HIPAA Compliant Email Rules Every Practice Should Know

hipaa compliant email guide featured image

๐Ÿ”‘ Key Takeaways

  • HIPAA email is a program of BAA, encryption, training, and logs, not a single product.
  • The BAA comes first; providers that refuse to sign it disqualify on encryption alone.
  • TLS covers transit; S/MIME, portals, or gateways cover message-level encryption at rest.
  • Patients can consent to plaintext email; document the consent on the intake form.
  • Missing workforce training is the invisible gap OCR investigators flag every audit.

HIPAA compliant email is the phrase most search results treat as one product. It is actually a program that combines a signed contract, an encryption method, a training record, and a documented policy. Missing any one leaves the practice non-compliant.

This guide covers what HIPAA compliant email requires, how to configure it across the major mail platforms, and where a dedicated secure email service with a BAA in the base plan simplifies the compliance stack for solo practices and small clinics.

Read the sections in order. The requirements build on each other and skipping any one creates a gap that OCR will find in an audit.

The Four Requirements That Define HIPAA Compliant Email

HIPAA compliant email meets four requirements. Every one is mandatory.

  • The provider signs a business associate agreement with the covered entity before any PHI moves through the service.
  • The service encrypts PHI in transit between mail servers and at rest inside the recipient mailbox using an approved method.
  • The covered entity documents policies covering PHI email handling, workforce training, and incident response.
  • Audit logs record who sent each message, who received it, and when it was accessed, retained per the six-year rule.

Meeting three of four still leaves the practice non-compliant. Every one must be in place before PHI moves through the account.

Practices treating HIPAA compliant email as a checkbox purchase miss the surrounding obligations. The vendor covers the platform. Everything else is covered entity work.

The Business Associate Agreement Is Non-Negotiable

A BAA is the first requirement, not the encryption feature. Without it, no amount of technical protection makes the email HIPAA compliant.

The BAA obligates the mail provider to protect PHI, report security incidents, allow HHS access for investigations, and destroy PHI at contract termination. It creates legal liability on the provider side.

Providers refusing to sign a BAA cannot be used for PHI regardless of encryption strength. Personal Gmail, personal Outlook.com, Yahoo, and AOL all fall in this category.

Microsoft 365 Business Basic and higher signs a BAA available through the Service Trust Portal. Google Workspace Business Standard and higher signs a BAA available through the admin console. Dedicated encrypted email services include the BAA in the base plan.

Retain the countersigned copy. Document the effective date and the covered services. Auditors ask for it during risk assessment review.

hipaa compliant email in article illustration one

Encryption Meets One Safeguard Out of Many

Encryption meets the HIPAA Security Rule transmission security safeguard. That is one requirement among dozens.

Transmission security is designated as addressable, which means the covered entity implements it or documents an equivalent alternative. Unencrypted PHI email is not a defensible alternative under current OCR guidance.

Approved encryption methods include TLS 1.2 or higher for transit, S/MIME with X.509 certificates for end-to-end content encryption, and hosted portal encryption from qualified providers. The HHS Security Rule guidance covers each safeguard.

Related guides: HIPAA compliant email service covers the vendor evaluation framework. HIPAA compliant email Gmail covers the Google Workspace configuration path.

Encryption is necessary but not sufficient. The remaining safeguards live in policy and workforce training.

Patient Consent for Unencrypted Email Is a Documented Option

HIPAA allows PHI transmission via unencrypted email to the patient if the patient has been informed of the risks and requests the unencrypted method anyway.

The consent option covers convenience cases like appointment reminders where a portal login exceeds the patient technical comfort. It does not apply to email between covered entities or between the practice and business associates, which still requires encryption.

Document consent through the intake form or a dedicated consent record. Auditors expect to see the exact consent language, the effective date, and the patient signature or electronic acknowledgment.

Consent is revocable at any time. Practices update patient records when the patient asks for encrypted delivery instead, and workforce members switch the send method accordingly.

Absent documented consent, PHI email to the patient still requires encryption. Encrypt by default and treat unencrypted delivery as the exception.

Example

A twelve-person orthopedic practice signs a BAA with Microsoft 365 Business Premium and configures Purview Message Encryption. Six months later, a front desk employee sends a patient MRI report to the wrong address using autocomplete. The practice had never trained staff on recipient verification. The breach affects one individual, but the OCR investigation surfaces the missing training program and expands scope. The practice adds mandatory quarterly training documented in a learning management system and closes the gap before penalties finalize.

Workforce Training Fills the Compliance Gap

A practice with signed BAA and configured encryption still fails compliance if staff mishandle PHI in email.

Training covers the send workflow for the specific mail platform, the recipient verification step to prevent wrong-recipient errors, the DLP or automatic encryption rules, and the incident reporting process for suspected exposure.

New staff receive training before mailbox access. Existing staff receive refresher training on every material change to the email stack or annually at minimum.

Documentation of training completion supports the six-year HIPAA retention requirement. Learning management systems that record completion dates and quiz scores make audit review straightforward.

Training is the cheapest compliance investment per dollar. A single wrong-recipient PHI email costs more in breach response than a full year of training for a ten-person practice.

hipaa compliant email in article illustration two

Audit Logging and Records Retention

HIPAA requires audit controls that record system activity relevant to PHI. Email audit logs support this requirement.

Microsoft Purview audit logging records every message send, receipt, and access event with timestamp, user identity, and message metadata. Google Workspace audit logs cover the same events through the admin console.

Retention periods vary. HIPAA requires six years for documentation supporting security policies. Some state laws require longer retention. Litigation holds can extend retention indefinitely for specific accounts.

Practices review audit logs periodically for anomalous access patterns. A workforce member downloading many patient records or a login from an unexpected geography triggers investigation.

Archiving services capture and preserve email records automatically. The archive itself is encrypted at rest and access-controlled to prevent tampering.

Incident Response for Email-Related Breaches

Every practice needs an incident response plan for email-related PHI breaches. HIPAA requires it.

The plan defines what triggers an incident, who leads response, how to preserve forensic evidence, how to notify affected individuals within 60 days, and when to notify HHS.

Common email incidents include wrong-recipient PHI email, forwarded PHI to personal accounts, phishing that compromised a mailbox credential, and unencrypted PHI email sent without patient consent.

Response includes containment, investigation, notification, and remediation. Update workforce training and policies to prevent recurrence. Document every step for the audit record.

The HHS breach notification guidance covers the timing and content requirements for each notification type.

๐Ÿ’กPro Tip: Document Every Training Session for Six Years

OCR breach investigations routinely surface missing workforce training records as a compounding factor in penalty decisions. Track every training session with the date, staff attendee list, topics covered, and quiz results. A learning management system that timestamps completion and stores quiz scores makes audit review straightforward. Refresh training annually and after every material change to the mail stack, including plan upgrades or vendor switches.

HIPAA Compliant Email Marketing Rules

Marketing email raises additional HIPAA questions beyond clinical communication.

Appointment reminders using patient name and appointment details are permitted as treatment operations without additional authorization. Newsletters using aggregated topics without PHI are permitted.

Promotional emails that reference specific patient conditions or treatments require documented patient authorization on file. Absent authorization, the marketing message is a HIPAA violation regardless of encryption.

The marketing platform must sign a BAA and encrypt PHI in transit and at rest. Consumer marketing platforms like Mailchimp free tier do not sign BAAs and cannot be used for PHI.

Related guide: HIPAA compliant email marketing covers the marketing-specific rules and platform options.

Segregating marketing lists that contain PHI from general marketing lists simplifies compliance. General newsletters can run on a standard platform. PHI-triggered communications run on a HIPAA compliant platform.

Common Compliance Gaps to Avoid

OCR breach investigations surface the same gaps repeatedly.

  • Missing signed BAA on file with the mail provider, discovered during breach investigation.
  • Workforce members using personal Gmail or Outlook.com for practice email, unencrypted and uncovered by BAA.
  • PHI sent unencrypted without documented patient consent for the unencrypted method.
  • Wrong-recipient PHI email caused by autocomplete errors or copy-paste mistakes.
  • Forwarded PHI to personal accounts, home email, or personal mobile devices without practice authorization.
  • Retained access after workforce termination, allowing former employees to read active PHI email.

Each gap has a specific control. BAA on file. Restrict personal accounts. Automatic encryption via DLP rules. Recipient verification prompts. Forwarding restrictions. Timely deprovisioning on termination.

Practices closing every gap avoid the settlements that make OCR headlines.

Choosing the Right HIPAA Email Setup for Practice Size

The right HIPAA compliant email setup depends on practice size, budget, and workforce technical comfort.

Solo practices and small clinics with two to ten workforce members often choose a dedicated encrypted email service layered on top of an existing Gmail or Outlook account. The BAA comes in the base plan and cost stays under 15 dollars per user per month.

Mid-size practices with dedicated IT staff often standardize on Microsoft 365 Business Premium or Google Workspace Enterprise Plus for the integrated encryption. The BAA covers the full tenant, simplifying vendor management.

Large health systems typically layer a specialized DLP and encryption gateway on top of Microsoft or Google to handle complex mail flow policies across departments.

Mailhippo delivers encrypted email for practices that want a shorter compliance path without portal friction on the recipient side. Related guides: best HIPAA compliant email, free HIPAA compliant email, and HIPAA compliant emails.

Pair the email choice with a compliant patient-facing web presence. See healthcare website security features for the site-side controls that pair with encrypted email under a shared compliance framework.

Frequently Asked Questions

What makes an email HIPAA compliant? +

A HIPAA compliant email meets four conditions. The sender uses a mail service covered by a signed business associate agreement. The message content is encrypted in transit and at rest using an approved method. The sending organization has documented policies covering PHI email handling and workforce training. The audit log records who sent the message, who received it, and when it was accessed. Meeting three conditions and skipping one still leaves the practice non-compliant. Every condition must be in place before the message is sent.

Is HIPAA compliant email required for every PHI communication? +

HIPAA requires the covered entity to protect PHI whenever it is transmitted. Email carrying PHI must be secured through encryption unless the patient has consented to unencrypted email delivery after being informed of the risks. Internal PHI email between workforce members using the same tenant is protected through the mail provider infrastructure and does not always require message-level encryption. External PHI email to referring physicians, insurance companies, and business associates requires encryption regardless of relationship.

Can I send HIPAA compliant email from Gmail? +

Yes, when the account is Google Workspace Business Standard or higher with a signed BAA and encryption configured. Personal Gmail cannot be made HIPAA compliant because Google refuses to sign a BAA for consumer accounts. Workspace users configure encryption through hosted S/MIME on Enterprise Plus, Confidential Mode with SMS passcode on lower tiers, or a dedicated encrypted email service that layers on Workspace. Verify the signed BAA is on file in the admin console before sending PHI from any Gmail account.

What happens if I send PHI email without encryption? +

Unencrypted PHI email is a HIPAA breach unless the patient consented to that method after being informed of the risks. The covered entity must document the incident, notify affected individuals within 60 days, notify HHS if the breach affects 500 or more individuals, and update its risk assessment. Repeat breaches or breaches affecting many individuals can trigger OCR investigations and settlements. Settlements have ranged from hundreds of thousands to millions of dollars. Encryption is cheaper than a single breach investigation.

Do I need patient consent to use HIPAA compliant email? +

No, if the practice uses encryption. Encrypted email meets the HIPAA transmission security requirement and does not need patient consent for the encrypted method itself. Patient consent applies to the alternative case where the patient requests unencrypted email delivery for convenience, understanding the risk. That consent must be documented in writing, retained per the six-year rule, and revocable at any time. Practices offering both encrypted and unencrypted options need to track which patients selected each method.

How does HIPAA compliant email marketing differ from clinical email? +

Marketing email typically covers appointment reminders, health tip newsletters, and promotional content for services. HIPAA restricts marketing communication that uses PHI without patient authorization. Appointment reminders using name and appointment details are permitted as treatment operations. Newsletters using aggregated topics without PHI are permitted. Promotional emails that reference specific patient conditions or treatments require documented patient authorization on file. The marketing platform must sign a BAA and encrypt PHI in transit and at rest, matching the clinical email requirements.

How long do I keep HIPAA email records? +

HIPAA requires six years of documentation retention for security policies, procedures, and records supporting compliance. Email records fall in this category when they document PHI transmission, workforce training, incident response, or risk assessment. Practices retain sent and received email that carries PHI, encryption configuration change logs, and audit reports from the mail provider. Archiving services capture and preserve these records automatically. The six-year clock starts from the later of message creation or the date the document was last in effect.

How to Enable Email Encryption in Office 365 for Healthcare Teams

enable email encryption office 365 guide featured image

๐Ÿ”‘ Key Takeaways

  • Purview Message Encryption activates on Microsoft 365 E3, E5, Business Premium, or Office 365 E3.
  • The fastest rollout is a mail flow rule that triggers Encrypt-Only on PHI keywords or labels.
  • PowerShell scripts Set-IRMConfiguration and New-TransportRule for reproducible tenant baselines.
  • S/MIME gives cryptographic sender ID but demands certificate distribution to every user device.
  • Pair encryption with MFA, conditional access, DLP, and audit logs for defense-in-depth compliance.

Healthcare teams running Microsoft 365 already own most of the tools they need to send encrypted email. The Encrypt button in Outlook, mail flow rules in Exchange, and rights management services in Azure combine into a working encryption stack that meets HIPAA transmission requirements.

The gap is configuration. Most practices discover that the default Office 365 tenant does not enable email encryption until an administrator turns it on, assigns the right licenses, and writes a mail flow rule. Teams that want a simpler path often pair Microsoft 365 with a dedicated encrypted email service to skip the per-user setup work.

This guide walks through the exact steps to enable email encryption in Office 365 from the admin center, PowerShell, and Outlook. It also covers S/MIME setup, mail flow rules, DLP policies, and the license checks that trip up first-time deployments.

Confirm your Office 365 license includes encryption

License verification comes first. Microsoft Purview Message Encryption ships with Microsoft 365 E3, E5, A3, A5, G3, G5, Business Premium, and Office 365 E3 and E5 plans.

Business Basic and Business Standard do not include Purview by default. Administrators on those plans add Azure Information Protection Premium P1 as an add-on license, upgrade the tenant, or route encryption through a third-party service.

To check coverage, sign in to the Microsoft 365 admin center, open Billing, then Licenses. Confirm that assigned licenses include Azure Rights Management Service and Microsoft Purview Message Encryption entitlements.

Users without the correct license see the Encrypt button greyed out in Outlook. Fixing that means assigning the license, waiting for the tenant to provision, then having the user sign out and back in to refresh the token.

Activate Azure Rights Management in the admin center

Azure Rights Management is the underlying service that Purview Message Encryption depends on. New tenants have it enabled by default, but tenants created before 2018 or tenants that were manually disabled need activation.

Open the Microsoft 365 admin center. Go to Settings, then Org settings, then Services. Find Microsoft Azure Information Protection and select it. Click Manage Microsoft Azure Information Protection settings, then Activate.

The activation runs in the background. After a few minutes, the service shows as Activated and the tenant is ready for message encryption policies.

Administrators who prefer to script this step run Enable-AadrmService or the newer Set-IRMConfiguration cmdlet through Exchange Online PowerShell. Both approaches produce the same result and are documented in Microsoft Purview Message Encryption setup guides at learn.microsoft.com.

enable email encryption office 365 in article illustration one

Create a mail flow rule to trigger encryption automatically

Manual encryption depends on staff clicking the Encrypt button on every sensitive message. Mail flow rules remove that dependency by triggering encryption based on message content, sender, recipient, or attached sensitivity labels.

Open the Exchange admin center. Go to Mail flow, then Rules. Click the plus icon and select Apply Office 365 Message Encryption and rights protection to messages.

Set the condition to match the trigger you want. Common conditions include the subject or body containing terms like PHI, patient, or diagnosis, or messages sent to external recipients from clinical users.

Choose the RMS template. Encrypt-Only lets recipients forward, while Do Not Forward blocks reply-all, forwarding, and printing. Save the rule and send a test message to confirm the recipient portal loads as expected.

Enable email encryption in Office 365 with PowerShell

PowerShell is the fastest path for IT teams managing multiple tenants or scripted deployments. Install the Exchange Online Management module, then connect with the appropriate global admin credentials.

Run Install-Module with the name ExchangeOnlineManagement once per machine. Then connect with Connect-ExchangeOnline and the global admin user principal name.

Enable the service with Set-IRMConfiguration and the AutomaticServiceUpdateEnabled parameter set to true. Verify state with Get-IRMConfiguration. The output should show ServiceLocation, LicensingLocation, and InternalLicensingEnabled populated with valid values.

Create mail flow rules with New-TransportRule. Bulk operations save hours when standing up encryption across acquired practices, new subsidiaries, or lab environments where a repeatable baseline matters more than a one-time click-through.

Example

An orthopedic group in Cleveland with 22 users on Microsoft 365 Business Premium needed automatic encryption for outbound referral letters. The IT contractor scripted the rollout through PowerShell, enabling IRM with Set-IRMConfiguration and creating a mail flow rule that triggered on subject keywords like referral, MRI, and X-ray. A second DLP policy caught patterns like ICD-10 codes and insurance member IDs. Total configuration ran 45 minutes. The first test message from a licensed mailbox to a personal Gmail address delivered a Microsoft portal link within seven seconds.

Use the Encrypt button in Outlook desktop and web

Once the tenant is configured, individual senders trigger encryption from Outlook without additional setup. In Outlook desktop, open a new message, click the Options tab, then click Encrypt.

Choose the protection template from the drop-down. Encrypt applies default protection, Do Not Forward blocks reply-all and forwarding, and any custom labels created by the tenant appear alongside the built-in options.

In Outlook on the web, the Encrypt button lives at the top of the new message pane. The behavior is identical to the desktop version, and messages appear in the recipient portal with the same experience.

Mobile users on the Outlook iOS and Android apps get the same Encrypt option under the three-dot menu when composing a message. Recipients open the encrypted message through a portal link and sign in with Microsoft, Google, or a one-time passcode.

enable email encryption office 365 in article illustration two

Configure S/MIME for regulated communications

S/MIME provides cryptographic identity verification on top of encryption. It requires certificate distribution to every user and device, which raises the operational cost but delivers sender authentication for compliance-critical exchanges.

Deploy a certificate authority or use a public CA. Push user certificates through Group Policy, Intune, or manual import into the personal certificate store. Confirm the store shows the certificate under Trusted Publishers.

In Outlook 2007 and later, open File, Options, Trust Center, Trust Center Settings, Email Security. Under Encrypted Email, select the S/MIME certificate. Check the boxes to sign outgoing messages and encrypt content and attachments.

S/MIME becomes practical for teams with an existing PKI. Small practices without one usually get better outcomes from Purview Message Encryption or a third-party secure email service that handles keys behind the scenes.

Layer DLP policies on top of encryption rules

Data loss prevention policies inspect messages for regulated content patterns. When a match hits, the policy applies encryption automatically or blocks the message and notifies the sender.

Open the Microsoft Purview compliance portal. Go to Data loss prevention, then Policies. Click Create policy and choose the U.S. Health Insurance Act (HIPAA) template as a starting point.

The template detects patterns like Social Security numbers, ICD-10 codes, DEA numbers, and insurance member IDs. Set the action to apply Purview Message Encryption when the policy matches an outbound message.

Tune the policy over the first two weeks. Review the DLP alert dashboard, adjust match confidence thresholds, and add exceptions for internal training data or test accounts. A tuned policy catches PHI leaks without blocking legitimate clinical email.

๐Ÿ’กPro Tip: Script the tenant baseline with PowerShell for reuse

Save the Set-IRMConfiguration, Enable-OrganizationCustomization, and New-TransportRule commands in a single .ps1 file with comments naming each step. When a mailbox migration, tenant reset, or license upgrade happens, the same script rebuilds the encryption baseline in under 10 minutes. Manual UI clicks are the leading cause of drift between what the risk register says is configured and what the tenant actually has active. A checked-in script also serves as evidence of consistent policy enforcement during an OCR audit.

Test the encryption workflow end to end

Testing catches misconfigured rules before staff sends real PHI through a broken flow. Set up two accounts. Use one licensed Office 365 mailbox as the sender and one external Gmail or Yahoo account as the recipient.

Send a test message with the word PHI in the subject line to trigger the mail flow rule. The external recipient should receive a wrapper message with a link to view the encrypted content.

Open the portal link. Sign in with a Microsoft account, a Google account, or request a one-time passcode. Confirm the message body renders correctly, and reply from the portal to test round-trip encryption.

Document each step with screenshots. Save the DLP report, the mail flow rule configuration, and the PowerShell output. This documentation becomes evidence during HIPAA audits, business associate reviews, and internal security assessments.

Match encryption with the HIPAA Security Rule

The HIPAA Security Rule addresses transmission security under 45 CFR 164.312(e). Encryption is an addressable standard, which means covered entities either implement it or document a reasonable alternative.

Office 365 encryption meets the transmission standard when configured with the mail flow rules and DLP policies described above. Practices should also enable multi-factor authentication, conditional access, and audit logging to satisfy access control and integrity standards.

The HHS Security Rule guidance outlines the full set of technical safeguards. Encryption alone does not satisfy the rule, but it addresses one of the more visible controls that auditors ask about first.

Healthcare organizations also need a signed business associate agreement (BAA) with Microsoft. The BAA is available through the Microsoft Service Trust Portal and covers Office 365, Exchange Online, and Purview Message Encryption when configured for HIPAA workloads. Compliance also depends on healthcare website security features that protect the public-facing side of the practice.

Choose between native encryption and a dedicated service

Native Office 365 encryption works well for organizations that already run on Microsoft 365 E3 or Business Premium and have IT staff to manage mail flow rules, license assignments, and Purview policies.

Small practices without dedicated IT often find the setup and ongoing maintenance costly. Every license change, tenant migration, or Outlook update creates a potential point of failure that a solo IT contractor needs to troubleshoot.

Mailhippo works alongside existing Gmail or Outlook accounts as a HIPAA-compliant secure email service. The base plan includes a business associate agreement and applies TLS with client-side encryption without requiring PGP keys or separate client software. Recipients open messages with one click.

Teams building the workflow further may want to look at enable office 365 email encryption, review outlook 365 enable encryption email options, or benchmark against email encryption office 365 business premium to confirm the plan level covers the needed features.

  • Confirm license coverage before touching mail flow rules.
  • Activate Azure Rights Management once per tenant.
  • Script repeat deployments with PowerShell instead of the admin UI.
  • Layer DLP policies on top of manual encryption for PHI patterns.
  • Document the full configuration for HIPAA audit evidence.

Frequently Asked Questions

Which Office 365 plans include email encryption? +

Microsoft 365 E3, E5, A3, A5, G3, G5, Business Premium, and Office 365 E3 and E5 include Microsoft Purview Message Encryption at no extra cost. Business Basic and Business Standard plans do not include Purview Message Encryption in the base license. Practices on lower-tier plans need to add Azure Information Protection Premium P1, upgrade the tenant, or use a third-party secure email service. Verifying license coverage before enabling encryption avoids failed mail flow rules and confused end users.

How long does it take to enable email encryption in Office 365? +

A single-tenant configuration with existing Purview Message Encryption licensing takes about 30 to 60 minutes. That includes activating Azure Rights Management, creating a mail flow rule, testing an outbound message, and documenting the setup. Multi-tenant rollouts, custom branding, and DLP policy tuning add several hours. Practices adding licenses first should expect provisioning delays of up to 24 hours before the Encrypt button appears in Outlook for newly licensed users.

Do external recipients need an Office 365 account to read encrypted mail? +

No. External recipients receive a notification message with a link to a secure portal hosted by Microsoft. They sign in with a Microsoft account, a Google account, or request a one-time passcode delivered to the recipient email address. The message opens in the browser, and replies stay inside the encrypted thread. Recipients on mobile see the same experience through the Office mobile app or a standard web browser.

Can I enable email encryption in Office 365 with PowerShell? +

Yes. Connect to Exchange Online PowerShell using Connect-ExchangeOnline, then run Set-IRMConfiguration with the AutomaticServiceUpdateEnabled parameter set to true and enable the rights management service with Enable-OrganizationCustomization. Verify the state with Get-IRMConfiguration and Test-IRMConfiguration against a licensed mailbox. PowerShell also handles bulk mail flow rule creation through New-TransportRule, which is faster than the admin center for tenants with dozens of rules or repeated deployment across labs, subsidiaries, and clinics.

How does S/MIME differ from Microsoft Purview Message Encryption? +

S/MIME uses digital certificates issued to individual users. Each sender signs and encrypts the message with keys bound to a verified identity, and each recipient needs a matching certificate to read the message. Microsoft Purview Message Encryption uses a policy-based approach that does not require recipient certificates. S/MIME provides stronger identity assurance for regulated communications with fixed partners. Purview scales better for healthcare teams sending to patients, insurers, and referral partners who do not manage certificates.

Is Office 365 email encryption enough for HIPAA compliance? +

Encryption satisfies the transmission security standard under the HIPAA Security Rule, but compliance requires additional controls. Practices need multi-factor authentication, access controls, audit logs, workforce training, a signed business associate agreement with Microsoft, and documented policies. Encryption without those supporting controls fails an OCR audit even when messages themselves are secured. Treat encryption as one layer inside a broader compliance program rather than the finish line for HIPAA readiness.

What if the Encrypt button does not appear in Outlook after licensing? +

Check three items in order. First, confirm the user license includes Purview Message Encryption in the Microsoft 365 admin center. Second, verify Azure Rights Management is active by running Get-IRMConfiguration and checking that RMSOnlineActivated returns True. Third, sign the user out of Outlook and back in to refresh the license token. If the button still does not appear, restart Outlook in safe mode and clear the Office credentials cache under Windows Credential Manager.