[mh_category_pill]

HIPAA Compliant Email Platforms Compared for Healthcare Practices

[mh_post_meta]
hipaa compliant email platforms guide featured image

[mh_key_takeaways]

HIPAA compliant email platforms are mail services that support the required technical safeguards under the Security Rule and where the vendor signs a Business Associate Agreement with the covered entity. That combination is what makes an email service usable for protected health information.

The market includes major cloud providers, dedicated healthcare mail services, and gateway products that layer on top of Gmail or Outlook. This guide compares the practical options against the criteria a healthcare practice actually uses when choosing.

For a portal-based service that works on top of any existing mail provider and includes a BAA in the base plan, Mailhippo offers a HIPAA-focused secure email service designed for this use case.

What Makes an Email Platform HIPAA Compliant

Three components are required. A signed BAA with the vendor. Technical safeguards under the Security Rule. Administrative policies and workforce training.

Technical safeguards include encryption in transit and at rest, access controls, unique user identification, session timeouts, and audit logging. The HHS Security Rule lays out the full list.

Administrative safeguards include a security officer, workforce training, sanctions policy, incident response, and periodic risk assessment. These are practice-level responsibilities that no vendor covers.

Physical safeguards apply to on-premise components. Cloud-first practices with no on-premise servers meet most of these through the vendor data center. Practices with local backup drives or paper printouts still need physical safeguards for those items.

hipaa compliant email platforms in article illustration one

Google Workspace as a HIPAA Compliant Email Platform

Google Workspace supports HIPAA on Business Standard, Business Plus, Enterprise Standard, Enterprise Plus, Education Standard, Education Plus, and Nonprofits.

The admin signs the BAA through the Admin console under Account Settings, Legal and Compliance. Core services covered by the BAA include Gmail, Drive, Calendar, Meet, and Chat. Marketplace add-ons are outside the BAA unless individually BAA-covered.

Confidential mode is not end-to-end encryption. Google holds the keys. For a HIPAA workflow, confidential mode alone is not sufficient. Practices need either hosted S/MIME on Enterprise or a portal gateway.

Hosted S/MIME is available on Enterprise Standard and above. See Google Workspace admin help for the current setup steps. Related linked topic: HIPAA compliant email Gmail.

Microsoft 365 as a HIPAA Compliant Email Platform

Microsoft 365 supports HIPAA on Business Standard, Business Premium, and every Enterprise tier. Business Basic also includes the BAA for covered services but does not include the Encrypt button.

The BAA is signed through the Volume Licensing or Products and Services agreement. Microsoft publishes the covered service list in the HIPAA Implementation Guidance document available in the Microsoft Trust Center.

Microsoft Purview Message Encryption provides the Encrypt button in Outlook. Business Standard and above include the base Purview features. Business Premium adds automatic DLP rules that trigger encryption on sensitive data patterns.

Enterprise E5 adds advanced audit, eDiscovery, and Customer Lockbox. These support the administrative safeguards for larger practices with more complex compliance requirements. Related linked: HIPAA compliant email for a general overview.

[mh_example]

Dedicated HIPAA Email Services

Dedicated HIPAA email services fall into two categories. Standalone mail providers that host the mailbox and deliver a full mail platform. Gateway services that layer on top of Gmail or Outlook.

Standalone providers include some healthcare-focused vendors that offer a hosted mailbox with a BAA. These require MX migration and usually cost more per user than Google Workspace or Microsoft 365.

Gateway services keep the existing mail provider. They add portal-based encrypted delivery for external recipients. Mailhippo is one example. The sender writes in Gmail or Outlook, and the service handles portal encryption when triggered.

Gateway services are the lower-friction choice when the practice does not want to migrate mailboxes. Related linked topic: HIPAA compliant email for therapists for a specialty-specific angle.

hipaa compliant email platforms in article illustration two

Providers That Are Not HIPAA Compliant

Several common providers do not sign BAAs and are not HIPAA-appropriate for PHI. This includes some that many practices assume are safe.

GoDaddy Professional Email does not sign a BAA. Yahoo Mail, personal Gmail, personal Outlook.com, personal iCloud, AOL, and most consumer-focused providers also do not.

Some hosting providers include email as a bundled service. Cheap shared hosting rarely includes a BAA. Practices should confirm the BAA in writing before storing or transmitting PHI on any bundled hosting mailbox.

Common non-compliant providers to watch for:

  • GoDaddy Professional Email
  • Yahoo Mail and Yahoo Mail Plus
  • Personal Gmail, Outlook.com, iCloud Mail
  • AOL Mail
  • Bundled email from shared web hosts
  • Free ProtonMail (paid Business tier does sign a BAA)

Cost of HIPAA Compliant Email Platforms

The cheapest paths start around $12 per user per month. Google Workspace Business Standard runs $12 per user per month with the BAA included. Microsoft 365 Business Standard runs $12.50 per user per month with the BAA included.

Business Premium tiers add automatic DLP encryption and more advanced audit. Google Workspace Business Plus runs about $18 per user per month. Microsoft 365 Business Premium runs about $22 per user per month.

Enterprise tiers add hosted S/MIME, advanced audit, and Customer Lockbox. Google Workspace Enterprise Standard runs about $23 per user per month. Microsoft 365 E5 runs about $57 per user per month.

Gateway services add roughly $5 to $10 per user per month on top of the base provider. For a five-user practice on Business Standard plus a gateway, the total is roughly $85 to $110 per month. Related linked: free HIPAA compliant email for a look at the limits of free options.

[mh_protip]

Feature Comparison Across the Main Platforms

The table below compares the platforms most practices consider.

Platform BAA Included Native Encryption S/MIME Automatic DLP Base Price
Google Workspace Business Standard Yes Confidential mode No No $12 per user per month
Google Workspace Enterprise Standard Yes Confidential mode plus S/MIME Yes Yes $23 per user per month
Microsoft 365 Business Standard Yes Purview Encrypt button Yes with certificate No $12.50 per user per month
Microsoft 365 Business Premium Yes Purview plus DLP Yes Yes $22 per user per month
Mailhippo gateway Yes in base plan Portal encryption Not required Trigger word or plugin Sits on top of existing mail
GoDaddy Professional Email No None No No Not for PHI

Migration Steps When Moving to a HIPAA Compliant Platform

Migration follows a standard sequence. Sign the BAA with the new provider first. This creates the legal cover before any PHI moves.

Configure the tenant. Add users. Set retention. Enable audit logging. Configure encryption defaults. Enable MFA on all accounts.

Migrate mail. Google Workspace has a Data Migration Service that pulls IMAP mail from the old provider. Microsoft 365 has a similar migration wizard in the Exchange admin center. Both take hours to days depending on volume.

Cut over MX records after the migration completes. Update transactional mail sources like the practice management system, EHR, and appointment reminder services. Train staff on the new client and the encryption workflow. Related: HIPAA-conscious website design for practices also refreshing their public site.

Choosing the Right Platform for Your Practice

The right platform depends on three inputs. Where the practice already runs. How technical the recipient set is. Whether hosted S/MIME is a real requirement.

Practices on Windows with Active Directory usually stay with Microsoft 365. Business Standard covers the base HIPAA use. Business Premium adds automatic DLP for the extra assurance that PHI never sends unencrypted.

Practices on Mac or with Chrome-heavy workflows usually stay with Google Workspace. Business Standard covers the base HIPAA use. Adding a gateway service is usually cheaper than upgrading to Enterprise Standard for hosted S/MIME.

Mailhippo operates as the gateway option across both Google Workspace and Microsoft 365. It includes a BAA in the base plan, requires no per-user certificate management, and works uniformly on desktop and mobile. Practices building a public site alongside their email program can pair this with healthcare web design so the whole intake, contact, and email chain stays inside the same compliance boundary. Related linked topics: best HIPAA compliant email and HIPAA compliant emails for further reading.

[mh_faqs]

[mh_post_tags]

Leave a Reply

Your email address will not be published. Required fields are marked *

🔒 Send secure email, free HIPAA-compliant, encrypted email in minutes. No setup, no hassle. Start Free Trial → No credit card required
[mh_categories]
[mh_popular_tags]
[mh_featured_posts]
Send your first secure email today Start free — no credit card required. HIPAA-compliant encryption in minutes. Start Free →