It is frustrating to know that we can digitally sign and encrypt messages but don't because "it's too hard for normal people".

With HIPAA, is it not possible to simply encrypt the message? The "forgot password" flow for their message center is probably email anyway.

I can upload my public key to SourceHut and all email from them becomes signed and encrypted. It's a one-time process to generate long-lived keys and another to set up with SourceHut and that's all I need to do.