
In this installment of “Let’s Get Technical,” our panel of experts reviews three email platforms that meet HIPAA compliance requirements.


As practices have moved online, emailing between providers, staff, and patients has significantly increased, making secure email services an essential tool for psychologists. It may be easy to overlook HIPAA requirements when it comes to email, but this can be risky. Our panel of psychologists rates and reviews three HIPAA-secure email platforms to help you find one that balances available features and security with ease of use and cost.


Hushmail for Healthcare


Review Ratings

4
★★★★☆

4
★★★★☆

MailHippo


Review Ratings

4
★★★★☆

3
★★★☆☆

ProtonMail for Business


Review Ratings

5
★★★★★

5
★★★★★


Hushmail

Hushmail for Healthcare is a web-based email service that allows psychologists to send and receive encrypted emails and web forms. There is also an app for iPhone users. Plans include the required Business Associate Agreement (BAA) for HIPAA compliance. Users create a new email address using Hushmail’s domain (i.e. @hushmail.com, @therapysecure.com), or using a custom domain name (i.e. @yourcompany.com), or a Hushmail subdomain (@yourcompany.hush.com). You can also move your intake forms, referral forms, and contact forms online, and patients can complete them securely on the web. An electronic signature option is included with most plans.

There are three types of Hushmail for Healthcare plans:

  • $9.99 a month for one email account, 2 web forms, $109 annually
  • $19.99 a month for five email accounts, 5 web forms, electronic signature feature, $219 annually
  • $39.99 a month for 10 email accounts, 10 web forms, electronic signature feature, $439 annually

Hushmail offers a full refund if you cancel within 60 days.

Overall review ratings

4

★★★★☆

—JoAnna Romero Cartaya, PhD

4

★★★★☆

—Kevin D. Arnold, PhD, ABPP

Hushmail panelist ratings and comments

JoAnna Romero Cartaya, PhD “I recommend Hushmail for Healthcare given its privacy and security standards, the ease of obtaining a BAA, and it being HIPAA compliant. I found their secure email service to be user friendly, clean to look at, and easy to organize emails. Hushmail offers several features that are highly desirable for telehealth, especially the integration of creating online forms and e-signatures. I do wish that Hushmail offered in their mid-range plan flexibility to increase forms and decrease email accounts to make it more adaptable to smaller practices. While they do not currently have an app for Android users, only for iPhone, there are other easy-to-use options for mobile devices that make reading and responding to email simple when away from the computer.”
—JoAnna Romero Cartaya, PhD

Privacy/Security

5 ★★★★★

Hushmail for Healthcare is easily accessible with secure measures provided for all communications (transmissions) between the Hushmail servers and providers’ computers and devices. All users are provided with a Security Policy white paper describing Hushmail’s security and privacy protections. The BAA is quick and easy to obtain.

Available Features

4 ★★★★☆

Hushmail can be adapted for different size practices with a variety of easy-to-use and customizable features. Importantly, automatic encryption is included for internal emails along with the ability to send an encrypted email to all other external addresses. Secure intake, feedback, and questionnaire (such as the PHQ-9) forms can quickly and easily be created and linked to your practice website, signature line, or social media.

Ease of Use

5 ★★★★★

Hushmail is easy to navigate and use. While it can be accessed on any web browser, two-step authentication is required. Patients generally had an easy time receiving and responding to messages; however, for some there was resistance to having to create and remember another password to access the encrypted email.

Functionality

5 ★★★★★

Hushmail performs well and is reliant on internet access. While an app is only available via iPhone, Hushmail can be integrated into other mobile email apps and programs such as Outlook, Apple Mail, and Thunderbird.

Customer Support

5 ★★★★★

Customer service is prompt, knowledgeable, and helpful in answering questions via email, call, and chat. In addition, Hushmail provides a resource library with a variety of articles on getting started and to help users understand the product, security, and privacy. Hushmail also has a blog that provides resources for HIPAA-compliant practices and using Hushmail’s features.

Value for money

5 ★★★★★

Given its security measures and focus on health care providers, Hushmail’s price point appears to be reasonable, especially since two of the three packages include secure web forms and e-signatures. This is a plus for psychologists who are doing more web-based communication and telehealth services.

Recommendations for use

For providers who have moved online, Hushmail offers high levels of security and privacy for email correspondence and electronic forms and signatures. I would recommend double checking that the box to encrypt outgoing mail is checked prior to sending out any email to a patient. It may also be helpful to discuss with patients the proper development of passwords or security questions, so they have an easier time adjusting to reading encrypted emails from their providers.

Hushmail panelist ratings and comments

Kevin D. Arnold, PhD, ABPP “If your practice requires encrypted emails and e-forms, then Hushmail is a good option. It is cost-effective, is relatively reliable, and has few bugs. Psychologists wishing to be HIPAA compliant will find Hushmail for Healthcare useful, as will those looking to establish a proprietary email domain name for marketing purposes. With the pricing options and the ability to set up a practice domain name, Hushmail should work for small and large practices alike.”
—Kevin D. Arnold, PhD, ABPP

Privacy/Security

4 ★★★★☆

Hushmail for Healthcare provides more than adequate encryption methods. Sent emails remain available to the patient through the Hushmail servers for 14 days, then are destroyed. Future external emails to the same recipient are automatically encrypted. Hushmail is not a U.S. company, and other countries have different privacy and security laws, some that are more lax than laws in the U.S. Psychologists may wish to discuss the implications of using this service with their attorney.

Available Features

4 ★★★★☆

Hushmail for Healthcare’s capacity to create and transmit fillable office forms is a bonus. Another feature is the auto-delete function for emails sent to non-Hushmail systems. Deletion occurs 14 days after the encrypted email is sent, adding a protective feature often not seen in such cost-friendly programs.

Ease of Use

4 ★★★★☆

Hushmail’s email system is relatively easy to set up and use, except for the automatic encryption function. Once a sender encrypts an email to a non-Hushmail address, the sender must always send emails encrypted unless they manually turn it off. The e-forms are relatively easy to create, but are not in an Adobe product and do not allow for a drawn e-signature, requiring additional consent language and creation of unique identifiers within the e-signature (e.g., last 4 of the SSN).

Functionality

4 ★★★★☆

Hushmail provides more than adequate email and forms management functionality; however, like many web-based email protocols, the connectivity can sometimes be challenging. There are times when the email processing will take too long or fail to engage, resulting in an email being moved into drafts without the sender’s knowledge.

Customer Support

4 ★★★★☆

Hushmail’s online resources, along with the program’s manuals, are generally adequate for most common questions. Hushmail also has customer service representatives available to answer questions, providing a second level of support. Most interactions with customer service produced either guidance, or sometimes, a software bug to be fixed.

Value for money

4 ★★★★☆

For the money, Hushmail is a good value. Other encrypted email systems can cost more, and likely not provide any additional security or support. The costs of using various programs for documents and email likely would exceed the costs of Hushmail.

Recommendations for use

I recommend Hushmail for Healthcare as an alternative to other encrypted email systems and secure e-document programs. It is cost-effective, offers a BAA, and has additional functionality beyond email itself (e.g., forms). Should a practice rely on telehealth, online forms that transmit in an encrypted manner overcome the need to send consent and intake forms via the postal service (decreasing costs and reducing the lag time for the patient to be initially seen). Psychologists may need to get into the habit of checking the draft box to ensure that each email was sent.


MailHippo

MailHippo is a web-based platform that allows psychologists to send and receive emails and attachments securely. Plans include the required Business Associate Agreement (BAA) for HIPAA compliance. Users keep their existing email address as MailHippo works with any email provider. Patients can send you secure communications using a personalized web link. While there is not an app, MailHippo is mobile-friendly and can be used on any smartphone or tablet.

There are three MailHippo plans:

  • $4.95 per month/per user basic plan with 5,000 messages per month, 5GB storage, the ability to send files up to 50MB in size, and message recall
  • $7.95 a month/per user pro plan with 10,000 messages per month, 10GB storage, the ability to send files up to 100MB in size, and message expiration and recall
  • $8.95 per month/per user pro+ plan that includes PDF forms with e-Signature, 10,000 messages per month, 10GB storage, the ability to send files up to 100MB in size, and message expiration and recall*

MailHippo offers a 30-day free trial of a version of its basic plan with 1,000 messages per month, 2GB storage, and ability to send files up to 20MB in size. The trial does not include message recall or expiration features.

*Note: This plan was not available at the time the panelists conducted their review of MailHippo.

Overall review ratings

3

★★★☆☆

—Charmain F. Jackman, PhD

4

★★★★☆

—Mary O’Leary Wiley, PhD, ABPP

MailHippo panelist ratings and comments

Charmain F. Jackman, PhD “For the security that MailHippo offers, this is an excellent product. However, it is best suited for practitioners who have very basic email needs and who do not already have an email service with other features. For example, for practitioners who use generic email accounts (Gmail, Yahoo, etc.) to communicate with clients. It gives you the ability to recall emails sent accidentally. I also like that people can easily send you secure email from a web link. It is relatively inexpensive, and you can cancel the subscription at any time.”
—Charmain F. Jackman, PhD

Privacy/Security

5 ★★★★★

MailHippo was built for the sole purpose of sending and receiving secure, HIPAA-compliant emails following the federal security laws for protected health information (PHI). You can access the BAA within minutes of signing up.

Available Features

2 ★★☆☆☆

MailHippo is solely a HIPAA-compliant and secure email messaging system. Psychologists can include their company name in branding but not a logo. Paid subscribers have the ability to recall any emails sent in error. There is no option to schedule an email for a later date or time, a valuable feature on some other email services.

Ease of Use

5 ★★★★★

MailHippo’s advantage is its simplicity. It is extremely easy to navigate as the functions are similar to most basic email platforms. Patients just put your personalized web link into any browser, which will open a window with an email template that allows them to easily send you an email.

Functionality

3 ★★★☆☆

While you can use your current email address, you have to log in to the MailHippo platform to send and read emails. This will mean having to manage another email system. The platform does not allow you to store names and contact information, so you must type in an email address each time you send an email.

Customer Support

3 ★★★☆☆

Customer support is via email only; however, the software is not complicated. You can expect to receive a response within a 24-hour time frame. There are no videos or demos on the website, but there is a frequently asked questions section that describes the security features and how the software works.

Value for money

3 ★★★☆☆

If you use an email account that does not offer HIPAA protection and you are not interested in a system with added features, this could be a valuable option for you. There are other products with minimal additional cost, however, that provide secure messaging and many other features beyond MailHippo’s limited capacity.

Recommendations for use

MailHippo provides a secure way to send and receive emails and attachments very easily. It is worth the investment if you are not currently using HIPAA-compliant practice management software with integrated HIPAA-compliant email messaging.

MailHippo panelist ratings and comments

Mary O'Leary Wiley, PhD, ABPP “I really liked MailHippo and would easily recommend it to other psychologists. It is super easy to use and integrates smoothly into regular email accounts (e.g. Gmail). I think that it would be most useful for psychologists who send PHI through email, including psychological reports. It can also be used, however, for communicating about things that require conversations, such as scheduling or billing questions. There is a slight hassle for the client, who must create and remember a password to participate in conversations through MailHippo, but it is an easy process. Although an app is not available, emails can be read and sent on a smartphone. Unfortunately, customer support and additional resources are not as strong.”
—Mary O’Leary Wiley, PhD, ABPP

Privacy/Security

5 ★★★★★

MailHippo is specifically designed for use by medical professionals, and the creators are very specific about its emphasis on HIPAA compliance. The platform guarantees the safety of electronic protected health information and a BAA is provided during initial registration.

Available Features

5 ★★★★★

MailHippo can be used with any email platform that you already use. Attachments can be sent, and clients can then respond and include attachments when desired. While contacts cannot be stored, MailHippo saves the addresses of people you have sent emails to, so when you begin to type in an email to a previous address, it autofills.

Ease of Use

3 ★★★☆☆

MailHippo is very easy to use as it is similar to other email platforms. Clients receive the emails at their own email address without having to check an additional platform but do need to set up a password to view the email content. Some clients reported having to create an account to reply, while others were able to respond without doing so, making things a bit confusing.

Functionality

5 ★★★★★

MailHippo functions very well and works seamlessly from the email app on my phone. The website is clean, clear, and intuitive. MailHippo implements a robust backup solution which ensures data integrity and business continuity of the MailHippo platform.

Customer Support

2 ★★☆☆☆

Customer support on MailHippo is only via texting or emails within the platform and there are no educational or video tutorials. That said, the app is clear and easy to use. Requests for clarification sent through the support website link took several hours.

Value for money

5 ★★★★★

MailHippo, a relatively new service (est. 2019), is a great value for the money. After a 30-day free trial, Basic service is $4.95 per month. Most solo practicing psychologists would not need more than the Basic plan.

Recommendations for use

MailHippo is easy to use as a secure way to send emails. The emails you send while logged into the platform appear to the recipient as a regular email, though the subject line is not encrypted, and therefore the user must not include PHI in the subject line, which MailHippo is careful to tell you.

MailHippo would be especially helpful when sending psychological reports to clients or other parties or sending clinical summaries that include clear PHI. Billing or scheduling information could also be used with this platform if HIPAA compliance is desired.


ProtonMail

ProtonMail is a secure email platform based in Switzerland and developed by scientists and engineers to protect civil liberties online. ProtonMail uses client-side encryption to protect email content and user data and does not use cloud hosting, but rather owns and manages its own server hardware and network in two locations in Switzerland, one of which is in a bunker 1,000 meters under the Swiss Alps.

Email features increase with differing levels of paid plans. Psychologists will need to use ProtonMail for Business, which includes a signed BAA and is fully HIPAA compliant. Psychologists can create an email address with ProtonMail’s domains (pm.me or protonmail.com) or use their own domain to establish a unique brand. ProtonMail can be accessed through a webmail client or through iPhone and Android apps.

ProtonMail offers different plans for individuals and businesses, including a free version. For this review, we’ve focused only on the Business plan that includes a BAA:

  • €8.00 (~$9.69) per month/per user professional plan with unlimited messages, 5GB storage, up to five different email addresses, and 2 custom domains, €75 (~$90) annually

Overall review ratings

5

★★★★★

—Mary O’Leary Wiley, PhD, ABPP

5

★★★★★

—JoAnna Romero Cartaya, PhD

ProtonMail panelist ratings and comments

Mary O'Leary Wiley, PhD, ABPP “ProtonMail describes themselves as the world’s largest secure email service, offering end-to-end encryption and other security features to keep email communications private. The company works to defend civil liberties online, which includes medical and mental health professionals, but also other business and governmental interests. The ProtonMail platform is excellent, easy to navigate, and integrates directly with your current email system. The price is good for such high-level email privacy protection. Patients found it to be impressively easy to use and liked it very much.”
—Mary O’Leary Wiley, PhD, ABPP

Privacy/Security

5 ★★★★★

ProtonMail takes security and privacy seriously and provides an email platform with the highest levels of protection, beyond what is required for HIPAA compliance. Since the user chooses the key for encryption, the contents of encrypted emails are inaccessible by ProtonMail’s employees and staff.

Available Features

5 ★★★★★

ProtonMail can be used with any email platform already in use. Attachments can be sent, and clients can then respond and include attachments when desired. Contacts can be stored securely, you can customize your inbox, and you can store emails in folders if desired.

Ease of Use

5 ★★★★★

ProtonMail is quite easy to use. Emails sent through the platform appear as a regular email to the recipient. When they respond, it goes to your Proton account, and a notation comes to your regular email account that an email has been posted to your Proton account.

Functionality

5 ★★★★★

ProtonMail is very functional, and the website is clean, clear, and intuitive. It worked seamlessly when I accessed it from my phone.

Customer Support

4 ★★★★☆

Direct access to customer service representatives is only available to subscribers at the Business or Professional plan levels; however, there is a wealth of information available on the website. I didn’t have to contact customer service because the platform is so intuitive and functional.

Value for money

5 ★★★★★

The Business account offers high-level email privacy protection for a competitive price with well-functioning message volume, storage, folders, custom domains, and customer support. Annual rates offer a savings of 25–33% compared to monthly payments.

Recommendations for use

It is easy to overlook HIPAA requirements when it comes to email, and this can be risky. ProtonMail was not specifically designed for health care, but for anyone desiring highly private and encrypted email. It is intuitive and well designed for medical and mental health providers to use as their professional email platform.

ProtonMail panelist ratings and comments

JoAnna Romero Cartaya, PhD “ProtonMail is a unique encryption email service given its high levels of privacy and security protection. It is a streamlined platform with features that make emailing with encryption feel much like any other email experience. I appreciate that emails sent externally automatically delete within 28 days (or sooner if the user chooses). The Professional/Business Plan does offer the ability to reset passwords with administrative functionality, which is helpful especially in a private practice. I would recommend ProtonMail to colleagues, especially those who work with populations that are most comfortable with providers who offer higher than standard levels of security and privacy within their practices.”
—JoAnna Romero Cartaya, PhD

Privacy/Security

5 ★★★★★

ProtonMail provides highly detailed security and privacy policies. No identification information is needed to create and use the service; however, a user can link a secondary email address for password recovery. ProtonMail does not track site visitors or conduct any type of analytics or advertising. Obtaining a signed BAA was quick and easy.

Available Features

5 ★★★★★

ProtonMail offers most features that one would expect in a less secure email service. The Professional Plan includes administrative functionality (including ability to reset user passwords), customized domains, email filters, automatic responder, and a support team to help set up. It also includes an integrated encrypted calendar.

Ease of Use

4 ★★★★☆

ProtonMail’s streamlined and clean interface makes it easy to use and tailor to personal preferences for email use; however, it is limited in ways that it can be customizable. Patients seemed to find it easy to decrypt messages and appreciated not having to create a password as I set a specific password for each patient and provided it to them during our telehealth visit.

Functionality

5 ★★★★★

ProtonMail worked well without any issues. It is web-based and has apps available for both Android and iOS for Apple products and can be accessed from any web browser.

Customer Support

4 ★★★★☆

Users at the Professional Plan level can request a phone call for customer support on the website. Email support is available 24/7. ProtonMail provides a step-by-step guide on their website as well as a questions library. A blog with additional information and articles regarding ProtonMail’s service is also available.

Value for money

5 ★★★★★

The Professional/Business Plan is reasonably priced given its flexibility in customizing the number of users and practice needs. They also offer a discount for non-profits. While it does not have the bells and whistles of some of the other encryption email services, the more robust and in-depth security measures are unique and offer a good value for the money.

Recommendations for use

ProtonMail offers intense privacy and security for populations who are more conscientious of these issues. For those patients who may be less cautious regarding email correspondence, using ProtonMail has still been a seamless process. Users are prompted to create a password for each encrypted email they send; however, the way the password is given to the recipient is on the user to figure out (i.e., in-person, phone, via telehealth). I set a specific password for each patient and provided it to them during our telehealth visits.


Psychologist panel review ratings key

Categories rated from 1 to 5, with 5 being the most positive score.

Privacy/Security

If applicable, do the creators acknowledge that providers need to be HIPAA-compliant? Is it HIPAA-compliant? Do they offer a BAA? Are there other legal/regulatory issues to consider? Is there a privacy policy? Is data collected, stored, shared? Is data de-identified? Is there a security policy? Data encryption?

1-HIPAA relevant and ignored, no privacy policy etc.; 5-Highest levels of privacy and security

Available Features

Does the software have all the features your practice needs? What are the key features? What is lacking?

1-Missing many key features; 5-Has all the features our practice needs and more

Ease of Use

Is it easy to navigate? Is it customizable?

1-Very difficult; 5-Very easy

Functionality

Does it perform well? Is it web-based? Is there an app?

1-Very poor; 5-Very well

Customer Support

Is customer support responsive when needed? Do they provide support through the following contact options: Phone, email, online, educational resources, video tutorials?

1-Very unresponsive; 5-Very responsive

Value for Money

Does this software provide good value for the money spent?

1-Poor value for money; 5-Highly valuable

Overall Rating

Would you recommend this software to other psychologists? Why or why not? Summarize your thoughts on the software.

1-Strongly do not recommend; 5-Strongly recommend

Applications reviewed January 2021


This column discusses various software and applications available to psychologists for their professional use. The views expressed in this column are the views of the authors and do not reflect the views of the American Psychological Association or any of its divisions or subunits. All authors have no financial interests in the apps or software discussed. APA does not recommend or endorse any practitioners, products, procedures, opinions or other information that may be mentioned in this column; those who use these applications or products do so at their own risk. Please direct updates and feedback about mental health technologies to Office of Health Care Innovation Staff.

Date created: February 2021

Let’s Get Technical

Nicole Owings-Fonner, MA A review of the latest apps and tools for practicing psychologists