[mh_key_takeaways]
Office 365 email encryption runs on Microsoft Purview Message Encryption. The service ships with Business Premium and higher plans. It powers the Encrypt button in the Outlook ribbon and handles external recipient delivery through a browser portal.
This guide covers the Office 365 email encryption setup, the license structure, the recipient experience, and the HIPAA configuration. It also covers the fit for a separate encrypted email service when the Office 365 plan does not include the Encrypt button.
The choice depends on plan level, seat count, and how many staff need to send PHI. Read each section and match the approach to the actual practice flow.
Purview Message Encryption Powers the Encrypt Button
Microsoft Purview Message Encryption is the underlying service for the Encrypt button in Outlook. The button appears in the Options ribbon on new messages. Users click Encrypt and pick Encrypt-Only or Do Not Forward.
Encrypt-Only encrypts the message content in transit and at rest. Recipients can reply, forward, and print. Do Not Forward applies rights management and blocks forward, print, and download. The sender picks based on the sensitivity of the content.
Both options deliver to internal Microsoft 365 recipients inline. Both options deliver to external recipients through a notification email with a browser tab open on outlook.office365.com. The recipient experience is consistent across the two options.
Detailed sender steps are in the Microsoft support guide for encrypted messages in Outlook.
License Tiers Determine Access to Encryption
The Encrypt button in Office 365 is not available on every plan. The license tier determines whether the feature appears in Outlook. Practices should confirm the plan level before assuming encryption is available.
The plans that include Purview Message Encryption are:
- Microsoft 365 Business Premium
- Microsoft 365 E3 and E5
- Office 365 E3 and E5
- Microsoft 365 Apps for Enterprise with Azure Information Protection Premium
- Standalone Azure Information Protection Premium P1 or P2
Plans that do not include the Encrypt button are Microsoft 365 Business Basic, Microsoft 365 Business Standard, Microsoft 365 Apps for Business, and Office 365 E1. Users on these plans do not see the Encrypt button in Outlook.
Adding the button requires either a plan upgrade or a per-seat Azure Information Protection Premium license add-on. The choice depends on how many features of Business Premium the practice needs beyond encryption.

Tenant Setup Takes Thirty Minutes on a Fresh Deployment
Enabling encryption on a fresh tenant takes about thirty minutes. The setup happens entirely in the Microsoft 365 admin center. No changes to individual mailboxes or client software are required.
The steps are: sign in as global administrator, activate Azure Rights Management under Settings and Org settings, verify Message Encryption availability under the compliance section, configure the default template that recipients see, and confirm license assignment for the users who will send encrypted mail.
Existing tenants with Azure Information Protection already licensed do not need additional activation. The Encrypt button appears in Outlook after the client restart. Administrators can push the setting through Group Policy or MDM to ensure consistent behavior across the fleet.
Test the setup with a small pilot group before rolling out to all users. Send an encrypted message to an external recipient. Confirm the notification, the browser tab, and the decrypted message. Fix any policy or template issues before wide rollout.
Comparing Office 365 Encryption Options at a Glance
Office 365 supports several encryption methods with different fit profiles. The right choice depends on recipient mix, plan level, and administrative overhead.
| Method | Recipient Setup | Plan Required | Best Fit |
|---|---|---|---|
| Purview Message Encryption | Browser tab, sign-in or passcode | Business Premium or higher | External patient and vendor mail |
| S/MIME | Certificate pre-installed | Any plan with desktop Outlook | Internal mail with managed PKI |
| Sensitivity Labels | Depends on label configuration | E3 or E5 | Enterprise policy-based encryption |
| Mail flow rule Encrypt-Only | Same as Purview portal | Business Premium or higher | Automated encryption on patterns |
| Third-party HIPAA service | One-click portal link | Any Office 365 plan | Small practices on Business Basic or Standard |
Practices with mostly external recipients on personal accounts choose Purview or a third-party HIPAA service. Practices with mostly internal or partner mail choose S/MIME. Enterprise deployments use Sensitivity Labels for policy-driven automation.
Map the send flow before committing. How many external recipients per week. How often the recipient list changes. How many staff need to send encrypted mail. The answers point to the right method.
[mh_example]
The BAA Is Included in Every Microsoft 365 Tenant
Microsoft signs a business associate agreement covering the Microsoft 365 services under the standard BAA terms. The BAA is available at no extra cost. Administrators accept it in the Microsoft 365 admin center.
The BAA covers Exchange Online, SharePoint Online, OneDrive for Business, Teams, and the Purview compliance services. It applies to the tenant from the acceptance date forward. New services added to the tenant fall under the BAA automatically if Microsoft lists them as covered.
The BAA does not cover consumer services like Outlook.com or Hotmail. Practices using consumer accounts for patient mail need to move to a business tenant to fall under the BAA. This is a common misconfiguration that HIPAA auditors flag.
The HHS guidance on business associate agreements lists the terms required. Confirm the Microsoft BAA against the HHS requirements at the time of tenant setup.

Sensitivity Labels Automate the Encryption Decision
Sensitivity Labels are the automated version of the Encrypt button. Administrators define labels in the Microsoft Purview compliance portal and configure rules that flag messages containing PHI or other regulated fields.
Applied labels can require encryption automatically, restrict forwarding, block download of attachments, and apply retention rules. The sender does not have to decide. The label is applied by policy based on the message content.
Deployment requires Microsoft 365 E3 or E5 licensing and Purview Information Protection configuration. Content patterns, sensitive information types, and label rules all need to be defined. This is a significant setup effort.
Sensitivity Labels pay back at enterprise scale where hundreds of users benefit from centralized policy. Small practices usually do not see the same payback and use the manual Encrypt button or a third-party service instead.
Mail Flow Rules Enforce Encryption on Patterns
Mail flow rules in Exchange Online provide a middle ground between manual Encrypt and full Sensitivity Labels. Administrators create rules in the Exchange admin center under Mail flow, Rules.
Rules match on conditions such as message subject containing a keyword, recipient domain matching a known partner, sender belonging to a specific group, or content matching a sensitive information type. Matched messages apply the Encrypt-Only or Do Not Forward template automatically.
This automation removes the sender decision on the most common regulated flows. A rule that encrypts every message with subject line containing [PHI] covers a large fraction of patient-record sends without training staff on the Encrypt button.
Mail flow rules also work as a safety net alongside manual Encrypt. If a sender forgets to click Encrypt but includes a PHI pattern in the body, the rule catches the message and applies encryption automatically.
[mh_protip]
GoDaddy-Provisioned Office 365 Follows the Same Structure
Office 365 licenses provisioned through GoDaddy follow the same plan and feature structure as direct Microsoft licenses. The Encrypt button appears on the same Business Premium and higher plans. The BAA is available in the same admin center.
Practices that provisioned Office 365 through GoDaddy sometimes cannot find the compliance settings because the admin panel is a subset of the full Microsoft 365 admin center. In that case, administrators can access the full center at admin.microsoft.com using the same credentials.
The BAA and the Purview settings are available in the full admin center. GoDaddy does not restrict access to compliance features. The initial setup routes through the GoDaddy dashboard, but administrators can move to the Microsoft admin center for full configuration.
Practices that need the Encrypt button and are on a GoDaddy Business Basic subscription should upgrade to Business Premium in the GoDaddy dashboard, or add per-seat Azure Information Protection through the Microsoft admin center.
Practices on Lower Plans Have Three Practical Options
Practices on Business Basic or Business Standard face a choice when they need encrypted email for HIPAA. The Encrypt button is not available on their plan. They have three practical options.
Option one is a full plan upgrade to Business Premium. This adds encryption, advanced threat protection, and device management at around ten dollars extra per seat per month. It fits practices that will use the other Business Premium features beyond encryption.
Option two is a per-seat Azure Information Protection Premium P1 add-on. This adds encryption without upgrading the base plan. Cost runs about two dollars per seat per month. It fits practices that only need encryption and not the other Business Premium features.
Option three is a dedicated HIPAA email service that works alongside Office 365. The service handles PHI-containing mail through its own encryption and BAA. Office 365 handles general mail. This fits practices where only a fraction of staff handle regulated content.
Mailhippo Works Alongside Office 365 for HIPAA Mail
Mailhippo secure email service works alongside Office 365 without changing the plan structure. The signed BAA is included in the base plan. Practices keep Office 365 for general mail and use Mailhippo for patient-facing PHI.
The sender uses Office 365 for internal communication, scheduling, and vendor mail. When a message contains PHI, the sender routes it through Mailhippo either from a browser interface or from an Outlook add-in. The message encrypts, delivers to the recipient link, and logs the send in the audit trail.
The recipient opens the message through a one-click link with a one-time passcode delivered to the same email address. No account creation, no password reset, no software install. This is the shortest recipient path among common HIPAA options.
The broader compliance stack pairs encrypted email with HIPAA-compliant website design and patient portal configuration. Encrypted email is one layer of the stack. The full stack covers the practice end to end.
[mh_faqs]





