๐ Key Takeaways
- Encryption turns the message body and attachments into ciphertext only the reader can decrypt.
- Business Premium unlocks the Outlook Encrypt button; lower tiers need a bump or a HIPAA service.
- Gmail client-side encryption requires Workspace Enterprise Plus and a customer-managed key service.
- Attachments encrypt with the body across S/MIME, PGP, Purview, and Google client-side encryption.
- Encryption alone fails HIPAA without a signed BAA, access logs, staff training, and response plan.
Encrypting an email converts the message body and attachments into ciphertext that only an authorized recipient can read. The sending client, the mail server, or both handle the encryption depending on the method used.
This guide covers the current methods for encrypting an email across Outlook, Gmail, and HIPAA-focused services. It explains the setup, the sender steps, the recipient experience, and when a dedicated encrypted email service is a simpler fit.
Encryption is one layer in a broader security posture. The right method depends on plan level, recipient environment, and compliance requirements. Read each section to match the method to the use case.
Encryption Standards Fall Into Three Main Categories
Email encryption uses three main models: transport-level encryption, message-level encryption, and portal-based encryption. Each model protects a different segment of the delivery path.
Transport-level encryption uses TLS between the sending and receiving mail servers. TLS is the baseline. It protects the message during network transmission but leaves the content in cleartext on the mail servers at each end.
Message-level encryption uses S/MIME or PGP to encrypt the message body and attachments before they leave the sending client. Only the recipient key can decrypt the message. The mail servers see ciphertext.
Portal-based encryption stores the encrypted message on a server and delivers a link to the recipient. Microsoft Purview Message Encryption and most HIPAA email services use this model. The recipient authenticates and reads the message in a browser session.
Microsoft Purview Message Encryption Covers Most Outlook Users
Microsoft Purview Message Encryption is the default encryption path for Outlook users on Microsoft 365 Business Premium and higher. The sender clicks Options, then Encrypt, in the ribbon of a new message. Purview handles the encryption and delivery on the server side.
Two options appear: Encrypt-Only and Do Not Forward. Encrypt-Only encrypts the content and lets the recipient reply, forward, and print. Do Not Forward encrypts the content and blocks forward, print, and download.
External recipients on Gmail, Yahoo, or another provider receive a notification email with a Read the message button. The button opens outlook.office365.com in a browser. The recipient signs in with a Microsoft or Google account or requests a one-time passcode.
Detailed sender steps are in the Microsoft support guide for encrypted messages in Outlook. The setup on the tenant side is minimal if Azure Rights Management is already active.

Gmail Users Rely on Confidential Mode or Client-Side Encryption
Gmail offers two encryption features. Confidential mode is available on every Gmail account, including personal Gmail and every Workspace plan. Client-side encryption is available only on Workspace Enterprise Plus and Education Plus.
Confidential mode sets an expiration date and disables forward, copy, print, and download. It does not encrypt the message body in a way that meets HIPAA transmission requirements on its own. Google can still access the content on its servers.
Client-side encryption encrypts the message content in the browser before it reaches Google servers. The encryption keys are managed by the customer through an external key service. Google cannot decrypt the message.
Standard Workspace plans that need encryption for HIPAA use a gateway or a dedicated HIPAA email service. The Gmail interface stays the same. The encryption happens at the outbound gateway or at the service layer.
S/MIME Provides End-to-End Encryption With Certificates
S/MIME is a message-level encryption standard supported by Outlook, Apple Mail, and most enterprise mail clients. It uses X.509 certificates issued by a trusted certificate authority such as DigiCert, Sectigo, or IdenTrust.
The sender installs a personal certificate in the mail client. The recipient must also have an S/MIME certificate available. Outlook stores recipient certificates from signed messages the user has previously received.
Once certificates are in place, the sender clicks Encrypt on a new message. The mail client uses the recipient public key to encrypt the content. The recipient decrypts with the private key stored in the recipient client.
S/MIME provides true end-to-end encryption because no server between the sender and recipient can decrypt the message. The trade-off is certificate management. Practices with dozens of external recipients need a workflow for exchanging certificates before the first encrypted message can go out.
A behavioral health group of eight clinicians switches from personal Gmail to Google Workspace Business Standard for HIPAA coverage. The admin accepts the BAA in the console, but discovers client-side encryption requires Enterprise Plus at roughly $30 per user. Instead of upgrading all eight seats at $240 per month, the group adds a HIPAA email service at $10 per clinician for $80 per month. The service handles PHI mail with encryption plus BAA, and Workspace Business Standard handles everything else.
PGP Handles Encryption Between Technical Users
PGP, sometimes called OpenPGP or GPG, is a second message-level encryption standard. It relies on a web of trust rather than a centralized certificate authority. Users generate a key pair and publish the public key to a key server or exchange it directly.
PGP is common in security research, legal work, and technical communities where both parties are comfortable managing keys. Mainstream Outlook and Gmail do not include PGP out of the box. Third-party plugins add support.
The strengths of PGP are strong cryptography and no dependence on a central authority. The weaknesses are key management overhead and a recipient experience that assumes technical familiarity. A patient receiving a PGP message will not know how to decrypt it.
Healthcare practices sending PHI to patients almost never use PGP because the recipient experience is unrealistic. PGP fits internal or business-to-business scenarios where both sides run the same tooling.
TLS Alone Does Not Meet HIPAA Transmission Requirements
TLS encrypts the connection between mail servers. It is the baseline for any modern mail transmission. TLS 1.2 and TLS 1.3 are the current versions in use, according to NIST SP 800-52 Rev. 2.
Opportunistic TLS is the common default. If the receiving server supports TLS, the connection uses TLS. If the receiving server does not support TLS, the connection falls back to cleartext. A sender using opportunistic TLS cannot guarantee the message stayed encrypted end to end.
Forced TLS requires the receiving server to support TLS or the message does not go out. Forced TLS is safer but harder to configure across a large recipient list. Most Outlook and Gmail tenants use opportunistic TLS by default.
HHS guidance treats TLS as acceptable for transmission but recommends message-level encryption for high-risk PHI. See the HHS Security Rule guidance for the current position. Practices should assume TLS alone is not sufficient.

Sensitivity Labels Automate Encryption at Scale
Sensitivity Labels in Microsoft 365 apply encryption automatically based on content classification. Administrators define labels in the Microsoft Purview compliance portal and set rules that trigger a label when the message contains specific patterns.
Patterns can include medical record numbers, Social Security numbers, credit card numbers, or custom regular expressions for practice-specific fields. A matching pattern applies the label and the encryption policy in one step.
The sender does not have to remember to click Encrypt. The system enforces encryption based on content. This removes human error from the encryption decision on routine mail.
Deployment requires Microsoft 365 E3 or E5 licensing and configuration of Purview Information Protection. Sensitivity Labels fit large practices and health systems that already run Microsoft 365 at the enterprise tier.
Attachments Are Encrypted Along With the Message Body
Every current message encryption method encrypts attachments as part of the message. S/MIME, PGP, Microsoft Purview, and Google client-side encryption all treat attachments and the body as a single encrypted unit.
The recipient sees one verification step. After the sign-in or key decryption, both the body and the attachments become readable. Do Not Forward rights in Microsoft Purview show attachments in the portal preview and block download.
Attachment size limits apply before encryption is added. Outlook and Gmail cap standard attachments at 20 to 25 megabytes. Very large files exceed the limit and get rejected before encryption is even attempted.
Practices sending large imaging files, video, or full record sets should use a HIPAA-compliant file transfer service instead of email attachments. The email carries the link. The file transfer service handles the payload.
Encryption Alone Does Not Equal HIPAA Compliance
HIPAA compliance includes administrative, physical, and technical safeguards. Encryption is one of the technical safeguards. The covered entity is responsible for the full set.
The covered entity needs a signed business associate agreement with the email provider, access logging, workforce training, an incident response plan, and configuration that enforces encryption on PHI. Microsoft 365 and Google Workspace include a BAA as part of the standard business terms.
Practices that outsource the full mail security posture use a HIPAA email service that includes the BAA, encryption, access logs, and audit trails in a single plan. Mailhippo is one option for practices that want a HIPAA-compliant secure email service that works with an existing Gmail or Outlook account without switching providers.
The choice between running encryption inside Microsoft 365 or Google Workspace and using a dedicated service comes down to IT capacity, license cost across all seats, and the sensitivity of the mail volume.
The sender view is not the recipient view. Send a test encrypted message to your own personal Gmail, Yahoo, and a corporate Outlook address. Walk through each opening path start to finish. If any path takes more than a minute or requires an account, patients will drop off. Front-desk staff who have not seen the recipient view cannot answer basic questions on the phone, and open rates on patient PHI mail crash within the first week.
Practical Setup Checklist for a First-Time Sender
A first-time sender can get an encrypted message out today by picking one path and running through the setup. The choice depends on the mail platform already in use.
- Confirm the license level of the Microsoft 365 or Google Workspace tenant.
- Verify that a business associate agreement is in place with the mail provider if PHI is involved.
- Enable the Encrypt button in Outlook or client-side encryption in Gmail if the license supports it.
- Test with an external recipient on a different mail platform to see the actual recipient view.
- Document the sender steps for staff who will send encrypted mail on a routine basis.
The test send matters. The sender view is not the recipient view. A practice sending encrypted PHI to a patient should see the exact browser experience the patient will see before sending real mail.
Practices building the wider HIPAA posture around the encryption method also need to cover the website, intake forms, and patient portals. See the guide on healthcare website security features for the site-side controls that pair with encrypted email.
Common Errors When Encrypting an Email
Several errors show up in the first weeks of a new encrypted email workflow. Most trace back to license mismatch, recipient environment, or a missing configuration step on the tenant.
- The Encrypt button does not appear in Outlook because the license is Business Basic or Business Standard.
- The recipient does not receive the notification because a corporate spam filter blocks the outlook.office365.com sender.
- The S/MIME send fails because the recipient certificate is not in the Outlook contact record.
- The one-time passcode does not arrive because the recipient inbox filters bulk mail into a folder the recipient does not check.
- Attachments exceed the 25 megabyte limit and get rejected before encryption is applied.
Each of these errors has a fix. Licensing is a purchase or a switch to a service that bundles encryption. Recipient filters can be addressed by asking the recipient to allow the sender domain. Certificates can be exchanged through a first signed message.
Related reading covers practical steps for common platforms: to encrypt an email, encrypting email in Outlook, email encrypting workflows, and what does encrypting an email do in outlook. Each guide breaks down the sender view for a specific tool.
When a Dedicated Encrypted Email Service Fits Better
A dedicated encrypted email service fits practices that need HIPAA compliance without adding license overhead or IT complexity. The service handles the encryption, the BAA, the access logs, and the recipient portal.
The sender writes mail in the same Gmail or Outlook interface. Outbound mail routes through the service gateway. The recipient gets a portal link or a native decrypt depending on the service configuration.
Mailhippo is a HIPAA-compliant secure email service that works with existing Gmail and Outlook accounts. The BAA is included in the base plan. Encryption applies to every outbound message. Recipients open messages with one click, without creating a Microsoft or Google account.
Practices building the wider healthcare digital presence often pair encrypted email with a compliant site, intake, and portal setup. A healthcare marketing agency can coordinate the site and communication layer around the encryption service already in place.
Frequently Asked Questions
Encrypting an email is the process of converting the message body and attachments into ciphertext so that only an authorized recipient with the correct key can read the content. The encryption can happen at the sending client, at the sending mail server, or at both points. Modern methods include S/MIME, PGP, Microsoft Purview Message Encryption, Google Workspace client-side encryption, and gateway-based encryption used by HIPAA email services. Each method protects the same fundamental thing: the confidentiality of the message contents in transit and at rest.
Encryption protects the message contents from interception and unauthorized reading. It does not protect against a compromised sender account, a compromised recipient account, or social engineering that tricks either party into sharing credentials. Encryption is one control in a layered security model. Practices sending PHI need encryption plus multi-factor authentication, access logging, phishing training, and endpoint protection. Encryption also does not protect a message that a legitimate recipient forwards to an unauthorized party, unless rights management is applied on top of the encryption.
Yes. S/MIME, PGP, Microsoft Purview Message Encryption, and Google Workspace client-side encryption all encrypt attachments along with the message body. The recipient sees a single verification step for both. Do Not Forward rights in Microsoft Purview block download of attachments and display them only in the portal preview. Attachment size limits still apply. Practices sending very large files containing PHI should use a HIPAA-compliant file transfer service instead of email attachments, because the mail server may reject files that exceed the platform limit before encryption is applied.
Open a new message in Outlook. Click Options in the ribbon. Click Encrypt and pick Encrypt-Only or Do Not Forward. Encrypt-Only lets the recipient reply, forward, and print. Do Not Forward blocks forward, print, and download. Write the message, add recipients, and click Send. Microsoft Purview handles the delivery. Internal Microsoft 365 recipients see the message inline. External recipients receive a notification with a Read the message button that opens the encrypted content in a browser tab on outlook.office365.com.
Gmail on Google Workspace Enterprise Plus and Education Plus supports client-side encryption. The admin enables it in the Google Admin console under Security, Access and data control, Client-side encryption. Users see a lock icon in the compose window that toggles encryption on. Standard Gmail and Workspace Business plans do not have this feature. Those accounts can use confidential mode, which sets an expiration and disables forwarding, or route encrypted mail through a HIPAA email service that works with the existing Gmail account.
Encryption blocks interception of message contents in transit, protects the content at rest on mail servers, and reduces the impact of a mail server breach because the stolen data is ciphertext. For regulated industries, encryption is a required control under HIPAA, HITECH, GLBA, and similar frameworks. For any business, encryption reduces the risk of an accidental data disclosure when a message is sent to the wrong address or forwarded outside the organization. Recipients also gain confidence that the sender has invested in secure communication.
TLS encrypts the connection between mail servers but does not encrypt the message at rest inside the recipient inbox. TLS also depends on both sending and receiving servers supporting the same version and cipher suite. Opportunistic TLS falls back to cleartext if the receiving server does not support TLS. The HHS guidance on encryption treats TLS as one acceptable safeguard for transmission but recommends message-level encryption for high-risk PHI. Practices should assume TLS alone is not sufficient and layer message-level encryption on top for regulated content.

















