Important: HIPAApropriateness reviews, including their summaries, are for informational purposes only. They are neither consultation nor legal advice. Be aware that while we do our best to be thorough and complete, information may be missing or possibly even inaccurate. Products also change quickly, and the review may become out of date. By continuing to read, you agree to use the information in HIPAApropriateness reviews and their summaries at your own risk.

Vital Stats

HIPAA compliance with this product appears possible?: Yes.
Recommend for your HIPAA risk management needs?: Yes. Hushmail is the classic secure email service that provides HIPAA-friendly secure email through their Hushmail for Healthcare service. Be sure to read our 3 notes and the description for some important information about it.
# of Caveats: 0
# of Usage Notes: 3

Relevant Product Characteristics

  • This product is designed specifically with the healthcare industry in mind.

What Is This Product?

Full disclosure: Roy Huggins, the director of Person Centered Tech, does a small amount of paid consulting for Hushmail as of May, 2017.

Hushmail got into the business of making secured email services very early in the game, and now they have a secured email + web forms product made for HIPAA compliance, called Hushmail for Healthcare.

Hushmail for Healthcare includes secured email, Hush secure forms, and the all-important Business Associate Agreement.

Our Impressions

Hushmail’s staff and leadership have been very responsive to our inquiries, including in the years before we started doing HIPAApropriateness Reviews. Throughout those years, they have shown themselves to be interested in the security needs of healthcare providers as well as the ethical needs of mental health clinicians. We recommend Hushmail for the risk management needs of mental health professionals.

About the Forms Feature

We’ve listed Hushmail as offering “forms” for your practice because of the Hush Secure Forms feature that comes with Hushmail for Healthcare. There is a feature for helping you build forms, and most forms can be embedded in your website.

Some plans also support electronic signatures in forms. Hushmail’s method of implementing electronic signatures is robust and reliable for clinical purposes.

A Small Change

Before October of 2017, if you sent an encrypted message to someone, you had to set a password prompt and a password. This proved complicated for some folks, so Hushmail has rolled out a new system for secure sending. Now, when you send an encrypted e-mail you can set a security question, but you don’t need to. Instead, when the recipient opens the mail for the first time, they create their own password that they can then use in the future to access e-mails from you.


Caveats are criticisms of the company or product that we feel are relevant to your risk management or other important considerations.

Notes cover points where the product can’t ensure compliance or ethical action for you. These help you know what your part of the compliance puzzle looks like when using this product. A high note count usually correlates with a feature-rich product, and not necessarily with a product that has problems.

1) Remember to check the encryption box before you send!

It’s a classic secure email blunder: you hit “send” before you hit “secure” and there goes all that shiny protected health information out into the unsecured, barbaric hinterlands of the Internet.

As with most email providers that offer secure messaging, Hushmail messages are not always secured by default. Be sure to check the box that makes your message a secured one before you send those sensitive messages!

Note: The option to encrypt is only available if you are using Hushmail’s web portal or their iPhone app. If you’re using Outlook or some other application you won’t be able to use this feature to send.

2) Make sure clients and colleagues know that your secure messages will expire after some time

In order to maximize the security of messages, Hushmail secure messages become inaccessible to their recipients after a period of time. Make sure the people you send messages to know that beforehand. Otherwise they may delay opening your message until after it has expired.

However, Hushmail for Healthcare keeps a permanent archive of all the messages you’ve sent or received. This is required for your HIPAA compliance, so they provide this feature to make sure you have that compliance piece.

3) Use your HIPAA-friendly email account if you receive alerts from Hushmail

Hushmail can be configured to send an alert to another e-mail address when a new message arrives in your Hushmail inbox. That alert contains the e-mail address of the sender, so there’s the potential to expose PHI. We recommend that you use your HIPAA-friendly email account (one with a Business Associate Agreement in place) to receive these alerts.
