It might be okay to check a compliance box for a business, but not for anything you want to keep secure from governments or possible bad guys. You have to place a lot of trust in their service.
They advertise encrypted email, but it's their encryption. Users have no control of keys or encryption. It uses question/answer to send encrypted email to non-Hushmail users.
And then there's this: "Encrypted E-Mail Company Hushmail Spills to Feds"
Hushmail, a longtime provider of encrypted web-based email, markets itself by saying that "not even a Hushmail employee with access to our servers can read your encrypted e-mail, since each message is uniquely encoded before it leaves your computer." But it turns out that statement seems not to apply to individuals targeted by government agencies that are able to convince a Canadian court to serve a court order on the company.
That was 2007, but it should still be a concern for obvious reasons:
No PGP, they keep the keys, and they're in a 5 Eyes country - no, no and no thanks.