Best HIPAA-Compliant Email + Free Encryption Options

Which email providers sign a BAA, what actually makes email HIPAA compliant, how to add encrypted email to the setup you already have, and where free encryption fits in.

When email has to be HIPAA compliant

Email becomes a HIPAA concern the moment a message contains protected health information (PHI) — a patient name tied to an appointment, a lab result, a billing question that names a condition. Standard email travels across the open internet and sits on servers that, without a Business Associate Agreement, are not authorized to hold PHI.

HIPAA doesn't outright ban regular email, and it doesn't require you to encrypt every message. Encryption is an "addressable" technical safeguard — meaning you either implement it or document a defensible reason not to. In practice, the only defensible posture for a healthcare organization is to encrypt any email that carries PHI and to run that email through a provider that has signed a BAA.

What makes email HIPAA compliant

A compliant mailbox is more than a lock icon — it's a set of safeguards working together.

Signed BAA

Your email provider signs a Business Associate Agreement taking legal responsibility for the PHI in your mailboxes.

Encryption in Transit

Enforced TLS encrypts messages as they move between mail servers so PHI isn't readable on the wire.

Encryption at Rest

Stored messages and attachments are encrypted on the provider's servers and in backups.

Access Controls & MFA

Unique logins and multi-factor authentication keep mailboxes from being opened by anyone but authorized staff.

Audit Logging

A retained record of mailbox access and admin actions so you can investigate and prove who saw what.

External Encryption

When PHI is sent to a patient or outside party, the message is encrypted or delivered through a secure portal.

Best HIPAA compliant email providers

There's no single "best" — the right choice is the one that signs a BAA, encrypts PHI, and fits the platform your team already lives in. The strongest options:

  • Google Workspace — signs a BAA and supports HIPAA compliant email when configured correctly (see our Google Workspace HIPAA guide). Best if you already use Gmail and Google Docs.
  • Microsoft 365 — signs a BAA and offers built-in message encryption; a natural fit for Outlook-based practices.
  • Paubox — encrypts every outbound message automatically with no portal or passwords for recipients; layers on top of Google Workspace or Microsoft 365.
  • Virtru — on-demand, end-to-end encryption that bolts onto Gmail and Outlook with per-message control.
  • Hushmail for Healthcare and Proton for Business — standalone secure-email providers built around encryption that sign BAAs, good for small practices that want compliance out of the box.

Free HIPAA compliant email encryption — what's realistic

People search for "free HIPAA compliant email encryption" hoping for a no-cost mailbox. The honest answer: encryption itself can be free, but full HIPAA compliance can't, because a BAA is mandatory and providers tie BAAs to paid plans. Here's where free actually helps:

  • Enforced TLS is free. Configuring forced/opportunistic TLS on your mail server or provider encrypts messages in transit at no extra cost. The distinction matters: opportunistic TLS encrypts only when the receiving server also offers it and otherwise falls back to plaintext, while forced TLS refuses delivery instead, which is the setting to use for domains you exchange PHI with.
  • Free tiers and trials from encryption gateways let you test message-level encryption before committing.
  • Open-source tooling (S/MIME, PGP, self-hosted gateways) can encrypt messages, but you take on the configuration, key management, and a BAA-covered mailbox underneath.

Bottom line: lean on free TLS for transit encryption, but budget for a BAA-covered mailbox and at-rest encryption. A "free" tool with no BAA is not HIPAA compliant, no matter how strong the cryptography.

How to add encrypted email for HIPAA compliance

You usually don't have to replace your email — you add an encryption layer to it. The path most practices follow:

  1. Sign a BAA with your email provider (Google Workspace, Microsoft 365, or a dedicated secure-email service).
  2. Enforce TLS so all mail is encrypted in transit.
  3. Add message-level encryption — a gateway like Paubox or Virtru, or your provider's built-in encryption — so PHI is encrypted at rest and when it reaches outside recipients.
  4. Turn on MFA and unique logins for every mailbox that can touch PHI.
  5. Document it in your risk analysis so the encryption decision is on the record.

Most of these layers install as an add-on, connector, or DNS change — no migration required.
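Step 2 above and the "Enforced TLS is free" point both come down to one mail-server setting. The excerpt below is an added example for a self-hosted Postfix relay, not configuration from any provider named on this page; it shows the opportunistic setting beside the enforced one and uses placeholder partner domains and certificate paths.

```conf
# /etc/postfix/main.cf (excerpt). Postfix only accepts "#" comments on
# their own line, never after a value.

# --- Weak: opportunistic TLS only ----------------------------------------
# "may" encrypts when the remote server offers STARTTLS but silently falls
# back to cleartext when it does not (or when a network attacker strips the
# STARTTLS offer), so a message carrying PHI can still leave in the clear.
# smtp_tls_security_level = may

# --- Stronger: opportunistic by default, mandatory to PHI partners --------
smtp_tls_security_level = may
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
# Whenever TLS is mandatory, refuse legacy protocols and weak ciphers.
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_ciphers = high
# CA bundle used to verify partner certificates (path is a placeholder).
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
# Log one line per delivery saying whether TLS was used and whether the
# peer certificate verified; keep these logs as audit evidence.
smtp_tls_loglevel = 1

# --- Inbound -------------------------------------------------------------
# Offer STARTTLS on port 25. "encrypt" must not be used on a public MX
# (RFC 3207), so mandatory TLS for staff clients goes on the submission
# port in master.cf instead. Certificate paths are placeholders.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/ssl/certs/mail.clinic.example.pem
smtpd_tls_key_file = /etc/ssl/private/mail.clinic.example.key

# /etc/postfix/tls_policy (rebuild with: postmap /etc/postfix/tls_policy)
# Domains you send PHI to. "secure" requires TLS plus a certificate that
# chains to a trusted CA and matches the domain; "encrypt" requires TLS
# but accepts any certificate. Mail is deferred, not sent in the clear,
# when the policy cannot be met. Domains below are placeholders.
# partner-lab.example        secure
# billing-partner.example    encrypt

# /etc/postfix/master.cf: require TLS and authentication from staff mail
# clients on the submission port.
# submission inet n - y - - smtpd
#   -o smtpd_tls_security_level=encrypt
#   -o smtpd_sasl_auth_enable=yes
```

After `postmap` and `postfix reload`, deliveries to a "secure" domain should log "Verified TLS connection established"; an "Untrusted TLS connection" or a deferred message in the mail log means the partner's certificate did not verify and needs attention before PHI goes that way.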

Standard email vs. HIPAA compliant email

Why a normal inbox can't legally hold PHI.

Safeguard                                    Standard Hosting   HIPAA Compliant
Signed Business Associate Agreement (BAA)    Not included       Included
Enforced Encryption in Transit (TLS)         Not included       Included
Encryption at Rest                           Not included       Included
Multi-Factor Authentication                  Not included       Included
Access & Audit Logging                       Not included       Included
Encrypted Delivery to External Recipients    Not included       Included

HIPAA compliant email FAQ

What makes email HIPAA compliant?
Email is HIPAA compliant when it is covered by a signed Business Associate Agreement (BAA) with the email provider, encrypts messages in transit and at rest, enforces access controls such as unique logins and multi-factor authentication, and retains audit logs of access. HIPAA does not require encrypting every email, but if protected health information (PHI) leaves your network unencrypted it must be addressed through a documented risk decision — so practical compliance means encrypting any message that contains PHI.
What is the best HIPAA compliant email provider?
The best HIPAA compliant email depends on your stack. Google Workspace and Microsoft 365 both sign a BAA and, when configured correctly, support HIPAA compliant email for organizations already using those suites. Dedicated services such as Paubox, Virtru, Hushmail for Healthcare, and Proton for Business add transparent or on-demand encryption and also sign BAAs. The 'best' choice is the one that signs a BAA, encrypts PHI end to end, and fits the email platform your team already uses.
Is there free HIPAA compliant email encryption?
There are free and low-cost ways to add HIPAA compliant email encryption, but no provider is truly free at scale because a BAA is required. Options include free tiers or trials from encryption gateways, open-source TLS enforcement on your own mail server, and consumer encryption tools — but a tool only contributes to compliance if the vendor signs a BAA. Free TLS (opportunistic or forced) protects messages in transit at no cost, but you still need a BAA-covered mailbox and encryption at rest for full compliance.
How do I add encrypted email for HIPAA compliance?
To add encrypted email for HIPAA compliance: (1) sign a BAA with your email provider, (2) enable enforced TLS so messages are encrypted in transit, (3) layer on message-level encryption — either a gateway like Paubox or Virtru, or your provider's built-in encryption — so PHI is encrypted at rest and to external recipients, (4) turn on multi-factor authentication and unique logins, and (5) document the configuration in your risk analysis. The encryption layer usually installs as an add-on or DNS/connector change on top of Google Workspace or Microsoft 365.

Compliant hosting, compliant communications

We host healthcare websites and applications on a HIPAA compliant platform with a signed BAA — and we'll point you to the right email encryption for your stack.