HIPAA Compliant Email: Best Options for Practices

Your front desk sends a patient's lab results to the wrong email address. A billing coordinator emails a spreadsheet of outstanding balances — with patient names and diagnoses — to an insurance rep using her personal Gmail. A provider replies to a patient question with appointment details in the subject line.

Each of these is a HIPAA violation. And in 2025, email-related breaches were the single most common source of exposed patient data — with 170 email breaches impacting over 2.5 million people.

The fix is not complicated. But it does require the right email setup. Here is what makes email HIPAA compliant, what your options cost, and which one fits your practice.

Why Regular Email Is Not HIPAA Compliant

Free Gmail and consumer Outlook fail HIPAA requirements in four critical ways:

• No Business Associate Agreement (BAA). HIPAA requires a signed BAA with any service provider that stores or transmits protected health information (PHI). Free email does not offer one.
• Insufficient encryption. Standard Gmail uses TLS to encrypt emails in transit — but only if the recipient's server also supports TLS. There is no end-to-end encryption and no guarantee of encryption at rest.
• No admin controls. HIPAA requires role-based access, session timeouts, multi-factor authentication, and central administrative oversight. Consumer email lacks these organizational tools.
• No audit trails. HIPAA requires audit controls to track who accessed PHI and when. Consumer email does not provide the detailed logging that compliance demands.

This does not mean you cannot use Gmail or Outlook. It means you need the paid business versions — Google Workspace or Microsoft 365 — configured correctly with a signed BAA. Or you need a dedicated HIPAA email solution layered on top.

What Makes Email HIPAA Compliant

Five requirements must all be met — missing any one of them leaves your practice exposed:

1. Signed BAA. Your email provider must sign a BAA establishing their legal responsibility for protecting PHI. No BAA means no compliance — regardless of encryption or other features.
2. Encryption in transit. TLS 1.2 or higher is required. TLS 1.0 and 1.1 are no longer considered secure. End-to-end encryption (S/MIME or similar) provides the strongest protection.
3. Encryption at rest. Emails stored on the provider's servers must be encrypted using AES-256 or equivalent.
4. Access controls. Unique user accounts (no shared logins), multi-factor authentication, automatic session timeouts, and role-based permissions.
5. Audit logs. Activity logging for all access to PHI — login/logout tracking, email send/receive logs with timestamps, and the ability to produce audit reports on demand.

The proposed 2026 HIPAA Security Rule update would eliminate the distinction between "required" and "addressable" safeguards, making encryption mandatory in all cases. If you are not encrypting email today, the regulatory window is closing.

Your Options — Compared

Here are the six most practical HIPAA-compliant email options for small medical practices, with real pricing for a 5-person office:

Microsoft 365 Business Premium — $22/user/month ($110/month for 5 users)

The all-in-one choice. Includes email hosting, Office apps (Word, Excel, Teams), plus the security features HIPAA requires: Intune device management, Azure Information Protection, advanced threat protection, data loss prevention (DLP), and conditional access policies. BAA is included automatically. Microsoft states that Business Basic ($6/user) and Business Standard ($12.50/user) lack the security features for full HIPAA compliance — Business Premium is the minimum recommended tier.

Google Workspace Business Plus — $22/user/month ($110/month for 5 users)

Similar to Microsoft 365 but in the Google ecosystem. Includes Gmail, Google Docs, Drive, and Vault for archiving and eDiscovery. BAA must be explicitly accepted in the Admin Console. Google notes that Starter ($7) and Standard ($14) plans are missing several security functions — Business Plus is the practical minimum for HIPAA. Enterprise tier (contact sales, ~$25-30+) adds S/MIME encryption and the full Security Center.

Paubox Standard — $29/month flat (up to 10 users)

The easiest add-on option. Paubox layers HIPAA-compliant encryption on top of your existing Microsoft 365 or Google Workspace. The standout feature: encrypted emails arrive in the recipient's regular inbox — no portal logins, passwords, or apps needed. Zero workflow changes for your staff or patients. HITRUST CSF certified. BAA included. For a 5-user practice, Paubox at $29/month is the most affordable path to HIPAA email compliance if you already have an email provider.

Hushmail Healthcare Essentials — $24.99/month (up to 5 users)

Built specifically for small healthcare practices. Includes encrypted email, secure web forms with electronic signatures, and a Private Message Center for receiving patient responses. Popular with solo practitioners, therapists, and counselors. BAA included. At $5/user/month, it is the cheapest standalone HIPAA email option. Limitations: no Office suite, limited storage, fewer enterprise features.

LuxSci Small — $50/month minimum (~$10/user for 5 users)

Supports the widest range of encryption protocols: TLS, PGP, S/MIME, and Escrow. Also offers a Secure Gateway product that adds HIPAA compliance on top of existing Microsoft 365 or Google Workspace — similar to Paubox. Includes email archiving and audit logging. BAA included. Good for practices that need multiple encryption options or high-volume email.

Virtru Starter — $87/month (5 users, ~$17.40/user)

One-click encryption directly within Gmail or Outlook. Unique feature: senders can revoke access to sent emails at any time, set expiration dates, and disable forwarding. If you accidentally send PHI to the wrong person, you can pull it back. BAA included. Higher price point than Paubox or Hushmail, but the access revocation feature is valuable for practices handling sensitive communications.

Which Option Fits Your Practice?

You already use Microsoft 365 or Google Workspace: Add Paubox ($29/month) for the simplest, cheapest compliance upgrade. No workflow changes needed.

You need email + office tools from scratch: Microsoft 365 Business Premium ($22/user) or Google Workspace Business Plus ($22/user). Both provide everything — email, productivity apps, and HIPAA compliance — in one package.

You are a solo practitioner or very small practice (1-3 people): Hushmail Healthcare ($11.99 to $24.99/month) is the most affordable standalone option with built-in secure forms and e-signatures.

You need to revoke access to sent emails: Virtru ($87/month for 5 users) is the only option with one-click email revocation.

Common Email Mistakes That Trigger HIPAA Violations

Even with a compliant email system, staff behavior can create violations. Train your team to avoid these:

PHI in subject lines. Subject lines are never encrypted — even with encrypted email. They are visible in inbox previews and on phone lock screens. Never include patient names, diagnoses, or appointment details in subject lines.

Not using BCC for group emails. Revealing that a group of people all receive email from a healthcare provider implies a treatment relationship — which is an impermissible disclosure of PHI. The most commonly reported HIPAA email violation on the HHS Breach Report is failure to blind copy recipients.

Sending PHI to the wrong recipient. In March 2024, a California healthcare employee sent data of over 1,000 people — names, diagnoses, lab results — to the wrong person. In March 2023, a dermatology practice accidentally attached a PHI spreadsheet to an email sent to four patients. One wrong click. Six-figure consequences.

Unencrypted attachments. Encrypting the email body but sending unencrypted spreadsheets, PDFs, or lab results as attachments. All attachments containing PHI must travel through an encrypted channel.

Using personal email for work. Sending PHI to a personal Gmail account to "finish work at home" is a violation. All PHI must stay within HIPAA-compliant systems.

Relying on disclaimers. A "This email is confidential" footer does not make an email HIPAA compliant. Disclaimers are a supplementary measure, not a substitute for encryption and access controls.

The Penalty Reality

HIPAA email violations carry real financial consequences. Penalties range from $141 per violation (unknowing) to over $2.1 million (willful neglect, uncorrected). Criminal penalties for intentional misuse can reach $250,000 and 10 years in prison.

Recent enforcement examples that should concern small practices:

• Children's Hospital Colorado ($548,265): A physician's email account was compromised after IT disabled two-factor authentication.
• Gulf Coast Pain Consultants ($1.19 million): Inadequate access controls and failure to conduct a risk analysis.
• Gums Dental Care ($70,000): A small dental practice penalized for failure to provide timely patient records access.
• Manasa Health Center ($30,000): PHI disclosed in response to negative online reviews.

76% of 2025 enforcement actions included a penalty for risk analysis failure. Getting your email right is one piece of a larger compliance picture.

Patient Portal vs. Email: You Need Both

Patient portals and HIPAA-compliant email serve different purposes. Portals are purpose-built for record access and document sharing with strong authentication. But patients find them inconvenient — each provider has a different portal with different credentials.

HIPAA-compliant email is familiar, fast, and works across all providers. Services like Paubox have closed the security gap by providing encryption that requires no behavior change from recipients.

Use your patient portal for medical record access and document sharing. Use HIPAA-compliant email for appointment reminders, follow-up instructions, and routine communications. Both have a role.

Getting Started

Setting up HIPAA-compliant email takes hours, not weeks:

1. Assess your current setup. What email provider do you use? Is a BAA signed? Is encryption enabled?
2. Choose your path. If you already have Microsoft 365 or Google Workspace, add Paubox ($29/month). If you need a fresh start, go with Microsoft 365 Business Premium or Google Workspace Business Plus.
3. Sign the BAA. In Microsoft 365, accept the Online Services Data Protection Addendum. In Google Workspace, enable the BAA in the Admin Console. For Paubox and Hushmail, BAAs are included during signup.
4. Enable MFA. Multi-factor authentication is a HIPAA requirement and your first line of defense against email account compromise.
5. Train your staff. Cover the common mistakes above. 73% of all affected records in breaches result from human error — training is not optional.

If you have a managed IT provider, they should handle the technical setup and ensure your email configuration aligns with your broader HIPAA compliance program.

The Bottom Line

HIPAA-compliant email costs as little as $5 per user per month. The cost of a single email breach — $25,000 minimum in penalties, plus notification costs, legal fees, and patient trust — dwarfs that investment.

If you are still using consumer email or an unconfigured business plan without a BAA, fix it this week. The setup is simple. The risk of waiting is not.

Book a free IT assessment to review your email compliance, or explore our HIPAA compliance services for a complete compliance review.