Best HIPAA-compliant email providers for small practices

According to the Radicati Group’s estimation, 281 million emails are sent each day. The same March 2018 report estimated that there will be 3.8 billion email accounts by the end of the year.

Why does this matter to medical practices? Email helps practices stay in contact with their patients, take care of administrative processes, and automate communication. You can’t afford not to use email as part of a modern healthcare practice.

But how does HIPAA (the Health Insurance Portability and Accountability Act) affect the way your medical practice uses email?

HIPAA allows electronic communication such as email, but there are regulations to keep in mind. If you’re not careful about how you use email, you can get into a lot of trouble. You need to protect your patients’ privacy and make sure their PHI (Protected Health Information) remains safe and secure.

This can be difficult for medical professionals as their expertise, naturally, isn’t in email security.

Healthcare providers can’t simply discard email since it’s an incredibly useful and necessary business tool. To prepare your team to use email effectively, let’s go over what a HIPAA-compliant email looks like and how to send one.

What is HIPAA compliant email?

While the rules for email vary depending on how you use it in your organization, following HIPAA guidelines can ensure you maintain compliance. To ensure emails are HIPAA compliant, you must

• Send email in a way that provides end-to-end encryption
• Enter into a business associate agreement with your provider
• Configure your email platform correctly
• Get consent from patients before communicating via email
• Retain emails permanently

These steps will help you deliver email securely and in accordance with HIPAA. Additionally, you can prevent your team from inadvertently breaking HIPAA laws by setting up policies that guarantee adherence to privacy rules and training them on best practices for email usage.

Understanding how HIPAA-compliant email works is the first step to sending emails that respect patient privacy. Next, we’ll discuss how to send those emails.

How to send HIPAA-compliant email

Sending HIPAA-compliant email isn’t as simple as logging into any platform and shooting off a quick message. HHS states that the security rule requires covered entities to “ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit.”

This includes implementing technical policies and procedures that allow only authorized persons to access electronic protected health information. So any email containing PHI that leaves your office must be encrypted — even if it’s going to another doctor.

Once you’ve ensured that your email meets the requirements mentioned in the previous section, there are a few ways to send it. The most secure method is to use an encrypted email service or secure message portal. This ensures security on both ends, including the client device.

It’s possible to meet HIPAA requirements using an email service like Outlook (Enterprise version only) and Gmail (only for G Suite customers) since both services will provide encrypted emails and enter into a BAA agreement. But be aware that these platforms require additional configuration.

Another low-cost option is ProtonMail, which offers a BAA agreement for those on Proton for Business plans. Users will need a data retention plan because ProtonMail deletes all data at the end of a contract, and HIPAA rules require providers to give patients access to their data.

Another option is to use a service like Virtru to secure applications you already use. For example, users can use Virtru to add end-to-end encryption to Google and Microsoft products. Just keep in mind that you’ll need a BAA for both services to stay HIPAA compliant.

Now that we’ve discussed what HIPAA-compliant emails look like, let’s make your life easier by considering 14 popular HIPAA-compliant email providers. We’ll break down what they do well and where they fall short so that you can make an informed choice.

1. Virtru

Virtru is an end-to-end encryption platform add-on for popular email services like Gmail and Microsoft email. Their software enables you to encrypt data for HIPAA compliance and control who has access to the content you send. This means users don’t have to switch email providers or the way they work to be HIPAA compliant.

Notable features include

• Integration with software you’re already using, like G Suite and Microsoft email
• Easy-to-use one-click technology
• The ability to audit and control access to content

2. Paubox

Like Virtru, Paubox seamlessly encrypts emails without requiring you to learn another software platform. Instead of a plugin that sits on top of your email, Paubox integrates directly with popular business email platforms like G Suite and Office 365, allowing users to send and reply to emails in a way that’s fully encrypted and HIPAA compliant. With Paubox you don’t need any extra logins, portals, buttons, or new apps.

Notable features include

• The ability to keep using your existing email account
• Cross-device functionality, including on mobile devices
• Free business associate agreements for all paid users

3. NeoCertified

NeoCertified has been delivering commercial-grade security and encryption since 2002. It provides HIPAA-compliant solutions through its secure portal or Outlook integration. While the other options act as an add-on or plugin, NeoCertified is truly a standalone product. This may be beneficial for practices that aren’t already using a major email service and prefer to stick with a specialized platform.

Notable features include

• Easy access through a secure portal that is compatible with mobile devices
• Integration with Outlook that gets you up and running quickly
• 24-7 customer support, a hefty FAQ section, and support videos

4. HIPAA Vault

Like NeoCertified, HIPAA Vault is a standalone email solution that’s HIPAA compliant. In addition to providing encrypted email services, HIPAA Vault also provides HIPAA-compliant hosting.

Notable features include

• A standalone solution that requires you to use their email client
• Affordable plans starting at $12/month
• HIPAA-compliant hosting

5. Aspida Mail

Aspida Mail provides HIPAA-compliant email by directing users to a secure portal where patients can log in and confirm their identity. Aspida prides itself on being highly compatible with the services you’re already using and making the transition process smooth and easy.

Notable features include

• Simple email migration service
• The option to use their domain or your own
• Compatibility with existing services

6. Protected Trust

Protected Trust allows you to send HIPAA-compliant email through Outlook and other select Windows applications. Protected Trust can be accessed from any device through its web portal. It also has printer drivers and a mobile app for additional accessibility.

Notable features include

• A mobile app with fingerprint security
• A 15-day free trial that includes all the features from the business version
• Multiple delivery methods for more flexibility

7. MailHippo

MailHippo enables medical institutions to send HIPAA-compliant emails to patients and other authorized people. MailHippo guarantees the safety of ePHI and issues a business associate agreement during registration. It also offers a seamless user experience between mobile and desktop, as the platform is fully reactive.

Notable features include

• Minimal configuration and easy setup
• 30-day free trial with limited features can help you decide whether this tool is right for you
• Compatible with any email providers that are already being used
• Plans can be canceled anytime

8. LuxSci

LuxSci is a complete HIPAA-compliant enterprise solution, although it offers plans for small businesses as well. LuxSci provides not only HIPAA-compliant email services, but also Zoom-based video conferencing and online forms. Since 1999, LuxSci has kept health information and communications secure. Many medical and dental institutions use its services.

Notable features include

• Complete solution with video conferencing, text messaging, web hosting, and online forms
• Plans start at $50/month; prices are negotiable and customized to your exact needs
• Migrates existing online forms and associated data to its HIPAA-compliant system

9. ProtonMail

ProtonMail differs from other software because it was developed by scientists and engineers in Switzerland who worked at the CERN laboratory. In addition to high-level data security, ProtonMail provides a BAA — a must for HIPAA compliance.

Notable features include

• Provides an anonymous email account
• Servers located in Switzerland for extra safety
• Open source code

10. Hushmail

Hushmail plans offer not only encrypted email but also secure web forms and legally binding e-signatures. Hushmail is available as an iOS application.

Notable features include

• Separate, secure email archive
• One free month for users who pay annually
• No extra fees for BAA
• Customer support via email and phone

11. Egress

Egress is an encrypted email service headquartered in the UK, but they provide HIPAA-compliant email solutions for medical institutions in the US as well. This tool’s strong machine learning algorithms and DLP technologies minimize the risk of emails’ being sent to unauthorized people, both inside and outside the medical organization. End-to-end email security is a valuable bonus to the already strong security measures.

Notable features include

• Pricing is fixed for each number of users until 25, then a quotation is required
• Their products are classified under preventive, protective and investigative packages
• Also California Consumer Privacy Act (CCPA) compliant
• Free users get 25 free credits to send 25 secure emails to anyone they like

12. Identillect

Identillect’s Delivery Trust provides HIPAA-compliant email encryption services for secure communications. Specifically designed for small and medium-sized businesses, Delivery Trust gives senders complete control over their emails by restricting recipients’ ability to print, forward, and download emails. It also provides add-ons and integrations for various email services (such as Gmail and Outlook).

Notable features include

• 24-7 customer support
• Pricing starting at $5.95 per month
• Compliance with regulations for various industries

13. Mimecast

Mimecast offers products and services for a variety of cybersecurity issues. Its cloud-based system provides a secure portal where messages are stored and checked for malware. Recipients can access and reply to HIPAA-encrypted emails via the portal. Mimecast also protects patient data from more sophisticated forms of cyber attacks, such as targeted threats and phishing. Inbound and outbound scanning allows you to defend your organization from both internal and external threats.

Notable features include

• Employee training on cybersecurity
• A wide range of integrations and API partners
• Continuous service, even when email is down

14. EnGuard

EnGuard is an American company, as American as HIPAA itself. The customer support team is entirely based in the U.S., and the servers are located in California. EnGuard uses its own webmail service for its email interface, which is feature rich and easy to use.

EnGuard plans start at $15 per month and require a minimum of five users. With the Standard plan, each additional user costs $3 per user, per month.

Notable features include

• HIPAA-compliant email account registered on your own domain
• Chat and videoconferencing enabled within webmail
• Responsive to all types of devices

Going digital while staying HIPAA-compliant

No organization can do without email today. Whether it’s sending forms, automatic appointment reminders, or follow-up information to patients, or consulting with other healthcare professionals, email is invaluable for your communication needs.

But medical practices have digital communication needs that go beyond email. If you’re thinking about converting to more digital solutions at your practice, you may also be interested in HIPAA-compliant forms. At Jotform we make it easy to create, manage, and send HIPAA-compliant forms. Try one today.

The information on this page does not constitute official healthcare or legal advice. Jotform is not liable for any damage or liabilities arising out of or connected in any manner with this platform.