21 Best HIPAA-Compliant Email Marketing Tools (2026)

If your SaaS handles healthcare data, HIPAA compliance isn't optional for your email tool. Any platform that processes, stores, or transmits Protected Health Information (PHI) on your behalf must sign a Business Associate Agreement (BAA) and meet HIPAA's security and privacy requirements.

The problem: most email marketing tools don't support HIPAA. They weren't designed for healthcare data and will not sign a BAA. Sending an email with patient information through a non-compliant platform is a HIPAA violation, regardless of whether the patient opted in to receive it.

Important note: Sequenzy is not HIPAA compliant today and does not offer a BAA. Do not use Sequenzy for emails that contain PHI, patient identifiers, or patient-specific segmentation.

Here's which email platforms actually support HIPAA compliance and what that means practically.

What HIPAA Compliance Requires From Your Email Tool

  1. Business Associate Agreement (BAA): A legal contract between you and the email platform. If you are a covered entity, the platform is your business associate; if you are yourself a business associate, the platform is a subcontractor and the BAA obligations flow down to it. Either way it is non-negotiable: without a BAA you cannot legally use the platform for any communication that involves PHI.
  2. PHI safeguards: Technical, physical, and administrative safeguards for any PHI the platform processes. This includes everything from server security to employee training at the email vendor.
  3. Encryption: Data encrypted in transit (TLS) and at rest. Under the Security Rule encryption is an "addressable" specification, meaning you implement it or document why an equivalent control is reasonable; in practice, for email, that means messages containing PHI are encrypted while being sent and while stored on the platform's servers.
  4. Access controls: Role-based access, authentication, and audit logging. Only authorized team members should be able to access subscriber data, and every access should be logged.
  5. Breach notification: A business associate must notify you of a breach of unsecured PHI without unreasonable delay and no later than 60 calendar days after discovery (45 CFR 164.410). Most BAAs set a much shorter window, and you in turn owe notice to the affected individuals, HHS and, for large breaches, the media.
  6. Minimum necessary: The platform should only access the minimum PHI necessary for its function. Your email tool doesn't need access to full medical records to send an appointment reminder.

Important: HIPAA compliance is about the overall system, not just one tool. A HIPAA-compliant email platform doesn't make your entire email program compliant. You also need compliant processes, training, and documentation. Vendor BAA availability also changes over time, so confirm it in writing, for the specific plan and features you will use, before any PHI flows.

The Cost of Getting It Wrong

HIPAA violations aren't theoretical. The Office for Civil Rights (OCR) actively investigates breaches, and penalties are steep. Civil penalties are tiered by culpability: the statutory tiers run from $100 to $50,000 per violation with an annual cap of $1.5 million per identical provision, and OCR adjusts those figures for inflation each year, so current amounts are higher. Knowingly obtaining or disclosing PHI in violation of HIPAA is a separate criminal offense, prosecuted by the Department of Justice, that carries fines and imprisonment of up to ten years when done for commercial advantage or malicious harm.

Beyond fines, a HIPAA breach damages patient trust and your reputation in the healthcare industry. News of healthcare data breaches travels fast, and the OCR publishes a "Wall of Shame" listing breaches affecting 500 or more individuals.

Quick Comparison

Tool | Best For | Starting Price | Free Tier | HIPAA Features
Amazon SES | AWS-based healthcare infrastructure | $0.10/1K | No | AWS BAA, CloudTrail, KMS encryption
Mailgun | Healthcare email infrastructure | Custom | No | Enterprise BAA, TLS, audit logs
SendGrid | Transactional + marketing with BAA | Custom | No | Twilio BAA, encryption, event webhooks
Postmark | Best deliverability + BAA | $15/mo | No | BAA, TLS, activity logs
Paubox | Healthcare-specific encryption | $29/user/mo | No | BAA included, zero-step encryption
LuxSci | Healthcare email hosting | Custom | No | BAA, HIPAA-specific features
Virtru | Email encryption layer | Custom | No | BAA, end-to-end encryption
Salesforce Marketing Cloud | Enterprise healthcare marketing | Custom | No | BAA, enterprise controls
Dotdigital | Healthcare marketing automation | Custom | No | BAA, EU storage option
Campaign Monitor | Healthcare-focused agencies | Custom | No | BAA on enterprise plans
Proton Mail Business | Privacy-first encryption | $7.99/user/mo | No | BAA, end-to-end encryption
HubSpot (Enterprise) | Healthcare marketing + CRM | Custom | No | BAA on Enterprise tier
Mailchimp (with BAA) | General healthcare marketing | Custom | No | BAA on premium plans
Constant Contact | Simple healthcare outreach | Custom | No | BAA available
iContact | Small healthcare practices | Custom | No | BAA on enterprise
Benchmark Email | Affordable healthcare | Custom | No | BAA on request
AWeber | Small healthcare practices | Custom | No | BAA on request
SparkPost | Email infrastructure | Custom | No | BAA, enterprise tier
MessageBird | Multichannel healthcare | Custom | No | BAA, healthcare-ready
Sequenzy | Non-PHI marketing only | $29/mo | Yes | Not HIPAA compliant
Klaviyo | Non-PHI health marketing | $45/mo | Yes | Not HIPAA compliant

The 21 Tools: HIPAA-Eligible and Non-PHI Options

1. Amazon SES

Best for: HIPAA-eligible infrastructure for technical teams

Amazon SES is HIPAA-eligible, meaning AWS will sign a BAA that covers SES. AWS has extensive HIPAA compliance documentation and a well-established BAA process. For technical teams building healthcare applications on AWS, SES is the natural choice for email.

The trade-off: SES is pure infrastructure. You get sending APIs, but no marketing features, templates, or automations. Your application handles everything else. For healthcare companies that need email sending infrastructure within a HIPAA-compliant AWS environment, this is the most straightforward path.

AWS's HIPAA compliance extends beyond SES. If your healthcare application runs on EC2, uses RDS for databases, and S3 for storage, you can cover all of it under the single AWS BAA, provided each service you use is on AWS's HIPAA-eligible services list; a service that is not on that list is outside the BAA even when it runs in the same account. This unified approach simplifies compliance management significantly.

The setup requires engineering work. You'll need to build your own email template system, manage sending reputation, handle bounces and complaints, and build any marketing automation from scratch. For teams that already have developer-friendly email infrastructure, this may be acceptable. For teams wanting a ready-to-use marketing platform, SES alone isn't enough.

BAA: Available (AWS BAA covers SES)
Encryption: TLS in transit (opportunistic unless the configuration set's TLS policy is set to Require), encryption at rest (AWS KMS)
Audit logging: Via CloudTrail
Pricing: $0.10 per 1,000 emails
Pros: AWS BAA, well-documented compliance, scales, part of broader HIPAA AWS infrastructure, unified compliance management
Cons: No marketing features, pure infrastructure, requires significant development work, no templates or automation

2. Mailgun

Best for: Email infrastructure with BAA for healthcare applications

Mailgun offers HIPAA-compliant email infrastructure with BAA availability on enterprise plans. The platform provides email sending, receiving, and routing with the security controls HIPAA requires. Mailgun's parent company (Sinch) has experience with healthcare communications.

Like SES, Mailgun is primarily email infrastructure rather than a marketing platform. You get APIs for sending, inbound processing, and email validation. Marketing automation and campaign management would need to be built on top or handled by a separate compliant tool.

Mailgun's advantage over SES is slightly more built-in functionality. Email validation helps maintain list hygiene (important for healthcare where bounced emails may indicate outdated patient contact information). Inbound email processing can be useful for healthcare applications that need to receive and route patient communications.

The enterprise pricing for HIPAA compliance is a consideration. You'll need to contact Mailgun directly for pricing, and it will be significantly more than their standard plans. Factor this into your build vs. buy decision for healthcare email.

BAA: Available on enterprise plans
Encryption: TLS in transit, encryption at rest
Audit logging: Via API logs and webhooks
Pricing: Custom for HIPAA (enterprise plan)
Pros: BAA available, email infrastructure, inbound processing, email validation, Sinch healthcare experience
Cons: Enterprise pricing for HIPAA, no marketing features, requires custom development

3. SendGrid

Best for: HIPAA-eligible email with both transactional and marketing capabilities

SendGrid (owned by Twilio) is HIPAA-eligible, and Twilio will sign a BAA that covers SendGrid. This gives you both transactional email and marketing campaigns within a HIPAA-compliant framework. SendGrid is one of the few platforms that offers marketing email features with BAA coverage.

For healthcare companies that need to send both operational emails (appointment confirmations, test results, billing) and marketing emails (health tips, wellness campaigns, service announcements), SendGrid can handle both under one BAA. This is significant because most HIPAA-compliant email tools are infrastructure-only with no marketing capabilities.

SendGrid's marketing features include a template builder, contact management, and basic automation. While not as sophisticated as dedicated marketing platforms, having marketing capabilities under a BAA removes the need for a second email vendor and a second compliance review.

Deliverability is reliable, which matters when the messages are appointment reminders and prescription notifications rather than promotions.

BAA: Available (Twilio BAA covers SendGrid)
Encryption: TLS in transit, encryption at rest
Audit logging: Activity feed, event webhooks
Pricing: Custom for HIPAA (Pro plan and above)
Pros: BAA available, transactional + marketing, broad features, reliable infrastructure, Twilio compliance ecosystem
Cons: HIPAA features on higher-priced plans, marketing features less polished than dedicated platforms

4. Postmark

Best for: HIPAA-compliant transactional email with best deliverability

Postmark offers a BAA for customers who need HIPAA compliance. Given Postmark's focus on transactional email (appointment confirmations, prescription notifications, test result alerts), the HIPAA compatibility is a natural fit. These are exactly the kinds of emails healthcare applications need to send reliably.

Postmark's deliverability advantage matters for healthcare. An appointment reminder that lands in spam is a missed appointment. A test result notification that doesn't arrive causes patient anxiety. Postmark's consistent inbox placement reduces these risks. Separate IP pools for transactional and broadcast traffic and strict sending policies keep deliverability high across all customers.

The trade-off is clear: Postmark is built for transactional email. Its broadcast message streams let you send bulk mail on separate IPs, but there is no campaign builder, segmentation or automation, so marketing programs still need a second platform (and potentially a second BAA). For teams that separate transactional and marketing email by design, this specialization is a strength.

BAA: Available
Encryption: TLS in transit, encryption at rest
Audit logging: Activity logs, webhooks
Pricing: Standard pricing with BAA
Pros: BAA available, best deliverability, transactional email focus, reliable, transparent pricing
Cons: Limited marketing features, primarily transactional, need separate tool for marketing

5. Paubox

Best for: Healthcare-specific email encryption and compliance

Paubox is built specifically for healthcare email. The platform provides HIPAA-compliant email encryption that works seamlessly with standard email clients (recipients don't need to use a portal or special software to read encrypted emails). Paubox signs a BAA and includes features specifically designed for healthcare compliance.

Unlike the other options on this list, Paubox is not a marketing email platform. It's an email encryption and compliance layer that ensures all email sent by your organization meets HIPAA requirements. For healthcare organizations whose primary concern is securing email communication (not marketing), Paubox is purpose-built.

The seamless encryption is Paubox's key differentiator. Traditional healthcare email encryption requires recipients to log into a portal, create an account, and read messages in a web interface. Patients hate this. Paubox encrypts email transparently, so recipients read it in their normal email client. This dramatically improves patient communication since people actually read the emails. Note what "transparent" means here: the message is protected by TLS on the hop to the recipient's mail provider, which then stores it like any other mail. That satisfies HIPAA's transmission-security requirement, but it is not end-to-end encryption in the Proton or Virtru sense, and it depends on the recipient's server supporting TLS (hence the fallback).

Paubox also offers a compliance dashboard that shows encryption status, delivery tracking, and audit trails. For healthcare compliance officers who need to demonstrate email security during audits, this centralized visibility is valuable.

BAA: Included (healthcare-first platform)
Encryption: Zero-step encryption (transparent to recipients), TLS with fallback
Audit logging: Comprehensive audit trails, compliance dashboard
Pricing: From $29/month per user
Pros: Healthcare-specific, seamless encryption, no portal for recipients, BAA included, compliance dashboard
Cons: Not a marketing platform, per-user pricing, limited automation, not suitable for SaaS marketing use cases

6. LuxSci

Best for: HIPAA-compliant email hosting for healthcare organizations

LuxSci is one of the original HIPAA-compliant email service providers. They offer a full suite of HIPAA email solutions including secure hosting, large message sending, and form tools designed specifically for healthcare organizations.

The platform provides BAA as standard and their entire infrastructure is designed around HIPAA requirements. Unlike general email providers that added HIPAA compliance as an option, LuxSci's architecture was built with healthcare in mind from the start.

For healthcare organizations that need HIPAA compliance across email hosting, marketing, and forms, LuxSci's unified approach is compelling. The compliance documentation is extensive, and they have a long track record with healthcare clients.

BAA: Standard (healthcare-first platform)
Encryption: TLS in transit, encryption at rest, secure message delivery
Audit logging: Comprehensive HIPAA audit logs
Pricing: Custom pricing
Pros: Healthcare-purpose-built, BAA standard, unified compliance, long track record
Cons: Less polished UI, expensive, limited modern marketing features

7. Virtru

Best for: Adding HIPAA-compliant encryption to existing email workflows

Virtru provides a data protection platform that adds end-to-end encryption to email communications. It works with Google Workspace and Microsoft 365, enabling healthcare organizations to send HIPAA-compliant emails through their existing email systems.

The BAA is available for healthcare customers, and the encryption works at the message and attachment level. Recipients can open encrypted messages through a browser-based reader without special software, though the experience is slightly more friction than Paubox's seamless approach.

For healthcare organizations already using Gmail or Outlook who need to add HIPAA compliance without switching platforms, Virtru's overlay approach is practical.

BAA: Available for healthcare customers
Encryption: End-to-end encryption for Gmail and Outlook
Audit logging: Encryption activity logs
Pricing: Custom pricing
Pros: Works with existing email platforms, end-to-end encryption, BAA available
Cons: Not a marketing platform, requires recipient interaction, higher pricing for healthcare tier

8. Salesforce Marketing Cloud

Best for: Enterprise healthcare organizations with complex marketing needs

Salesforce Marketing Cloud offers HIPAA compliance for enterprise healthcare clients. The platform includes BAA, encryption, access controls, and audit logging at the enterprise tier. For large healthcare organizations with complex marketing needs, SFMC provides sophisticated campaign management under HIPAA compliance.

The integration with Salesforce Health Cloud enables patient journey mapping, care coordination communications, and health-condition-aware personalization - all within HIPAA-compliant infrastructure. This combination is unique in the market.

The cost and complexity of SFMC is significant. Implementation requires specialist expertise, and licensing is expensive. For smaller healthcare organizations, the investment doesn't justify the capabilities.

BAA: Available on enterprise contracts
Encryption: Enterprise-grade encryption
Audit logging: Comprehensive enterprise audit trails
Pricing: Custom enterprise pricing
Pros: Enterprise healthcare capabilities, Health Cloud integration, sophisticated automation
Cons: Very expensive, complex implementation, requires specialist expertise

9. Dotdigital

Best for: Healthcare marketing automation with European operations

Dotdigital offers HIPAA compliance for healthcare customers on enterprise plans. The platform provides BAA, encryption, and access controls. For healthcare organizations with EU operations, Dotdigital's EU data storage option addresses both HIPAA and GDPR requirements simultaneously.

The marketing automation features are more sophisticated than many HIPAA-eligible tools, including behavioral triggers, preference centers, and detailed analytics. For healthcare marketers who need both compliance and marketing capability, Dotdigital provides a middle ground.

BAA: Available on enterprise plans
Encryption: Encryption in transit and at rest
Audit logging: Enterprise audit logs
Pricing: Custom pricing
Pros: Healthcare + GDPR dual compliance, marketing automation, EU storage option
Cons: Enterprise pricing, complex onboarding

10. Campaign Monitor

Best for: Healthcare agencies needing branded email compliance

Campaign Monitor offers HIPAA compliance agreements on enterprise plans for healthcare clients. The platform's template lock-in feature is particularly useful for healthcare email, ensuring that required legal disclaimers, privacy notices, and compliance language remain in place across all emails.

For healthcare-focused agencies managing email for multiple healthcare clients, Campaign Monitor's workspace separation and compliance features provide a workable framework.

BAA: Available on enterprise plans
Encryption: TLS in transit, encryption at rest
Audit logging: Activity logs
Pricing: Custom for HIPAA compliance tier
Pros: Template lock-in for compliance content, multi-client management, BAA available
Cons: Premium pricing for HIPAA, enterprise-only availability

11. Proton Mail Business

Best for: Privacy-first healthcare organizations

Proton Mail Business provides end-to-end encrypted email with a BAA available for healthcare customers. Based in Switzerland, with data centers in Switzerland and elsewhere in Europe, Proton offers some of the strongest privacy protections available in email.

The zero-access architecture means stored mail is encrypted with keys Proton does not hold, so Proton cannot read your mailbox. Be precise about what that covers: end-to-end encryption applies automatically only between Proton accounts, and a message to a patient on Gmail or Outlook leaves over TLS like any other mail unless you send it as a password-protected message. For healthcare organizations where patient privacy is paramount, the at-rest protection exceeds standard HIPAA requirements; the transit protection for external recipients is the same TLS everyone else relies on.

The trade-off is that Proton is primarily an email provider, not a marketing platform. You can send HIPAA-compliant emails through Proton's infrastructure, but you won't have marketing automation, template builders, or campaign analytics.

BAA: Available for business customers
Encryption: Zero-access encryption at rest; end-to-end between Proton accounts or with password-protected messages; TLS to other recipients; Swiss law protections
Audit logging: Access logs
Pricing: From $7.99/user/month
Pros: Strongest privacy, BAA available, end-to-end encryption, Swiss privacy laws
Cons: Not a marketing platform, limited marketing features

12. HubSpot Enterprise

Best for: Healthcare organizations deeply committed to the HubSpot ecosystem

HubSpot offers HIPAA compliance on their Enterprise tier with BAA. For healthcare organizations already using HubSpot for CRM, sales, and customer service, extending to marketing email under HIPAA compliance maintains ecosystem integration.

The Enterprise features include sophisticated segmentation, smart content, and attribution that can operate within HIPAA guardrails when configured appropriately. Healthcare marketing teams benefit from HubSpot's comprehensive documentation on HIPAA configuration.

BAA: Available on Enterprise plans
Encryption: Enterprise-grade encryption
Audit logging: Comprehensive enterprise audit trails
Pricing: Enterprise pricing (significant investment)
Pros: HubSpot ecosystem integration, sophisticated marketing, enterprise features
Cons: Very expensive, enterprise-only HIPAA, overkill for simple needs

13. Mailchimp (with BAA)

Best for: Healthcare organizations wanting familiar tools with compliance

Mailchimp does not sign a BAA on its standard plans; a BAA may be available on premium plans for qualifying healthcare customers, and you must confirm that directly with Mailchimp before sending anything that touches PHI. With a signed BAA, one of the most widely used email platforms becomes HIPAA-eligible, and the familiar interface, extensive template library, and broad integrations remain available under the compliance agreement.

For healthcare organizations whose marketing teams already know Mailchimp, obtaining a BAA to continue using the platform is often the path of least resistance. The compliance configuration requires some setup, but the core platform remains familiar.

Note that not all Mailchimp features are covered by the BAA, and careful configuration is required to ensure PHI doesn't flow through non-compliant features.

BAA: Available on premium plans (requires contact with Mailchimp)
Encryption: TLS in transit, encryption at rest
Audit logging: Activity logs
Pricing: Premium plan pricing plus BAA fee
Pros: Familiar platform, broad features, BAA available
Cons: Not all features BAA-covered, requires careful configuration, premium tier pricing

14. Constant Contact

Best for: Simple healthcare outreach for small practices

Constant Contact offers BAA availability for healthcare customers on appropriate plans. For small healthcare practices that primarily send appointment reminders, health tips, and general newsletters, Constant Contact's straightforward platform handles the basics under a compliance agreement.

The event management features are valuable for healthcare organizations that run patient education events, health fairs, and wellness programs. These work within the HIPAA-compliant framework.

BAA: Available on qualifying plans
Encryption: TLS in transit, encryption at rest
Audit logging: Basic activity logs
Pricing: Custom for healthcare compliance
Pros: Simple platform, event management, BAA available
Cons: Basic compliance features, limited for complex needs

15. iContact

Best for: Small healthcare practices needing affordable compliance

iContact offers HIPAA compliance agreements for healthcare organizations. The platform provides a straightforward email marketing tool with BAA, making it accessible for smaller healthcare practices that need compliance without enterprise pricing.

The builder and template library are functional rather than exceptional. For practices sending periodic patient newsletters and health updates, iContact covers the requirements at reasonable cost.

BAA: Available
Encryption: TLS in transit, encryption at rest
Audit logging: Basic activity logs
Pricing: Custom for healthcare
Pros: Accessible pricing, BAA available, simple workflow
Cons: Basic features, less comprehensive compliance tools

16. Benchmark Email

Best for: Affordable healthcare email compliance

Benchmark Email offers BAA arrangements for healthcare customers requiring HIPAA compliance. The platform provides a clean interface and solid template library at accessible pricing.

For healthcare organizations that need HIPAA compliance but have modest email marketing needs, Benchmark's pricing model is appealing. The compliance features cover the essentials without requiring enterprise investment.

BAA: Available on request
Encryption: TLS in transit, encryption at rest
Audit logging: Activity logs
Pricing: Custom for HIPAA compliance tier
Pros: Affordable, clean interface, BAA available
Cons: Limited advanced features, compliance depth less than dedicated tools

17. AWeber

Best for: Small healthcare practices with newsletter focus

AWeber offers BAA arrangements for healthcare customers. The platform's extensive template library (700+) and newsletter-focused features work well for small healthcare practices sending regular patient communications.

For practices that primarily send health tips, provider spotlights, and community updates to patient populations, AWeber's newsletter features under a BAA provide a workable solution.

BAA: Available on request
Encryption: TLS in transit, encryption at rest
Audit logging: Activity logs
Pricing: Custom for healthcare compliance
Pros: Extensive templates, newsletter focus, BAA available, long track record
Cons: Dated interface, basic compliance tools

18. SparkPost

Best for: High-volume healthcare email infrastructure

SparkPost (now part of MessageBird) offers HIPAA compliance for enterprise healthcare customers. The platform provides high-volume email sending infrastructure with BAA, encryption, and detailed analytics.

For healthcare organizations sending millions of patient communications monthly, SparkPost's infrastructure scale and deliverability expertise make it suitable. The predictive deliverability tools are particularly valuable for healthcare where email delivery directly affects patient outcomes.

BAA: Available on enterprise plans
Encryption: TLS in transit, encryption at rest
Audit logging: Comprehensive event logs
Pricing: Custom enterprise pricing
Pros: High-volume capability, predictive deliverability, BAA available
Cons: Enterprise-only HIPAA, infrastructure tool (no marketing features)

19. MessageBird

Best for: Multichannel healthcare communications

MessageBird (parent of SparkPost) offers HIPAA compliance for healthcare customers across their communications platform. The multichannel capability - email, SMS, WhatsApp - under a single BAA is valuable for healthcare organizations that need to reach patients across multiple channels.

For healthcare organizations where patient outreach includes appointment reminders via SMS, email newsletters, and potentially WhatsApp - all under HIPAA compliance - MessageBird's unified platform reduces complexity.

BAA: Available on enterprise healthcare plans
Encryption: Enterprise-grade encryption across channels
Audit logging: Comprehensive audit trails
Pricing: Custom enterprise pricing
Pros: Multichannel BAA, email + SMS + messaging compliance, unified platform
Cons: Enterprise-only, expensive, complex implementation

20. Sequenzy - Non-PHI Marketing Only

HIPAA status: Not HIPAA compliant - included for reference on non-PHI use cases

Sequenzy is not a HIPAA-compliant email tool. It does not offer a BAA, and it should not be used to store patient data, segment on health conditions, or send any email that contains or implies PHI.

If you are a health tech company, Sequenzy can only be used as a separate non-PHI marketing layer. That means provider onboarding, product education, billing notices that contain no health information, and general newsletters are fine. Appointment reminders, patient-specific campaigns, condition-based segmentation, and any workflow that touches PHI are not.

For teams that want lifecycle email automation for non-clinical communication, Sequenzy can sit beside a HIPAA-compliant delivery tool. Keep the boundary strict: your HIPAA system handles PHI, and Sequenzy handles only non-PHI marketing.

HIPAA status: Not HIPAA compliant
BAA: Not available
Safe use case: Non-PHI marketing only
Unsafe use case: Any email, event, profile field, or segment that contains or reveals PHI

21. Klaviyo - Non-PHI Health Marketing

HIPAA status: Not HIPAA compliant - included for reference on non-PHI use cases

Klaviyo is not HIPAA compliant and does not offer a BAA. Like Sequenzy, it can only be used for health and wellness marketing that contains absolutely no PHI.

For health and wellness brands - fitness apps, supplement companies, wellness coaching platforms - that don't handle PHI, Klaviyo's e-commerce-focused features work well. The segmentation, behavioral automation, and product-based personalization apply to wellness products without HIPAA implications.

For health tech companies that handle PHI, Klaviyo cannot be used for any email that touches patient data. A fitness tracker app that shows general workout stats is likely fine. A platform that tracks blood glucose readings is not.

HIPAA status: Not HIPAA compliant
BAA: Not available
Safe use case: General health and wellness marketing with no PHI
Unsafe use case: Any email involving patient data, medical conditions, or PHI

Comparison Table

Feature | Amazon SES | Mailgun | SendGrid | Postmark | Paubox
BAA availability | Yes | Enterprise | Pro+ | Yes | Included
Marketing features | None | None | Basic | None | None
Automation | None | None | Basic | None | None
Encryption at rest | AWS KMS | Yes | Yes | Yes | Yes
TLS enforcement | Configurable (opportunistic by default) | Configurable (opportunistic by default) | Configurable (opportunistic by default) | Yes | Yes (with fallback)
Audit logging | CloudTrail | API logs | Activity feed | Yes | Dashboard
Transactional email | Yes | Yes | Yes | Yes | Yes
Starting price | $0.10/1K | Custom | Custom | $15/mo | $29/user/mo

HIPAA Email Best Practices

Minimize PHI in Email

The safest approach is to avoid including PHI in email content altogether:

  • Instead of: "Your blood test results show elevated glucose levels"
  • Send: "Your test results are available. Log in to view them: [link]"

This approach means the email body carries no clinical detail; the PHI stays in your HIPAA-compliant application, behind authentication. The message is still a communication to a patient, so the sending platform still needs a BAA and the safeguards above, but keeping PHI out of the content shrinks the blast radius of any breach, misdirected message, or forwarded email.

Consider the email subject line too. "Your diabetes medication is ready" in a subject line is PHI. "You have a new message from [Provider Name]" is not. Subject lines are often displayed in notification previews on phones and smartwatches, making them particularly risky for PHI exposure.

Encryption Is Non-Negotiable

All email containing or potentially containing PHI must be encrypted in transit (TLS) and at rest. Most platforms negotiate TLS by default, but the default is usually opportunistic: if the recipient's server does not offer STARTTLS, or the handshake fails, the message is delivered in cleartext and the platform reports success. Verify that your platform can be told to require TLS and that the setting is on for the stream that carries PHI. On Amazon SES, for example, this is the TLS policy on the configuration set (Require rather than the default Optional); Mailgun and SendGrid expose equivalent require-TLS settings.

Ask your email vendor specifically: "What happens if the recipient's email server doesn't support TLS?" Some platforms fall back to unencrypted delivery. Others hold the email and notify you. For PHI, you want the latter behavior. The same property can be demanded from the recipient's side: a domain that publishes an MTA-STS policy (RFC 8461) in enforce mode tells senders to refuse unencrypted delivery and to deliver only to the MX hosts the policy names, and a sender that honors it will hold mail rather than downgrade.
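The hold-rather-than-downgrade rule from both directions, as an added example that is not code from the article or from any vendor listed in it: delivery of a PHI-bearing message proceeds only when the recipient MX advertises STARTTLS and, if the recipient domain publishes an MTA-STS policy in enforce mode, only when the MX host matches that policy. The hostnames, EHLO replies and policy text are constructed stand-ins for what a real sender would obtain over SMTP and from the domain's mta-sts.txt; the decision logic is what you would wire in front of a send.

```python
"""Hold-or-send decision for a message that carries PHI.

Added example for this article; not code from the article or from any vendor
listed in it. Delivery proceeds only when the recipient's MX advertises
STARTTLS and, if the recipient domain publishes an MTA-STS policy (RFC 8461)
in enforce mode, only when the MX host matches that policy. The EHLO replies
and policy text below are constructed stand-ins for what a real sender would
obtain over SMTP and from https://mta-sts.<domain>/.well-known/mta-sts.txt.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class StsPolicy:
    mode: str = "none"                               # "enforce", "testing" or "none"
    mx: list = field(default_factory=list)           # host patterns, e.g. "*.mail.example"
    max_age: int = 0


def parse_mta_sts_policy(text: str) -> StsPolicy:
    """Parse the key: value lines of an MTA-STS policy file (RFC 8461 section 3.2)."""
    policy = StsPolicy()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "version" and value != "STSv1":
            raise ValueError(f"unsupported MTA-STS version {value!r}")
        if key == "mode":
            policy.mode = value.lower()
        elif key == "mx":
            policy.mx.append(value.lower())
        elif key == "max_age":
            policy.max_age = int(value)
    return policy


def mx_allowed_by_policy(mx_host: str, policy: StsPolicy) -> bool:
    """RFC 8461 matching: exact host, or a wildcard that covers exactly one leading label."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy.mx:
        if pattern.startswith("*."):
            suffix = pattern[1:]                     # "*.mail.example" -> ".mail.example"
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
        elif host == pattern:
            return True
    return False


def ehlo_offers_starttls(ehlo_reply: str) -> bool:
    """True if the multi-line EHLO response advertises STARTTLS (RFC 3207)."""
    return any(line[4:].strip().upper() == "STARTTLS"
               for line in ehlo_reply.splitlines() if line.startswith("250"))


def delivery_decision(mx_host: str, ehlo_reply: str, policy_text: Optional[str]) -> str:
    """Return "send", or "hold:<reason>" when sending would mean a cleartext hop."""
    if not ehlo_offers_starttls(ehlo_reply):
        return "hold:no-starttls"                    # opportunistic TLS would downgrade here
    if policy_text is not None:
        policy = parse_mta_sts_policy(policy_text)
        if policy.mode == "enforce" and not mx_allowed_by_policy(mx_host, policy):
            return "hold:mx-not-in-mta-sts-policy"   # wrong MX: do not trust its TLS offer
    return "send"


# Constructed fixtures (hypothetical hosts and domains).
EHLO_WITH_TLS = "250-mx1.clinic-mail.example\r\n250-SIZE 52428800\r\n250-STARTTLS\r\n250 8BITMIME"
EHLO_NO_TLS = "250-mx.legacy-isp.example\r\n250-SIZE 10240000\r\n250 8BITMIME"
POLICY_ENFORCE = ("version: STSv1\nmode: enforce\n"
                  "mx: mx1.clinic-mail.example\nmx: *.backup.clinic-mail.example\n"
                  "max_age: 604800\n")

if __name__ == "__main__":
    for host, ehlo, pol in [("mx1.clinic-mail.example", EHLO_WITH_TLS, POLICY_ENFORCE),
                            ("mx.legacy-isp.example", EHLO_NO_TLS, None),
                            ("rogue-mx.example", EHLO_WITH_TLS, POLICY_ENFORCE)]:
        print(host, "->", delivery_decision(host, ehlo, pol))
```

Two points the decision encodes: a missing STARTTLS is a hold, never a cleartext fallback, and an MX that is not in an enforce-mode policy is a hold even if it offers TLS, because an attacker who can redirect MX lookups can also offer a certificate. A real implementation would additionally validate the certificate against the MX name and cache the policy for max_age seconds.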

Separate Marketing and Clinical Email

Use different sending infrastructure for:

  • Clinical/operational: Appointment reminders, test results, prescriptions (PHI involved)
  • Marketing: Wellness tips, service promotions, newsletters (no PHI)

Marketing emails that contain no PHI can use a standard platform, but "no PHI" covers the audience as well as the body: a list exported from your EHR, or a segment built on a condition, medication or visit type, is PHI even when the email text is a generic wellness tip. Only audiences that were not derived from patient records (public newsletter opt-ins, prospects, providers) belong on a non-BAA platform. Clinical emails require HIPAA-compliant infrastructure. By separating these streams, you can use a full-featured marketing platform for your wellness newsletter while keeping clinical communications on HIPAA-compliant infrastructure.

This separation also protects your sending reputation. If your marketing emails generate spam complaints (it happens), those complaints don't affect the deliverability of your clinical transactional email.
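An outbound gateway that enforces both rules above, the content-minimization rule from "Minimize PHI in Email" and the stream separation from this section, as an added example (not code from the article or from any vendor in it). It assumes two hypothetical senders, "baa-covered-sender" for the clinical stream and "marketing-sender" for non-PHI mail; the field names, the sensitive-word list, the patient record and the templates are all constructed. Three checks run before anything is sent: templates may use only allow-listed fields and may not contain condition or treatment words in their literal text, the marketing stream may not target an audience built from health data, and the rendered subject and body are scanned for the value of any PHI-tagged field so the email carries a pointer, not the result.

```python
"""Outbound gateway: keep PHI out of the marketing stream and out of email text.

Added example for this article; not code from the article or from any vendor
in it. Sender names, field names, the sensitive-word list and the sample
record are constructed. Enforced before every send:
  1. templates reference only allow-listed fields, and template literals carry
     no condition or treatment words (crude substring match; a human template
     review remains the real control);
  2. the marketing stream never targets an audience built from health data;
  3. after rendering, no value of a PHI-tagged field appears in subject or body.
"""
from dataclasses import dataclass
from string import Formatter

PHI_FIELDS = {"diagnosis", "medication", "lab_result", "appointment_reason", "dob", "mrn"}
SAFE_FIELDS = {"first_name", "provider_name", "portal_url", "clinic_phone"}
# Words that turn a subject line into a health disclosure (constructed, not exhaustive).
SENSITIVE_TERMS = ("diabet", "cancer", "pregnan", "medication", "prescription", "diagnos", "glucose")


class PhiLeak(Exception):
    """Raised when a message would expose PHI or misuse the marketing stream."""


@dataclass
class Message:
    stream: str                  # "clinical" (BAA-covered) or "marketing" (non-PHI)
    subject_tpl: str             # str.format templates, e.g. "Hi {first_name}"
    body_tpl: str
    segment: str                 # how the audience was selected
    phi_derived_segment: bool    # True if built from diagnoses, meds, visits, lab results...


def template_parts(tpl: str):
    """Return ({placeholder names}, concatenated literal text) for a str.format template."""
    names, literals = set(), []
    for literal, name, _, _ in Formatter().parse(tpl):
        literals.append(literal)
        if name:
            names.add(name)
    return names, "".join(literals)


def check_template(msg: Message) -> None:
    """Rules 1 and 2: static checks that need no patient data at all."""
    for tpl in (msg.subject_tpl, msg.body_tpl):
        names, literal = template_parts(tpl)
        if names - SAFE_FIELDS:
            raise PhiLeak(f"template uses non-allow-listed fields {sorted(names - SAFE_FIELDS)}")
        hits = [t for t in SENSITIVE_TERMS if t in literal.lower()]
        if hits:
            raise PhiLeak(f"template literal discloses health information: {hits}")
    if msg.stream == "marketing" and msg.phi_derived_segment:
        raise PhiLeak(f"marketing stream may not use PHI-derived segment {msg.segment!r}")


def render(msg: Message, record: dict):
    """Rule 3: render with safe fields only, then verify no PHI value reached the output."""
    check_template(msg)
    safe = {k: v for k, v in record.items() if k in SAFE_FIELDS}
    subject, body = msg.subject_tpl.format(**safe), msg.body_tpl.format(**safe)
    rendered = (subject + "\n" + body).lower()
    for name in PHI_FIELDS & record.keys():
        value = str(record[name]).strip().lower()
        if value and value in rendered:
            raise PhiLeak(f"value of PHI field {name!r} appears in rendered email")
    return subject, body


def route(msg: Message, record: dict) -> dict:
    """Run every check, then hand the message to the sender for its stream."""
    sender = {"clinical": "baa-covered-sender", "marketing": "marketing-sender"}[msg.stream]
    subject, body = render(msg, record)
    return {"sender": sender, "subject": subject, "body": body}


# Constructed sample record: the PHI fields exist in the system but never reach the email.
PATIENT = {"first_name": "Ana", "provider_name": "Dr. Lee", "portal_url": "https://portal.example/login",
           "diagnosis": "type 2 diabetes", "lab_result": "HbA1c 8.1%", "medication": "metformin",
           "mrn": "00012345"}

RESULT_NOTICE = Message("clinical", "New message from {provider_name}",
                        "Hi {first_name}, your results are available. Sign in to view them: {portal_url}",
                        "patients-with-new-lab-results", True)
WELLNESS_TIPS = Message("marketing", "Monthly wellness tips from {provider_name}",
                        "Hi {first_name}, here is this month's newsletter.", "newsletter-opt-ins", False)

if __name__ == "__main__":
    print(route(RESULT_NOTICE, PATIENT))
    print(route(WELLNESS_TIPS, PATIENT))
```

The rendered-output scan is defense in depth for the case the static checks cannot see: a "safe" field whose value happens to carry PHI, such as a portal link with a record number in the query string. It catches that by value, which is why the check runs on the final text rather than on the template.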

Document Everything

HIPAA compliance requires documentation of your email practices:

  • What PHI is transmitted via email and the justification for it
  • What safeguards are in place (encryption, access controls, audit logging)
  • Which platforms have signed BAAs and when they were last reviewed
  • How you handle breaches (your incident response plan)
  • Staff training records (who was trained, when, on what)
  • Risk assessments for your email program (conducted annually)

Access Controls and Audit Trails

Limit who on your team can access subscriber data in your email tool. Not everyone needs admin access. Configure role-based access so that:

  • Marketing team members can create and send campaigns but not export subscriber data
  • Compliance officers can view audit logs and run reports
  • Administrators can manage team access and platform settings
  • Developers can access APIs but not the marketing interface

Review access periodically. Remove access for employees who leave or change roles. Audit logs should capture who accessed what data and when, creating a trail you can present during compliance audits.
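One way to turn the audit trail into the review this section asks for, as an added example that is not code from the article or any vendor: the platform's audit export is checked against a role policy and a roster. It assumes the platform exports events as JSON lines with a timestamp, actor, action and target (hypothetical field and action names), and that you keep a roster of who should have access and, for leavers, when that access should have ended. The events and roster are constructed; the three things it flags are an action outside the actor's role (a marketing user exporting subscribers), use of an account after its deprovisioning date, and an actor nobody on the roster vouches for.

```python
"""Review an email platform's audit export against a role policy and a roster.

Added example for this article, not code from the article or any vendor. It
assumes the platform exports audit events as JSON lines with ts, actor, action
and target (hypothetical names), and that a roster records each account's role
and, for leavers, when access should have ended. Events and roster are
constructed.
"""
import json
from datetime import datetime, timezone
from typing import Optional

# Role policy from the four bullets above, as allow-lists of hypothetical action names.
ROLE_ALLOWED = {
    "marketing":  {"campaign.create", "campaign.send", "template.edit"},
    "compliance": {"auditlog.view", "report.run"},
    "admin":      {"user.invite", "user.remove", "settings.change", "auditlog.view"},
    "developer":  {"api.send", "api.key.rotate"},
}

# Constructed roster: role per account, and for leavers the instant access should have ended.
ROSTER = {
    "maria@clinic.example":   {"role": "marketing", "active_until": None},
    "jo@clinic.example":      {"role": "marketing", "active_until": "2025-03-31T17:00:00Z"},
    "dev-bot@clinic.example": {"role": "developer", "active_until": None},
    "ops@clinic.example":     {"role": "admin",     "active_until": None},
}

# Constructed audit export (one JSON object per line).
SAMPLE_AUDIT_LOG = """\
{"ts": "2025-04-02T09:14:03Z", "actor": "maria@clinic.example", "action": "campaign.send", "target": "wellness-april"}
{"ts": "2025-04-02T09:20:11Z", "actor": "maria@clinic.example", "action": "subscribers.export", "target": "all-contacts.csv", "rows": 48211}
{"ts": "2025-04-02T11:02:45Z", "actor": "jo@clinic.example", "action": "campaign.create", "target": "draft-7"}
{"ts": "2025-04-02T11:40:00Z", "actor": "dev-bot@clinic.example", "action": "api.send", "target": "appointment-reminder"}
{"ts": "2025-04-02T12:00:00Z", "actor": "unknown@contractor.example", "action": "auditlog.view", "target": "-"}
{"ts": "2025-04-02T12:05:00Z", "actor": "ops@clinic.example", "action": "user.remove", "target": "jo@clinic.example"}
"""


def parse_ts(value: str) -> datetime:
    """ISO 8601 with a trailing Z, normalised to an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def classify(event: dict, roster: dict, policy: dict) -> Optional[str]:
    """Return a finding reason for one event, or None if it is within policy."""
    entry = roster.get(event["actor"])
    if entry is None:
        return "actor not in roster"
    until = entry["active_until"]
    if until and parse_ts(event["ts"]) > parse_ts(until):
        return "access used after deprovisioning date"
    if event["action"] not in policy[entry["role"]]:
        return f"action not permitted for role {entry['role']!r}"
    return None


def review_audit_log(lines: str, roster: dict = ROSTER, policy: dict = ROLE_ALLOWED) -> list:
    """Findings for every out-of-policy event, in log order."""
    findings = []
    for raw in lines.splitlines():
        if not raw.strip():
            continue
        event = json.loads(raw)
        reason = classify(event, roster, policy)
        if reason:
            findings.append({"ts": event["ts"], "actor": event["actor"], "action": event["action"],
                             "target": event.get("target"), "reason": reason})
    return findings


def access_summary(lines: str) -> dict:
    """Who touched what: the trail an auditor asks for (actor -> sorted distinct actions)."""
    seen = {}
    for raw in lines.splitlines():
        if raw.strip():
            event = json.loads(raw)
            seen.setdefault(event["actor"], set()).add(event["action"])
    return {actor: sorted(actions) for actor, actions in seen.items()}


if __name__ == "__main__":
    for f in review_audit_log(SAMPLE_AUDIT_LOG):
        print(f"{f['ts']}  {f['actor']:<28} {f['action']:<20} {f['reason']}")
```

Run this on every export, not only before an audit: the deprovisioning check is the one that catches the leaver whose platform login outlived their offboarding ticket, and the export finding is the one that tells you subscriber data left the platform.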

Choosing Between Infrastructure and Platform

The biggest decision for healthcare email is whether you need:

  1. Infrastructure only (SES, Mailgun, Postmark): Maximum control, minimum features. You build everything on top. Best for engineering teams with the resources to build and maintain email functionality.

  2. Platform with BAA-backed marketing features (SendGrid and similar enterprise tools): Marketing features included. Less control over the underlying infrastructure, but faster time to value. Best for teams that need to run actual email programs, not just send transactional messages.

  3. Healthcare-specific (Paubox, LuxSci): Purpose-built for healthcare, but not for marketing. Best for organizations whose primary concern is securing staff-to-patient email communication.

  4. Separate non-PHI marketing layer (Sequenzy or another standard marketing platform): Useful only if it never stores PHI and never powers patient-specific email flows.

If you're a health tech SaaS company that needs lifecycle email automation, option 1 (infrastructure-only) will require building everything from scratch. Option 2 (platform with BAA-backed marketing features) gets you marketing capabilities under a BAA, which is usually the better trade-off unless you have very specific infrastructure requirements. If you use option 4, the operational rule is simple: keep PHI out entirely.

FAQ

Can I use Mailchimp for HIPAA-compliant email? Mailchimp does not sign BAAs by default and is not HIPAA-compliant on standard plans. On premium enterprise plans, a BAA may be available - contact Mailchimp directly. Using Mailchimp without a BAA to send emails containing PHI is a HIPAA violation. You can use Mailchimp for marketing emails that contain zero PHI (wellness tips, general health announcements), but be very careful about subscriber segmentation. If your audience segments reveal health conditions (e.g., "diabetes patients"), those segmentation criteria are PHI and shouldn't be in Mailchimp.

Is Sequenzy HIPAA compliant? No. Sequenzy is not HIPAA compliant and does not offer a BAA. You can use it only for non-PHI marketing that is kept completely separate from patient data and PHI-triggered workflows.

Is email inherently non-compliant with HIPAA? No, but standard email (Gmail, Outlook without encryption) is not HIPAA-compliant for PHI. Email sent through HIPAA-eligible platforms with proper encryption and BAAs can be compliant. The key requirements are encryption (in transit and at rest), a signed BAA, access controls, and audit logging.

What's the penalty for sending PHI through a non-compliant email tool? HIPAA violations range from $100 to $50,000 per violation, up to $1.5 million per year for violations of the same provision. Willful neglect with no correction can result in criminal penalties including fines up to $250,000 and imprisonment up to 10 years. The OCR has increased enforcement in recent years, making violations more likely to be caught and prosecuted.

Do patient appointment reminders require HIPAA compliance? Yes. An appointment reminder reveals that the patient has an appointment with a healthcare provider, which is PHI. The email platform sending the reminder needs to be HIPAA-compliant with a signed BAA. Even a simple "You have an appointment tomorrow" email, when sent to a specific patient, constitutes PHI.

Can I use a marketing email tool for non-PHI healthcare marketing? Yes. General health tips, wellness content, service announcements, and newsletters that contain zero PHI can be sent through standard email platforms without HIPAA requirements. The key is ensuring no PHI is included in the content, subject line, or recipient targeting criteria. If your segment is "all subscribers" or "people interested in wellness," that's fine. If your segment is "patients with condition X," that's PHI.

What about email analytics and HIPAA? Email analytics (open rates, click rates) can create PHI if they reveal health-related behavior. For example, if you track that a patient clicked a link in an email about a specific condition, that click data is PHI. Ensure your analytics platform is covered under your BAA, and be thoughtful about what tracking reveals. Platforms with built-in analytics that operate under a BAA handle this cleanly.

How do I handle HIPAA compliance when using multiple email tools? If you use separate tools for transactional and marketing email, each tool that handles PHI needs its own BAA. Tools that never touch PHI (your marketing newsletter tool) don't need BAAs but should still follow good security practices. Document which tools handle PHI and which don't, and make sure your team knows the boundaries. Consider using a platform that handles both transactional and marketing email under a single BAA to simplify compliance.

Does HIPAA apply to health and wellness apps that aren't traditional healthcare? It depends on whether you qualify as a covered entity or business associate under HIPAA. Traditional healthcare providers, health plans, and healthcare clearinghouses are covered entities. If your app processes data on behalf of a covered entity, you're a business associate. Consumer health and wellness apps that don't work with covered entities may not be subject to HIPAA, but may be subject to FTC regulations on health data. When in doubt, consult a healthcare privacy attorney.