[mh_key_takeaways]
Sending an encrypted email means applying an encryption method before the message leaves the sender. The specific steps vary by platform. Outlook, Gmail, Yahoo, and GoDaddy each handle encryption differently, and each has gaps that a dedicated service can fill.
This guide walks through the sender steps for each platform, covers attachments and password-protected files, and identifies where a HIPAA-focused encrypted email service fits the workflow.
The underlying protection is the same across methods. Content is unreadable to anyone without the correct key or credential. The differences are in setup, license, and recipient experience.
Sending an Encrypted Email in Outlook Uses Purview
The Outlook path starts in the compose ribbon of a new message. Click Options, then Encrypt, and pick a policy. Two policies are available: Encrypt-Only and Do Not Forward.
Encrypt-Only encrypts the content and lets the recipient reply, forward, and print. Do Not Forward encrypts the content and blocks forward, print, and download. The sender picks the policy at send time.
The tenant must be on Microsoft 365 Business Premium or higher for the Encrypt button to appear. Business Basic and Business Standard do not include the button. Adding it requires an upgrade or a per-seat license add-on.
External recipients see a notification with a Read the message button. The button opens outlook.office365.com in a browser. The recipient signs in with a Microsoft or Google account or requests a one-time passcode. Detailed steps are in the Microsoft support guide for encrypted messages in Outlook.
Sending an Encrypted Email in Gmail Depends on Workspace Plan
Gmail on Google Workspace Enterprise Plus or Education Plus supports client-side encryption. The admin enables it in the Google Admin console under Security, Access and data control, Client-side encryption. Users see a lock icon in the compose window.
The lock icon toggles encryption on for the message. The message content is encrypted in the browser before it reaches Google servers. The keys stay outside Google through a customer-controlled external key service.
Standard Workspace plans and personal Gmail do not support client-side encryption. Confidential mode is available on every Gmail account. Confidential mode sets an expiration date and disables forward, copy, print, and download. It does not encrypt content in a way that meets HIPAA transmission requirements.
Practices on standard Workspace plans that need encryption for HIPAA route outbound mail through a HIPAA email service. The Gmail interface stays the same. The encryption applies at the service layer.

Sending an Encrypted Email in Yahoo Requires a Workaround
Yahoo Mail does not offer native message-level encryption on standard consumer or business accounts. There is no Encrypt button in the Yahoo compose window equivalent to the Outlook or Gmail options.
Yahoo users send encrypted mail through one of three workarounds:
- Install a browser extension such as Mailvelope that adds PGP support to the Yahoo web interface.
- Attach a password-protected ZIP file to the message and share the password through a separate channel.
- Route outbound mail through a HIPAA email service that adds encryption at the outbound gateway.
Yahoo does not sign a business associate agreement for consumer accounts. The platform is not appropriate for PHI regardless of the encryption workaround. Practices sending regulated content should move to a compliant mail platform rather than relying on Yahoo with encryption bolted on.
Sending an Encrypted Email From GoDaddy Requires a Third-Party Layer
GoDaddy Professional Email is hosted mail on the godaddy.com or a custom domain. The service does not offer native message-level encryption in the web interface or in the standard IMAP client access.
Practices using GoDaddy for hosted email send encrypted mail through one of three options. Add a third-party S/MIME certificate to Outlook or Apple Mail connected to the GoDaddy account. Use a browser extension that supports PGP or S/MIME. Route outbound mail through a HIPAA email service.
GoDaddy signs a business associate agreement for some hosted email plans through a separate compliance add-on. The BAA covers storage of PHI on GoDaddy infrastructure. It does not cover the encryption of outbound transmission automatically.
Practices sending PHI from GoDaddy typically pair the account with a dedicated encryption service. The GoDaddy account handles inbound receipt and stored mail. The encryption service handles the outbound HIPAA-required protection.
[mh_example]
Sending Encrypted Files Uses the Same Message Encryption Path
Encrypted files travel as message attachments protected by the same encryption applied to the message body. S/MIME, PGP, Microsoft Purview, Google client-side encryption, and HIPAA email services all treat the attachment as part of the encrypted message.
The recipient sees one verification step. After the sign-in or key decryption, both the body and the attachments become readable. Do Not Forward rights in Microsoft Purview show attachments in the portal preview and block download.
Attachment size limits apply. Outlook caps standard attachments at 20 megabytes. Gmail caps at 25 megabytes. Larger files exceed the limit before encryption is even attempted. The message bounces with a size error.
For large files, use a HIPAA-compliant file transfer service and put the link in the message body. The email delivers the link. The file service handles the payload with its own encryption at rest and in transit.

Sending a Password-Protected File as a Workaround
Sending a password-protected file through email is a common workaround for accounts without full encryption. The sender ZIP-encrypts the file with a password and attaches the ZIP to the message.
Tools that support AES-256 encryption include 7-Zip, WinRAR, and the built-in Archive Utility on macOS with a strong password. The encrypted ZIP is unreadable without the password. This protects the file at rest and in transit.
The password must go through a separate channel. Phone call, text message, or a secure messaging app all work. Never include the password in the same email as the encrypted attachment. That defeats the encryption.
Password-protected attachments do not meet the HIPAA requirement for encrypted transmission of PHI when the message body itself contains identifying information. The workaround protects the file but leaves the body exposed. Dedicated encryption remains the required control for regulated content.
Sender Steps Compared Across Platforms
The sender view differs across platforms. The table below summarizes the steps and license requirements for each.
| Platform | Sender Step | License Required | Recipient Experience |
|---|---|---|---|
| Outlook | Options, Encrypt, pick policy | Business Premium or higher | Portal sign-in or passcode |
| Gmail (Workspace) | Lock icon in compose | Enterprise Plus or Education Plus | Portal sign-in with key service |
| Yahoo | Browser extension or gateway | None native | Depends on workaround |
| GoDaddy | Third-party layer | None native | Depends on layer added |
| HIPAA Email Service | Send Secure button or automatic | Service subscription | One-click portal, no account creation |
The service approach is the shortest path for accounts without built-in encryption. It also fits practices on Business Premium or Enterprise Plus that want a simpler recipient experience for patient communication.
[mh_protip]
Sending Encrypted Mail to Recipients With No Encryption Setup
The most common friction point in sending encrypted mail is the recipient. A patient with a personal Gmail account does not have S/MIME certificates. A small business partner may not know how to use PGP.
Portal-based encryption solves this. Microsoft Purview and most HIPAA email services deliver the recipient a notification with a link. The recipient clicks the link, authenticates with a sign-in or one-time passcode, and reads the message in a browser.
The recipient does not install anything. The recipient does not need a specific mail client. The recipient does not need to hold any cryptographic material. The portal experience matches how patients already use online banking or telehealth portals.
Practices sending to patients almost always want the portal experience for this reason. The one-click access matches patient tech literacy across a broad population.
HIPAA Applies to Encryption Choices for Covered Entities
Covered entities and business associates operate under the HIPAA Security Rule. Encryption is one required technical safeguard. The HHS Security Rule guidance treats encryption as an addressable specification.
Addressable does not mean optional. The covered entity must either implement encryption or document why an alternative safeguard is reasonable. Most compliance reviews expect encryption on any transmission of PHI outside the internal network.
The sending platform must also have a signed business associate agreement in place with the covered entity. Microsoft 365 and Google Workspace include a BAA as part of the standard business terms. Personal Gmail and consumer Yahoo do not.
Practices building the wider HIPAA posture around encrypted mail also need to cover the website and patient portal. See the guide on healthcare website security features for the site-side controls.
Dedicated HIPAA Email Services Simplify the Sender Workflow
A dedicated HIPAA email service handles the encryption, the BAA, the access logs, and the recipient portal in a single plan. The sender writes mail in a familiar Gmail or Outlook interface.
Mailhippo is one option in this category. It works with existing Gmail and Outlook accounts. The BAA is included in the base plan. Encryption applies to every outbound message. Recipients open messages with one click, without creating a Microsoft or Google account.
Related reading covers the platform-specific how-tos: how to send varracuda encrypted email, how to send encrypted email, how to send an encrypted email, how to send encrypted email using gmail, send encrypted email, and how to send encrypted email via comcast.
Practices coordinating encrypted email with a wider healthcare digital strategy often pair the mail service with a compliant site and portal setup. A healthcare marketing agency handles the marketing overlay on top of the compliance stack.
[mh_faqs]





