๐ Key Takeaways
- Zix scans outbound mail, applies TLS when possible, and drops recipients into a portal.
- Automated policy libraries encrypt PHI without asking staff to click an Encrypt button.
- Recipients either see the message inline or sign into a Zix portal with a passcode.
- Zix pricing suits multi-site systems; ten-seat clinics usually pay for unused features.
- Under 100 regulated messages a week points to a portal service, not a full gateway.
Zix email encryption is a policy-driven secure email gateway used across regulated industries to enforce HIPAA, GLBA, and PCI email rules. The gateway scans every outbound message, applies encryption when a rule matches, and routes the recipient into a secure portal when the receiving server cannot accept TLS.
Healthcare practices adopt Zix for the same reason they adopt other encrypted email platforms. The gateway removes the burden of asking every staff member to remember when to encrypt. Content classification runs on the server, not in the mail client.
The tradeoff is complexity. Policy tuning, directory synchronization, and gateway routing require IT time that smaller practices often do not have. This guide covers how Zix works, what it costs, and where simpler options fit.
Zix Runs as a Gateway Between the Mail Server and the Internet
The Zix architecture places a gateway between the outbound mail server and the internet. Every message the mail server sends passes through the gateway before it reaches the receiving mail server. The gateway inspects the message, classifies the content, and applies the routing decision.
For Google Workspace, administrators configure the outbound gateway in the Gmail routing settings and point outbound mail at the Zix hostname. For Microsoft 365, administrators create an outbound connector in the Exchange Admin Center. The gateway sits in the delivery path without changing the sender client.
The inspection step matters. Zix reads the message subject, body, headers, and attachments. It matches the content against a library of built-in patterns for PHI, financial account numbers, and other regulated fields. Matched messages get encrypted. Non-matched messages route normally.
The gateway model works well for organizations with a dedicated IT team, consistent mail platform, and a compliance officer who owns policy tuning. Smaller practices often find the model heavier than the actual send volume justifies.
Policy Rules Drive the Encryption Decision
Zix ships with a policy library covering HIPAA, HITECH, GLBA, PCI DSS, and state privacy rules. Each policy contains a set of pattern matches, keyword lists, and structural checks. Administrators can enable full policies out of the box or customize them for the practice.
A HIPAA policy typically flags nine-digit numbers formatted as social security numbers, medical record numbers, ICD-10 codes, and combinations of patient identifier plus clinical information. The gateway can also flag messages sent to known covered entity domains or to any address that matches a directory of business associates.
When a message matches a policy, the gateway encrypts and delivers based on the routing rule. The sender does not need to click an Encrypt button. The compliance officer does not need to train the entire staff on when to encrypt. The gateway handles the decision.
The tradeoff is policy accuracy. False positives encrypt messages that do not require it. False negatives release regulated content in plaintext. Policy tuning is an ongoing activity, not a one-time setup. The HHS HIPAA Security Rule lists the transmission security requirements that policy design should map back to.

Delivery Uses TLS First and Portal Fallback When Needed
Zix delivery follows a two-path model. The first path uses TLS when the receiving mail server supports it and passes Zix directory verification. In that case, the encrypted message decrypts at the gateway boundary and arrives in the recipient inbox as a normal email.
The second path routes to the Zix portal. The gateway sends the recipient a notification email with a link. The recipient clicks the link, signs in with a password, and reads the message inside the browser. First-time recipients set a password. Repeat recipients reuse the account.
Zix directory verification uses a network of known Zix-enabled organizations that can accept encrypted messages directly. If both parties run Zix, the message decrypts on delivery without the portal step. This is the Zix-to-Zix delivery model that reduces friction between practices already on the platform.
The portal fallback is the workhorse for messages sent to patients, external providers, and vendors not on the Zix network. It ensures every regulated message reaches the recipient over an encrypted channel, without depending on the receiving server TLS configuration.
Sender Experience Stays Inside Gmail or Outlook
Zix does not require a separate compose window or a browser plugin. The sender uses the native Gmail or Outlook interface. They write the message, add attachments, and click Send. The gateway takes over from there.
For senders who want to manually flag a message as encrypted regardless of policy, Zix supports a subject line keyword such as [Secure] that forces encryption on that specific message. The keyword is configurable. Administrators can also add an Outlook button through a template deployment.
Sent items appear in the sender Sent folder as normal messages. The sender can view the encrypted status in the message tracking report on the Zix administrative console. Recipients who need a resent link contact the sender, who initiates a resend from the console.
This is the main sender-side advantage. Encryption becomes an infrastructure function rather than a per-message decision. The sender does not have to remember to encrypt because the gateway makes the decision on their behalf.
A regional health system with 400 mailboxes across six clinics deploys Zix in the outbound path. IT configures directory sync from Active Directory, points the Microsoft 365 outbound connector at the Zix hostname, and enables the default HIPAA policy library. First-week tuning removes twelve false-positive patterns and adds two custom rules for internal medical record numbers. Compliance reporting shows 3,200 outbound messages per week, of which 480 trigger encryption automatically. Staff never touch an Encrypt button.
Recipient Experience Depends on the Receiving Server
Recipients see one of three experiences based on their mail environment. The first is a plain email in the inbox, delivered over TLS with no portal step. This happens when the receiving server supports TLS and passes Zix directory checks.
The second is the portal experience. The recipient receives a notification email with a link. They click, sign in, and read the message in the Zix web portal. Attachments download inside the portal. Reply from the portal encrypts the reply automatically.
The third is the Zix-to-Zix direct delivery, where both organizations run Zix and messages flow encrypted end to end without a portal step. This is the highest-friction-reduction path but requires both sides on the same platform.
The portal experience adds a step for external recipients. That step is a source of friction for elderly patients, low-technology recipients, and one-off external contacts. The friction is worth it for regulated content, but it should be measured against portal-based services designed for lighter-touch recipient handoffs.
Pricing Reflects Enterprise Feature Set Rather Than Practice Size
Zix does not publish list pricing. Practices request a quote based on seat count, plan level, and add-on modules. Reported public pricing from third-party reviews runs from single digits per mailbox per month at the low end into higher tiers for full enterprise bundles.
Add-on modules include archiving with retention controls, data loss prevention with content classification, inbound threat protection with URL rewriting, and encryption gateways for regulated industries beyond HIPAA. Each module adds to the base per-seat cost.
The pricing reflects an enterprise buyer profile. Practices under twenty seats often find the plan structure heavier than the actual send volume of PHI justifies. The seat rate covers features many small practices never use, and the setup time cuts into practical value.
Buyers should compare quoted Zix pricing against portal-based services that include the BAA and encryption in a base per-seat rate without a gateway deployment. The healthcare website security features guide covers additional layers that combine with encrypted email for a full compliance stack.

Setup Requires Directory Sync and Policy Tuning
Zix deployment starts with directory synchronization. The gateway needs to know which users belong to the practice, which addresses are external, and which domains belong to known covered entities or business associates. Administrators sync Active Directory or Google Workspace into the Zix console.
The next step is outbound routing. For Microsoft 365, this means an outbound connector pointing at the Zix hostname. For Google Workspace, this means an outbound gateway rule in Gmail routing. Every outbound message routes through the gateway from this point forward.
Policy tuning is the third step and typically the longest. The compliance officer or IT lead reviews the default HIPAA policy, adjusts the pattern matches for the specific practice, and monitors the first weeks of traffic for false positives and false negatives. This is an iterative process.
Inbound routing, if used, requires an inbound connector plus an MX record change to point the practice domain at the Zix inbound gateway. This is a bigger change that affects every inbound message. It should be tested carefully before cutover.
The Gateway Model Has Real Advantages for Multi-Site Practices
Multi-site practices with hundreds of users, mixed mail platforms, and complex compliance needs benefit from the gateway model. Centralized policy means one team owns the encryption rules across every location, regardless of local mail configuration.
The advantages compound with size:
- Uniform enforcement across every mailbox in every location
- Centralized reporting for compliance audits
- Directory-based policy that adjusts as staff join and leave
- Inbound threat protection bundled into the same gateway
- Automated encryption on regulated content without user decision
Health systems with an internal IT team, a compliance officer, and established procurement processes match this profile. The gateway pays back its complexity through scale.
Practices under fifty users rarely see the same payback. The setup, tuning, and administrative time exceeds the benefit at that scale. That is where portal-based alternatives become more attractive.
Gateway services pay back their complexity through scale. Multi-site practices with hundreds of users, mixed mail platforms, and dedicated IT match the profile. Practices under fifty users rarely see the same payback because setup, tuning, and administrative time exceed the benefit at that scale. Map your weekly outbound PHI volume before picking a platform. Under 100 regulated messages per week usually points to a portal-based service instead.
Portal-Based Alternatives Skip the Gateway Deployment
Portal-based HIPAA email services take a different approach. There is no gateway between the mail server and the internet. The sender routes messages through the service either by using an add-in inside Gmail or Outlook, by sending through an SMTP relay, or by using a separate compose interface hosted by the vendor.
Mailhippo is an example of the portal model. It works with existing Gmail or Outlook accounts, includes a signed BAA in the base plan, and delivers encrypted messages through a portal link. There are no PGP keys, no S/MIME certificates, and no gateway policy tuning. One click on the send side, one link click on the recipient side.
The portal model trades automated policy detection for simplicity. The sender decides which message needs encryption. There is no gateway scanning body text for PHI patterns. For practices where staff already know which messages contain PHI, the manual decision costs less than the gateway tuning effort.
The right choice depends on the practice profile. Multi-site health systems match the gateway model. Small and mid-size practices often match the portal model. Both approaches satisfy HIPAA transmission security when configured correctly.
Zix Sits Inside a Broader HIPAA Email Toolkit
Zix is one of several methods HIPAA teams use for email transmission security. The full toolkit includes TLS as the transport baseline, S/MIME and PGP for message-level encryption, gateway services like Zix, and portal-based HIPAA email services.
Each method covers a different case:
- TLS covers the base case where both mail servers support opportunistic encryption
- S/MIME and PGP handle end-to-end encryption between technically fluent parties
- Gateway services enforce policy across a large user base with mixed skill levels
- Portal services deliver encrypted mail to any recipient with a browser
A practice choosing between Zix and a portal service should map its actual email flow. How many outbound PHI messages per week. How many external recipients. How many staff need to send encrypted mail. The answers point to the right model.
The broader HIPAA compliance picture also covers HIPAA-compliant website design, patient intake forms, and access controls on internal systems. Email is one leg of the compliance stack, not the entire picture.
Mailhippo as a Simpler Path to HIPAA Email Compliance
Practices that find the Zix gateway heavier than their send volume justifies often move to a portal-based service. Mailhippo secure email service works with existing Gmail or Outlook accounts, includes a signed BAA in the base plan, and delivers encrypted messages through a one-click recipient link with no keys or certificates.
The tradeoff is manual encryption. The sender chooses which message to encrypt. There is no gateway detecting PHI patterns in the body text. Staff who already know which messages contain PHI make the decision at compose time.
For small and mid-size practices, the portal model deploys faster, costs less per seat, and requires no IT time on gateway policy tuning. Compare quoted Zix pricing against Mailhippo pricing and factor in the setup time before deciding.
Both approaches meet HIPAA transmission security. The right choice depends on staff count, mail platform, external recipient mix, and internal IT capacity. Map your actual email flow before picking a platform.
Frequently Asked Questions
Zix email encryption is a secure email gateway that inspects outbound mail, applies encryption when a policy rule matches, and delivers the encrypted message either through TLS or through a secure web portal. The sender continues to use Gmail, Outlook, or another mail client without changing how they compose email. The gateway handles the encryption decision automatically based on the message content, sender identity, recipient domain, and configured compliance rules.
Zix integrates with Gmail through Google Workspace routing settings or with Outlook through Microsoft 365 connectors. Outbound mail routes to the Zix gateway before it reaches the internet. The gateway scans the message, applies policy, and forwards the message with the appropriate encryption. Inbound mail can also route through Zix for threat scanning. The sender experience stays inside the native mail client. No plugin, no separate compose window, no manual encryption step for policy-matched content.
No account is required for one-off recipients. External recipients receive a notification email with a link to the Zix portal. They set a password on first use, sign in, and read the message. Repeat recipients use the same account on later messages. Recipients on other TLS-enabled mail servers may receive the message directly in their inbox without a portal step, depending on the Zix directory verification of the receiving server. The experience varies by recipient environment.
Zix pricing runs per mailbox per month and depends on the plan level and seat count. Public list pricing is not published. Small practices typically pay a higher per-seat rate than enterprise deployments. Add-on modules for archiving, DLP, and inbound threat protection increase the total. Practices comparing options should request a quote directly and compare against simpler HIPAA email services that include the BAA and encryption in a base per-seat rate.
Zix signs a business associate agreement and supports the HIPAA transmission security standard when configured correctly. Encryption at rest and encryption in transit both meet the HIPAA technical safeguard. Access logs and audit trails support the accounting-of-disclosures requirement. HIPAA compliance is a shared responsibility. The provider handles the platform side. The covered entity is responsible for correct policy configuration, workforce training, and access control on the sending accounts.
Alternatives include portal-based HIPAA email services that add encryption at the individual mailbox level without a gateway, S/MIME certificates managed inside Microsoft 365 or Google Workspace Enterprise, and PGP for technical teams. Portal-based services from vendors like Mailhippo work with existing Gmail or Outlook accounts, include a signed BAA in the base plan, and skip the gateway routing setup. Smaller practices often find portal services simpler to deploy and easier to explain to external recipients.
Yes, Zix offers inbound threat protection as a separate module or bundle. The inbound path routes external mail through the Zix gateway for phishing, malware, and business email compromise detection before delivery to the mailbox. This is separate from the outbound encryption feature and is priced as an add-on. Practices that already run Microsoft Defender or Google Advanced Protection may already have inbound coverage and should compare feature overlap before adding the Zix inbound module.

















