
Is Gmail HIPAA Compliant?

Many health care providers are required to adhere to the Health Insurance Portability and Accountability Act (HIPAA), but is Gmail HIPAA-compliant? HIPAA was designed to keep a patient's protected health information (PHI), which is health information tied to identifying details such as a name, date of birth or Social Security number, from being disclosed to anyone who is not authorized to see it. As more clinicians electronically transmit patient records and other personal information to specialists and medical facilities, it is imperative that email carrying that information is secure. This article explains what HIPAA expects of email, how Gmail measures up, and how you can send HIPAA-compliant email.

Isn’t Email Secure? No way!

Email in general is not secure. A standard email message travels as plain text unless both ends take extra steps to encrypt it, so it can be read or copied at any mail server along the way, and nothing in ordinary email verifies that the sender is who the "From" line claims or that only the intended recipient can read what you sent. This is especially so in companies whose messaging system is controlled by an IT department: administrators can read stored mail, and companies often have an email policy informing employees that they should expect no privacy when using the company's email or Internet systems. So those handling sensitive information, including discussions of diagnoses and treatments for patients, need to be aware that general email offers no guarantee of privacy.

What does HIPAA Say about Email?

I'm summarizing here, but generally HIPAA requires three things when it comes to email:

  • Strong security: Under 45 CFR § 164.314(a) of the HIPAA Security Rule, it is the responsibility of the health care provider to ensure that everyone involved in handling confidential, personally identifying health information complies with the safeguards established by HIPAA. Most providers meet this requirement by adding extra controls around email: encrypted (secure) email, scanning outbound messages for sensitive data before they leave, and tight control over who is allowed to access the email system.
  • Consent: The HIPAA Omnibus Final Rule (published January 2013, effective March 26, 2013) allows patients to authorize communications via ordinary email, but the patient must first be informed of the risks of sending protected health information via email and then sign an authorization. Most practices have a consent form that patients must complete before email can be used.
  • Business Associate Agreement: Many health care providers use a third party (such as Google, Microsoft, or their IT company) for email. HIPAA refers to these firms as "Business Associates." A Business Associate is required to sign an agreement stating that it will protect a patient's confidential information to the same high standards required of the health care provider.
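The "scanning outbound emails for sensitive data" control mentioned under Strong security is easy to describe and easy to get wrong, so here is an added example (not code from this article, from Google, or from any vendor's product) of what such a check looks like in practice. It parses an outbound message with Python's standard library, looks for common PHI indicators (Social Security number, medical record number, date of birth, clinical vocabulary) in the subject and text body, and decides whether the message may go out as ordinary email, must be forced through a secure-email gateway, or should be blocked. The allowlist of domains covered by a BAA or secure gateway, the regular expressions, and the sample messages are all constructed assumptions for the demonstration.

```python
"""Minimal outbound PHI scan (data-loss-prevention style). Added example."""
import re
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

# Assumption: recipient domains covered by a BAA or a secure-email gateway.
SECURE_DOMAINS = {"example-clinic.com", "lab.example-hospital.org"}

# Indicators that a message contains PHI. Deliberately conservative patterns;
# a real deployment tunes these against its own false positives.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]+\d{1,2}/\d{1,2}/\d{2,4}\b",
                      re.IGNORECASE),
    "clinical": re.compile(
        r"\b(?:diagnos(?:is|ed)|lab results?|prescri(?:bed|ption)|ICD-?10)\b",
        re.IGNORECASE),
}


def _text_parts(msg: Message) -> str:
    """Concatenate the Subject header and every text/plain part."""
    chunks = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def _recipients(msg: Message) -> list:
    """All To/Cc/Bcc addresses, lower-cased, without display names."""
    headers = [v for v in (msg.get(h) for h in ("To", "Cc", "Bcc")) if v]
    return [addr.lower() for _, addr in getaddresses(headers) if addr]


def scan_outbound(raw_message: str) -> dict:
    """Classify an outbound RFC 5322 message.

    decision: "allow"        no PHI, or PHI only to covered recipients
              "route-secure" clinical content to an uncovered recipient
              "block"        direct identifier (SSN/MRN) to an uncovered recipient
    """
    msg = message_from_string(raw_message)
    text = _text_parts(msg)
    phi = sorted(name for name, pat in PHI_PATTERNS.items() if pat.search(text))
    external = [r for r in _recipients(msg) if r.split("@")[-1] not in SECURE_DOMAINS]

    if not phi or not external:
        decision = "allow"
    elif "ssn" in phi or "mrn" in phi:
        decision = "block"
    else:
        decision = "route-secure"
    return {"decision": decision, "phi": phi, "external": external}


# Constructed sample messages so the block runs stand-alone.
APPOINTMENT = """From: frontdesk@example-clinic.com
To: patient@gmail.com
Subject: Appointment reminder

Hi, this is a reminder of your appointment on Tuesday at 3pm.
"""
LAB_TO_PARTNER = """From: dr.smith@example-clinic.com
To: results@lab.example-hospital.org
Subject: Lab results for MRN 00123456

Please see attached lab results; DOB: 04/12/1975.
"""
RX_TO_PATIENT = """From: dr.smith@example-clinic.com
To: patient@gmail.com
Subject: Pharmacy

Your prescription has been sent to the pharmacy.
"""
LAB_TO_PATIENT = """From: dr.smith@example-clinic.com
To: patient@gmail.com
Cc: billing@example-clinic.com
Subject: Your diagnosis

Your lab results are back and the diagnosis is confirmed. SSN 123-45-6789 on file.
"""

if __name__ == "__main__":
    for name, sample in [("appointment", APPOINTMENT), ("lab_to_partner", LAB_TO_PARTNER),
                         ("rx_to_patient", RX_TO_PATIENT), ("lab_to_patient", LAB_TO_PATIENT)]:
        print(name, scan_outbound(sample))
```

The design point is that the decision depends on two things at once, what is in the message and who will receive it: the same lab result is fine going to a partner lab under a BAA and must not leave as plain email to a patient's personal webmail. Attachments are not inspected here; a production gateway would have to extract text from PDFs and images as well, which is where most accidental PHI leaks hide.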

How does Gmail measure up with HIPAA compliance?

In case you don’t know, Gmail is a service used for email by hundreds of millions of people worldwide. Many small businesses use it for email because it’s inexpensive, convenient, and offers some very nice security features. While most people feel secure sending and receiving personal and confidential information via their Gmail accounts, let’s see how Gmail does against our three criteria:

    • Strong Security: Google arguably has some of the best security available in a hosted web service. Organizations that turn on Google's free two-factor authentication greatly reduce the risk of an account being taken over with a stolen or guessed password, and Google offers audit logging and other administrative security features that are stronger than many competitors'. Third-party services (reviewed in another article) can add encrypted email and outbound email scanning, which round out Gmail's security.
    • Consent: Since this is something you manage in your own office, it has no bearing on which email provider you choose.
    • Business Associate Agreement: As of September 2013, Google has stepped up and will sign a Business Associate Agreement stating that it will "implement physical, technical and administrative safeguards" to keep the information secure. The company states publicly that its security and privacy practices support HIPAA compliance.

So is Gmail HIPAA Compliant?

As of September 2013, the answer is that, yes, Gmail can be used as part of a HIPAA-compliant organization!

However, only the paid business version (Google Apps at the time of writing) is eligible for a Business Associate Agreement and provides the administrative features you need for HIPAA-compliant email; free consumer @gmail.com accounts do not qualify. You will also probably need to add some extra services to send and receive PHI safely.

Want to learn how to make Gmail HIPAA compliant? Get the free guide.

You also need to consider how you plan to handle PHI. If you want to send PHI via email, then you either need to sign up for an additional secure (encrypted) email service, or you need to get written consent from your patients acknowledging the risks of ordinary email (our free "17-Step Guide on Gmail and HIPAA Compliance" shows how to do this).

Are there alternatives?

  • Office 365: Google's competitor, Microsoft, has also stated that it will sign a Business Associate Agreement covering its Office 365 service. We've experimented with the service and find it comparable to Google in many respects, though slightly more complex to administer.
  • Other Secure Email Providers: lots of lesser known companies offer email services that they claim are HIPAA compliant. A simple Google search for “hipaa email provider” will pull up lots of ads. A note of caution here — simply using an email provider that claims to be “HIPAA compliant” does not suddenly make your practice HIPAA compliant. HIPAA compliance comes from holistic protection of sensitive data, not just secure email.
  • Use two email services: some companies still use Gmail for their main email service, but then use a secondary, secure email service for communicating about lab results, diagnoses, or treatments. While we wouldn’t recommend that as a long term solution (it’s much easier to accidentally email PHI/PII when bouncing back and forth), this is something that could be implemented quickly as a short-term fix.

What About Mobile?

iPhones, Android devices, and tablets use mail apps (the Gmail app or the device's built-in mail client) to download and cache email messages while staff are out of the office, and Gmail is pre-configured on most of those devices for the convenience of users. The convenience has a cost: a phone or tablet that holds PHI in its mail cache and is lost, stolen, or unlocked by someone else is a reportable breach under HIPAA unless the device and its data were encrypted, with the notification duties, liability, and potential fines that follow. Be especially careful about giving employees mobile access to email that may contain PHI/PII, and require device passcodes, encryption, and remote wipe before you do.

What should you do next?

  1. Get our free “17-Step Guide on Gmail and HIPAA Compliance” to learn more about keeping your email safe.
Published October 2nd, 2018 (last updated 2018-11-07) | Email Cyber Security, HIPAA | 10 Comments


  1. Heather Nelson December 17, 2015 at 4:43 pm

    I searched and searched for a truly helpful security website related to HIPAA and medical offices, well, mental health practice in my case. I’m a Quality & Compliance Specialist full-time and have a private practice part-time.

    Simply, thank you for your hard and valuable work. I look forward to following your website.

    One question: Are there any particularly important articles or even products you offer for mental health practices?


    Heather Nelson MA, LPC, NCC

    • Josh Ablett January 8, 2016 at 11:13 am

      Hi Heather – great question. Mental health practices really aren’t any different from any other medical practices from a cyber security perspective, so all of the information on this site (and on others) should be equally relevant! Thanks, Josh

  2. Vijayeta February 26, 2016 at 12:57 pm

    Great Article!

    One question – in order to be HIPAA compliant, don't the patient and the provider have to be on a HIPAA-compliant system?


    • Josh Ablett April 26, 2016 at 10:28 am

      Hi Vijayeta – thanks for asking this! Unfortunately, HIPAA compliance isn’t that simple. The “system” doesn’t matter as much as the steps you take to make sure healthcare data isn’t seen by anyone else. In the case of email, you shouldn’t send any medical information via email unless you’re using a secure email system. If you limit your emails to topics like appointments and calendars, you should be fine.

  3. Hina Qureshi February 26, 2016 at 2:56 pm

    I just found this in the Google business user agreement. The last line says the customer is solely responsible for HIPAA compliance. Please clarify this?

    2.6 Restrictions on Use. Unless Google specifically agrees in writing, Customer will not, and will use commercially reasonable efforts to make sure a third party does not: (a) sell, resell, lease or the functional equivalent, the Services to a third party (unless expressly authorized in this Agreement); (b) attempt to reverse engineer the Services or any component; (c) attempt to create a substitute or similar service through use of, or access to, the Services; (d) use the Services for High Risk Activities; or (e) use the Services to store or transfer any Customer Data that is controlled for export under Export Control Laws. Customer is solely responsible for any applicable compliance with HIPAA.

    • Josh Ablett April 26, 2016 at 10:31 am

      Hi Hina — that’s 100% true! Google isn’t going to indemnify you against all of the things you might do to compromise HIPAA, like email diagnoses to the wrong person, have your email password compromised, or have your laptop stolen. That’s on you, not them. All they’ll do is make sure their email service is secure against attackers. HIPAA compliance is 100% your responsibility. Hope that helps, might be good to contact an attorney if you have questions about where your liability starts and ends.

  4. Aminah Fuqua February 29, 2016 at 7:52 pm

    How do we buy the paid version so our email can be secured?

  5. REBECCA THACKER April 16, 2016 at 10:58 pm

    How do I obtain a Google BAA for Gmail, video chatting, etc.?
