HIPAA Compliant Email Encryption Services: How to Choose in 2026
A HIPAA-compliant email encryption service is one that signs a Business Associate Agreement (BAA) and encrypts protected health information (PHI) in transit and at rest, meeting the transmission security standard at 45 CFR § 164.312(e) and the addressable encryption specification at § 164.312(a)(2)(iv). HIPAA does not ban email for PHI; it requires that the transmission be safeguarded. Standard consumer email fails on both counts: no BAA is available, and delivery encryption is opportunistic rather than guaranteed. As of June 2026, the established healthcare options are Paubox, Virtru, LuxSci, and Hushmail for Healthcare, plus Google Workspace and Microsoft 365 configured under their BAAs. We provide HIPAA-eligible hosting, not email, so what follows is neutral guidance.
TL;DR: Quick answer
- HIPAA permits emailing PHI when transmission security under 45 CFR § 164.312(e) is met and the email vendor holding PHI has signed a BAA per § 164.504(e).
- Paubox includes a BAA on all paid plans and delivers encrypted email with no recipient portal; Email Suite plans started at $32 per user per month as of mid-2026.
- Virtru adds client-side encryption on top of existing Gmail or Microsoft 365, typically priced per user as an add-on; the BAA comes with paid healthcare plans.
- Hushmail for Healthcare starts near $11.99 per user per month with a BAA, secure web forms, and e-signatures; LuxSci offers configurable healthcare email with quote-based pricing.
- Google Workspace and Microsoft 365 sign BAAs on paid plans, but compliance depends on configuration the customer must do; default setup is not sufficient for PHI.
Why does standard email fail HIPAA's transmission security standard?
Three reasons. First, ordinary email uses opportunistic TLS: if the receiving server does not support encryption, many systems deliver the message in plaintext anyway, which is exactly the unguarded transmission 45 CFR § 164.312(e)(1) addresses. Second, consumer services like free Gmail offer no BAA, so a covered entity or business associate storing PHI there has an unauthorized vendor holding ePHI, a missing-BAA violation under §§ 164.308(b) and 164.504(e). Third, there are no healthcare-grade controls: no data loss prevention to catch a misdirected attachment, no audit trail satisfying § 164.312(b), no enforced access controls on stored mail. Misdirected and unencrypted email remains one of the most frequent unintentional HIPAA violations reported to HHS OCR.
What criteria should you evaluate before signing up?
- BAA scope. The vendor must sign a BAA covering the exact services you use, including archiving and forms, not just the mailbox.
- Enforced encryption with safe fallback. Ask what happens when a recipient's server rejects TLS: does the message bounce, fall back to a secure portal, or deliver in plaintext? Only the first two are acceptable.
- Encryption at rest. Stored mail and attachments should be encrypted per § 164.312(a)(2)(iv), with documented key management.
- Recipient experience. Portal logins suppress patient response rates; no-portal delivery matters for patient-facing communication, less for provider-to-provider traffic.
- DLP and audit logging. Outbound rules that detect PHI patterns, plus logs that support § 164.312(b) and incident investigation.
- Access controls. MFA, role-based admin, and automatic logoff support under § 164.312(a)(2)(iii).
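The opportunistic-TLS failure described above and the "enforced encryption with safe fallback" criterion come down to one delivery decision. The following is an added illustration, not code from this article or from any vendor named here: it parses a constructed SMTP EHLO reply for the STARTTLS extension and shows how the same recipient server is handled under the default opportunistic mode versus an enforced mode (the `TlsMode`, `Outcome`, and EHLO strings are invented for the example).

```python
import re
from enum import Enum

class TlsMode(Enum):
    OPPORTUNISTIC = "opportunistic"  # default on most MTAs: TLS if offered, else plaintext
    ENFORCED = "enforced"            # what a PHI deployment should require

class Outcome(Enum):
    DELIVER_TLS = "deliver over TLS"
    DELIVER_PLAINTEXT = "deliver in plaintext"  # the unguarded transmission
    PORTAL = "fall back to secure portal"
    BOUNCE = "bounce with non-delivery report"

def advertises_starttls(ehlo_response: str) -> bool:
    """True if an EHLO reply lists STARTTLS. Lines look like '250-KEYWORD' or,
    for the final line, '250 KEYWORD'; keywords are case-insensitive (RFC 5321)."""
    for line in ehlo_response.splitlines():
        m = re.match(r"^250[- ](\S+)", line.strip())
        if m and m.group(1).upper() == "STARTTLS":
            return True
    return False

def delivery_decision(ehlo_response: str, handshake_ok: bool,
                      mode: TlsMode, portal_available: bool) -> Outcome:
    """Decide what happens to one outbound message. A secured channel needs both
    an advertised STARTTLS extension and a successful, verified handshake."""
    if advertises_starttls(ehlo_response) and handshake_ok:
        return Outcome.DELIVER_TLS
    if mode is TlsMode.OPPORTUNISTIC:
        return Outcome.DELIVER_PLAINTEXT  # the failure mode the article describes
    # Enforced mode never downgrades: secure portal if one exists, otherwise bounce.
    return Outcome.PORTAL if portal_available else Outcome.BOUNCE

# Constructed EHLO replies for the example; not captured from any real server.
SECURE_MX = "250-mx.example.test\r\n250-SIZE 52428800\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
LEGACY_MX = "250-mx.legacy.test\r\n250-SIZE 10240000\r\n250 8BITMIME\r\n"

def vendor_checklist_row(ehlo_response: str, handshake_ok: bool, portal_available: bool) -> dict:
    """Compare both modes for one recipient, mirroring the 'what happens when TLS is
    rejected' question a buyer should put to the vendor."""
    return {mode.value: delivery_decision(ehlo_response, handshake_ok, mode, portal_available).value
            for mode in TlsMode}

if __name__ == "__main__":
    for label, mx in (("secure MX", SECURE_MX), ("legacy MX", LEGACY_MX)):
        print(label, vendor_checklist_row(mx, handshake_ok=True, portal_available=True))
```

The `handshake_ok` flag stands in for certificate verification: a server that advertises STARTTLS but fails verification must still not receive plaintext under the enforced policy.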
How do the main HIPAA email vendors compare in 2026?
Paubox
Paubox encrypts every outbound message by default and delivers it to the recipient's ordinary inbox with no portal or extra clicks, falling back to a secure message when forced TLS is unavailable. A BAA is included on all paid plans. Email Suite tiers listed at roughly $32, $65, and $75 per user per month in mid-2026, with the upper tiers adding inbound threat protection, archiving, and DLP. Tradeoffs: it rides on top of Google Workspace or Microsoft 365 rather than replacing them, so you pay for both, and per-user cost is at the higher end for small practices.
Virtru
Virtru adds client-side encryption, access revocation, expiration, and watermarking to existing Gmail and Outlook through browser extensions and gateways, typically sold as a per-user add-on in the $5 to $15 range on top of your email plan, with a BAA on paid healthcare tiers. Strengths are granular control of individual messages and strong key management options. Tradeoffs: recipients without Virtru open messages through a verification flow, which adds friction, and the experience depends on the sender installing and using the extension consistently.
LuxSci
LuxSci is a healthcare-focused secure email and forms provider with highly configurable TLS-first delivery, portal fallback, and options for high-volume transactional sending. BAAs are standard. Pricing is quote-based, which suits organizations sending large volumes of patient email but adds procurement friction for a two-clinician office. Tradeoff: more configuration surface than the plug-and-play options, which is power for IT teams and risk for offices without one.
Hushmail for Healthcare
Hushmail replaces your mailbox entirely, with healthcare plans starting near $11.99 per user per month including a BAA, encrypted delivery with an escrow portal for non-secure recipients, secure intake forms, and e-signatures. It is priced and packaged for solo and small practices, especially therapists. Tradeoffs: in some configurations it is a separate mailbox rather than a layer on your existing domain setup, and the included form builder is basic compared with dedicated form platforms.
Google Workspace and Microsoft 365
Both sign BAAs on paid business plans at no extra charge, and both can support compliant email, but neither is configured for PHI out of the box. The customer must enforce TLS or add an encryption layer, enable audit logging, restrict third-party app access, and exclude non-covered services from PHI workflows per each vendor's HIPAA implementation guidance. Many practices pair Workspace or 365 with Paubox or Virtru precisely to close the enforced-encryption gap. Verify plan-by-plan BAA coverage in each vendor's current documentation before relying on it.
Which service fits which practice?
- Solo or small practice, patient-heavy email: Hushmail for Healthcare or Paubox, for the BAA-included pricing and low recipient friction.
- Practice already on Google Workspace or Microsoft 365: add Paubox for default-on encryption or Virtru for message-level control, and accept the BAA on the underlying platform too.
- High-volume or transactional patient email: LuxSci, for deliverability tooling and configurable sending infrastructure.
- Form notifications from your website: the better fix is usually to stop emailing PHI entirely and send a link to a secure dashboard instead; see our guides to therapist contact forms and making WordPress HIPAA compliant.
Whatever you pick, document the choice in your risk analysis under 45 CFR § 164.308(a)(1)(ii)(A). OCR's active enforcement initiative targets entities that cannot produce one, and email is an ePHI system that belongs in it. Email is also only one leg of the stack; the HIPAA-compliant hosting guide covers the website and server side, which is the part we handle at hipaacomplianthosting.com.
Frequently asked questions
Is it a HIPAA violation to email PHI?
Not inherently. The Security Rule requires transmission safeguards under 45 CFR § 164.312(e) and a BAA with any vendor storing the mail; unencrypted PHI through a consumer account is where violations arise.
Can patients email me PHI from their own Gmail?
Yes. Individuals may use any email they like for their own information, and HHS OCR guidance permits providers to correspond by unencrypted email if the patient is warned of the risk and still prefers it. Your replies and stored copies on your side still need safeguards.
Are these services "HIPAA certified"?
No service is. There is no official HIPAA certification; vendors offer BAAs and attestations like HITRUST CSF or SOC 2 Type II, and compliance depends on how you configure and use the tool.
Do I need email encryption if I only use a patient portal?
If PHI genuinely never leaves the portal, the portal's safeguards carry the load. In practice, staff forward portal notifications and attachments into ordinary email, so most practices need a compliant email path anyway.
Does the encrypted email vendor need to be in my risk analysis?
Yes. Every system that creates, receives, maintains, or transmits ePHI belongs in the risk analysis required by 45 CFR § 164.308(a)(1)(ii)(A), including email and its archive.
This article is general information, not legal advice. Vendor features, plans, and BAA terms change; verify current details with each provider, consult counsel, and base safeguards on a documented risk analysis. Reviewed June 2026.
Sources
- 45 CFR § 164.312, technical safeguards including transmission security: ecfr.gov
- HHS OCR, does HIPAA permit email of PHI: hhs.gov
- Paubox Email Suite pricing: paubox.com
- Virtru email encryption for healthcare: virtru.com
- LuxSci HIPAA-compliant email: luxsci.com
- Hushmail for Healthcare: hushmail.com
- Google Workspace HIPAA implementation guide: support.google.com
- Microsoft 365 HIPAA and the BAA: learn.microsoft.com