Everything you need to know about HIPAA-compliant email and how to choose a secure email service for your therapy practice.
The Best HIPAA-Compliant Email Providers For Small Practices
HIPAA-compliant email providers to keep client messages and information secure. Find the best solution for your needs and budget with our detailed guide.
The first rule of earning your client’s trust is to keep their private medical information safe.
But just how secure is it to send client information using a regular Gmail account? Or even… via fax?
The truth is most practitioners may not even be aware that they have security gaps in their client communication. Most EHR software doesn’t offer secure email, and generic email providers (we’re looking at you, Gmail and Outlook!) aren't compliant out of the box.
As a result, customer communication can be exposed, and your practice could be at risk of breaching HIPAA.
The good news is that investing in the right HIPAA-compliant email provider can make your communications secure and keep your client’s trust.
This guide will discuss which email providers offer the best features and security for small practices without blowing your budget.
Let’s get started 👇
What are the main options for HIPAA-compliant email?
Out of all the different email providers on the market, only a select few are HIPAA-compliant out of the box.
Practitioners usually choose one of three options: a generic email service like Gmail, an add-on encryption tool, or a dedicated HIPAA-compliant email provider like Hushmail. Your choice will depend on your practice's needs, budget, and level of technical expertise.
However, deciding which option to pick is a minefield. Unless you choose a dedicated HIPAA-compliant email provider, be prepared to piece together (and pay for) different elements to stay compliant.
Why EHR/EMR software can leave a gap in client communication
Many practices rely on Electronic Health Record (EHR) software to keep client information safe.
While these platforms store medical records and have secure messaging features, most can’t send a simple email. EHRs work if you are messaging an existing client, but emailing a new client or external organization can leave gaps in your security.
This means there are some huge flaws if you rely on this software as your only tool for client communication.
If a potential client fills out a form on your website or contacts you over email, these messages will happen outside the EHR software and (most likely) won’t be secure. Most EHR tools can’t securely send emails to external organizations like managed care organizations, relying on secure messaging instead. And if you switch over to email to send information externally, it can expose your client’s protected health information (PHI) if your inbox isn’t HIPAA compliant.
What is Protected Health Information (PHI)?
PHI is information that relates to:
EHR platforms have some benefits, but at the end of the day, email offers more flexibility, lets you communicate with everyone, and helps you start your clinician-client relationship on the right foot.
So, what are your options if you want to stay HIPAA-compliant? 🤔
Let’s dig a little deeper into generic email services, add-ons, and dedicated HIPAA-compliant email providers.
Option 1: Generic email services
Most practitioners will think of a tool like Gmail or Outlook to get started with client email.
It’s easy to see why. Many of us already use Gmail or Outlook for personal emails, so why not for client communication as well?
There are some advantages. There's no need to learn how to use Gmail, and if you already use Google Drive or Calendar, it's easy to integrate them.
But there are also cons to trusting a generic email service like Gmail or Outlook with confidential information.
To start with, these tools are not HIPAA compliant out of the box. To make a service like Gmail HIPAA compliant, you need to upgrade to a paid plan (and jump through a lot of hoops).
Unfortunately, even after you’ve upgraded to a paid plan, you may still need to buy one more thing… encryption.
What is encryption?
Encryption is a method used to make information unreadable to anyone other than the intended recipients.
Strictly speaking, encryption is not required by HIPAA in all circumstances.
However, HIPAA considers it an “addressable” requirement, which in layman's terms means:
- If it’s reasonable to use encryption, you should do so or carefully document why you haven’t
- You should consider the risks of not using encryption, and how you would otherwise balance those risks
This is why nearly all healthcare professionals conclude they need email encryption.
Bear in mind that failing to manage risks and safeguard protected health information is a HIPAA violation.
Let's take a closer look at some general email options 👇
Tool #1. Paid version of Gmail (Google Workspace)
Gmail isn’t HIPAA compliant, but with some changes, you can make client communication safer.
Unfortunately, Gmail doesn't always encrypt emails while they're on the move from your inbox to your client's inbox. And once your client gets the email, there's no guarantee it's encrypted unless they also use Gmail.
Hushmail customer Dr. Karyetta Walker, LCMHC, was a Gmail user but felt uncomfortable sending sensitive information from her account.
You can make Gmail HIPAA compliant, but:
- You must pay for Google's business plan and sign a BAA
- A third-party encryption add-on is usually needed to help secure emails
- Setup won't be easy (just check out Google's 27-page instruction manual on how to get compliant!)
However, once it's up and running, it has some additional features to keep emails secure, like the ability to manage and restrict access to different employees. In large healthcare organizations with a lot of staff, these features can be useful, but for small practices, they are not really necessary.
Be warned—Google says third-party applications and add-ons are not covered under their Business Associate Agreement (BAA). So if you’re not confident about setting up Google Workspace yourself or you are worried about what’s involved, it’s easier to go with a dedicated HIPAA-compliant email provider.
- Minimal learning curve if you’re already a Gmail user
- Other Google Workspace apps easily integrate
- It's built for everyone, so the features are general and not specifically for practitioners
- Some of Google’s Workspace apps, like Google Contacts, are not HIPAA compliant. As Google keeps everything integrated, data may be accidentally shared between different apps, putting your HIPAA compliance at risk
- Making Google Workspace HIPAA compliant can be complex and time-consuming
The cheapest Google Workspace plan starts at $7.20/user/month when billed monthly (or $6/user/month when paid annually). But to ensure every email is secure, you’ll probably want to add a dedicated encryption service—this is when the monthly price skyrockets.
Tool #2. GoDaddy
GoDaddy is used by millions of people to buy and manage their websites.
But it also offers HIPAA-compliant email that can be set up quickly to start communicating with clients. Thanks to their HIPAA-compliant plan, you can buy a GoDaddy and Microsoft 365 bundle that encrypts emails and also comes with a BAA.
- Simple to access and set up if you buy other services from GoDaddy
- Automatically secures any external email you send if you add [Encrypt] to the subject line
- Not purposely built for healthcare
- GoDaddy is an expensive tool for what it does, particularly because only the most expensive plan includes the required archive and additional encryption for HIPAA compliance.
GoDaddy offers a large discount on your first year, but even at this price, this turns out to be a very expensive option for a small healthcare practice.
Tool #3. Paid version of Outlook (Microsoft 365)
Microsoft Outlook can be HIPAA compliant—if you set it up right.
It takes a lot of work, and you must upgrade to the paid version. Microsoft has created a (really technical) guide to help you with this process, but it's not for the faint-hearted.
Setting this up makes your Microsoft inbox HIPAA-compliant. However, there are some practices Microsoft recommends to stay covered by its BAA, like setting up 2-factor authentication (2FA) and email encryption.
Microsoft offers a free trial to its paid account so you can take it for a 30-day test drive and see if it’s a good fit. But for practitioners looking for a HIPAA-compliant email provider, there are other tools better suited than Microsoft 365.
- Easy to use for existing Microsoft customers
- Integrates with popular Microsoft apps like Word, Excel, and PowerPoint
- It’s expensive and not specifically built for healthcare practices
- If you don’t want to use the default Microsoft email address, you need to buy a domain (more on this later...)
Microsoft 365 has cheaper plans, like Business Basic and Business Standard, but they don’t have all the features needed to support your HIPAA compliance, such as encryption, an archive, and a BAA. To unlock these, you need to pay for the Business Premium plan, which starts at a whopping $22/user/month (with an annual commitment)!
Option 2: Add-on services for Gmail and Outlook
As we explained earlier, even if your practice has invested in a paid email service like Google Workspace or Microsoft 365, you may still lack one important feature that helps support your HIPAA compliance: encryption.
Email providers don't always encrypt emails when they move from your inbox to your client's or when they are sitting in your inbox. This is why most practitioners conclude they should buy an add-on encryption service to be safe. Make sure you crunch the numbers and decide if adding one to Gmail or Outlook is the best move for your budget and if it ticks all the boxes to keep you HIPAA compliant.
Nice to know
Encryption? BAA? HIPAA? We know, it’s a lot. This guide to HIPAA-compliant email will help you learn these terms.
Here are two add-ons 👇
Tool #1. Virtru
Virtru can turn a Google Workspace or Microsoft 365 inbox into a secure place to send emails to clients.
Thanks to encryption, Virtru fills the gaps left by Google Workspace and Microsoft 365 to help you stay HIPAA compliant. Its settings also give you more control over messages to clients. If you send them private information, you can set the email to “expire” after a set time or date. There is also the option to immediately revoke access to email content, for example, if you send information to the wrong person or include certain medical details by mistake.
So, what’s the problem? It’s simple—have you seen that price tag? 😳
- Secures your Google Workspace, from Google Drive to Sheets and Slides, to keep information safe
- Encrypts files and attachments you send to clients
- Some users say they struggle to attach files
- Virtru's website is technical and full of acronyms (HSM, DLP, SIEM, CJAS, ITAR – any idea what these are?)
- Even if you are already familiar with Gmail, you still have to learn how to use this encryption software with it
- It’s geared towards large healthcare organizations, not small practices
Although Virtru is a popular tool to protect Google Workspace and Microsoft 365 inboxes, it’s not a great choice for small practices and solo practitioners.
The cheapest plan costs $109/month for five users, and you have to pay for a year upfront. Even if you are a solo practitioner, you still have to pay for the five-user plan—there's no way to reduce the cost. Add on the extra cost of Google Workspace or Microsoft 365, and you are easily looking at $100/month or more just to send secure emails to clients!
Tool #2. Paubox
Paubox is another purpose-built encryption add-on for Google Workspace and Microsoft 365.
It has many security features, including encryption, and it is HIPAA-compliant out of the box, without any tweaks. But unlike some other options on our list, you must already have a domain set up to use Paubox.
What is a domain?
The domain is the part of your email address after the @ symbol.
Imagine you’re a social worker using the website: watsonsocialwork.com. If you own the domain, you can create a professional-looking email address and increase trust with clients.
So instead of firstname.lastname@example.org on a generic provider, you could be firstname.lastname@watsonsocialwork.com.
The downside of having a custom domain is paying a few dollars extra for it every year. However, if you’re with Hushmail, you can use domains like @therapysecure.com, @counselingmail.com, and a few others for free.
Paubox’s extra layer of security will cost you—a lot.
- It’s a “set it and forget it” encryption tool. Once it’s up and running, it keeps PHI secure.
- Paubox is cheaper than other add-ons like Virtru if you have five users.
- Some users say the setup is tricky, and they needed help to get it working with their existing email provider.
- The only option is to pay for a minimum of five users, which is unnecessary for some small practices.
Like Virtru, Paubox isn’t cheap. The basic plan is $37.70/month for up to five users, but once again, you must pay this rate even if only one or two people in your practice need email.
A solo practitioner will pay at least $44.90/mo if they use Google Workspace + Paubox or $59.70/mo for Microsoft 365 + Paubox. Keep in mind that these prices are just with Paubox’s basic package.
If you don’t want the hassle of generic email inboxes and expensive add-ons, there are HIPAA-compliant email providers made specifically for healthcare practitioners to keep client communication secure 👇
Option 3: Dedicated HIPAA-compliant email providers
Dedicated HIPAA-compliant email providers are the easiest choice to protect client communication.
These providers allow practitioners to message clients and securely send PHI to medical billers, insurers, and other practitioners. Out of all the options on our list, we believe dedicated HIPAA-compliant email providers are the simplest to set up and the easiest to use for a small healthcare practice.
Here are the best choices for a dedicated HIPAA-compliant email tool 👇
Tool #1. Hushmail: The best choice for small healthcare practices
Hushmail is a purpose-built HIPAA-compliant email provider for healthcare practitioners. It's the most affordable option for practitioners who want a HIPAA-compliant email provider but don't want to pay for add-ons and piece together various tools to keep customer emails secure.
The all-in-one solution has features like encrypted email and secure forms built for healthcare practitioners. Hushmail can secure every message as well as information on your practice forms, like your intake form or your contact form in your Psychology Today profile.
It also includes HIPAA requirements like a Business Associate Agreement (BAA) and email archiving out of the box. Finally, it also offers hands-on customer support, including setup, onboarding, and ongoing assistance over the phone, email, and chat!
Hushmail: Best features for small practices
- It’s not a DIY solution. Hushmail is an all-in-one platform to secure client communication completely
- It's built for healthcare—fully HIPAA-compliant with BAA, encryption, and email archive
- Additional features, such as healthcare form templates that protect from the first time a client makes contact
- Practices can send files securely to external organizations, such as insurers and billers
Hushmail has kept its pricing simple.
Plans start at $11.99/mo for solo practitioners. If you need more email accounts, plans for small practices start at $24.99/mo—one of the most affordable options on our list for solo practitioners and small practices!
Tool #2. Aspida
Aspida’s selling point is the tool “takes the headache out of HIPAA”.
It ticks all the boxes recommended for HIPAA compliance, like a BAA and encrypted email. It also integrates with many platforms practitioners may already be using, like Microsoft Outlook, Google Apps for Business, and Apple Mail.
The problem is the interface feels like it was built for a software engineer or programmer. Add in the technical jargon all over the Aspida website, and it’s not the best choice for modern practitioners who want to focus on their clients—not a software manual.
- It integrates with several dental EHRs
- You can only use your domain name in the email address if you pay for the Aspida Mail + plan, which starts at $15/month for a single email address
- Onboarding and training are pretty poor. To learn how to use the platform, you only get access to documentation
Aspida Mail starts at $10/month for the platform’s basic package. This includes one @aspidamail.net email address. The Aspida Mail + plan allows you to use your own email domain but starts at $15/month and $10 per additional address.
What should you look for in a HIPAA-compliant email service?
Choosing the right HIPAA-compliant email service is tricky.
You need to pick a tool that covers everything required by HIPAA. But it’s also important that the email provider is affordable and easy to use. Most email providers fail at least one of these tests because they're too complex or don't fully secure client data without expensive add-ons, as you can see from our breakdown 👇
Table: A comparison of 7 HIPAA-compliant email providers (last updated: Nov 2023)
Columns: Hushmail for Healthcare and the other six providers reviewed above. Criteria compared: basic email encryption, dedicated to healthcare, aimed at small practices¹, monthly payment option, plan for single user, price for single user, price for five users.
Single-user prices recorded in the table: $16.99/mo (renews at $25.97); $15/mo (using your domain).
Five-user prices recorded in the table: $84.95/mo (renews at $129.85); $55/mo (using your domain).
¹ We based this on various factors, including testimonials, website language, and pricing.
Make sure you really do your homework on what each email provider promises before paying for a plan. To ensure the tool ticks all the right boxes for you, ask questions like:
- Is it a generic email provider or built for healthcare practitioners?
- Does it offer features to help support your HIPAA compliance, like encryption, an archive, and a BAA?
- Does it fill basic security gaps, like client intake, with secure forms?
- Does it offer a free trial so your practice can test it before signing up? Or do they offer a money-back guarantee if it’s not a good fit?
To make your decision easier, we’ve put together a simple checklist you can use to guide you on which email provider is the best fit for your practice. Just fill out the form below to get your hands on it 👇
[Checklist]: What to look out for when evaluating HIPAA-compliant email services for your practice
There is only one solution that ticks all the boxes for HIPAA-compliant email: Hushmail for Healthcare. It offers total security and peace of mind when you communicate with clients. Don’t take our word for it—sign up here!