
Top 12 HIPAA compliant email services

Email is one of the most valuable tools in the healthcare industry, from reaching new clients to sending and receiving protected health information. A strong and secure email service isn't just about staying HIPAA compliant; it's also the key to building a sustainable, trustworthy, and secure healthcare business.

We've compiled a list of the top HIPAA compliant email services and how we evaluated them. 

The top 12:

  1. Paubox
  2. LuxSci
  3. Zix/Webroot
  4. Mimecast
  5. Proofpoint
  6. Hushmail
  7. Barracuda
  8. Cured
  9. Virtru 
  10. ActiveCampaign
  11. Proton Mail
  12. Bitdefender GravityZone


HIPAA compliance and why it matters

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that sets the national standard for protecting the privacy and security of protected health information (PHI). 

HIPAA includes two primary rules: the Privacy Rule, which establishes the standards for protecting the privacy of PHI, and the Security Rule, which specifies how PHI can be used and disclosed. 

Being HIPAA compliant allows patients to know their data is cared for. Many of the standards for HIPAA compliance are designed to prevent data breaches or personal information from getting into the wrong hands. Failing to follow HIPAA standards can lead to both financial and legal problems. Ensuring HIPAA compliance is one of the best ways to support the longevity of your healthcare organization. 



How to evaluate HIPAA compliant email services

Many healthcare organizations want an email service that is HIPAA compliant, reliable, and easy to use. We looked at a range of secure email services to find the best ones for healthcare organizations. 

We evaluated organizations based on the following: 

  • HIPAA compliance: Is the company HIPAA compliant? Does it focus on healthcare specifically? 
  • Usability/integration: How easy is integrating the service into existing platforms? Is it easy for providers and administrators to use? 
  • Customer service: What avenues do customers have when they need help?
  • Encryption system: Does the service encrypt emails or use portals? Does encryption need to be done manually, or is it automatic? 
  • Reviews: What are the reviews of the service? How is it rated?
  • Breaches: Has the company ever experienced a data breach? 
  • Pricing structure: How does the company price its service? What is included in the various tiers? 

We also looked at what makes each service unique and why they received their rank. 


Top HIPAA compliant email service companies

In the world of HIPAA compliance, healthcare organizations have many different companies to choose from. We've explored the options out there and curated a list of the top HIPAA compliant email services, alongside their unique benefits and potential drawbacks. 


1. Paubox

Paubox is a consistent leader in HIPAA compliant communication. As of 2023, Paubox was ranked #1 in ease of use, customer support, email encryption, and best results by G2 rankings.

Unlike other secure email services, Paubox focuses on the healthcare industry, keeping a constant pulse on compliance protocols and changes in healthcare cybersecurity. 

Let's dive into why Paubox remains one of the most respected email security companies.

Founded in: 2015

Available Services:


How it stacks up: 

  • Usability/Integration: Paubox seamlessly incorporates into current systems, including Google Suite and Microsoft. Employees do not need training for Paubox to be effective. Because Paubox encrypts everything by default, staff does not need to learn a new system, click special buttons, or take additional steps to send encrypted emails. Paubox can also integrate with Salesforce CRM, Zendesk, and others.
  • HIPAA compliance: Paubox will always prioritize HIPAA compliance, saving you time and money from potential HIPAA violations. Paubox is niched to specifically focus on healthcare and is HITRUST CSF certified, proving the highest standards of HIPAA compliance. 
  • Customer service: Paubox has a dedicated US-based customer support team, an often-stated reason many companies love working with Paubox. Paubox also has a straightforward help center that lets customers quickly find solutions to most problems.
  • Encryption: Paubox automatically encrypts every email by default, removing the risk of staff accidentally forgetting to encrypt. Unlike other services, Paubox emails can be opened in the inbox by the recipient without requiring them to log in to a portal.  
  • Reviews: Rated as a 4.9/5 by outside reviewers on G2. Over 290 5-star reviews.  
  • Breaches: Paubox has never been breached/hacked.   
  • Pricing structure: Paubox offers a free trial. If you decide Paubox is the right option for you, you'll choose between three plan options that start at 5 users and then add a fee per additional user: 
    • Standard ($29.00/month): Includes up to 5 users and many benefits: secure email, secure calendar invites, secure contact forms, business associate agreement, two-factor authentication, access to email reports, phone support, and more. 
    • Plus ($59.00/month): Includes up to 5 users and everything in the standard plan, plus name-spoofing protection, automatic quarantine with new domains, malware and virus protection, ransomware protection, robust spam filtering, and more. 
    • Premium ($69.00/month): Includes up to 5 users and everything in the Plus plan, as well as email archiving, data loss prevention, and HIPAA compliant voicemail transcription. 


What makes Paubox unique:

  • Automatic encryption: Most systems require users to actively encrypt each email, which is where mistakes can happen. Paubox takes away that risk by seamlessly encrypting emails. Employees simply send encrypted emails as they would send any other email. No extra steps needed.
  • Email marketing: Paubox Marketing is a HIPAA compliant email marketing platform. While many email marketing platforms exist, few are genuinely HIPAA compliant.
  • Forms/data gathering: Paubox Email Suite includes Paubox Forms. Users can now use secure forms with patients and remain HIPAA compliant.


Why Paubox is #1

Paubox takes the top spot on our list for effectiveness and ease of use. Customers confirm that Paubox makes security simple. Paubox balances extreme security with ease. Paubox also has other features, like email marketing and forms, streamlining your marketing and communication process. 

Because Paubox is a company focused on HIPAA compliance in the healthcare industry, you can expect it to stay on top of trends, news, and guidance.


2. LuxSci

Founded by Erik Kangas in 1999, LuxSci is designed to provide high-quality infrastructure that helps healthcare companies keep email secure. The organization offers flexibility in its services and focuses on reducing human error. LuxSci also partners with Oracle Cloud to improve sustainability. The company began providing HIPAA compliant email services in 2005. 

Founded in: 1999 

Available Services:


How it stacks up: 

  • Usability/integration: LuxSci uses its own hosting platform rather than shared clouds. Clients are provided with a dedicated server, cluster, or unique custom deployment, and each email server is isolated from others. LuxSci email works with third-party email programs, including Outlook and Gmail. However, some have complained integration with Outlook is challenging. 
  • HIPAA compliance: The company focuses heavily on HIPAA compliance and provides additional support and resources to help companies maintain compliance. 
  • Customer Service: LuxSci has generally positive reviews regarding customer service. They provide 24/7/365 customer support for emergencies. Outside of this, they provide quick responses to non-emergency issues. They state customer service is their number one priority to ensure the different tools available to clients can be utilized.  
  • Encryption system: Their model of encryption, SecureLine, integrates SMTP TLS, SecureLine Escrow, and SecureLine PKI. Utilizing all three models, the system will go through the encryption options and select the most secure depending on the receiver and message data. In general, everything is encrypted and no set-up is required. Instead of opting to encrypt, users must opt out if needed.  
  • Reviews: LuxSci has a rating of 4.8/5 stars on G2, with generally positive reviews. Some claim the interface is outdated and lacks additional features other programs offer.  
  • Breaches: LuxSci has no reported breaches.
  • Pricing: LuxSci does not publicly release their pricing; potential clients must contact customer service. They do, however, reveal what their primary services include. 
    • Secure email hosting: SecureLine email encryption, secure mobile email, calendar, contact, task, and notes access, compatibility with all major email programs, mobile access, spam and virus filtering, and more.
    • Secure forms: HIPAA compliant service, SecureLine email encryption, integration with web-based forms, integration with PDF-based forms, and web form builder.  
    • Secure high-volume sending: HIPAA compliant service, ePHI in emails, SecureLine encryption, dedicated IP address, dedicated server, email sending via SMTP and API, and more. 


What makes it unique: 

Provides additional secure web hosting: Organizations looking for additional security can opt into a dedicated web hosting service. LuxSci's website describes this as a strong option for accounts needing high availability and performance and more fine-grained application and data segmentation.   


Why LuxSci is #2 

LuxSci has fairly positive reviews but has received criticism for simplified technology and being difficult to integrate into existing platforms. With many options for encryption, LuxSci remains a good choice.


3. Zix/Webroot

Webroot, previously known as Zix, is a cybersecurity company focusing on providing security in the cloud. Webroot and its parent company, Carbonite, were acquired by OpenText in 2019. The organization offers email encryption and email threat protection for homes and businesses.  

Founded in: 1988

Available Services


How it stacks up: 

  • Usability/integration: When a company opts for Webroot, the system will be integrated into its existing email platform. When sending to other Webroot users, the email will be delivered as normal, while non-Webroot users will receive an additional link to a secure portal. Webroot is generally effective but can have some issues with recipients opening emails. 
  • HIPAA compliance: Webroot is HIPAA compliant and is also compliant with many other government regulations. While they do stay up to date on HIPAA regulations, they are designed to follow several other government regulations, which could create limitations on use. 
  • Customer Service: Zix, the company's name before Webroot, had a strong reputation for customer service. Since then, no major complaints have been issued against the company. However, there is no consensus on how accessible or helpful Webroot's customer service is. 
  • Encryption system: Webroot offers email encryption with on-demand and automatic encryption options for the sender and recipient, multiple secure delivery options, and external collaboration via their Secure Compose portal. 
  • Reviews: Webroot currently has no reviews for its email platform. Zix, however, has 30 reviews and averages 4.5/5 stars according to G2. With limited reviews, it can be difficult to assess the overall user experience.  
  • Breaches: Neither Zix nor Webroot have confirmed any breaches. 
  • Pricing: Webroot provides pricing when potential customers fill out a survey and opt into a free trial. 


What makes it unique: 

Email continuity: Webroot ensures email access even if the infrastructure is down. Webroot email can still be accessed if there is an outage in company systems. 


Why Webroot is #3

Webroot earns our 3rd spot because it has a strong reputation. It also offers advanced security features. However, with limited reviews and data, companies may prefer a more reviewed service. 


4. Mimecast

Mimecast is a global cybersecurity company operating in North America, Europe, the United Kingdom, Africa, Australia, and Singapore. They focus on email and cloud network security products and provide employees with security training. Mimecast focuses on the use of AI, particularly machine learning and computer vision to assist with spam, anomaly, and malware detection. While Mimecast has favorable reviews and quality services, they have faced a cyberattack before, resulting in their customer's company data being leaked by a malicious organization.   

Founded in: 2003

Available services:


How it stacks up:

  • Usability/Integration: Mimecast is easy to integrate into existing systems, and unlike some email security software, Mimecast does not require users to follow specific steps to protect email and data. Instead, their software is designed to run in the background, using AI to constantly scan emails, attachments, and links for malicious content. Users must message through Mimecast's Secure Message system and allow time for messages to be processed by Mimecast's software. 
  • HIPAA compliance: Mimecast states their services are HIPAA compliant. The company serves a variety of industries around the globe, meaning that HIPAA compliance is just one of its security focuses. While they are compliant, HIPAA is an evolving landscape, and cyber attacks, specifically on healthcare organizations, are increasing in complexity and frequency. 
  • Customer service: Mimecast has received favorable reviews for its responsiveness. Some have said that Mimecast support can be vague when discussing ideal settings or solutions. Mimecast also offers varying levels of support with associated costs. Each package is customized but can determine the response time to requests and types of assistance available. Organizations that do not pay for additional support may experience longer wait times or differentiated assistance.
  • Encryption system: Mimecast utilizes encryption to protect data. Users will choose to send a message securely. Once sent, the Mimecast software scans the email, and the recipient is prompted to open the email in the secure messaging portal. 
  • Reviews: According to G2, Mimecast is rated 4.4/5 stars, with 179 reviews. While reviews are generally positive, some say it can disrupt workflow by delaying emails or asking users extraneous questions. 
  • Breaches: Mimecast was linked to a breach of SolarWinds, a US-based software company, in 2021.
  • Pricing: Mimecast offers 3 different plans for email security. 
    • Protect email security ($4.50 per user/month): includes AI detection, phishing protection, URL analysis, attachment scanning, spam filtering, and anti-virus. 
    • Protect Plus email security ($6.00 per user/month): includes everything in the Protect plan plus social graphing, dynamic email bannering, insider risk protection, browser isolation, and email continuity. 
    • Protect suite email security (custom pricing): includes everything in Protect Plus, along with awareness training, email backup and restoration, DMARC management, and cloud archiving. 


What makes it unique:

Security training: Unique to Mimecast are its security training programs. Many cybersecurity incidents are the result of inadequate employee training or user errors. Mimecast hopes to lower these statistics through education involving videos, assessments, and risk scoring.


Why Mimecast is #4

Mimecast lands at number four for its strong focus on email security, encryption, and customer support. With a global approach, those in healthcare may wish to find a company specifically focused on the needs within the healthcare industry.


5. Proofpoint

Proofpoint is a global email security company that serves organizations throughout the United States, Australia, Canada, France, Germany, the United Kingdom, and others. Proofpoint's priorities are email security and data protection, but they do not specifically emphasize HIPAA compliance. The company serves a variety of industries, including the government, financial services, higher education, healthcare, and more. 

Founded in: 2002

Available Services


How it stacks up: 

  • Usability/integration: Proofpoint is generally considered user-friendly with a straightforward integration process. Past customers have complained that it is not effectively integrated with Google. On the admin side, some customers struggle with compiling data or switching between different platforms within their security stack. 
  • HIPAA compliance: Proofpoint does not specifically discuss HIPAA compliance on its website but claims to have 80+ templates designed to ensure compliance with varying government regulations. Through their Intelligent Compliance service, they can monitor employee communication and actions, keep security measures up to date with regulatory compliance requirements, and assist organizations in archiving information for their research or preparing for litigation.  
  • Customer Service: Customer support services can vary depending on the service utilized. Generally fast and responsive, customers can expect to submit tickets into a portal and be assisted as quickly as possible. 
  • Encryption system: Proofpoint software works in the background for employees, automatically encrypting messages and attachments. Users do not need to manually encrypt their email to send or receive secure messages. Administrators generally control access but can allow users to revoke, expire, or restore access as needed. 
  • Reviews: According to G2, Proofpoint has a ranking of 4.4/5 based on a small number of reviews. While reviews are generally positive, there are only 18. 
  • Breaches: Proofpoint has no reported breaches. 
  • Pricing: Proofpoint provides varying bundles and levels of protection. Pricing is always customized. Interested users must request a meeting to discuss their needs. Generally, Proofpoint will then complete a security audit and report any security gaps. They will then provide a list of custom recommendations and suggested services. 


What makes it unique: 

Intelligent compliance services: This program could help take any guessing out of HIPAA compliance and ensure that organizations are ready to respond to litigation, which is becoming increasingly common when breaches occur.


Why Proofpoint is #5

Proofpoint claims our fifth spot because of its strong track record and overall positive reviews. While we always suggest prioritizing companies that specifically focus on HIPAA compliance, Proofpoint is a reliable choice for healthcare organizations.  


6. Hushmail 

Hushmail is a Vancouver-based cybersecurity service founded in 1999. They offer encrypted email, secure web forms, and electronic signatures. They work in several industries, focusing on healthcare, finance, non-profit, and law. While Hushmail is generally viewed as reliable and secure, it did come under fire for revealing customer information via court order, revealing that Hushmail employees may be able to access protected and confidential data. As Hushmail is based in Canada, organizations in the United States may find themselves also impacted by security laws affecting how Hushmail operates.    

Founded in: 1999

Available Services


How it stacks up: 

  • Usability/integration: While Hushmail is simple to use, it does require creating a new email account. The account can be used on the web, iPhone and Android. Changing to a new email service may be possible for new organizations but could add complexity if you maintain and utilize other programs, such as Google Suite or Microsoft 365. In certain situations, individuals can encrypt third-party emails by using special keywords. 
  • HIPAA compliance: Hushmail has a strong focus on HIPAA compliance. For healthcare organizations, they have specific services designed to protect healthcare information. They also provide HIPAA resources and tools. 
  • Customer Service: Reviews are limited regarding Hushmail's customer service. The company offers a variety of help articles, as well as messaging and live chat. They are also available by phone during business hours.   
  • Encryption system: Hushmail requires customers to create a Hushmail account to send encrypted emails. However, they do not need to be opened using a Hushmail account. When sending emails to other Hushmail users, information is automatically encrypted. When sending information to outside users, employees must enable encryption. 
  • Reviews: On G2, Hushmail has a rating of 3.7/5 stars. Customers generally say Hushmail is effective but can be difficult to use and some customers have difficulty resolving technical errors. 
  • Breaches: Hushmail has no reported breaches but did receive some fall-out for disclosing customer information when demanded by court order. 
  • Pricing: Hushmail provides 3 main plans, each of which can be discounted if signed on for longer.
    • Starter package ($11.99/month): includes one email address, HIPAA compliance service, 60-day money-back guarantee. Forms and additional emails can be added on. 
    • Recommended package ($24.99/month): includes up to 5 email addresses and 5 secure web forms, and electronic signatures. It also includes everything in the starter pack, and additional emails or forms can be added. 
    • Custom package ($47.99/month): includes up to 10 email addresses and 10 web forms, and everything else in the recommended plan. 


What makes it unique: 

New email addresses: This feature helps ensure information is encrypted securely but could pose challenges for larger organizations. 


Why Hushmail is #6

Hushmail can be a good option for smaller or new organizations. Their focus on HIPAA compliance places them in the top half of our list, but a few things may lead potential customers to pause. Being based in Canada could lead to US-based organizations facing additional laws. There could be concerns regarding Hushmail's security, and the company may require organizations to change their current communication systems. 


7. Barracuda

Barracuda is a global cybersecurity company with a focus on email protection. The large organization has acquired other cybersecurity companies, continually expanding their products and services. While Barracuda is generally trusted, they experienced a severe zero-day attack in the fall of 2023, affecting numerous government organizations and companies.  

Founded in: 2002

Available Services


How it stacks up: 

  • Usability/integration: Barracuda is generally viewed as user-friendly. While they don't mention the Google Suite, their products can be integrated into Microsoft 365. Some users desire more user preference, stating that the features are too simple for larger companies. 
  • HIPAA compliance: While Barracuda focuses on email and data security, they do not focus specifically on HIPAA compliance. Barracuda is HIPAA compliant and discusses some healthcare and cybersecurity trends. If you decide to work with Barracuda, we recommend discussing your specific needs with them to ensure compliance and data safety. 
  • Customer Service: Barracuda has favorable customer support reviews. They also provide enhanced support for an additional fee. Professional services support offers onsite and remote services to maximize the effectiveness of Barracuda. The premium support option provides a support manager and access to a team of technical engineers to assist with any challenges.  
  • Encryption system: Barracuda's email service provides automatic encryption to prevent user error. They do not specify their encryption process.
  • Reviews: Barracuda's email security has a rating of 3.2/5 stars on G2. While reviews are generally positive, some customers have reported Barracuda's software mistakenly identifies emails as risky. 
  • Breaches: Barracuda experienced a zero-day breach in early 2023.
  • Pricing: Barracuda's pricing structure requires individuals to meet and discuss a custom plan option. Although they don't publish specific pricing, they do have 3 plans available:
    • Advanced: Includes spam and malware protection, attachment protection, link protection, email continuity, phishing and impersonation protection, account takeover protection, automatic remediation, email encryption, and data loss prevention. 
    • Premium: Includes everything in the advanced plan, plus domain fraud protection, web security, SIEM/SOAR/XDR integration, threat hunting and response, and automated workflows. 
    • Premium Plus: Includes all in the premium plan, plus zero-trust access for Microsoft 365, attack simulation, security awareness training, cloud archiving, cloud-to-cloud backup, and data inspection.   


What makes it unique: 

Cybersecurity platform: The Barracuda platform is an inclusive data-protection plan that offers network security, email protection, application protection, and data security as an all-in-one program.


Why Barracuda is #7

While Barracuda has much to offer customers, their recent data breach may be cause for concern. Data breaches from third-party organizations, especially ones uniquely handling private information, can hurt healthcare institutions financially and reputationally and impact patients. Barracuda also does not focus heavily on healthcare companies and the unique issues faced in the healthcare world. While Barracuda offers several helpful services, they do not offer ways to collect data or send marketing emails. 


8. Cured

Cured describes itself as a digital marketing and customer relationship management (CRM) platform. Cured focuses on providing HIPAA compliant marketing solutions. 

Founded in: 2018

Available Services

  • Healthcare marketing platform that provides data, campaigns, and insights. 


How it stacks up: 

  • Usability/integration: Cured assists in sending emails and creating meaningful content for current and potential clients. Cured customers will be required to utilize a new platform to view data and complete marketing campaigns. 
  • HIPAA compliance: As a company geared towards healthcare organizations, Cured is focused on HIPAA compliance. The organization explains that within marketing, HIPAA compliance is necessary to ensure that patients can receive information relevant to their livelihood without exposing protected health information. Cured's platform, like Paubox, is HITRUST certified.  
  • Customer Service: According to their website, Cured staff will assist with set-up, implementation, data services, and team training. Considering the company is relatively new, limited information is available about customer experience or outcomes. 
  • Encryption system: Cured encrypts data at rest using Advanced Encryption Standard to ensure PHI protection. Cured also utilizes TLS encryption to authenticate and protect outbound information.
  • Reviews: Cured currently has no reviews available on G2. 
  • Breaches: Cured has not reported any breaches.  
  • Pricing: Cured uses customized pricing for their platform services. To receive pricing information, companies must request a demo to receive more information about specific services. 


What makes it unique:

Campaign marketing for healthcare organizations: Cured provides a platform that can assist organizations in marketing efforts. Having specific marketing support could help grow healthcare organizations. 


Why Cured is #8

Cured is a newer option for email marketing but does not offer HIPAA compliant email communication like most others on this list. 


9. Virtru 

Virtru is an email security company serving commercial industries such as aerospace, education, finance, healthcare, technology, and government agencies like defense and intelligence. They boast compliance with numerous privacy regulations, including FERPA, FINRA, HIPAA, and more.

Founded in: 2011

Available Services

  • Integration with Google Workspace, Microsoft 365, and Secure Share
  • SaaS Data Protection
  • Private Keystore and Encryption


How it stacks up:

  • Usability/Integration: Virtru can be integrated into various platforms, including collaboration platforms like Zendesk and Salesforce. Virtru has an extensive suite of options with different integration capabilities. Employees may need additional training to utilize the different programs.  
  • HIPAA compliance: Virtru supports HIPAA compliance, but its focus isn't solely on healthcare. They ensure their products are compatible with a variety of regulations. As a result, some features may be limited to meet regulations unrelated to healthcare privacy protections. Organizations focusing on HIPAA and healthcare may also have a better pulse on changing requirements and security trends.  
  • Customer service: According to reviews, Virtru's customer service quickly works to resolve any issues. Virtru's support page is dense and filled with many resources that could overwhelm some users.  
  • Encryption system: Virtru's system generally requires users to opt into encryption or send an email/file securely. The extra step will require employee training and could lead to potential mistakes.  
  • Reviews: Virtru has a 4.4/5 score on G2. Customers generally say it is user-friendly, but there can be technical issues that are time-consuming to resolve. 
  • Breaches: Virtru has no reported breaches. 
  • Pricing: Virtru provides demos to help users choose the right package. After a company decides to use Virtru, they have the following pricing options:
    • Starter ($109/month): includes 5 users, email security, data loss prevention, ability to change data access controls, encrypted search, and online support. 
    • Business ($189/month): includes 5 users, secure share options, additional compliance support, advanced identity management, and everything in the starter pack.
    • Enterprise (custom pricing): designed for larger organizations with advanced security needs. Includes Google Workspace and Google Cloud solutions and 


What makes Virtru unique: 

Variety: Virtru offers a large suite of options, which can be helpful for large companies needing several different services. Conversely, the number of options could be overwhelming for some users. 


Why Virtru is #9

With a lot to offer, Virtru provides a robust system for many organizations. Virtru is significantly more expensive than even the most premium Paubox plans. If you choose Virtru, you may find yourself with unnecessary features that cost more money. You'll also find Virtru catering to multiple industries, which could mean customer support isn't as tailored to your healthcare security needs.


10. ActiveCampaign

ActiveCampaign is a global digital marketing and security company focusing on email and marketing automation, sales, e-commerce, and application programming interface (API). The business has grown exponentially and now has customers in 170 different countries.

Founded in: 2003

Available Services


How it stacks up: 

  • Usability/integration: ActiveCampaign offers several different services. They offer both email marketing and an email suite, but both operate differently. Their email marketing allows users to create campaigns on their platform while integrating their API into existing services.   
  • HIPAA compliance: According to Paubox research, ActiveCampaign is not currently HIPAA compliant, as "customers are responsible for their own HIPAA compliance." ActiveCampaign will, however, sign a Business Associate Agreement (BAA), a requirement under HIPAA. 
  • Customer Service: ActiveCampaign allows users to send in tickets or access information through their support center. Some reviews state that customer service interactions are generally quick and helpful.  
  • Encryption system: ActiveCampaign does not discuss their encryption methods, if any. 
  • Reviews: On rating site G2, ActiveCampaign has a rating of 4.4/5 stars. Users say the platform is user-friendly and easy to automate. Some say it can be time-consuming and expensive and that not all support requests are responded to quickly. 
  • Breaches: ActiveCampaign has no reported breaches. 
  • Pricing: ActiveCampaign is used for marketing purposes, so they charge based on emails sent. The first 100 are always free. Up to 10,000 emails cost $15, and the price goes up with more emails sent.  


What makes it unique: 

Keeps content history: ActiveCampaign is a mature marketing platform and is full-featured. 


Why ActiveCampaign is #10

ActiveCampaign takes the final spot on our list because it can be an effective tool for mass emails or email marketing. However, there are concerns regarding HIPAA compliance. We recommend potential customers speak with ActiveCampaign to ensure usage maintains compliance and protects patient data. 


11. Proton Mail 

The Swiss email company provides email encryption services alongside cloud storage, a calendar, password protection, and VPN services. The company is backed by Swiss privacy laws and focuses on security and data freedom. 

Founded in: 2014

Available services:

How it stacks up on:

  • Usability/integration: Proton Mail boasts quick integration and usability. Individuals can switch to Proton Mail in just one click and will see features that resemble Gmail and other common mail platforms. Although it’s easy to implement, Proton notes that not every website recognizes the platform; some may not recognize it as a valid email address, which could pose problems with critical healthcare information. Proton Mail allows easy encryption when sending emails to users who also utilize the service, but for outside users, it has to be enabled.     
  • HIPAA compliance: Proton Mail says they can be HIPAA compliant and allow users to send Protected Health Information. Proton Mail will also sign a BAA, a requirement under HIPAA. While the service is secure and HIPAA compliant, it could require additional training to ensure emails are safely sent; users must create a password and enable encryption for the data to remain secure.   
  • Customer service: Users have shared that customer support is helpful, but only companies with more than six users have access to the Customer Success Team, which only works during Swiss working hours (9 am to 6 pm CET). In other cases, users will have to submit a report and wait for a technician to respond. While some issues are quick to resolve, others may be more time-consuming.  
  • Encryption system: Proton uses end-to-end encryption between Proton Mail users. If a recipient is not a user, the sender will have to opt into encryption and create a password. Passwords must be pre-agreed upon, or senders can create a hint. Proton Mail offers support on this process, but recipients may need to familiarize themselves with the process.  
  • Reviews: According to rating site G2, Proton Mail has generally positive reviews. The company has an average of 4.4 out of 5 stars across 125 reviews. Users share that it is easy to use and secure. Others share that it limits the number of emails and storage. Lastly, some customers wish there was more readily available customer support. 
  • Breaches: Unfortunately, Proton Mail has experienced leaks in the past. Users have shared that their accounts have been hacked, and vulnerabilities have been discovered and exploited. Proton Mail has been generally quick to release updates and fixes. 
  • Pricing: Proton Mail is one of the less expensive options on our list. They offer three plans:
    • Mail Essentials: Starting at $6.99/user per month, which provides secure email and calendar features. 
    • The Business plan: Starting at $10.99/user per month and includes 15 email addresses per user, support for ten custom email domains, and more. 
    • The Enterprise plan: Customizable with varying features. 


What makes it unique?

  • Freedom focused: Proton Mail is focused on privacy and digital freedom and frequently criticizes how companies and governments are able to monitor and track data. Proton does not sell data and focuses on users rather than advertisers or other third parties. 


Why is Proton Mail #11?

Proton Mail is a unique mission-driven service that may appeal to some users. While Proton Mail is generally safe and reliable, past vulnerabilities are concerning as the focus for HIPAA compliant email is to keep data safe. Furthermore, customer support is not always available, which could present challenges if a problem arises. Lastly, it’s likely that an overwhelming majority of patients will not have Proton Mail, requiring senders to frequently enable encryption and create passwords, leaving room for error. 


12. Bitdefender GravityZone 

Bitdefender GravityZone is a Romanian-based cybersecurity technology company with offices in Romania, the United States, Europe, Australia, and the Middle East. 

Founded in: 2001

Available services:

How it stacks up on:

  • Usability/integration: Email security is an add-on feature to Bitdefender's cloud services. Bitdefender email services can be added and work with Gmail, Outlook, and several other popular email services. Users must create a keyword at the start of the email to ensure it is secure. Recipients will be required to register, open, and log into a SecureMail dashboard to view the message and reply. 
  • HIPAA compliance: Bitdefender boasts over 30 layers of prevention and detection technology to keep data secure. The company states they are regularly audited for HIPAA compliance. However, the company also provides a legal notice stating that every organization using its service is responsible for maintaining compliance. The company does not mention signing a BAA, a requirement for HIPAA. 
  • Customer service: Bitdefender offers 24/7 customer support through their online portal. They also offer various how-to guides for troubleshooting, alongside video tutorials. Some users have complained that customer service does not sufficiently resolve troubleshooting issues.   
  • Encryption system: Bitdefender does not go into details on their encryption services, but does offer layers of scanning to prevent malware and attack attempts. They state they offer policy-based encryption capabilities and TLS. The company further says they are compliant with HIPAA requirements. 
  • Reviews: Across 60 reviews on G2, Bitdefender earned a 3.9 out of 5-star rating. Unfortunately, Bitdefender has somewhat lower reviews than other platforms. Users state that while the system is secure, it can be difficult to use, and customer support is not always helpful. 
  • Breaches: Bitdefender was recently hacked in 2023, resulting in customer data being stolen. According to one report, the company lacked proper authentication protocols for data sharing and had poorly implemented security measures. 
  • Pricing: Email security through Bitdefender is an add-on to other products. Users must opt into one of the company's business security plans, which range in price and services. Plans begin at around $199.49/year, but we recommend connecting with the company to get a specific understanding of how the service can serve your company. 


What makes it unique?

  • Full mail control allows users complete control over the mail flow and supports multiple email providers, allowing administrators significant access and monitoring capabilities.  
  • Advanced threat intelligence that conducts algorithmic analysis alongside nearly 30 layers of protection for significant screening and inspection. 


Why is Bitdefender GravityZone #12? 

Bitdefender doesn't have very favorable reviews and has faced a data breach in the recent past. The company claims HIPAA compliance, but does not provide significant details on how compliance is maintained. We would suggest companies further research Bitdefender to determine if it's right for them. 


The final consensus 

After looking through several great email service providers, it's clear that each has its own advantages. We always recommend thoroughly researching a company to understand how it can fit your needs. 

For those in healthcare, work with a company that prioritizes HIPAA compliance and the security of patient data. When it comes to ease of use, efficacy, and reliability, Paubox has been, and continues to be, an excellent option. 
