There are lots of solutions out there, we suggest that your number one priority should be when choosing a solution, is to select the product from a company that will enter into a business associate agreement with you. By entering into a business associate agreement, the company takes responsibility for the privacy and security of email storage and transmission. If a breach happens, they are legally responsible, not you.

Relating to security, the biggest companies are often the best, as they have the most money to spend on technology and infrastructure. Below are some options what we recommend:

Office 365 has security certifications for HIPAA compliance such as FISMA, ISO 27001, and SSAE 16. They will enter into a Business Associate Agreement with you, click here for further details. You can pay for full access to Microsoft products including: Word, Excel, PowerPoint, OneNote, Outlook, Publisher and Access. Office 365 is compatible on PCs or Macs, tablets and smartphones. Alternatively, you can just pay for an email only plan. Click here for more info.
​

Similarly, Google has the security certifications for HIPAA compliance and will enter into a Business Associate Agreement with users that have an Administrator account with Google Apps.The BAA covers services including Gmail, Google Calendar, Google Drive, and Google Apps Vault services (Google's online documents, spreadsheets, and presentations). For more info, please click here At Kalix we use Gmail.

There are a number of other solutions out there. We highly recommend you read the following review of HIPAA compliant email services, click here to read.

Regarding email security breaches, most are related to the hacking of email passwords. Emails solutions will not cover you if this happens. We have written an article about password security it is worth a read, click here to read.

It is also worth knowing that HIPAA does not prohibit the use of email to transmit electronic protected health information (ePHI). Instead, the HIPAA Security Rule requires covered entities (you) to implement administrative, physical and technical safeguards if engaged in the transmission of ePHI (email). A big part of this is getting your clients' to sign a consent form (or Privacy Notice) prior to sending PHI via email.