๐ Key Takeaways
- Outlook Business Premium exposes the Encrypt button; lower tiers hide it entirely.
- S/MIME works from Outlook 2013 up but needs a valid cert for sender and recipient.
- Outlook on the web shows Encrypt only when Purview Message Encryption is active.
- Microsoft signs the BAA, but sending PHI in plaintext still counts as a HIPAA breach.
- Configure a DLP rule so PHI patterns trigger encryption when staff forget to click.
Outlook supports three encryption paths. The Encrypt button, S/MIME certificates, and layered third-party services. Each has a specific plan requirement and a specific recipient experience.
For healthcare organizations and any team handling regulated data, encrypting emails in Outlook means matching the method to the license, the recipient, and the compliance requirement.
This guide covers the setup for Outlook desktop and Outlook on the web across the main Microsoft 365 tiers.
The Encrypt Button Uses Microsoft Purview Message Encryption
The Encrypt button in the Outlook Options ribbon triggers Microsoft Purview Message Encryption. This is the native Microsoft option for sending encrypted mail to recipients outside the sender tenant.
The button appears on Microsoft 365 Business Premium, Enterprise E3, Enterprise E5, and comparable Education plans. It does not appear on Business Basic or Business Standard because those tiers do not include Purview Message Encryption.
If the tenant is on a qualifying plan and the button is missing, an administrator needs to enable Azure Rights Management under the Microsoft 365 Admin Center. Once activated, the Encrypt button appears in Outlook within a few minutes.
According to Microsoft documentation, Purview Message Encryption meets HIPAA transmission requirements when combined with a signed BAA available on qualifying Microsoft 365 tiers.
Encrypt-Only and Do Not Forward Provide Different Levels of Control
Clicking the Encrypt button opens a dropdown with two main options. Encrypt-Only sends the message with encryption in transit and at rest. Do Not Forward adds rights-management controls that block the recipient from forwarding, copying, or printing.
Encrypt-Only is appropriate when the sender trusts the recipient to handle the message responsibly but wants to protect it from network interception and mailbox compromise. The recipient can forward it to others once they read it, in encrypted form.
Do Not Forward is stronger when the sender wants to limit downstream distribution. The rights-management layer prevents the recipient from forwarding or exporting the content. Screenshots still work, but the automated actions are blocked.
For HIPAA and regulated content, Encrypt-Only meets the transmission standard. Do Not Forward adds a layer of downstream control that is optional under HIPAA but often used as a matter of practice policy.

Encrypt Button Step-by-Step in Outlook Desktop
Open Outlook desktop and click New Email. Fill in the recipient, subject, and body as usual. Click the Options tab in the ribbon.
Click Encrypt in the ribbon. A dropdown appears with Encrypt-Only and Do Not Forward. Select the option that matches the message. A banner appears at the top of the message confirming the selected encryption.
Click Send. Outlook encrypts the message through Microsoft Purview and delivers it to the recipient. Internal recipients on the same tenant see it inline in Outlook. External recipients receive a portal link.
- The banner in the compose window confirms which encryption level is applied.
- To remove encryption before sending, click Encrypt again and select the same option to toggle off.
- The Sent folder shows a lock icon on the encrypted message.
Encrypt Button Step-by-Step in Outlook on the Web
Open Outlook on the web and click New Message. Fill in the recipient, subject, and body. Click the three-dot overflow menu at the top of the compose window.
Select Encrypt from the menu. A banner appears at the top of the message with the selected encryption level. The default is Encrypt-Only. To switch to Do Not Forward, click Change Permissions in the banner.
Click Send. The message is encrypted through Microsoft Purview and delivered. Internal recipients on the same tenant read it inline. External recipients on Gmail, Yahoo, iCloud, or other providers receive a link to the Microsoft portal.
If the Encrypt option does not appear in the overflow menu, the tenant has not enabled Purview Message Encryption. An administrator needs to activate it in the Microsoft 365 Admin Center before the option becomes visible.
A cosmetic surgery office on Microsoft 365 Business Standard needs to send consent forms and pre-op instructions to patients. Business Standard does not include the Encrypt button, and upgrading eight staff to Business Premium would add $76 per user annually. Instead the office keeps Business Standard at $12.50 per user and adds a HIPAA-compliant portal service at $9 per user monthly. Total savings compared to a full Premium upgrade lands near $600 per year, and patients open messages with one click instead of a Microsoft portal sign-in.
S/MIME Setup for Outlook Desktop
S/MIME is the certificate-based encryption standard built into Outlook. It provides end-to-end encryption between sender and recipient without a portal step. Both parties need certificates from a trusted authority.
Get a certificate from DigiCert, Sectigo, IdenTrust, or another trusted authority. The authority delivers a .pfx file containing the public certificate and private key. Import the file into the Windows certificate store on Windows or the macOS keychain on Mac.
Open Outlook and navigate to File, Options, Trust Center, Trust Center Settings, Email Security. Click Settings under Encrypted email. In the dialog, select the certificate for signing and encryption from the dropdown. Click OK and restart Outlook.
When composing a message, click Options, then click Sign and Encrypt icons in the More Options section. If the recipient has a valid S/MIME certificate that Outlook can verify, the encrypted send works. If not, Outlook prompts to send unencrypted.

HIPAA Coverage in Microsoft 365 Has Boundaries
Microsoft signs a business associate agreement covering Microsoft 365 core services, including Exchange Online, when the tenant has accepted the BAA under the Microsoft Trust Center. The BAA covers the transmission and storage of PHI in Outlook.
The sender remains responsible for enabling encryption on every PHI transmission. The BAA does not automatically encrypt every message. Sending a PHI message without clicking Encrypt still results in transmission over TLS or plaintext, which does not meet the HIPAA transmission standard for regulated data.
For consistent enforcement, administrators can configure a data loss prevention rule under the Microsoft 365 Purview compliance portal that scans outbound messages for regulated patterns and applies encryption automatically. This is not enabled out of the box.
For practices on Business Basic or Business Standard without Purview Message Encryption, the practical path is a layered encrypted email service. This pairs with broader work covered in healthcare website security features.
Recipient Experience Depends on Their Mail Provider
Recipients on the same Microsoft 365 tenant see the message inline in Outlook or Outlook on the web. They do not click a portal link. The message opens like any other, with a lock icon indicating encryption.
Gmail users get a notification email with a link. They click the link and either sign in with their Google account or request a one-time passcode by email. They read the message in a Microsoft portal in their browser.
Yahoo, iCloud, AOL, and other recipients receive a one-time passcode by email and view the message in the Microsoft portal. They cannot sign in with their mail provider because those providers do not federate with Microsoft identity services.
Test the workflow with a known recipient before relying on it for time-sensitive delivery. Some corporate mail gateways strip the notification link or block the Microsoft portal domain. Testing surfaces those issues before the first real send.
Manual Encrypt-button use fails when staff forget on a sensitive message. The single most common HIPAA breach cause is a sender forgetting to click Encrypt on a PHI message. Configure a data loss prevention rule in the Microsoft 365 Purview compliance portal that scans outbound messages for patterns like Social Security numbers or medical record numbers and applies Purview Message Encryption automatically. Human error drops out of the workflow.
Third-Party Services Close the Gap on Lower Microsoft 365 Tiers
Microsoft 365 Business Basic and Business Standard tenants do not have the Encrypt button. Upgrading every seat to Business Premium for the encryption feature is often more expensive than adding a purpose-built encrypted email service.
Mailhippo integrates with any Outlook or Microsoft 365 account through SMTP relay or a plug-in. The sender continues to write and send from Outlook. The service intercepts the message, encrypts it, and delivers over TLS or through a portal fallback.
The service includes a signed BAA in the base plan and logs every message access. The recipient experience is a single click and passcode. No key management, no software install for the recipient.
For healthcare organizations coordinating email with website work, this pairs with services covered in healthcare marketing.
Verify Encryption on Every Sensitive Send
Before hitting Send on a regulated message, verify the encryption is active. In Outlook desktop, the banner at the top of the compose window shows Encrypt-Only or Do Not Forward. In Outlook on the web, the same banner appears.
For S/MIME, the Sign and Encrypt buttons in the Options ribbon show as active. The message icon in the Sent folder shows a lock. If the message went out without those indicators, encryption did not apply.
Microsoft 365 administrators can audit encryption status in the Purview compliance portal under Message Trace. This shows every outbound message with its encryption status, useful for HIPAA risk assessments and periodic compliance reviews.
According to HIPAA Journal, the most common documented compliance failure is a sender forgetting to enable encryption on a PHI message. Verification per send is the single most effective preventive control.
Choose the Outlook Path Based on Plan and Recipient
Match the encryption approach to the Microsoft 365 tier and the target recipient. Business Premium and above have the Encrypt button for a Microsoft-native experience. Business Basic and Business Standard need either an upgrade or a layered service.
- Business Premium or higher, external recipients: Encrypt button with Purview Message Encryption.
- Any tier, internal certified users: S/MIME with corporate certificates.
- Business Basic or Business Standard, external recipients: layered HIPAA-compliant service.
- Any tier, mixed compliance needs, patients as recipients: layered service with portal fallback.
For deeper coverage on related methods, see the sibling guides encrypting email in Outlook, encrypting an email, and how to open encrypted emails in Outlook.
The final point is that Outlook makes encryption easy on the right plan and unavailable on the wrong plan. Match the tool to the tier, and verify every sensitive send.
Frequently Asked Questions
The Encrypt button appears on Microsoft 365 Business Premium, Enterprise E3, Enterprise E5, and comparable Education plans. It does not appear on Business Basic or Business Standard. If the tenant is on a qualifying plan and the button is still missing, an administrator likely needs to enable Azure Rights Management under the Microsoft 365 Admin Center. Once activated, the Encrypt button appears in Outlook desktop under Options and in Outlook on the web under the compose window overflow menu within a few minutes.
Encrypt-Only encrypts the message in transit and at rest, so unauthorized viewers cannot read it, but the recipient can forward, copy, print, and download normally once they open it. Do Not Forward adds Microsoft Purview rights-management controls that block forwarding, printing, and copying by the recipient. Do Not Forward is the stronger control when the sender wants to limit downstream distribution. Both options require Microsoft Purview Message Encryption enabled at the tenant level to appear in the Outlook compose menu.
Get an S/MIME certificate from a trusted authority such as DigiCert, Sectigo, or IdenTrust. The authority delivers the certificate as a .pfx file with a private key. Double-click the .pfx file on Windows, or import it into Keychain Access on macOS. Open Outlook, navigate to File, Options, Trust Center, Trust Center Settings, Email Security, and click Settings under Encrypted email. Select the certificate for signing and encryption. Save and restart Outlook.
Microsoft 365 Business Basic is a web-only plan without the desktop Outlook client, and S/MIME on Outlook on the web has limited support. The Encrypt button on Business Basic is not available because Purview Message Encryption requires Business Premium or higher. Practices on Business Basic that need encryption typically use a browser-based encrypted email service or upgrade one or more seats to Business Premium. Layering a HIPAA-compliant service is often the lower-cost path for small practices.
Yes. Purview Message Encryption delivers the message through a Microsoft portal. The Gmail user receives a notification email with a link. They click the link and either sign in with their Google account or request a one-time passcode by email. They read the message in the Microsoft portal in their browser. The message stays encrypted at Microsoft servers and is not copied into the recipient Gmail account in plaintext. Portal-based reads leave the message on Microsoft infrastructure.
Not by default. Outlook does not scan message content and apply encryption automatically. An administrator can build data loss prevention rules in the Microsoft 365 Purview compliance portal that scan outbound messages for patterns like Social Security numbers or medical record numbers and enforce encryption on match. This is not enabled out of the box. It requires configuration of a DLP policy tied to a Purview Message Encryption action.
The message sends over TLS to the recipient server if the recipient supports TLS, or in plaintext if it does not. Neither of these paths meets HIPAA transmission standards for PHI. If the message contained regulated content, the sender may need to report a potential incident, depending on the organization breach response policy. This is one of the reasons many healthcare organizations layer an encrypted email service that enforces encryption regardless of user action.















