Protecting patients’ privacy and their sensitive data is essential to building a successful healthtech company, and it requires adhering to the Health Insurance Portability and Accountability Act (HIPAA).
HIPAA requires covered entities, which include U.S. health plans, healthcare providers and healthcare clearinghouses, to have safeguards and disclosure conditions in place for all protected health information (PHI) they collect. The act applies to PHI that is held or transmitted electronically, orally or on paper.
In response to this need for patient information protection, many companies have dedicated themselves to delivering HIPAA-compliant email services. Employing AI technologies, these organizations help companies within the healthcare space secure patient emails and prevent HIPAA breaches. Some offer automated spam blocking, virus checking, email access auditing and more as a part of their end-to-end email encryption solutions.
We rounded up 20 HIPAA-compliant email providers that you should know.
HIPAA-Compliant Email Providers
Virtru offers a wide range of privacy solutions. Its end-to-end email encryption service includes third-party access prevention, sensitive data control, and email and attachment access auditing. Virtru’s HIPAA-compliant email is designed to fit within companies’ pre-existing infrastructure, providing constant protection for PHI and medical records and granular audit trails.
Paubox delivers email security services for modern healthcare organizations. Its HIPAA-compliant email marketing solution allows organizations to send and store PHI securely, easily update patients through secure email, and compose personalized emails. Paubox also offers a HIPAA-compliant email API that boasts comprehensive client libraries and real-time analytics.
NeoCertified is a secure communications provider that focuses on email encryption. The company offers a HIPAA-compliant email service, which includes access and audit controls, person or entity authentication, and transmission security. NeoCertified’s technology integrates with Gmail, Microsoft Edge, Outlook Mail, and Office 365.
HIPAA Vault delivers HIPAA compliance through a wide range of managed security and cloud services. The company offers a HIPAA-compliant email solution for Outlook and Gmail, which includes unlimited archive storage, anti-virus and anti-malware, inbox management and more. Additionally, HIPAA Vault provides HIPAA-compliant WordPress development.
Aspida Mail is dedicated to offering compliant technology solutions that help businesses meet healthcare regulations. The company’s HIPAA-compliant email solution is compatible with a wide range of programs including Outlook, Google Apps for Business, and Windows Live Mail. Aspida Mail also offers enterprise-grade disaster recovery and firewall protection.
A brand originating from cloud security company Protected Trust, Send It Secure is an encrypted email service that integrates into existing business email accounts. Along with being HIPAA- and GLBA-compliant, Send It Secure offers message read receipts and message expiration and revocation options.
MailHippo specializes in delivering HIPAA-compliant email services. The company’s HIPAA-compliant platform encrypts email body copy and attachments, keeping track of access to messages including authorized users, IP addresses, and more. MailHippo is compatible with a wide range of email providers.
LuxSci offers a broad range of HIPAA-compliant email communications services. Its HIPAA-compliant solutions encompass email marketing, high-volume sending, day-to-day email hosting, and SMTP connections. Additionally, LuxSci provides web hosting as well as secure web and PDF form solutions.
Founded by physicists and engineers from Switzerland’s CERN laboratory, Proton Mail provides a variety of encrypted email services. Its HIPAA-specific email security solution involves end-to-end encryption, account owner authentication, automated virus checking, and more. Proton Mail also offers GDPR-compliant email and other IT security services.
Hushmail offers a broad range of encrypted email, web form and e-signature services. Its HIPAA-compliant email solution includes built-in encryption, email archiving, and a Business Associate Agreement (BAA). With Hushmail, healthcare organizations can also send secure messages protected with a passphrase or security question to clients that use services like Gmail and Hotmail.
Egress specializes in numerous aspects of email security. Using contextual machine learning, the company enables healthcare companies to send HIPAA-compliant emails and attachments, and measure and quantify the risk of a HIPAA breach. Egress’ intelligent email security solution involves content and recipient domain analysis, message-level encryption, comprehensive data search, and more.
Identillect provides secure email and e-signature solutions. Its email security services include HIPAA compliance, control over recipients’ printing privileges and content downloads, and secure access from any device. Identillect also uses Ethereum blockchain technology to verify emails.
Mimecast is a cybersecurity provider that delivers solutions for a wide range of industries, including healthcare. The company’s HIPAA-compliant email solution includes ransomware infection prevention, email outage elimination, and encrypted mail messages. In addition, Mimecast offers awareness training as well as archiving, risk and compliance services.
Enterprise Guardian, or EnGuard, focuses specifically on delivering HIPAA-compliant email. The company’s HIPAA-compliant email service includes access and privacy control, transmission security, and integrity and audit controls. Enterprise Guardian also offers HIPAA-compliant telehealth and HIPAA-compliant cloud storage, secure file sync and sharing solutions.
Barracuda specializes in enterprise-grade, cloud-based security solutions, including email protection. The company offers AI-powered total email protection, which involves email filtering, spam blocking, encryption, archiving, and backup. Barracuda’s approach to HIPAA compliance includes protection of patient records, corporate and patient financial data, HR records, strategic planning documents and more.
A product of RPost, RMail provides a variety of encrypted email and e-signature solutions. The company offers a HIPAA-compliant email service, which involves advanced open and delivery tracking and proof. Additionally, RMail specializes in HIPAA-compliant secure file-sharing, email automation, and inadvertent email prevention.
Entrust provides a variety of encryption and management products and solutions, one of which is its email encryption support service. Using S/MIME, PGP and Entrust-brand encryption formats, the service is designed to protect sensitive information and to meet email compliance standards, including those under HIPAA. In addition, the software integrates with pre-existing applications and allows the required security measures to be customized.
MailProtector offers a broad range of cloud-based email security, management and hosting services. The company provides end-to-end HIPAA-compliant email encryption, which the sender triggers simply by wrapping the email’s subject in brackets. MailProtector adds a further layer of protection by asking email recipients to view messages through a secure link, which expires 15 minutes after delivery.
MaxMD is a healthcare IT firm that provides a variety of security solutions. Its HIPAA technical safeguards include access control, encryption and decryption, audit controls, entity authentication, and transmission security. Additionally, MaxMD offers a clinical message integration hub, an intelligent event notification service, patient direct messaging, and more.
Specializing in providing digital marketing services for medical practitioners, PBHS also hosts HIPAA-compliant email platform SecureMail. The email service can be used by medical professionals and patients to send and receive emails containing PHI content. Users are able to securely communicate, share digital images and documents as well as access the service through any smart device.
HIPAA Compliance Guidelines for Email
To maintain HIPAA-compliant email communications, here are a few unofficial guidelines to consider:
1. Ask for Patient Consent Before Using Email
It’s best for covered entities to ask for patient consent before sending protected health information (PHI) over email. If a patient initiates communication with a healthcare provider through email, it can be assumed that future email communications are acceptable to the patient, unless stated otherwise.
2. Establish Authorized Users
Ensure that emails containing PHI can only be accessed by authorized individuals, such as the patient, associated provider and associated professionals tasked with managing patient PHI. Also, ensure these emails include only the minimum amount of information necessary to communicate with the recipient.
3. Use Email Encryption
Covered entities should use encryption and decryption as a “reasonable and appropriate safeguard” to protect e-PHI wherever it is necessary. HIPAA does not strictly require a covered entity to encrypt e-PHI if an alternative measure already provides equivalent protection and the entity documents that decision, but encryption remains the recommended safeguard when communicating via email.
Frequently Asked Questions
How do I get HIPAA-compliant email?
HIPAA-compliant email tools can be obtained from a HIPAA-compliant email provider or developed independently in accordance with HIPAA standards and regulations.
What are the HIPAA rules for email?
Many HIPAA rules for email compliance are outlined under the Security Rule of HIPAA, which covers requirements to safeguard electronic protected health information (e-PHI).
As general practices for creating and sending HIPAA-compliant emails, it’s best to ask for patient consent before using email communications, to establish which users are authorized to access PHI through email, and to use email encryption.