Email remains one of the most widely used communication tools in the healthcare industry, but it must adhere to strict HIPAA regulations to safeguard Protected Health Information (PHI). Below is a roundup of some of the best HIPAA-compliant email services, along with their key features and pricing.
A HIPAA-compliant email service is one that incorporates the necessary administrative, physical, and technical safeguards to protect PHI. Key elements include encryption, secure storage, access controls, and a signed Business Associate Agreement (BAA) with the service provider. These requirements ensure that both the sender and the email provider share responsibility for maintaining the confidentiality and integrity of patient data.
Not all email services meet HIPAA standards by default. Popular platforms like Gmail or Outlook can become HIPAA compliant only if you use paid plans that offer the required security features and sign a BAA. Using a personal or free email service (e.g., free Gmail, Yahoo) without these measures typically does not satisfy HIPAA regulations.
Below are several options to consider, grouped into generic email suites, add-on encryption services, and dedicated secure email providers.
Google Workspace
Pricing: Plans start at around $6 per user/month (Business Starter), but you’ll typically need at least the Business Plus plan ($18 per user/month) for HIPAA-related features and to sign a BAA. Always confirm your plan’s eligibility for a BAA and request it before storing PHI.
Ease of Use: Google Workspace is easy to navigate for anyone already familiar with Gmail’s layout. The admin console simplifies user management and integrates seamlessly with other Google apps (Calendar, Drive, Docs), providing a broad ecosystem of tools.
HIPAA Security: Google Workspace encrypts data in transit using TLS and offers additional security settings like two-factor authentication (2FA) and data loss prevention (DLP). You must sign Google’s BAA under an eligible paid plan to ensure HIPAA compliance.
Microsoft 365
Pricing: Business Basic plans start around $6 per user/month, but HIPAA compliance typically requires the Business Premium tier ($22 per user/month) or an Enterprise plan. A signed BAA with Microsoft is essential before handling PHI.
Ease of Use: Microsoft 365 provides a familiar suite (Outlook, Word, Excel, Teams) with both desktop and web versions. It’s known for robust collaboration features and a user-friendly environment that integrates file sharing, email, and video conferencing.
HIPAA Security: Microsoft 365 includes encryption at rest and in transit, plus advanced threat protection on higher-tier plans. A BAA is available for organizations on certain business and enterprise plans, ensuring the proper safeguards for HIPAA compliance.
Virtru
Pricing: Plans usually start at around $60 per user/year ($5 per month). Costs may increase if you require features like DLP or persistent file protection. Pricing scales with the number of licenses and overall volume.
Ease of Use: Virtru integrates with Gmail and Outlook through a browser extension or desktop plugin. Sending an encrypted email is as simple as clicking an “encrypt” toggle, making it very straightforward for end-users.
HIPAA Security: Virtru uses end-to-end encryption based on OpenPGP standards, allowing you to set email expiration, disable forwarding, and revoke access. They also offer a BAA, supporting HIPAA compliance for healthcare communications.
Zix
Pricing: Zix’s subscription pricing varies based on the number of mailboxes and features (e.g., encryption, threat protection, archiving). Small business packages often start around $5–$8 per user/month. You’ll need a custom quote for exact pricing.
Ease of Use: Zix offers seamless integration for Gmail and Outlook. Once the plugin is installed, encryption can be policy-based (triggered by keywords or PHI patterns), reducing manual steps. With ZixMail, recipients can view messages in a secure portal without creating a separate account.
HIPAA Security: Known for its robust policy-based encryption, Zix supports TLS, strong encryption algorithms, and advanced threat scanning. A signed BAA is available for organizations needing to protect PHI.
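To make the "policy-based encryption triggered by keywords or PHI patterns" idea concrete, here is an added illustration of how such an outbound policy check works. It is not Zix's code or rule set; the patterns, keywords, and the sample message are constructed for this example, and a real deployment would tune the rules to its own data and validate them against false positives and misses. The check decides whether a message must be encrypted and produces a redacted audit record so the log itself does not leak PHI.

```python
import re
from dataclasses import dataclass, field

# Constructed detection rules (hypothetical; not a vendor's actual policy).
# Each pattern targets one kind of identifier commonly treated as PHI.
PHI_PATTERNS = {
    # US SSN with the structurally invalid area/group/serial values excluded
    "ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # Medical record number written as "MRN: 12345678" or "MRN#12345678"
    "mrn": re.compile(r"\bMRN\s*[:#]?\s*\d{6,10}\b", re.IGNORECASE),
    # Date of birth labelled inline, e.g. "DOB: 03/14/1978"
    "dob": re.compile(r"\b(?:DOB|date of birth)\s*:?\s*\d{1,2}/\d{1,2}/\d{2,4}\b", re.IGNORECASE),
    # ICD-10 code with a decimal part, e.g. "E11.9"; the dot keeps room numbers and the like out
    "icd10": re.compile(r"\b[A-TV-Z]\d{2}\.\d{1,4}\b"),
}

# Constructed keyword list; a keyword hit alone is a weaker signal than a pattern hit,
# but under a conservative policy it still forces encryption.
PHI_KEYWORDS = ("diagnosis", "patient", "prescription", "lab result", "treatment plan")


@dataclass
class PolicyDecision:
    action: str                      # "encrypt" or "send"
    matches: list = field(default_factory=list)  # (kind, matched text) pairs


def find_phi(text):
    """Return every (kind, matched_text) pair found by the patterns and keywords."""
    hits = []
    for kind, pattern in PHI_PATTERNS.items():
        for m in pattern.finditer(text):
            hits.append((kind, m.group(0)))
    lowered = text.lower()
    for keyword in PHI_KEYWORDS:
        if keyword in lowered:
            hits.append(("keyword", keyword))
    return hits


def evaluate_outbound(subject, body):
    """Policy: any PHI indicator in subject or body means the message must be encrypted."""
    hits = find_phi(f"{subject}\n{body}")
    return PolicyDecision("encrypt" if hits else "send", hits)


def redact(text):
    """Mask identifier values so the audit log records *what kind* of PHI was seen, not the PHI."""
    for kind, pattern in PHI_PATTERNS.items():
        text = pattern.sub(f"<{kind}>", text)
    return text


def audit_record(decision, subject):
    """One log line per message: the decision, the kinds of hits, and a redacted subject."""
    kinds = sorted({kind for kind, _ in decision.matches})
    return f"action={decision.action} kinds={','.join(kinds)} subject={redact(subject)!r}"


if __name__ == "__main__":
    # Constructed sample messages, not real patient data.
    clinical = evaluate_outbound(
        "Follow-up for MRN: 00482913",
        "Patient John Doe, DOB: 03/14/1978. Diagnosis E11.9. Lab results attached.",
    )
    routine = evaluate_outbound("Lunch Friday?", "Team lunch at noon, room 4B.")
    print(audit_record(clinical, "Follow-up for MRN: 00482913"))  # kinds listed, MRN masked
    print(audit_record(routine, "Lunch Friday?"))
```

The redaction step matters in practice: a DLP or encryption gateway that logs the matched text verbatim turns its own audit trail into another PHI store that must then be protected to the same standard.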
NeoCertified
Pricing: Basic plans start at about $99 per user/year ($8–$10 per month). Larger organizations can benefit from volume discounts, making it flexible for different business sizes.
Ease of Use: NeoCertified offers an Outlook plugin for quick encryption and a secure web portal for Gmail users. Its intuitive dashboard lets you manage secure messages, recipients, and encryption rules with minimal training.
HIPAA Security: All emails are encrypted in transit and at rest, and NeoCertified provides a BAA alongside the necessary documentation for HIPAA compliance. Additional features include message recall and real-time message tracking.
Hushmail
Pricing: Healthcare plans start around $9.99 per user/month and include secure forms, encryption, and a BAA at all tiers.
Ease of Use: Hushmail is designed specifically for secure messaging, featuring a simplified webmail interface. It also supports optional integration with desktop clients like Outlook or Apple Mail via IMAP/POP. An encrypted forms feature makes it easy to collect patient information.
HIPAA Security: Hushmail provides end-to-end encryption, secure web forms, and two-step verification for additional authentication. A signed BAA is included in its healthcare plans.
Paubox
Pricing: Plans usually begin around $29 per user/month, which includes unlimited email storage, spam filtering, and other security features. Higher tiers may add advanced threat protection and archiving.
Ease of Use: Paubox focuses on behind-the-scenes encryption, so users don’t need extra logins or plugins. It works seamlessly with your existing email client (Outlook, Apple Mail) and domain. Encryption happens automatically, with no manual toggles.
HIPAA Security: Paubox is HIPAA-compliant and HITRUST CSF-certified, offering zero-step encryption for every email. A BAA is provided as part of the service.
When selecting a HIPAA-compliant email solution, confirm that the provider offers a signed BAA, robust encryption (in transit and at rest), and administrative controls like two-factor authentication and audit logs. Consider ease of use, integration with your existing workflows (e.g., Gmail, Outlook, EHR systems), and scalability based on your organization’s size.
Cost is also important—some providers bundle compliance features into higher-tier plans, while others charge per user or mailbox. Always verify that you have the proper plan and security configuration activated before handling PHI.
If your organization also needs to send or receive faxes containing protected health information, consider supplementing your email solution with our HIPAA-compliant fax service. It meets the same strict security requirements, ensuring a seamless and secure way to handle patient data across multiple communication channels.
DISCLAIMER: The information on this site is for general information purposes only, and Fax.Plus cannot guarantee that all the information on this site is current or accurate. This is not intended to be legal advice and should not be a substitute for professional legal advice. For legal advice, consult a licensed attorney regarding your specific legal questions.