What's a good HIPAA compliant email service to use?


Selecting an email service can be one giant headache that keeps many healthcare providers from venturing into email marketing.

A question that usually comes up is:

“What’s a good HIPAA compliant email marketing service to use?”

There are hundreds of email service providers (ESP) to choose from and not one that’s perfect for every situation.

Some email services are designed specifically for healthcare. Others are general business applications that can be configured to be HIPAA capable. And some are not HIPAA compliant at all and should never be used for anything touching patient data.

Listed below are several free email services that are NOT HIPAA compliant. What they have in common is that the provider will not sign a business associate agreement (BAA) for a free consumer account, so nobody is accountable for protected health information (PHI) that passes through them:

  • Gmail - Probably the most commonly used email program in the world. The free consumer version is not HIPAA compliant; Google's paid G Suite can be set up to be HIPAA capable.
  • Microsoft Outlook - Microsoft's free email and calendar tools (Outlook.com and Hotmail) are not HIPAA compliant. The business version in Office 365 can be made HIPAA capable.
  • Yahoo Mail - Known for integrating email, social networking and instant messaging, it is not compliant.
  • Apple Mail - Users of Apple devices are probably familiar with Apple's email program. Apple Mail itself is a mail client rather than a hosted service; paired with a free consumer mailbox such as iCloud it is not suitable for healthcare communications.

Before we jump into my suggestions on selecting an email marketing service, I need to clearly state a disclaimer.

I’m not a HIPAA expert. I am not a lawyer nor do I have any HIPAA certifications. I recommend that you discuss any decision you make that includes protected health information (PHI) with an attorney who specializes in HIPAA compliance or with a certified compliance expert like Rick Gawenda from Gawenda Seminars.

In previous articles, I covered the best practices for getting started with email marketing and the do’s and don’ts of email marketing in a therapy practice. Read those articles to get an understanding of the important issues to address with email marketing as a healthcare business. I have also put together a quick start guide for selecting a HIPAA compliant email marketing service that narrows down your choices: Get your HOW-TO Guide on Choosing a HIPAA Email Service.

Before You Begin

One overriding principle to keep in mind: we are talking about email marketing, not direct patient communication via email.

Do not include PHI in your marketing communications, stay with information that is relevant and useful to large groups of recipients. Send neutral content like announcements of upcoming events, clinic news, and promotion of your clinic’s wellness/fitness services in the majority of your marketing emails.

Use email to engage and deepen your relationship with people throughout the patient lifecycle. View email as a way to enhance two-way communication both online and offline.  

The rules for sending emails that might be interpreted as containing PHI are stricter than those for general marketing emails. The more specific and targeted your emails, the greater the requirements for HIPAA compliance. Keep in mind that a list of email addresses drawn from your patient records is itself PHI: it identifies individuals and relates to their receiving care from you. That is why the BAA and the safeguards discussed below still matter even when the body of the message is neutral.



To help you narrow down your choices for a suitable email service for your practice, answer these few qualifying questions before you begin shopping:

1. How many patients are on your list?

2. What can you afford?

3. What email service do you currently use in your business?

4. How savvy are you at learning and using new software?

5. How concerned are you about HIPAA compliance?

6. Will you use it primarily for marketing or patient communication that might include protected health information?

7. Do you want your email marketing to integrate with your EMR?

Let’s take each of these questions one by one. I’ve provided general answers to guide your thinking.

1. How many patients are on your list? (You have a list, right?)

  • Less than 100
  • 100 to 1,000
  • 1,000 to 10,000

If you’re just getting your practice off the ground, your client list may be relatively small. No worries. Everyone starts with their first patient and grows from there.

The important thing is to make sure you’re recording the contact information of the people you meet. The most significant asset next to your knowledge and skill is your client list, trust me on this.

Your client list is different from the list of patients you’ve treated.  A client list is for ongoing communication and relationship management. 

Keep your system for staying in touch as simple and natural as possible. It’s better to start small sending emails once or twice a month to people who already know, like and trust you.

There are a lot of solutions that might work for you and your business. No matter your size, you cannot afford to ignore the law regarding protected health information.

No matter which platform you choose to do business with, once it stores or transmits PHI on your behalf it is a business associate under HIPAA. You, the practice, remain the covered entity, and the responsibility for protecting that PHI stays with you.

One HIPAA requirement you can’t disregard is entering into a business associate agreement (BAA) with your email provider. Under the BAA the company agrees to apply the Security Rule safeguards to the PHI it handles within its operations and to report breaches to you. It does not transfer your own obligations to the vendor, and it covers only the services named in the agreement.

Often the largest providers offer the strongest security, because they have the money to invest in it and the resources to respond if a data breach happens.

Most security breaches start with compromised credentials: passwords that were phished, reused from another site, or simply guessed. People are unbelievably careless about creating secure passwords. Use long, unique passwords and turn on multi-factor authentication on every account that can read your list; both G Suite and Office 365 support it.

Regardless of the service you end up using, it’s up to you to implement the administrative, physical and technical safeguards. As a rule, always get written consent from patients before sending PHI via email.

Below are some recommended services:

Small Patient List

If your practice has a relatively small list, consider using G Suite from Google or Microsoft’s Office 365.

G Suite from Google

There is no official HIPAA certification for any product. What Google offers is a BAA for paid G Suite accounts. The BAA covers a defined set of G Suite services (Gmail, Drive, Calendar and others), and you must be judicious about configuring those services and keeping protected health information (PHI) out of any service the BAA does not cover.

Microsoft Office 365

Office 365 likewise meets the requirements of the HIPAA Security Rule when configured properly, and Microsoft will enter into a Business Associate Agreement with you. You can purchase full access to business apps like Excel, Word, and Outlook, or you can choose to use only their email program, as long as it is a business or enterprise plan that Microsoft’s BAA covers rather than the free consumer Outlook.com. The higher enterprise tiers (such as E5) bundle more security and compliance tooling.

Medium Patient List

The CAN-SPAM Act applies to every commercial email you send, regardless of list size, but once you get to a few hundred people on your list, sending group mail by hand stops being practical and it becomes harder to meet its requirements manually: a working unsubscribe mechanism honored promptly, your physical mailing address in every message, and honest subject lines. Email marketing services are designed to handle those rules for you. You may also want more automation features that allow you to segment your list into different patient types and run in the background.

Email services like MailChimp, Drip, Prosperworks, and Agile CRM are free to use up to a certain number of subscribers if finances are a significant concern for you. Before you load patient addresses into any of them, confirm in writing that the vendor will sign a BAA for the tier you are using; a free tier usually comes without one, and a list drawn from patient records is PHI.

Large Patient List

Once you have a patient list of over a thousand, you may want to use an ESP that has more automation and security capabilities. You’ll want a service that you can grow into, with more marketing features.

More advanced programs like Infusionsoft or Salesforce come from large companies with HIPAA capability, but they require more technical expertise to set up and run. They are more expensive to operate, so the next question you need to answer is:

2. What can you afford?

  • Limited budget- I’m just starting out, money is tight.
  • On a budget- Cash flow is decent, but I’ve got to watch it.
  • Making a profit- I’m not concerned about the cost if there’s a good ROI.

Setting up an email marketing system will cost you time and money. It’s up to you to decide what you can afford in each category.

You will have to spend money on email marketing to eventually make money. Choose the email service that’s a good fit for the stage of growth of your practice. Price is part of the equation, but it isn’t the only factor.

Choose a service that allows you to reach your current goals with the potential to scale in the future.

There’s nothing worse than subscribing to a service that you never get around to using. Your next question is:

3. What email service do you currently use in your business?

It makes sense to use the email service that you currently use for your business communications. Unless, of course, you are casually using your personal email account to communicate with patients and other providers. Consider yourself warned if you use free email services like Gmail, Outlook or Hotmail that are not HIPAA compliant.

Gmail and Microsoft Outlook can be made HIPAA capable, but only in their paid business forms (G Suite and Office 365) under a signed BAA, and only for the uses the BAA covers. If you are just getting started with email marketing, I suggest you use what’s working for you. Work on segmenting your list and automate email delivery at key touchpoints.

If you’re comfortable with Gmail or Outlook start with one of them before moving on to more advanced programs. You can always import your lists into the applications that have the features you desire once you have your email marketing chops.  

4. How savvy are you at learning and using new software?

  • Beginner- I usually need help with technology.
  • Moderately experienced- I can hack my way through most software.
  • Tech savvy- I’m good at DIY if I have the time.

Most businesses can’t afford a full time IT person. The management duties for email marketing usually get added to someone’s job description. No matter what service you choose it will take time to set up and get running smoothly. 

If you are a solo entrepreneur, you’ll have limited time to devote towards email marketing. How experienced are you at learning and using new software? Do you enjoy technology or is it something you dread?

Larger clinics usually have someone on staff who has some degree of technological aptitude. Delegate the initial set up and maintenance of the email marketing program to them. Even if you contract IT services, you will need to have a leader identified for your internal marketing campaigns. 

I’ve found it counterproductive to blast people with bland newsletters and non-relevant emails. It takes time to research and write content that is consistent with your practice culture and values.  

Even though you can automate much of the email marketing process, you cannot just “set it and forget it.” You must manage and fine-tune your email system just like any other management function.



5. How concerned are you about HIPAA compliance?

  • Moderately worried
  • Highly concerned
  • Extremely apprehensive

Most likely your business is a covered entity under the HIPAA Privacy Rule. HIPAA is ultimately about patient privacy. It’s about taking seriously your responsibility for protecting sensitive patient data, including protected health information (PHI).

In light of the many recent data breaches, it is prudent to have the administrative, physical and technical safeguards the Security Rule calls for in place.

Do the best job you reasonably can at protecting patient information. You must determine after understanding HIPAA privacy laws what is necessary and reasonable for you to do.

Although it’s always better to be safe than sorry, some situations require interpretation and sound judgment. If there is no PHI in an email’s content, HIPAA’s encryption expectations don’t apply to that message. Keep in mind, though, that encryption of PHI in transit is an “addressable” specification under the Security Rule: you either implement it or document why an equivalent measure is reasonable, and the major providers encrypt mail between servers with TLS by default anyway.

The question remains what constitutes PHI?

How are you going to understand PHI and safeguard it according to HIPAA/HITECH guidelines?

HIPAA regulations don’t require that you guarantee patient information privacy and security. The Security Rule asks for reasonable and appropriate safeguards, and it does require you to perform and document a risk analysis that explains how you chose them. It is up to each of us to determine what steps are reasonable and necessary to safeguard patient privacy and security.

6. Will you use email primarily for marketing or patient communication that might include protected health information?

  • I plan on using my client list exclusively to market to prospects interested in my practice.
  • I want to use my email service to communicate with prospects, current patients, and past patients.
  • I want an email service that allows me not to be concerned about sending PHI.

If you want to use email primarily for outreach to new contacts, or to send content marketing to large groups of people, the security requirements are considerably lighter, because those emails should contain no individual PHI. In most cases, the storage and sending of marketing emails should be kept separate from the individual patient data stored in your EMR.

If you want to send welcome messages to new patients, communicate with current patients, and email targeted content at crucial touchpoints in the patient lifecycle, then you’ll need to send HIPAA compliant emails.

The majority of HIPAA compliant email services designed specifically for healthcare providers meet high standards of security, and most of them offer secure patient communication that may include PHI.

Services like Paubox or Virtru integrate with G Suite, Office 365 and other email providers, adding encryption of message content for HIPAA compliance and, in Paubox’s case, secure hosted email. Confirm that the vendor signs a BAA for the tier you buy.

Most of these programs do not include robust marketing automation. What you gain in data security you typically lose in marketing automation and conversion.

7. Do you want your email marketing to integrate with your electronic medical records (EMR)?

  • Yes
  • No

If you want to have a fully integrated email marketing-EMR system and you use WebPT you’re in luck. WebPT recently acquired Strive Labs, a patient relationship software company.

WebPT will probably have the most seamless integration with the Strive Labs patient engagement platform. A tight integration eliminates double entry and enables more targeted patient communication.

Nonetheless, StriveHub will continue its existing integrations with EMR platforms such as Clinicient, TherapySource, Raintree, A2C Medical, MW Therapy and BMS.

StriveHub’s communication center is designed for HIPAA compliance and has a robust email marketing component.


Summary (The short version)

If you are an email marketing beginner with a small list and limited resources, don’t start with more advanced software like Infusionsoft or Strive Labs.

There are inexpensive or free programs you can use to begin a simple client engagement system. G Suite (paid, but cheap), MailChimp, and HubSpot CRM (both with free tiers) are easy to use and will help you communicate more effectively via email. Remember that a free tier does not come with a BAA.

Get started by signing a Business Associate Agreement (BAA) with G Suite or Office 365. With a small list, you can send group emails manually without investing a lot of time. Google publishes a G Suite HIPAA Implementation Guide that covers Gmail; use it.

Do not send PHI via email; keep your emails focused on converting prospects into patients. Send non-specific emails to current and past patients to keep them engaged in your practice.

Once your client list grows, you’ll need to be more diligent with CAN-SPAM and HIPAA laws. Adding HIPAA compliant email services like Paubox or Virtru will allow you to continue to use G Suite and Office 365 with high-level security at an affordable price.

JotForm’s guide HIPAA compliant email providers for small practices provides a list of HIPAA Compliant email providers if Gmail doesn’t meet your needs.  

If you’re highly concerned with HIPAA compliance, I suggest you begin with Salesforce Sales Cloud or Strive Labs with higher levels of security and encryption. 

If you own a mature practice with an extensive patient list, you’ll want to automate your email marketing as much as possible. And take stricter measures to ensure HIPAA compliance throughout your entire organization.

Email services like Salesforce, Strive Labs, or Infusionsoft provide the array of features to grow your client list and business rapidly.

As you can read above, no single email service works in every situation. The primary way you can go wrong is not to do anything, completely ignoring the competitive advantage email provides.

In closing here are a few mistakes to avoid:

  • Nonchalantly using a free email account like Gmail or Hotmail in your business.
  • Paying month after month for advanced email services that you never use.
  • Subscribing to a “HIPAA compliant” email service and not implementing your own administrative, physical and technical safeguards.
  • Thinking email marketing automation means “set it and forget it.”
  • Sending obvious PHI through a non-HIPAA compliant email service.



Paul Potter is a physical therapist and mentor who lives in Lincoln, Nebraska, with his wife, who is also a therapist. They have four daughters. For more than 35 years he successfully managed his private practice. He now shares his knowledge and experience through teaching and mentoring therapists who want to launch their own business. 

He has authored On Fire: Ignite Your Passion with a Cash Therapy Practice and the Cash Practice From Scratch Course. His website PaulPotterpt.com is dedicated to helping therapists achieve professional and financial freedom. Connect with Paul on his website or LinkedIn paulpotterpt. You can also get more free resources at CashPracticeFromScratch.com.