HIPAA-compliant email providers to keep client messages and information secure. Find the best solution for your needs and budget with our detailed guide.
The first rule of earning your client’s trust is to keep their private medical information safe.
But just how secure is it to send client information using a regular Gmail account? Or even… via fax?
The truth is most practitioners may not even be aware that they have security gaps in their client communication. Most EHR software doesn’t offer secure email, and generic email providers (we’re looking at you, Gmail and Outlook!) aren't compliant out of the box.
As a result, customer communication can be exposed, and your practice could be at risk of breaching HIPAA.
The good news is that investing in the right HIPAA-compliant email provider can make your communications secure and keep your client’s trust.
This guide will discuss which email providers offer the best features and security for small practices without blowing your budget.
Let’s get started 👇
Out of all the different email providers on the market, only a select few are HIPAA-compliant out of the box.
Practitioners usually choose one of three options: a generic email service like Gmail, an add-on encryption tool, or a dedicated HIPAA-compliant email provider like Hushmail. Your choice will depend on your practice's needs, budget, and level of technical expertise.
However, deciding which option to pick is a minefield. Unless you choose a dedicated HIPAA-compliant email provider, be prepared to piece together (and pay for) different elements to stay compliant.
Many practices rely on Electronic Health Record (EHR) software to keep client information safe.
While these platforms store medical records and have secure messaging features, most can’t send a simple email. EHRs work if you are messaging an existing client, but emailing a new client or external organization can leave gaps in your security.
This means there are some huge flaws if you rely on this software as your only tool for client communication.
If a potential client fills out a form on your website or contacts you over email, these messages will happen outside the EHR software and (most likely) won’t be secure. Most EHR tools can’t securely send emails to external organizations like managed care organizations, relying on secure messaging instead. And if you switch over to email to send information externally, it can expose your client’s protected health information (PHI) if your inbox isn’t HIPAA compliant.
What is Protected Health Information (PHI)?
PHI is information that relates to:
EHR platforms have some benefits, but at the end of the day, email offers more flexibility, makes it easier to communicate with everyone, and makes it easier to start your clinician-client relationship on the right foot.
So, what are your options if you want to stay HIPAA-compliant? 🤔
Let’s dig a little deeper into generic email services, add-ons, and dedicated HIPAA-compliant email providers.
Most practitioners will think of a tool like Gmail or Outlook to get started with client email.
It’s easy to see why. Many of us already use Gmail or Outlook for personal emails, so why not for client communication as well?
There are some advantages. There's no need to learn how to use Gmail, and if you already use Google Drive or Calendar, it's easy to integrate them.
But there are also cons to trusting a generic email service like Gmail or Outlook with confidential information.
To start with, these tools are not HIPAA compliant out of the box. To make a service like Gmail HIPAA compliant, you need to upgrade to a paid plan (and jump through a lot of hoops).
Unfortunately, even after you’ve upgraded to a paid plan, you may still need to buy one more thing… encryption.
What is encryption?
Encryption is a method used to make information unreadable to anyone other than the intended recipients.
Strictly speaking, encryption is not required by HIPAA in all circumstances.
However, HIPAA considers it an “addressable” requirement, which in layman's terms means:
This is why nearly all healthcare professionals conclude they need email encryption.
Bear in mind that failing to manage risks and safeguard protected health information is a HIPAA violation.
Let's take a closer look at some general email options 👇
Gmail isn’t HIPAA compliant, but with some changes, you can make client communication safer.
Unfortunately, Gmail doesn't always encrypt emails while they're on the move from your inbox to your client's inbox. And once your client gets the email, there's no guarantee it's encrypted unless they also use Gmail.
Hushmail customer Dr. Karyetta Walker, LCMHC, was a Gmail user but felt uncomfortable sending sensitive information from her account.
You can make Gmail HIPAA compliant, but:
However, once it's up and running, it has some additional features to keep emails secure, like the ability to manage and restrict access to different employees. In large healthcare organizations with a lot of staff, these features can be useful, but for small practices, they are not really necessary.
Be warned—Google says third-party applications and add-ons are not covered under their Business Associate Agreement (BAA). So if you’re not confident about setting up Google Workspace yourself or you are worried about what’s involved, it’s easier to go with a dedicated HIPAA-compliant email provider.
The cheapest Google Workspace plan starts at $7.20/user/month when billed monthly (or $6/user/month when paid annually). But to ensure every email is secure, you’ll probably want to add a dedicated encryption service—this is when the monthly price skyrockets.
GoDaddy is used by millions of people to buy and manage their websites.
But it also offers HIPAA-compliant email that can be set up quickly to start communicating with clients. Thanks to their HIPAA-compliant plan, you can buy a GoDaddy and Microsoft 365 bundle that encrypts emails and also comes with a BAA.
GoDaddy offers a large discount on your first year, but even at this price, this turns out to be a very expensive option for a small healthcare practice.
Microsoft Outlook can be HIPAA compliant—if you set it up right.
It takes a lot of work, and you must upgrade to the paid version. Microsoft has created a (really technical) guide to help you with this process, but it's not for the faint-hearted.
Setting this up makes your Microsoft inbox HIPAA-compliant. However, there are some practices Microsoft recommends to stay covered by its BAA, like setting up 2-factor authentication (2FA) and email encryption.
Microsoft offers a free trial to its paid account so you can take it for a 30-day test drive and see if it’s a good fit. But for practitioners looking for a HIPAA-compliant email provider, there are other tools better suited than Microsoft 365.
Microsoft 365 has cheaper plans, like Business Basic and Business Standard, but they don’t have all the features needed to support your HIPAA compliance, such as encryption, an archive, and a BAA. To unlock these, you need to pay for the Business Premium plan, which starts at a whopping $22/user/month (with an annual commitment)!
As we explained earlier, even if your practice has invested in a paid email service like Google Workspace or Microsoft 365, you may still lack one important feature that helps support your HIPAA compliance: encryption.
Email providers don't always encrypt emails when they move from your inbox to your client's or when they are sitting in your inbox. This is why most practitioners conclude they should buy an add-on encryption service to be safe. Make sure you crunch the numbers and decide if adding one to Gmail or Outlook is the best move for your budget and if it ticks all the boxes to keep you HIPAA compliant.
Nice to know
Encryption? BAA? HIPAA? We know, it’s a lot. This guide to HIPAA-compliant email will help you learn these terms.
Here are two add-ons 👇
Virtru can turn a Google Workspace or Microsoft 365 inbox into a secure place to send emails to clients.
Thanks to encryption, Virtru fills the gaps left by Google Workspace and Microsoft 365 to help you stay HIPAA compliant. Just look at its settings to give you more control over messages with clients. If you send them private information, you can set the email to “expire” after a set time or date. There is also the option to immediately revoke access to email content, for example, if you send information to the wrong person or include certain medical details by mistake.
So, what’s the problem? It’s simple—have you seen that price tag? 😳
Although Virtru is a popular tool to protect Google Workspace and Microsoft 365 inboxes, it’s not a great choice for small practices and solo practitioners.
The cheapest plan costs $87/month for five users, and you have to pay for a year upfront. Even if you are a solo practitioner, you still have to pay for the five-user plan—there's no way to reduce the cost. Add on the extra cost of Google Workspace or Microsoft 365, and you are easily looking at $100/month just to send secure emails to clients!
Paubox is another purpose-built encryption add-on for Google Workspace and Microsoft 365.
It has many security features, including encryption, and it is HIPAA-compliant out of the box, without any tweaks. But unlike some other options on our list, you must already have a domain set up to use Paubox.
What is a domain?
The domain is the part of your email address after the @ symbol.
Imagine you’re a social worker using the website: watsonsocialwork.com. If you own the domain, you can create a professional-looking email address and increase trust with clients.
So instead of firstname.lastname@example.org, you could be email@example.com.
The downside of having a custom domain is that you need to pay a few dollars extra for it every year. However, if you’re with Hushmail, you can use domains like @therapysecure.com, @counselingmail.com, and a few others for free.
Paubox’s extra layer of security will cost you—a lot—and you must pay for an annual plan upfront which is a big expense for a small practice.
Like Virtru, Paubox isn’t cheap. The basic plan is $29/month for five users, but once again, you must pay this rate even if only one or two people in your practice need email.
A solo practitioner will pay at least $35/mo if they use Google Workspace + Paubox or $51/mo for Microsoft 365 + Paubox. Keep in mind that these prices are just with Paubox’s basic package.
If you don’t want the hassle of generic email inboxes and expensive add-ons, there are HIPAA-compliant email providers made specifically for healthcare practitioners to keep client communication secure 👇
Dedicated HIPAA-compliant email providers are the easiest choice to protect client communication.
These providers allow practitioners to message clients and securely send PHI to medical billers, insurers, and other practitioners. Out of all the options on our list, we believe dedicated HIPAA-compliant email providers are the simplest to set up and the easiest to use for a small healthcare practice.
Here are the best choices for a dedicated HIPAA-compliant email tool 👇
Hushmail is a purpose-built HIPAA-compliant email provider for healthcare practitioners. It's the most affordable option for practitioners who want a HIPAA-compliant email provider but don't want to pay for add-ons and piece together various tools to keep customer emails secure.
The all-in-one solution has features like encrypted email and secure forms built for healthcare practitioners. Hushmail can secure every message as well as information on your practice forms, like your intake form or your contact form in your Psychology Today profile.
It also includes HIPAA requirements like a Business Associate Agreement (BAA) and email archiving out of the box. Finally, it also offers hands-on customer support including setup, onboarding, and ongoing assistance over the phone, email, and chat!
Hushmail has kept its pricing simple.
Plans start at $11.99/mo for solo practitioners. If you need more email accounts, plans for small practices start at $24.99/mo—one of the most affordable options on our list for solo practitioners and small practices!
Aspida’s selling point is the tool “takes the headache out of HIPAA”.
It ticks all the boxes recommended for HIPAA compliance, like a BAA and encrypted email. It also integrates with many platforms practitioners may already be using, like Microsoft Outlook, Google Apps for Business, and Apple Mail.
The problem is the interface feels like it was built for a software engineer or programmer. Add in the technical jargon all over the Aspida website, and it’s not the best choice for modern practitioners who want to focus on their clients—not a software manual.
Aspida Mail starts at $10/month for the platform’s basic package. This includes one @aspidamail.net email address. The Aspida Mail + plan allows you to use your own email domain but starts at $15/month and $10 per additional address.
Choosing the right HIPAA-compliant email service is tricky.
You need to pick a tool that covers everything required by HIPAA. But it’s also important that the email provider is affordable and easy to use. Most email providers fail at least one of these tests because they're too complex or don't fully secure client data without expensive add-ons, as you can see from our breakdown 👇
A comparison of 7 HIPAA-compliant email providers (last updated: March 2023)

| | Hushmail for Healthcare | Google Workspace | Microsoft 365 | Paubox | Virtru | GoDaddy | Aspida |
|---|---|---|---|---|---|---|---|
| Basic email encryption | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Dedicated to healthcare | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ |
| Aimed at small practices¹ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Monthly payment option | ✅ | ✅ | ✅ | ❌ | ❌ | ✅ | ✅ |
| Plan for single user | ✅ | ✅ | ✅ | ❌ | ❌ | ✅ | ✅ |
| Price for single user | $11.99/mo | $7.20/mo | $22/mo | $29/mo | $87/mo | $16.99/mo (renews at $25.97) | $15/mo (using your domain) |
| Price for five users | $24.99/mo | $36/mo | $110/mo | $29/mo | $87/mo | $84.95/mo (renews at $129.85) | $55/mo (using your domain) |

¹ We based this on a combination of factors, including testimonials, website language, and pricing.
Make sure you really do your homework on what each email provider promises before paying for a plan. To ensure the tool ticks all the right boxes for you, ask questions like:
To make your decision easier, we’ve put together a simple checklist you can use to guide you on which email provider is the best fit for your practice. Just fill out the form below to get your hands on it 👇
[Checklist]: What to look out for when evaluating HIPAA-compliant email services for your practice
There is only one solution that ticks all the boxes for HIPAA-compliant email: Hushmail for Healthcare. It offers total security and peace of mind when you communicate with clients. Don’t take our word for it—sign up here!