In this blog post, we review eleven email encryption vendors (Barracuda, Egress, Hushmail, Indentillect, LuxSci, MailHippo, NeoCertified, Protected Trust, ProtonMail, RMail, and Virtru) that provide HIPAA compliant email encryption services to protect PHI in transit. These products offer broadly similar features and price points, they cover the typical HIPAA compliant email encryption needs of a healthcare organization, and they are priced so that small and medium-sized businesses can afford them.
Most importantly, all of these vendors will sign a Business Associate Agreement, which is required by HIPAA.
HIPAA requires all Covered Entities to protect PHI (Protected Health Information) both at rest and in transit. There is a common misconception that ordinary email is a secure way to send and receive PHI; it is not, and implementing HIPAA compliant email encryption is a requirement for protecting PHI sent by email. End-to-end encryption encrypts a message so that only the sender and the intended recipient can read its content: the key needed to decrypt it is held only by the intended recipient, so intermediaries such as mail servers see only ciphertext. Transport encryption (TLS between mail servers) is not the same thing: it protects the message only on the hop between two servers, each of which can still read it in the clear.
Ultimately your organization will have to decide which provider offers the solution that best fits your needs. We have listed these HIPAA compliant email encryption services in alphabetical order and divided each company’s description into four sections: setup, encryption and security, additional features, and cost.
You can access this HIPAA compliant email encryption service through their web portal called “cloud control.” Through cloud control, users can manage security options and access their message log and archive. It is entirely cloud-based and requires no hardware or software installation. Setup takes less than 30 minutes. This service works with Office 365, Microsoft Exchange, and other SMTP mail servers.
Barracuda complies with the portions of HIPAA and HITECH that apply to its services (for example, transmission security and audit controls). The Barracuda Message Center uses the Advanced Encryption Standard (AES) with a 256-bit key. The first time a recipient receives an encrypted email, Barracuda generates a unique key for that recipient; encrypted messages are protected with the recipient's key and transmitted over Transport Layer Security (TLS).
Barracuda's service offers many additional features. Advanced threat protection scans email attachments in real time for potential threats, specifically malicious links, malware, phishing, typosquatting, spam, and viruses. Barracuda also offers an archiving feature for secure storage of important messages.
Outbound filtering prevents attacks that originate inside the network from being spread to others by email. The data leak prevention feature detects emails containing sensitive information and blocks them or encrypts them automatically. Email spooling ensures delivery even during server failures and loss of connectivity. Additionally, Barracuda's Denial of Service Attack Prevention helps stop spammers from overloading the server.
Barracuda's service costs $4.73 per user per month, with a minimum of ten users. There is no setup fee for this HIPAA compliant email encryption service, and the company offers a free trial.
Users can easily set up an account with Protected Trust in as little as 10 minutes. This HIPAA compliant email encryption service can either be accessed through their web portal, using any web browser, or the user’s Microsoft Outlook email application. Setting this up is as simple as opening an account with Protected Trust and accessing your account with your login information. The web-based portal is a nice feature because it can be accessed anywhere, including mobile devices. There are also mobile apps for iPhone and iPad.
Protected Trust uses AES-256 end-to-end encryption and two-factor authentication for encrypted messages, and it stores messages encrypted at rest. Users can send from Microsoft Outlook or from their organization's electronic medical record (EMR) system, and a single message can carry up to 5GB of data.
Protected Trust also offers a read receipt feature so the user knows when the recipient has opened and read their email. Users are also able to revoke emails both before and after the message has been opened. Protected Trust also allows the sender to set an expiration time on the email so, after a specified amount of time, the recipient will no longer have access to the email or its contents.
The service comes with unlimited secure messaging and unlimited free guest accounts. Email encryption accounts have 10-year message retention, while guest accounts retain messages for only 30 days. Additionally, Protected Trust keeps a proof-of-delivery log. It also offers an email archiving service, although that is separate from the email encryption service.
This HIPAA compliant email encryption service offers 24/7 support to all customers through its own service centers. All employees are trained on HIPAA compliance, so they understand the importance of protecting the sensitive information they help users transmit. The company performs regular penetration testing and voluntary audits of its own organization. Although it has never experienced a data breach, it carries breach insurance for added protection. Its services are designed to comply with major government regulations, including HIPAA, HITECH, GLBA, and SOX, among others.
When sending an encrypted email to someone not registered with Protected Trust, the sender can require recipient verification in one of three ways. First, a secret code: the recipient must enter the code in order to open the email, so the code should be shared with the recipient over a separate channel rather than in the same email. Second, phone verification: the recipient receives a phone call or an email containing a randomly generated key code to enter for access to the email. Third, a free guest account: after a one-time verification, the recipient has access to future emails.
Protected Trust costs $36/month for a minimum of three users. Additional users are $12/month each. The company will set up a single user license for $15/month if their client only needs one account for the entire company. There is no setup fee. Additionally, this HIPAA compliant email encryption service offers a free trial for new users.
ProtonMail is one branch of Proton For Business, which also includes ProtonCalendar and ProtonVPN. ProtonMail is an online portal that can be accessed by creating a username and password, with the option of adding a recovery email.
Once you’ve logged in, you’ll have the option of migrating data from other email services such as Gmail or Outlook into ProtonMail. This feature ensures you’re not starting from scratch but have ongoing access to your email history.
ProtonMail relies on zero-access, end-to-end encryption. Users can securely send emails to non-ProtonMail users by enabling "Encrypt for Outside" on an email. The recipient receives a link that loads the encrypted message in their browser, where it can be decrypted only with a passphrase chosen by the sender, which therefore has to be shared with the recipient over a separate channel. ProtonMail's strong encryption meets HIPAA's requirements for protecting PHI in transit.
As a Swiss company, ProtonMail is also subject to some of the strictest data privacy laws in the world. By default, it does not log users' IP addresses, so users who want it can use the service with a high degree of anonymity. ProtonMail protects the data of your patients and the data of your business.
ProtonMail’s migration capability is among its most important tools, though this feature is only available for Plus, Professional, Visionary, and Lifetime accounts. When it comes to navigation, ProtonMail offers a variety of tools, including custom labels, quick filters, and multiple layout options.
Registering for ProtonMail also creates a free ProtonVPN account, which routes a user's web traffic through one of Proton's intermediary servers so that the sites visited see that server's IP address instead of the user's. This hides the user's IP address from the sites they visit, although it does not by itself make browsing completely private.
Storage, the number of email addresses, the number of messages sent per day, and the number of folders a user can create all vary according to the version purchased.
For businesses, ProtonMail offers three plans. The Mail Essentials plan costs $6.99/user/month and includes ten email addresses per user, support for three custom email domains, and 15 GB of storage per user, among other features. The Business plan costs $10.99/user/month and includes 15 email addresses per user, support for 10 custom email domains, and 500 GB of storage per user. The customizable Enterprise plan is negotiated with Proton's sales representatives.
Note: RMail is the email encryption service of the company RPost.
RMail promises easy setup and intuitive use. The RMail add-in is installed from the RMail website: select the configuration that matches your current environment (Gmail users, for example, select "RMail for Gmail"), close your email client, and run the installer, which follows a standard installation wizard. Once the installation completes and you reopen your email client, an RMail add-in button appears when you compose a message. Contact support@rpost.com for setup help, or call 866-468-3315 from 8 am to 10 pm ET, Monday through Friday.
This HIPAA compliant email encryption service delivers your encrypted message and attachments directly into the recipient's inbox without any extra links, so recipients do not need to register for an account, open a web browser, or otherwise leave their inbox to read the message. RMail offers an automatic encryption mode: when TLS is detected and supported by both the sender's and the recipient's mail servers, the message is sent over TLS; otherwise, RMail encrypts the message and attachments themselves (256-bit encryption) and delivers them directly into the recipient's inbox, with nothing to retrieve from an outside server or website. Note that the TLS path is transport encryption only, protecting the message between the two mail servers; for assurance that only the intended recipient(s) can read a message, use one of RMail's end-to-end delivery options. Several delivery configurations are available.
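The opportunistic TLS decision described above can be checked for a given recipient domain. The following is an added example, not RMail's code: it parses the EHLO reply a recipient's mail server returns, records whether STARTTLS is advertised, and chooses transport TLS only when the handshake also verified the server certificate, falling back to message-level encryption otherwise. The hostnames, the EHLO transcripts, and the client name used by the `probe_mx` helper are constructed for illustration; `probe_mx` is the one part that needs network access and is not exercised by the offline demonstration.

```python
"""
Offline model of the two paths an opportunistic-TLS mail service chooses
between: deliver over STARTTLS when the recipient's MX advertises it and its
certificate verifies, otherwise fall back to message-level encryption.
Added example, not RMail's code. Hostnames and EHLO transcripts are constructed.
"""
from __future__ import annotations

import re
import smtplib
import ssl
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed EHLO replies, as an MX would send them after "EHLO probe.example".
# RFC 5321 4.2.1: intermediate lines are "250-...", the final line is "250 ...".
MX_WITH_TLS = (
    "250-mx.example.net Hello probe.example [192.0.2.10]\r\n"
    "250-SIZE 52428800\r\n"
    "250-8BITMIME\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)
MX_NO_TLS = (
    "250-legacy.example.org Hello probe.example [192.0.2.10]\r\n"
    "250-SIZE 10240000\r\n"
    "250 HELP\r\n"
)

_REPLY_LINE = re.compile(r"(\d{3})([ -])(.*)")


@dataclass
class EhloResult:
    greeting: str               # text of the first 250 line
    extensions: Dict[str, str]  # ESMTP keyword (upper-cased) -> parameters


def parse_ehlo_reply(raw: str) -> EhloResult:
    """Parse a raw multiline EHLO reply into the advertised ESMTP extensions.

    Raises ValueError on a non-250 code, a malformed line, or a reply that is
    not terminated by a "250 " line: a truncated reply must not be taken as
    evidence that STARTTLS is absent.
    """
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    greeting = None
    extensions: Dict[str, str] = {}
    for i, line in enumerate(lines):
        m = _REPLY_LINE.fullmatch(line)
        if m is None:
            raise ValueError(f"malformed reply line: {line!r}")
        code, sep, text = m.groups()
        if code != "250":
            raise ValueError(f"EHLO rejected: {line!r}")
        if sep == " " and i != len(lines) - 1:
            raise ValueError("data after the final reply line")
        if i == 0:
            greeting = text
        else:
            keyword, _, params = text.partition(" ")
            extensions[keyword.upper()] = params
    if greeting is None or lines[-1][3] != " ":
        raise ValueError("reply not terminated by a '250 ' line")
    return EhloResult(greeting, extensions)


def choose_delivery(ehlo: EhloResult, tls_verified: bool) -> Tuple[str, str]:
    """Pick the delivery path for one recipient domain and say why.

    An advertised STARTTLS is not enough on its own: an on-path attacker can
    strip the capability or present a bogus certificate, so transport TLS is
    chosen only when the handshake also verified the MX certificate. Anything
    else falls back to encrypting the message itself before handing it to SMTP.
    """
    if "STARTTLS" not in ehlo.extensions:
        return "message-level", "recipient MX does not advertise STARTTLS"
    if not tls_verified:
        return "message-level", "STARTTLS advertised but certificate did not verify"
    return "transport-tls", "STARTTLS negotiated with a verified certificate"


def probe_mx(host: str, port: int = 25, timeout: float = 10.0) -> Tuple[EhloResult, bool]:
    """Live check against a real MX (needs network; not used by the offline demo).

    Sends EHLO, then attempts STARTTLS with chain and hostname verification.
    Returns the advertised extensions and whether the TLS handshake verified.
    """
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    conn = smtplib.SMTP(host, port, timeout=timeout)
    try:
        code, msg = conn.ehlo("probe.example")  # constructed client name
        if code != 250:
            raise RuntimeError(f"EHLO rejected by {host}: {code}")
        greeting = msg.decode("utf-8", "replace").splitlines()[0]
        ehlo = EhloResult(greeting, {k.upper(): v for k, v in conn.esmtp_features.items()})
        verified = False
        if conn.has_extn("starttls"):
            try:
                conn.starttls(context=ctx)
                verified = True
            except ssl.SSLError:  # handshake failed or certificate did not verify
                verified = False
    finally:
        try:
            conn.quit()
        except Exception:  # socket may be unusable after a failed handshake
            conn.close()
    return ehlo, verified


if __name__ == "__main__":
    import sys

    for raw in (MX_WITH_TLS, MX_NO_TLS):
        result = parse_ehlo_reply(raw)
        # Offline demo: assume the handshake would verify where STARTTLS is offered.
        print(result.greeting.split()[0], "->",
              choose_delivery(result, tls_verified="STARTTLS" in result.extensions))
    if len(sys.argv) > 1:  # python this_script.py mx.yourdomain.example
        live, ok = probe_mx(sys.argv[1])
        print(sys.argv[1], "->", choose_delivery(live, ok))
```

Run it without arguments for the offline demonstration, or pass an MX hostname to probe a real server over port 25. The fallback when STARTTLS is advertised but the certificate does not verify is deliberate: an advertised STARTTLS proves nothing about who is terminating the connection, so a service that relies on opportunistic TLS is only as strong as the certificate check it performs before trusting that hop.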
RMail also does much more than email encryption. It tracks your important emails so you know precisely when the recipient receives and opens them, and its Registered Email technology and Registered Receipt™ email record remove uncertainty around email delivery by providing proof of correspondence as well as proof of encrypted delivery. RMail's E-Sign feature collects recipients' electronic signatures (including click-to-sign), and its secure file transfer handles files as large as 1GB. New subscribers can keep using their existing email addresses or create an RMail domain address for free. RMail works with several email clients and platforms, including Outlook and Gmail, and keeps an audit trail of the emails users send and receive.
RMail’s technical support includes a knowledge base, FAQs, downloads, and training videos, as well as the ability to open a support ticket via their website with promises of a response within 24 hours. Notably, this feature is only available to Personal and Professional plan holders. Phone support is available for Enterprise plan holders only.
RMail offers a free service level for those that only need to encrypt occasionally. The free service works with any email address and lets you send five encrypted emails per month, with no credit card required. For business users, this HIPAA compliant email encryption service is available on a per user per month basis. Plans are tiered based on the number of users and the number of messages sent monthly. Their standard professional plan includes one to ten users and costs $14.99/user/month. Also available is their Personal plan (one user) and Enterprise plan (100+ users). For the enterprise plan, you will need to request a quote. Also, there is no setup fee.
Note: This service is more expensive than some other email encryption providers, but it offers a great deal for the price: the $14.99/user/month subscription also includes the features mentioned above, namely secure file sharing (up to 1GB), time-stamped proof of delivery, and e-signature. RMail can be tried for free.
Note: Virtru for Personal Use (the free plug-in) does not include a BAA and therefore is not HIPAA compliant. You must purchase the paid version of Virtru to use its HIPAA compliant email encryption service.
Virtru Data Protection for healthcare organizations is suitable for everything from small organizations to large enterprises. It allows users to easily share HIPAA compliant emails and attachments with anyone, right from their existing inbox. Users can download the Virtru extension via their web browser or integrate Virtru into their Outlook or Gmail application.
Virtru supports a number of platforms, including G Suite and Microsoft 365. It offers a web browser extension, as well as applications for your iOS and Android devices. This service does not require users to create a new account or password, so integration is fairly seamless.
This HIPAA compliant email encryption service provides end-to-end encryption: only the sender and the intended recipient can decrypt a message, so no third party (including Virtru) can read email content. Sending an encrypted email takes one click in your usual browser, and protection preferences can be set per email. Virtru also allows admins to revoke a message at any time (even after it has been opened), to see and control where messages are forwarded, and to set expiration dates for messages.
Virtru is easy to use, and recipients do not need Virtru to read a secure message: they first verify that they are the intended recipient, and the message then decrypts in Virtru's Secure Reader. Virtru provides a video tutorial showing the recipient experience. For an extra layer of security, Virtru uses an "ephemeral key exchange" to create a new key each time users log in to their email accounts.
Virtru does not publish its pricing. You must contact a sales representative for customized pricing information.
Company Name | Additional Features | Cost | Free Trial | Setup Fee |
---|---|---|---|---|
Barracuda | Threat protection scanning, archiving, automatic encryption, Denial of Service Attack prevention | Starting cost $4.73/user/month (minimum 10 users) increases with added features | Yes | No |
Egress | Multi-factor authentication, secure large file sharing, automated Data Loss Prevention (DLP), controls over email recipient actions (such as preventing copy/paste) | Varies with the size of the company; on average about $100/user/year (about $8.33/month) | Yes | No, but the organization does charge an "Infrastructure Cost" fee |
Hushmail | Archiving, unlimited email aliases, email record management (for audits), integration with a website for accessing EMRs, and other features for healthcare clients | $9.99/user/month for one user with 10GB storage, $19.99/month for up to five users and 15GB storage | No (a free trial is offered only for personal use, not for the HIPAA compliant solution) | Yes, $9.99 |
Indentillect | Optional business admin account for implementing additional security controls, automatic encryption, eSigning, recipient multi-factor authentication | $5.95-10/user/month depending on the plan | Yes | No |
LuxSci | Automatic timeout, optional business admin controls, secure productivity tools (calendars, workspaces, file sharing, and address books), HIPAA trained staff | $10/month for up to 50 users with 50GB storage, $67.50/month for unlimited users and storage (also dependent on the number of the client's servers) | Yes | No |
MailHippo | Help with branding, large file upload, message recall, message expiration | $4.95/month for 5,000 messages and 5GB storage, $7.95/month for 10,000 messages and 10GB storage | Yes | No |
Protected Trust | 10-minute setup, works with EMR systems, mobile apps, multi-factor authentication for both users and email recipients, email expiration controls, 10-year message retention, 24/7 customer support, free guest accounts | $36/month for a minimum of three users, $12/month per additional user (single-user license $15/month) | Yes | No |
In conclusion, Total HIPAA sees these solutions as a good fit, in both price and features, for small and mid-size businesses.
All of the recommended services sign Business Associate Agreements with their clients, as HIPAA requires. Barracuda, Egress, Hushmail, Indentillect, LuxSci, MailHippo, Protected Trust, RMail, and Virtru all have extensive experience with HIPAA compliant clients and can cover your HIPAA compliant email encryption needs.
We encourage you to check out the free trials for each and determine which will best work for you and your organization.
Our HIPAA compliance services help ensure that your business follows the basic HIPAA rules and guidelines to protect sensitive patient information. Our team of experts is dedicated to providing affordable rates and personalized solutions to help you become HIPAA compliant. We understand that navigating the complex requirements of HIPAA can be challenging, which is why we offer a comprehensive range of services to meet your unique needs. From risk assessments to employee training, we have the tools and expertise necessary to help your business achieve and maintain HIPAA compliance. Contact us today to learn more about how we can help you protect your patients, your employees, and your business.