HIPAA Compliant Email: Your Best Options
Let's be honest—email compliance can feel overwhelming. You went to school to become a therapist, not an IT specialist. But here's the thing: getting your email HIPAA compliant doesn't have to be rocket science, and it's important for protecting your clients and your practice.
I've helped a number of therapists navigate this exact challenge, so let me break down your options in plain English. No tech jargon, no confusing acronyms—just straightforward advice to help you make the right choice for your practice.
Why HIPAA Compliant Email Matters
Regular email is like sending a postcard—anyone handling it along the way can read it. When you're dealing with protected health information (PHI), that's a big problem. HIPAA requires that any communication containing PHI be encrypted and secured, which means your regular Gmail or Yahoo account just won't cut it.
The good news? You have several solid options, and I'm going to walk you through each one.
Your Best HIPAA Compliant Email Options
Google Workspace: The Popular Choice
Google Workspace (formerly G Suite) is probably the most popular option among therapists I work with, and for good reason. It's familiar, reliable, and when set up correctly, it can be HIPAA compliant. There's a good chance you're already using Gmail, but note that free Gmail is NOT HIPAA compliant.
What makes Google Workspace HIPAA compliant:
Google will sign a Business Associate Agreement (BAA) with you
All emails are encrypted in transit and at rest
You get advanced security features like two-factor authentication
It integrates seamlessly with other Google tools you might already use
Here's what you need to do:
Sign up for a paid Google Workspace plan (the free Gmail won't work)
Sign a BAA with Google (there's a YouTube video showing how it's done)
Enable two-factor authentication for all users
The cost: Starting around $6 per user per month
The catch: You need to be diligent about configuration and user training. Google gives you the tools, but you need to use them correctly.
Microsoft 365: The Enterprise Favorite
Microsoft 365 (formerly Office 365) is another solid choice, especially if you're already using Microsoft products in your practice.
What makes Microsoft 365 HIPAA compliant:
Microsoft offers a comprehensive BAA
Built-in encryption and advanced threat protection
Detailed audit logs and compliance reporting
Integration with other Microsoft tools like Word, Excel, and Teams
What you need to do:
Choose a business plan that includes compliance features
Sign a BAA with Microsoft
Configure your tenant for HIPAA compliance
Enable multi-factor authentication
Set up data loss prevention policies
The cost: Starting around $6 per user per month for basic plans, more for advanced compliance features
The advantage: If you're already in the Microsoft ecosystem, this can be a natural fit with robust compliance tools.
ProtonMail: The Privacy-First Option
ProtonMail was built from the ground up with privacy and security in mind. It's based in Switzerland and offers end-to-end encryption by default.
Why therapists like ProtonMail:
End-to-end encryption is automatic
Based in privacy-friendly Switzerland
No ads or tracking
User-friendly interface
They'll sign a BAA
What you need to know:
You'll need the ProtonMail Business plan for HIPAA compliance
The BAA is available but requires their business tier
Slightly less integration with other business tools
Some clients might find the interface different from what they're used to
The cost: Business plans start around $8 per user per month
Best for: Therapists who prioritize privacy above all else and don't need extensive integration with other business tools.
MailHippo: The Healthcare Specialist
MailHippo is specifically designed for healthcare providers, which means HIPAA compliance is baked right in.
What makes MailHippo appealing:
Built specifically for healthcare
HIPAA compliance is automatic
BAA included with all plans
Secure messaging features
Healthcare-focused customer support
Things to consider:
Smaller company, so fewer integrations
Less familiar interface for users
More limited storage compared to Google or Microsoft
The cost: FREE, with low-cost plans also available
Best for: Practices that want a "set it and forget it" solution specifically designed for healthcare.
Paubox: The Email Encryption Specialist
Paubox takes a different approach—they provide HIPAA compliant email that works with your existing email client, whether that's Outlook, Apple Mail, or something else.
How Paubox works:
Encrypts your emails automatically
Recipients receive emails normally (no passwords or portals)
Works with your existing email setup
Comprehensive BAA included
Excellent customer support
The benefits:
No change to your current email workflow
Recipients don't need special software
Automatic encryption of all outbound emails
Great for practices already invested in a particular email system
The cost: Starting around $25 per user per month
Best for: Practices that want to keep their current email setup but add HIPAA compliance on top.
Hushmail: The Therapist-Friendly Solution
Hushmail has been around for over 20 years and is especially popular among healthcare providers, including many therapists I work with.
What makes Hushmail appealing:
Designed with healthcare providers in mind
Automatic encryption for all emails
Web-based interface that's easy to use
BAA included with business plans
Digital forms feature for secure client intake
No software installation required
The benefits:
Simple, intuitive interface
Built-in secure forms (great for intake paperwork)
Automatic encryption without complicated setup
Good customer support that understands healthcare needs
Works from any web browser
The cost: Business plans start around $8 per user per month
Best for: Therapists who want a straightforward, healthcare-focused email solution without the complexity of enterprise platforms.
Making Your Choice: What's Right for Your Practice?
Here's how I typically guide my clients through this decision:
HIPAA Compliant Email Services Comparison for Therapists
Feature | Google Workspace | Microsoft 365 | ProtonMail | MailHippo | Hushmail |
---|---|---|---|---|---|
Starting Price/Month | $7/user (annual), $8.40/user (monthly) | $6/user (basic plans) | $8/user (business plans) | $4.95/user (Basic), free 30-day trial | $9.99/user (individual), healthcare plans vary |
BAA Included | ✅ Yes (all paid plans) | ✅ Yes (business plans) | ✅ Yes (all business plans) | ✅ Yes (all plans) | ✅ Yes (healthcare plans) |
Web Email Client | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes |
Desktop App Support | ✅ Yes (with proper config) | ✅ Yes | ✅ Limited (bridge required) | ❌ Web-based only | ✅ Yes (Outlook, Apple Mail) |
Mobile App | ✅ Yes (HIPAA compliant) | ✅ Yes | ✅ Yes | ✅ Yes (responsive web) | ✅ Yes (iPhone app) |
Email Client Integration | ✅ Outlook, Apple Mail, others | ✅ Native Outlook integration | ✅ Limited (requires bridge) | ❌ Works with existing email | ✅ Outlook, Apple Mail |
Setup Complexity | 🟨 Moderate (requires config) | 🟨 Moderate (requires config) | 🟩 Simple | 🟩 Very simple | 🟩 Simple |
End-to-End Encryption | ❌ No (TLS only) | ❌ No (TLS only) | ✅ Yes (default) | ✅ Yes | ✅ Yes |
Storage Per User | 30GB-5TB (plan dependent) | Varies by plan | 15GB-500GB | 2GB-10GB | 10GB+ |
Message Limits | Unlimited | Unlimited | Plan dependent | 1,000-10,000/month | Unlimited |
Additional Features | Full office suite, Meet, Drive | Full office suite, Teams | VPN, calendar, drive | Message recall, expiration | Secure forms, e-signatures |
Free Trial | 14 days | 30 days | Yes (limited) | 30 days | 14 days |
Quick Decision Guide
Google Workspace & Microsoft 365
- Most comprehensive feature sets
- Require technical configuration for HIPAA compliance
- Best value for practices needing full office suites
- Extensive third-party integrations
Privacy-First (ProtonMail)
- End-to-end encryption by default
- Based in privacy-friendly Switzerland
- Limited integrations with other business tools
- Best for practices prioritizing maximum security
Budget-Friendly (MailHippo)
- Most affordable option with free trial
- Simple setup - no configuration required
- Web-based interface only
- Perfect for solo practitioners or small practices
Healthcare-Focused (Hushmail)
- Built specifically for healthcare providers
- Includes secure forms and e-signatures
- HIPAA compliant out of the box
- Established reputation in healthcare community
Important Notes
- Free versions are never HIPAA compliant - you must have a paid plan and a signed BAA
- Training is essential regardless of which service you choose
- All solutions require proper policies and procedures beyond just the technology
- Consider your workflow - some solutions integrate better with existing tools than others
The Bottom Line
Choosing the right HIPAA compliant email solution doesn't have to be overwhelming. Whether you go with a full business suite like Google Workspace, a privacy-focused option like ProtonMail, or a healthcare-specific solution like Hushmail, the most important thing is that you're protecting your clients' information and staying compliant.
Remember, the technology is just one piece of the puzzle. You'll also need proper policies, staff training, and regular reviews to maintain true HIPAA compliance. But getting your email sorted is a huge step in the right direction.
Take advantage of those free trials, test out a few options, and choose the one that feels right for your practice. Your clients will thank you for taking their privacy seriously, and you'll have peace of mind knowing you're doing things the right way.