Is Gmail HIPAA Compliant? (3 Useful Points)

Gmail is not HIPAA compliant by default, but it can be configured to meet HIPAA standards in 2025. For healthcare providers, adhering to the Health Insurance Portability and Accountability Act (HIPAA) is essential to safeguard patient privacy, and this article shows what it takes to make Gmail HIPAA compliant in 2025.

With the increasing reliance on electronic transmission of sensitive patient records and personal data, ensuring secure email communication is a crucial step in building trust with patients and partners. Learn whether Gmail & Google Workspace can be HIPAA compliant, the steps required for compliance, and why free Gmail accounts cannot automatically meet HIPAA standards.

Isn’t All Email/Gmail Secure? No way!

Email in general is not secure. Most people don’t realize that there is no reliable way to know that the person receiving the email you sent is the person you intended. This is especially true in companies whose messaging system is controlled by an IT department. Often, companies have an email policy in place informing employees that they should expect no privacy when using the company’s email or Internet systems. So, people handling sensitive information, including discussions of diagnoses and treatments for patients, need to be aware that ordinary email carries no guarantee of privacy.

What does HIPAA Say about Business Email (Gmail)?

I’m summarizing here, but generally, HIPAA requires three things when it comes to email:

  1. Strong security: According to Section 164.314(a) of HIPAA, it is the responsibility of the healthcare provider to ensure that everyone involved in handling such confidential and personally identifying information complies with the safeguards established by HIPAA. Most providers meet this requirement by adding extra security around email, such as a secure email service, scanning outbound email for sensitive data, and keeping tight control over who is allowed to access email.
  2. Consent: The HIPAA Omnibus Final Rule released March 18, 2013 states that clients are allowed to authorize communications via email, but to do so the client must be informed of the risks of sending protected health information via email before they sign the authorization. Most firms have a consent form that clients must fill out before email can be used.
  3. Business Associate Agreement: Many healthcare providers use a third party (like Gmail, Microsoft, or their IT company) for email. HIPAA refers to these firms as “Business Associates.” Business Associates are required to sign an agreement stating that they will protect a patient’s confidential information to the same high standards required of the healthcare provider.

How does Gmail measure up to HIPAA compliance?

In case you don’t know, Gmail is an email service used by hundreds of millions of people worldwide. Many small businesses use it because it’s inexpensive, convenient, and offers some very good security features. While most people feel secure sending and receiving personal and confidential information through their Gmail accounts, let’s see how Gmail does against our three criteria. Is Gmail HIPAA compliant?

  1. Strong Security: Google arguably has some of the best security available in a hosted web service. Companies that take advantage of Google’s free two-factor authentication have strong protection against account takeover, and Google offers user activity logging and other security features that are much stronger than many competitors offer. Third-party services (reviewed in another article) are also available to add secure email and outbound email scanning, which make Gmail’s security top-notch.
  2. Consent: Since consent is something you’ll need to manage in your own office, it has no bearing on which email provider you choose.
  3. Business Associate Agreement: As of September 2013, Google has stepped up and agreed to sign a Business Associate Agreement stating that it will “implement physical, technical and administrative safeguards” to keep the information secure. The company states publicly that Gmail’s security and privacy practices already meet HIPAA requirements.

So is Gmail HIPAA Compliant?

The answer is yes! Gmail can be used as part of a HIPAA-compliant organization.

However, only the paid version (Google Workspace Gmail, not @gmail.com addresses) provides the features you need for HIPAA-compliant email. You will also probably need to add some extra services to be able to send and receive email safely.

You also need to consider how you plan to handle PHI. If you want to send PHI via email, then you either need to sign up for an additional secure email service (we found the best one in this article), or you need to get written consent from your patients.

Are there alternatives?

  • Microsoft 365: Google’s competitor, Microsoft, has also stated that it is willing to sign a Business Associate Agreement stating that Microsoft 365 will maintain the standards of HIPAA compliance. We’ve experimented with their service and find it comparable to Google in many respects, though slightly more complex.
  • Other Secure Email Providers: Lots of lesser-known companies offer email services that they claim are HIPAA compliant. A simple Google search for “HIPAA email provider” will pull up lots of ads. A note of caution here: simply using an email provider that claims to be “HIPAA compliant” does not suddenly make your practice HIPAA compliant. HIPAA compliance comes from holistic protection of sensitive data, not just secure email.
  • Use two email services: Some companies still use Gmail for their main email service, but then use a secondary, secure email service for communicating about lab results, diagnoses, or treatments. While we wouldn’t recommend that as a long-term solution (it’s much easier to accidentally email PHI/PII when bouncing back and forth between two services), it is something that could be implemented quickly as a short-term fix.

What About Mobile?

iPhones, Android devices, and tablets use various programs such as Google Apps to download email messages while users are out of the office. Gmail is pre-installed on most of those devices for the convenience of users. However, this convenience can lead to a breach of security under HIPAA, and such breaches must be reported, creating further liability and potential fines for violations. Be especially careful about giving employees access to email on mobile devices, especially if that email may contain PHI/PII.

Google Workspace subscriptions include a Mobile Device Management system that allows you to require screen locks or passwords, and to remotely remove confidential data from devices as needed.

Don't miss this part: BAA does not mean HIPAA compliance

But here’s a point that many private practice “influencers” miss: signing a BAA with Google does not by itself make your Gmail HIPAA compliant.

Seriously: Google CLEARLY says

“Customers are responsible for … ensuring that they use Google services in compliance with HIPAA.”

“PHI is allowed only in a subset of Google services.”

“These Google-covered services … must be configured by IT administrators to help ensure that PHI is properly protected.”

So yes, you CAN make Gmail HIPAA compliant, but it is not compliant right out of the box. You need to make sure your account is configured securely.

Copyright 2025 Adelia Associates, LLC | All Rights Reserved