controlled external key service.
Standard Workspace plans and personal Gmail do not support client-side encryption. Confidential mode is available on every Gmail account. Confidential mode sets an expiration date and disables forward, copy, print, and download. It does not encrypt content in a way that meets HIPAA transmission requirements.
Practices on standard Workspace plans that need encryption for HIPAA route outbound mail through a HIPAA email service. The Gmail interface stays the same. The encryption applies at the service layer.

Sending an Encrypted Email in Yahoo Requires a Workaround
Yahoo Mail does not offer native message-level encryption on standard consumer or business accounts. There is no Encrypt button in the Yahoo compose window equivalent to the Outlook or Gmail options.
Yahoo users send encrypted mail through one of three workarounds:
- Install a browser extension such as Mailvelope that adds PGP support to the Yahoo web interface.
- Attach a password-protected ZIP file to the message and share the password through a separate channel.
- Route outbound mail through a HIPAA email service that adds encryption at the outbound gateway.
Yahoo does not sign a business associate agreement for consumer accounts. The platform is not appropriate for PHI regardless of the encryption workaround. Practices sending regulated content should move to a compliant mail platform rather than relying on Yahoo with encryption bolted on.
Sending an Encrypted Email From GoDaddy Requires a Third-Party Layer
GoDaddy Professional Email is hosted mail on the godaddy.com or a custom domain. The service does not offer native message-level encryption in the web interface or in the standard IMAP client access.
Practices using GoDaddy for hosted email send encrypted mail through one of three options. Add a third-party S/MIME certificate to Outlook or Apple Mail connected to the GoDaddy account. Use a browser extension that supports PGP or S/MIME. Route outbound mail through a HIPAA email service.
GoDaddy signs a business associate agreement for some hosted email plans through a separate compliance add-on. The BAA covers storage of PHI on GoDaddy infrastructure. It does not cover the encryption of outbound transmission automatically.
Practices sending PHI from GoDaddy typically pair the account with a dedicated encryption service. The GoDaddy account handles inbound receipt and stored mail. The encryption service handles the outbound HIPAA-required protection.
A dental practice on Microsoft 365 Business Basic wants to send X-ray attachments to a referring oral surgeon on personal Gmail. The Business Basic plan does not include the Encrypt button. The office manager tries a password-protected ZIP, but the message body still references the patient by full name and treatment code. Instead, the practice routes outbound mail through a HIPAA email service at $10 per mailbox per month, which encrypts every message and delivers a one-click portal link the surgeon opens on any device.
Sending Encrypted Files Uses the Same Message Encryption Path
Encrypted files travel as message attachments protected by the same encryption applied to the message body. S/MIME, PGP, Microsoft Purview, Google client-side encryption, and HIPAA email services all treat the attachment as part of the encrypted message.
The recipient sees one verification step. After the sign-in or key decryption, both the body and the attachments become readable. Do Not Forward rights in Microsoft Purview show attachments in the portal preview and block download.
Attachment size limits apply. Outlook caps standard attachments at 20 megabytes. Gmail caps at 25 megabytes. Larger files exceed the limit before encryption is even attempted. The message bounces with a size error.
For large files, use a HIPAA-compliant file transfer service and put the link in the message body. The email delivers the link. The file service handles the payload with its own encryption at rest and in transit.

Sending a Password-Protected File as a Workaround
Sending a password-protected file through email is a common workaround for accounts without full encryption. The sender ZIP-encrypts the file with a password and attaches the ZIP to the message.
Tools that support AES-256 encryption include 7-Zip, WinRAR, and the built-in Archive Utility on macOS with a strong password. The encrypted ZIP is unreadable without the password. This protects the file at rest and in transit.
The password must go through a separate channel. Phone call, text message, or a secure messaging app all work. Never include the password in the same email as the encrypted attachment. That defeats the encryption.
Password-protected attachments do not meet the HIPAA requirement for encrypted transmission of PHI when the message body itself contains identifying information. The workaround protects the file but leaves the body exposed. Dedicated encryption remains the required control for regulated content.
Sender Steps Compared Across Platforms
The sender view differs across platforms. The table below summarizes the steps and license requirements for each.
| Platform | Sender Step | License Required | Recipient Experience |
|---|---|---|---|
| Outlook | Options, Encrypt, pick policy | Business Premium or higher | Portal sign-in or passcode |
| Gmail (Workspace) | Lock icon in compose | Enterprise Plus or Education Plus | Portal sign-in with key service |
| Yahoo | Browser extension or gateway | None native | Depends on workaround |
| GoDaddy | Third-party layer | None native | Depends on layer added |
| HIPAA Email Service | Send Secure button or automatic | Service subscription | One-click portal, no account creation |
The service approach is the shortest path for accounts without built-in encryption. It also fits practices on Business Premium or Enterprise Plus that want a simpler recipient experience for patient communication.
The sender workflow tells you nothing about what the patient sees. Before committing to Purview, S/MIME, or a HIPAA service, send one test message to a personal Gmail and one to a personal Yahoo. Time the steps from notification to reading the body. If the recipient path takes more than 30 seconds or asks for account creation, patient response rates will drop.
Sending Encrypted Mail to Recipients With No Encryption Setup
The most common friction point in sending encrypted mail is the recipient. A patient with a personal Gmail account does not have S/MIME certificates. A small business partner may not know how to use PGP.
Portal-based encryption solves this. Microsoft Purview and most HIPAA email services deliver the recipient a notification with a link. The recipient clicks the link, authenticates with a sign-in or one-time passcode, and reads the message in a browser.
The recipient does not install anything. The recipient does not need a specific mail client. The recipient does not need to hold any cryptographic material. The portal experience matches how patients already use online banking or telehealth portals.
Practices sending to patients almost always want the portal experience for this reason. The one-click access matches patient tech literacy across a broad population.
HIPAA Applies to Encryption Choices for Covered Entities
Covered entities and business associates operate under the HIPAA Security Rule. Encryption is one required technical safeguard. The HHS Security Rule guidance treats encryption as an addressable specification.
Addressable does not mean optional. The covered entity must either implement encryption or document why an alternative safeguard is reasonable. Most compliance reviews expect encryption on any transmission of PHI outside the internal network.
The sending platform must also have a signed business associate agreement in place with the covered entity. Microsoft 365 and Google Workspace include a BAA as part of the standard business terms. Personal Gmail and consumer Yahoo do not.
Practices building the wider HIPAA posture around encrypted mail also need to cover the website and patient portal. See the guide on healthcare website security features for the site-side controls.
Dedicated HIPAA Email Services Simplify the Sender Workflow
A dedicated HIPAA email service handles the encryption, the BAA, the access logs, and the recipient portal in a single plan. The sender writes mail in a familiar Gmail or Outlook interface.
Mailhippo is one option in this category. It works with existing Gmail and Outlook accounts. The BAA is included in the base plan. Encryption applies to every outbound message. Recipients open messages with one click, without creating a Microsoft or Google account.
Related reading covers the platform-specific how-tos: how to send varracuda encrypted email, how to send encrypted email, how to send an encrypted email, how to send encrypted email using gmail, send encrypted email, and how to send encrypted email via comcast.
Practices coordinating encrypted email with a wider healthcare digital strategy often pair the mail service with a compliant site and portal setup. A healthcare marketing agency handles the marketing overlay on top of the compliance stack.
Frequently Asked Questions
Open a new message in Outlook. Click Options in the ribbon. Click Encrypt and pick either Encrypt-Only or Do Not Forward. Encrypt-Only lets the recipient reply, forward, and print. Do Not Forward blocks forward, print, and download. Write the message, add recipients, and click Send. The tenant must be on Microsoft 365 Business Premium or higher for the Encrypt button to appear. Microsoft Purview handles the delivery and recipient authentication through a browser portal for external recipients.
Gmail on Google Workspace Enterprise Plus or Education Plus supports client-side encryption. The admin enables it in the Google Admin console under Security, Access and data control, Client-side encryption. Users see a lock icon in the compose window that toggles encryption on. Standard Workspace plans and personal Gmail do not support client-side encryption. Those accounts can route outbound mail through a HIPAA email service that adds encryption at the gateway, or use confidential mode for non-regulated content that needs expiration and forwarding controls.
Yahoo Mail does not offer native message-level encryption on standard accounts. To send an encrypted message from a Yahoo address, use a browser extension that adds S/MIME or PGP support, attach a password-protected file with the password shared through a separate channel, or route outbound mail through a HIPAA email service. Yahoo does not sign a business associate agreement for consumer accounts, so the platform is not appropriate for PHI. Practices sending regulated content move to Google Workspace, Microsoft 365, or a dedicated encryption service.
Attach the file to a message and send using an encryption method that covers both the body and the attachments. S/MIME, PGP, Microsoft Purview Message Encryption, Google client-side encryption, and HIPAA email services all encrypt attachments as part of the message. The recipient opens attachments after the same authentication step used for the message body. Attachment size limits on Outlook and Gmail typically cap at 25 megabytes. Larger files should use a HIPAA-compliant file transfer service with a link in the message rather than a direct attachment.
Compress the file into a ZIP archive using a tool that supports AES-256 encryption, such as 7-Zip or WinRAR. Set a strong password during compression. Attach the encrypted ZIP to the message and send. Share the password through a separate channel: phone call, text message, or a secure messaging app. Never include the password in the same email as the attachment. This method protects the file but does not encrypt the message body itself. It is a workaround for accounts without full encryption, not a HIPAA-grade solution.
GoDaddy Professional Email does not offer native message-level encryption. Practices using GoDaddy for hosted email send encrypted mail by adding a third-party S/MIME certificate, using a browser extension that supports encryption, or routing outbound mail through a HIPAA email service. GoDaddy does sign a business associate agreement for some hosted email plans, but the BAA covers the storage of PHI on GoDaddy servers rather than the encryption of outbound transmission. Practices sending PHI from GoDaddy typically pair the account with a dedicated encryption service.
Microsoft 365 provides the technical layer of encryption when Purview Message Encryption is enabled. HIPAA compliance also requires a signed business associate agreement, which Microsoft includes as part of the Microsoft 365 BAA terms. The covered entity is still responsible for correct configuration, access logging, workforce training, and an incident response plan. The technical layer is one part of the compliance picture. Practices without dedicated IT often supplement Microsoft 365 with a HIPAA email service that simplifies the recipient portal experience and audit trail.





