5 Best HIPAA-Compliant Email Marketing Tools (2026)

If your SaaS handles healthcare data, HIPAA compliance isn't optional for your email tool. Any platform that processes, stores, or transmits Protected Health Information (PHI) on your behalf must sign a Business Associate Agreement (BAA) and meet HIPAA's security and privacy requirements.
The problem: most email marketing tools don't support HIPAA. They weren't designed for healthcare data. Sending an email with patient information through a non-compliant platform is a HIPAA violation, regardless of how the patient signed up.
Important note: Sequenzy is not HIPAA compliant today and does not offer a BAA. Do not use Sequenzy for emails that contain PHI, patient identifiers, or patient-specific segmentation.
Here's which email platforms actually support HIPAA compliance and what that means practically.
What HIPAA Compliance Requires From Your Email Tool
- Business Associate Agreement (BAA): A legal contract between you (the covered entity or business associate) and the email platform (the subcontractor). This is non-negotiable. Without a BAA, you cannot legally use the platform for any communication that involves PHI.
- PHI safeguards: Technical, physical, and administrative safeguards for any PHI the platform processes. This includes everything from server security to employee training at the email vendor.
- Encryption: Data encrypted in transit (TLS) and at rest. This means emails containing PHI are encrypted while being sent and while stored on the platform's servers.
- Access controls: Role-based access, authentication, and audit logging. Only authorized team members should be able to access subscriber data, and every access should be logged.
- Breach notification: The platform must notify you within 60 days of discovering a breach involving PHI. This is a legal obligation under the BAA.
- Minimum necessary: The platform should only access the minimum PHI necessary for its function. Your email tool doesn't need access to full medical records to send an appointment reminder.
Important: HIPAA compliance is about the overall system, not just one tool. A HIPAA-compliant email platform doesn't make your entire email program compliant. You also need compliant processes, training, and documentation.
The Cost of Getting It Wrong
HIPAA violations aren't theoretical. The Office for Civil Rights (OCR) actively investigates breaches, and penalties are steep. Fines range from $100 to $50,000 per violation, with a maximum of $1.5 million per year for violations of the same provision. Willful neglect with no correction can result in criminal penalties including imprisonment.
Beyond fines, a HIPAA breach damages patient trust and your reputation in the healthcare industry. News of healthcare data breaches travels fast, and the OCR publishes a "Wall of Shame" listing breaches affecting 500 or more individuals.
The 5 Best HIPAA-Compliant Options
1. Amazon SES
Best for: HIPAA-eligible infrastructure for technical teams
Amazon SES is HIPAA-eligible, meaning AWS will sign a BAA that covers SES. AWS has extensive HIPAA compliance documentation and a well-established BAA process. For technical teams building healthcare applications on AWS, SES is the natural choice for email.
The trade-off: SES is pure infrastructure. You get sending APIs, but no marketing features, templates, or automations. Your application handles everything else. For healthcare companies that need email sending infrastructure within a HIPAA-compliant AWS environment, this is the most straightforward path.
AWS's HIPAA compliance extends beyond SES. If your healthcare application runs on EC2, uses RDS for databases, and S3 for storage, you can cover the entire infrastructure under a single AWS BAA. This unified approach simplifies compliance management significantly.
The setup requires engineering work. You'll need to build your own email template system, manage sending reputation, handle bounces and complaints, and build any marketing automation from scratch. For teams that already have developer-friendly email infrastructure, this may be acceptable. For teams wanting a ready-to-use marketing platform, SES alone isn't enough.
- BAA: Available (AWS BAA covers SES)
- Encryption: TLS in transit, encryption at rest (AWS KMS)
- Audit logging: Via CloudTrail
- Pricing: $0.10 per 1,000 emails
- Pros: AWS BAA, well-documented compliance, scales, part of broader HIPAA AWS infrastructure, unified compliance management
- Cons: No marketing features, pure infrastructure, requires significant development work, no templates or automation
2. Mailgun
Best for: Email infrastructure with BAA for healthcare applications
Mailgun offers HIPAA-compliant email infrastructure with BAA availability on enterprise plans. The platform provides email sending, receiving, and routing with the security controls HIPAA requires. Mailgun's parent company (Sinch) has experience with healthcare communications.
Like SES, Mailgun is primarily email infrastructure rather than a marketing platform. You get APIs for sending, inbound processing, and email validation. Marketing automation and campaign management would need to be built on top or handled by a separate compliant tool.
Mailgun's advantage over SES is slightly more built-in functionality. Email validation helps maintain list hygiene (important for healthcare where bounced emails may indicate outdated patient contact information). Inbound email processing can be useful for healthcare applications that need to receive and route patient communications.
The enterprise pricing for HIPAA compliance is a consideration. You'll need to contact Mailgun directly for pricing, and it will be significantly more than their standard plans. Factor this into your build vs. buy decision for healthcare email.
- BAA: Available on enterprise plans
- Encryption: TLS in transit, encryption at rest
- Audit logging: Via API logs and webhooks
- Pricing: Custom for HIPAA (enterprise plan)
- Pros: BAA available, email infrastructure, inbound processing, email validation, Sinch healthcare experience
- Cons: Enterprise pricing for HIPAA, no marketing features, requires custom development
3. SendGrid
Best for: HIPAA-eligible email with both transactional and marketing capabilities
SendGrid (owned by Twilio) is HIPAA-eligible, and Twilio will sign a BAA that covers SendGrid. This gives you both transactional email and marketing campaigns within a HIPAA-compliant framework. SendGrid is one of the few platforms that offers marketing email features with BAA coverage.
For healthcare companies that need to send both operational emails (appointment confirmations, test results, billing) and marketing emails (health tips, wellness campaigns, service announcements), SendGrid can handle both under one BAA. This is significant because most HIPAA-compliant email tools are infrastructure-only with no marketing capabilities.
SendGrid's marketing features include a template builder, contact management, and basic automation. While not as sophisticated as dedicated marketing platforms, having marketing capabilities under a BAA removes the need for a second email vendor and a second compliance review.
The deliverability is reliable, which matters for healthcare. An appointment reminder that lands in spam is a missed appointment. A prescription notification that doesn't arrive can affect patient care.
- BAA: Available (Twilio BAA covers SendGrid)
- Encryption: TLS in transit, encryption at rest
- Audit logging: Activity feed, event webhooks
- Pricing: Custom for HIPAA (Pro plan and above)
- Pros: BAA available, transactional + marketing, broad features, reliable infrastructure, Twilio compliance ecosystem
- Cons: HIPAA features on higher-priced plans, marketing features less polished than dedicated platforms
4. Postmark
Best for: HIPAA-compliant transactional email with best deliverability
Postmark offers a BAA for customers who need HIPAA compliance. Given Postmark's focus on transactional email (appointment confirmations, prescription notifications, test result alerts), the HIPAA compatibility is a natural fit. These are exactly the kinds of emails healthcare applications need to send reliably.
Postmark's deliverability advantage matters for healthcare. An appointment reminder that lands in spam is a missed appointment. A test result notification that doesn't arrive causes patient anxiety. Postmark's consistent inbox placement reduces these risks. Their dedicated IP pools and strict sending policies keep deliverability high across all customers.
The trade-off is clear: Postmark is for transactional email only. You won't build marketing campaigns, newsletters, or promotional sequences in Postmark. If you need marketing email alongside transactional, you'll need a second platform (and potentially a second BAA). For teams that separate transactional and marketing email by design, this specialization is a strength.
- BAA: Available
- Encryption: TLS in transit, encryption at rest
- Audit logging: Activity logs, webhooks
- Pricing: Standard pricing with BAA
- Pros: BAA available, best deliverability, transactional email focus, reliable, transparent pricing
- Cons: Limited marketing features, primarily transactional, need separate tool for marketing
5. Paubox
Best for: Healthcare-specific email encryption and compliance
Paubox is built specifically for healthcare email. The platform provides HIPAA-compliant email encryption that works seamlessly with standard email clients (recipients don't need to use a portal or special software to read encrypted emails). Paubox signs a BAA and includes features specifically designed for healthcare compliance.
Unlike the other options on this list, Paubox is not a marketing email platform. It's an email encryption and compliance layer that ensures all email sent by your organization meets HIPAA requirements. For healthcare organizations whose primary concern is securing email communication (not marketing), Paubox is purpose-built.
The seamless encryption is Paubox's key differentiator. Traditional healthcare email encryption requires recipients to log into a portal, create an account, and read messages in a web interface. Patients hate this. Paubox encrypts email transparently, so recipients read it in their normal email client. This dramatically improves patient communication since people actually read the emails.
Paubox also offers a compliance dashboard that shows encryption status, delivery tracking, and audit trails. For healthcare compliance officers who need to demonstrate email security during audits, this centralized visibility is valuable.
- BAA: Included (healthcare-first platform)
- Encryption: Zero-step encryption (transparent to recipients), TLS with fallback
- Audit logging: Comprehensive audit trails, compliance dashboard
- Pricing: From $29/month per user
- Pros: Healthcare-specific, seamless encryption, no portal for recipients, BAA included, compliance dashboard
- Cons: Not a marketing platform, per-user pricing, limited automation, not suitable for SaaS marketing use cases
Where Sequenzy Fits
Sequenzy is not a HIPAA-compliant email tool. It does not offer a BAA, and it should not be used to store patient data, segment on health conditions, or send any email that contains or implies PHI.
If you are a health tech company, Sequenzy can only be used as a separate non-PHI marketing layer. That means provider onboarding, product education, billing notices that contain no health information, and general newsletters are fine. Appointment reminders, patient-specific campaigns, condition-based segmentation, and any workflow that touches PHI are not.
For teams that want lifecycle email automation for non-clinical communication, Sequenzy can sit beside a HIPAA-compliant delivery tool. Keep the boundary strict: your HIPAA system handles PHI, and Sequenzy handles only non-PHI marketing.
- HIPAA status: Not HIPAA compliant
- BAA: Not available
- Safe use case: Non-PHI marketing only
- Unsafe use case: Any email, event, profile field, or segment that contains or reveals PHI
Comparison Table
| Feature | Amazon SES | Mailgun | SendGrid | Postmark | Paubox |
|---|---|---|---|---|---|
| BAA availability | Yes | Enterprise | Pro+ | Yes | Included |
| Marketing features | None | None | Basic | None | None |
| Automation | None | None | Basic | None | None |
| Encryption at rest | AWS KMS | Yes | Yes | Yes | Yes |
| TLS enforcement | Yes | Yes | Yes | Yes | Yes (with fallback) |
| Audit logging | CloudTrail | API logs | Activity feed | Yes | Dashboard |
| Transactional email | Yes | Yes | Yes | Yes | Yes |
| Starting price | $0.10/1K | Custom | Custom | $15/mo | $29/user/mo |
HIPAA Email Best Practices
Minimize PHI in Email
The safest approach is to avoid including PHI in email content altogether:
- Instead of: "Your blood test results show elevated glucose levels"
- Send: "Your test results are available. Log in to view them: [link]"
This approach means the email itself doesn't contain PHI, reducing compliance risk. The PHI stays in your HIPAA-compliant application. Even with HIPAA-compliant email infrastructure, minimizing PHI in email content reduces the blast radius of any potential breach.
Consider the email subject line too. "Your diabetes medication is ready" in a subject line is PHI. "You have a new message from [Provider Name]" is not. Subject lines are often displayed in notification previews on phones and smartwatches, making them particularly risky for PHI exposure.
Encryption Is Non-Negotiable
All email containing or potentially containing PHI must be encrypted in transit (TLS) and at rest. Most modern email platforms support TLS by default, but verify that your platform enforces it (doesn't fall back to unencrypted if TLS negotiation fails).
Ask your email vendor specifically: "What happens if the recipient's email server doesn't support TLS?" Some platforms fall back to unencrypted delivery. Others hold the email and notify you. For PHI, you want the latter behavior.
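The "hold rather than fall back" behaviour described above, written out as an added example (this is not code from the article or from any of the vendors it discusses). The sending step requires STARTTLS on the outbound SMTP hop and returns a "held" status instead of delivering in cleartext when the peer does not offer it or the upgrade fails. The connection object is duck-typed so that `smtplib.SMTP` fits it; the `FakeSmtp` class and the sample message are constructed here purely so the check can be exercised offline.

```python
"""Added example (not from the article): require STARTTLS on an SMTP hop and
hold the message instead of falling back to cleartext.

`deliver_requiring_tls` accepts any object with the smtplib.SMTP methods it
uses (ehlo, has_extn, starttls, send_message). `FakeSmtp` and
`sample_message` are constructed stand-ins for offline use.
"""
import smtplib
import ssl
from email.message import EmailMessage

HELD = "held"            # not delivered; queue it and alert, do not downgrade
DELIVERED = "delivered"  # sent only after TLS was negotiated


def deliver_requiring_tls(conn, message: EmailMessage, context=None) -> str:
    """Send `message` over `conn` only if STARTTLS is negotiated first.

    Returns DELIVERED on success and HELD when the peer does not advertise
    STARTTLS or the TLS upgrade fails. There is deliberately no cleartext path.
    """
    conn.ehlo()
    if not conn.has_extn("starttls"):
        return HELD
    try:
        conn.starttls(context=context or ssl.create_default_context())
    except (smtplib.SMTPException, ssl.SSLError, OSError):
        return HELD
    conn.ehlo()  # re-identify after the upgrade, as STARTTLS requires
    conn.send_message(message)
    return DELIVERED


def connect_and_deliver(host: str, message: EmailMessage, port: int = 587) -> str:
    """Real network path (not exercised offline): same rule over smtplib.SMTP."""
    with smtplib.SMTP(host, port, timeout=15) as conn:
        return deliver_requiring_tls(conn, message)


def sample_message() -> EmailMessage:
    """Constructed sample. Note the subject line carries no PHI."""
    msg = EmailMessage()
    msg["From"] = "notifications@clinic.example"
    msg["To"] = "patient@example.com"
    msg["Subject"] = "You have a new message from Example Clinic"
    msg.set_content("Log in to the portal to view it: https://portal.example/login")
    return msg


class FakeSmtp:
    """Constructed stand-in for smtplib.SMTP so the policy can be tested offline."""

    def __init__(self, offers_starttls: bool, upgrade_fails: bool = False):
        self._extensions = {"starttls"} if offers_starttls else set()
        self._upgrade_fails = upgrade_fails
        self.tls_active = False
        self.sent = []

    def ehlo(self):
        return 250, b"example.test"

    def has_extn(self, name: str) -> bool:
        return name.lower() in self._extensions

    def starttls(self, context=None):
        if self._upgrade_fails:
            raise smtplib.SMTPException("TLS negotiation failed")
        self.tls_active = True

    def send_message(self, msg: EmailMessage):
        if not self.tls_active:  # a cleartext send would be a policy breach
            raise RuntimeError("send attempted without TLS")
        self.sent.append(msg)


if __name__ == "__main__":
    msg = sample_message()
    print("peer without STARTTLS:", deliver_requiring_tls(FakeSmtp(False), msg))
    print("peer with STARTTLS:   ", deliver_requiring_tls(FakeSmtp(True), msg))
```

Held messages should go to a queue that a human or a retry job looks at, with an alert, because a persistent hold for one recipient domain usually means that domain cannot receive PHI by email at all. Hosted services expose the same choice as a setting rather than code; Amazon SES, for instance, lets a configuration set's TLS policy be set to require TLS instead of treating it as optional, and that setting is what to verify when asking the vendor question above.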
Separate Marketing and Clinical Email
Use different sending infrastructure for:
- Clinical/operational: Appointment reminders, test results, prescriptions (PHI involved)
- Marketing: Wellness tips, service promotions, newsletters (no PHI)
Marketing emails typically don't contain PHI and can use standard email platforms. Clinical emails require HIPAA-compliant infrastructure. By separating these streams, you can use a full-featured marketing platform for your wellness newsletter while keeping clinical communications on HIPAA-compliant infrastructure.
This separation also protects your sending reputation. If your marketing emails generate spam complaints (it happens), those complaints don't affect the deliverability of your clinical transactional email.
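The two rules above, "Minimize PHI in Email" and "Separate Marketing and Clinical Email", can be enforced in code rather than by convention. The following is an added example, not code from the article or from any of the platforms it reviews: template fields are classified as PHI or non-PHI (deny by default), PHI is never allowed in a subject line, and the non-PHI marketing stream refuses both PHI fields and segments that would reveal a condition. The field names, stream names, segment names and sample messages are assumptions constructed for this example.

```python
"""Added example (not from the article): a PHI boundary check for outbound email.

Field names, stream names, segment names and the sample messages below are
assumptions constructed for this example.
"""
import re
from dataclasses import dataclass

# Assumed classification. Any field NOT listed here is treated as PHI, so a
# newly added template field is denied until someone classifies it.
NON_PHI_FIELDS = frozenset({"first_name", "provider_name", "portal_link", "unsubscribe_link"})

# Assumed segment names that reveal nothing about a subscriber's health.
NON_PHI_SEGMENTS = frozenset({"all_subscribers", "wellness_interest"})

CLINICAL_STREAM = "hipaa_transactional"  # BAA-covered sender (assumed name)
MARKETING_STREAM = "marketing_non_phi"   # standard marketing tool, never PHI

PLACEHOLDER = re.compile(r"\{(\w+)\}")


class PhiBoundaryError(ValueError):
    """Raised when a message would put PHI somewhere it must not go."""


@dataclass(frozen=True)
class OutboundEmail:
    to: str
    subject: str              # template using {field} placeholders
    body: str
    fields: dict
    stream: str
    segment: str = "all_subscribers"


def phi_fields_in(template: str) -> set:
    """Placeholders in the template that are not classified as non-PHI."""
    return set(PLACEHOLDER.findall(template)) - NON_PHI_FIELDS


def validate(email: OutboundEmail) -> None:
    """Enforce the boundary rules; raise PhiBoundaryError on any breach."""
    # Rule 1: subject lines show up in lock-screen previews, so no PHI there,
    # whichever stream carries the message.
    leaked = phi_fields_in(email.subject)
    if leaked:
        raise PhiBoundaryError(f"PHI field(s) in subject line: {sorted(leaked)}")
    if email.stream == MARKETING_STREAM:
        # Rule 2: the marketing stream has no BAA, so no PHI in the body either.
        leaked = phi_fields_in(email.body)
        if leaked:
            raise PhiBoundaryError(f"PHI field(s) routed to marketing stream: {sorted(leaked)}")
        # Rule 3: a segment such as "patients with condition X" is itself PHI.
        if email.segment not in NON_PHI_SEGMENTS:
            raise PhiBoundaryError(f"segment {email.segment!r} may reveal PHI")
    elif email.stream != CLINICAL_STREAM:
        raise PhiBoundaryError(f"unknown stream {email.stream!r}")
    # Every placeholder must be supplied; a silently empty field hides mistakes.
    needed = set(PLACEHOLDER.findall(email.subject)) | set(PLACEHOLDER.findall(email.body))
    missing = needed - set(email.fields)
    if missing:
        raise PhiBoundaryError(f"missing template field(s): {sorted(missing)}")


def render(email: OutboundEmail) -> dict:
    """Validate, then produce the concrete message for the stream's sender."""
    validate(email)
    return {
        "to": email.to,
        "stream": email.stream,
        "subject": email.subject.format(**email.fields),
        "body": email.body.format(**email.fields),
    }


def results_available_notice(to: str, provider_name: str, portal_link: str) -> OutboundEmail:
    """The minimized pattern from the article: no result details, only a pointer
    into the application. It still goes to a specific patient, so it is sent
    through the BAA-covered stream."""
    return OutboundEmail(
        to=to,
        subject="You have a new message from {provider_name}",
        body="Your test results are available. Log in to view them: {portal_link}",
        fields={"provider_name": provider_name, "portal_link": portal_link},
        stream=CLINICAL_STREAM,
    )


if __name__ == "__main__":
    # Constructed sample values.
    print(render(results_available_notice("patient@example.com", "Example Clinic",
                                          "https://portal.example/login")))
    leaky = OutboundEmail(to="patient@example.com", subject="Your {diagnosis} results are in",
                          body="See attached.", fields={"diagnosis": "elevated glucose"},
                          stream=CLINICAL_STREAM)
    try:
        render(leaky)
    except PhiBoundaryError as exc:
        print("rejected:", exc)
```

The deny-by-default classification is the part that does the work: a developer who adds `{appointment_time}` to a template gets a rejection instead of a quiet leak, and the only way to ship it is to either route the message to the clinical stream or have the field explicitly classified. The same function can run as a CI check over stored templates, which catches subject-line mistakes before anything is sent.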
Document Everything
HIPAA compliance requires documentation of your email practices:
- What PHI is transmitted via email and the justification for it
- What safeguards are in place (encryption, access controls, audit logging)
- Which platforms have signed BAAs and when they were last reviewed
- How you handle breaches (your incident response plan)
- Staff training records (who was trained, when, on what)
- Risk assessments for your email program (conducted annually)
Access Controls and Audit Trails
Limit who on your team can access subscriber data in your email tool. Not everyone needs admin access. Configure role-based access so that:
- Marketing team members can create and send campaigns but not export subscriber data
- Compliance officers can view audit logs and run reports
- Administrators can manage team access and platform settings
- Developers can access APIs but not the marketing interface
Review access periodically. Remove access for employees who leave or change roles. Audit logs should capture who accessed what data and when, creating a trail you can present during compliance audits.
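The role split listed above, with the audit trail and periodic review the paragraph asks for, as an added example (not the article's code and not any vendor's permission model). Every authorization decision goes through one function that records who asked for what, when, and whether it was allowed, so the trail exists for denied attempts too; offboarded users fall through to a role with no permissions. The role and action names and the sample team are assumptions constructed for this example.

```python
"""Added example (not from the article): a deny-by-default role policy with an
audit trail for subscriber data in an email platform.

Role names, action names and the sample team are assumptions constructed for
this example; map them onto whatever permission model your platform exposes.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Action -> roles allowed to perform it. Any pair not listed here is denied.
POLICY = {
    "campaign.create":    frozenset({"marketer", "admin"}),
    "campaign.send":      frozenset({"marketer", "admin"}),
    "subscribers.export": frozenset({"admin"}),                  # marketers cannot export
    "audit.read":         frozenset({"compliance", "admin"}),
    "report.run":         frozenset({"compliance", "admin"}),
    "team.manage":        frozenset({"admin"}),
    "settings.manage":    frozenset({"admin"}),
    "api.call":           frozenset({"developer"}),
    "ui.login":           frozenset({"marketer", "compliance", "admin"}),  # not developers
}


@dataclass(frozen=True)
class AuditEvent:
    at: str          # ISO-8601 UTC timestamp
    actor: str
    role: str
    action: str
    resource: str
    allowed: bool


class AccessController:
    """Routes every decision through one path so that every decision is logged."""

    def __init__(self, users: dict):
        self._users = dict(users)   # user -> role
        self.audit = []             # append-only list of AuditEvent

    def authorize(self, actor: str, action: str, resource: str = "-") -> bool:
        role = self._users.get(actor, "none")   # offboarded or unknown users have no role
        allowed = role in POLICY.get(action, frozenset())
        self.audit.append(AuditEvent(datetime.now(timezone.utc).isoformat(),
                                     actor, role, action, resource, allowed))
        return allowed

    def revoke(self, actor: str) -> None:
        """Remove access for an employee who leaves or changes roles."""
        self._users.pop(actor, None)

    def users_to_offboard(self, active_employees) -> set:
        """Periodic access review: platform accounts with no matching active employee."""
        return set(self._users) - set(active_employees)

    def trail(self, actor=None, denied_only: bool = False) -> list:
        """Who accessed what and when, ready to present during a compliance audit."""
        return [e for e in self.audit
                if (actor is None or e.actor == actor) and (not denied_only or not e.allowed)]


if __name__ == "__main__":
    # Constructed sample team.
    ctl = AccessController({"maria": "marketer", "chris": "compliance",
                            "ada": "admin", "dev1": "developer"})
    ctl.authorize("maria", "campaign.send", "campaign:42")
    ctl.authorize("maria", "subscribers.export", "list:all")
    for event in ctl.trail(denied_only=True):
        print(f"{event.at} DENY {event.actor} ({event.role}) {event.action} {event.resource}")
    print("accounts with no active employee:", ctl.users_to_offboard({"maria", "chris", "ada"}))
```

Two details carry the practical value: the `subscribers.export` action is the one marketers are denied even though they can send, because a bulk export is the action most likely to move subscriber data outside the platform's controls; and `users_to_offboard` turns the "review access periodically" instruction into a comparison against the HR list that can be scheduled.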
Choosing Between Infrastructure and Platform
The biggest decision for healthcare email is whether you need:
1. Infrastructure only (SES, Mailgun, Postmark): Maximum control, minimum features. You build everything on top. Best for engineering teams with the resources to build and maintain email functionality.
2. Platform with BAA-backed marketing features (SendGrid and similar enterprise tools): Marketing features included. Less control over the underlying infrastructure, but faster time to value. Best for teams that need to run actual email programs, not just send transactional messages.
3. Healthcare-specific (Paubox): Purpose-built for healthcare, but not for marketing. Best for organizations whose primary concern is securing staff-to-patient email communication.
4. Separate non-PHI marketing layer (Sequenzy or another standard marketing platform): Useful only if it never stores PHI and never powers patient-specific email flows.
If you're a health tech SaaS company that needs lifecycle email automation, option 1 (infrastructure-only) will require building everything from scratch. Option 2 (platform with BAA-backed marketing features) gets you marketing capabilities under a BAA, which is usually the better trade-off unless you have very specific infrastructure requirements. If you use option 4, the operational rule is simple: keep PHI out entirely.
FAQ
Can I use Mailchimp for HIPAA-compliant email? Mailchimp does not sign BAAs and is not HIPAA-compliant. Using Mailchimp to send emails containing PHI is a HIPAA violation. You can use Mailchimp for marketing emails that contain zero PHI (wellness tips, general health announcements), but be very careful about subscriber segmentation. If your audience segments reveal health conditions (e.g., "diabetes patients"), that segmentation criteria is PHI and shouldn't be in Mailchimp.
Is Sequenzy HIPAA compliant? No. Sequenzy is not HIPAA compliant and does not offer a BAA. You can use it only for non-PHI marketing that is kept completely separate from patient data and PHI-triggered workflows.
Is email inherently non-compliant with HIPAA? No, but standard email (Gmail, Outlook without encryption) is not HIPAA-compliant for PHI. Email sent through HIPAA-eligible platforms with proper encryption and BAAs can be compliant. The key requirements are encryption (in transit and at rest), a signed BAA, access controls, and audit logging.
What's the penalty for sending PHI through a non-compliant email tool? HIPAA violations range from $100 to $50,000 per violation, up to $1.5 million per year for violations of the same provision. Willful neglect with no correction can result in criminal penalties including fines up to $250,000 and imprisonment up to 10 years. The OCR has increased enforcement in recent years, making violations more likely to be caught and prosecuted.
Do patient appointment reminders require HIPAA compliance? Yes. An appointment reminder reveals that the patient has an appointment with a healthcare provider, which is PHI. The email platform sending the reminder needs to be HIPAA-compliant with a signed BAA. Even a simple "You have an appointment tomorrow" email, when sent to a specific patient, constitutes PHI.
Can I use a marketing email tool for non-PHI healthcare marketing? Yes. General health tips, wellness content, service announcements, and newsletters that contain zero PHI can be sent through standard email platforms without HIPAA requirements. The key is ensuring no PHI is included in the content, subject line, or recipient targeting criteria. If your segment is "all subscribers" or "people interested in wellness," that's fine. If your segment is "patients with condition X," that's PHI.
What about email analytics and HIPAA? Email analytics (open rates, click rates) can create PHI if they reveal health-related behavior. For example, if you track that a patient clicked a link in an email about a specific condition, that click data is PHI. Ensure your analytics platform is covered under your BAA, and be thoughtful about what tracking reveals. Platforms with built-in analytics that operate under a BAA handle this cleanly.
How do I handle HIPAA compliance when using multiple email tools? If you use separate tools for transactional and marketing email, each tool that handles PHI needs its own BAA. Tools that never touch PHI (your marketing newsletter tool) don't need BAAs but should still follow good security practices. Document which tools handle PHI and which don't, and make sure your team knows the boundaries. Consider using a platform that handles both transactional and marketing email under a single BAA to simplify compliance.
Does HIPAA apply to health and wellness apps that aren't traditional healthcare? It depends on whether you qualify as a covered entity or business associate under HIPAA. Traditional healthcare providers, health plans, and healthcare clearinghouses are covered entities. If your app processes data on behalf of a covered entity, you're a business associate. Consumer health and wellness apps that don't work with covered entities may not be subject to HIPAA, but may be subject to FTC regulations on health data. When in doubt, consult a healthcare privacy attorney.