
Is Gmail HIPAA compliant? Potentially…

Want to use Gmail in your private practice? Follow our 4-step guide to see how to make Gmail HIPAA compliant, and why an alternative may be better for you...
Is Gmail HIPAA compliant?

Estimated reading time: 8 minutes


TL;DR: Gmail is not HIPAA compliant out of the box. To make it compliant, you must upgrade to a paid Google Workspace account, find and sign a Business Associate Agreement (BAA) with Google, implement third-party encryption, and follow Google's specific implementation guide.

If you prefer a simpler option, you can keep using Gmail for everyday communication and use Hushmail to send secure messages and forms.

If you already use Gmail for your practice, you might be wondering: Is it HIPAA compliant?

You like using Gmail because:

  • You're familiar with it
  • It's useful to have Google's other apps tightly integrated
  • It feels simple and easy to manage

The short answer: you can make Gmail HIPAA compliant, and this article will show you how.

But be warned: just because it's possible doesn't mean it's ideal.

  • You'll need to pay for Google's business plan, known as Google Workspace
  • You still need third-party encryption to help you secure your emails
  • Setup won't be easy, and Google's support options are limited in case you get stuck

The good news is, if you like using Gmail, you don't need to replace it.

Many healthcare professionals keep Gmail for everyday communication and use Hushmail for secure messages or forms.

This gives you a simpler way to protect sensitive information, without changing the tools you already rely on.

But if you still want to learn how to make Gmail HIPAA-compliant, let's dive in!

How to make Gmail HIPAA compliant – A step-by-step guide

These are the 4 steps you'll need to follow. While the process isn't easy, we'll guide you using screenshots and simple explanations.

Steps to make Gmail HIPAA compliant

Step 1: Sign up for Google Workspace

You're probably used to Gmail – Google's free version of email for personal use.

However, regular Gmail isn't HIPAA compliant.

Instead, you'll need to sign up and pay for Google's business plan, Google Workspace (formerly G Suite).

Here's how:

1. Click here to go to Google Workspace and click "Get started" in the top corner

Google Workspace - Get started

2. Fill in your business name and number of employees (if any)

Google Workspace business details

3. Enter your name and current email address

Google Workspace Personal Details

4. Now you'll need to choose whether you own a "domain"

Google Workspace Domain Choice

What is a domain? The domain is the part of your email address after the @ symbol.

Domain explanation

Imagine you're a social worker using the website: watsonsocialwork.com. If you own the domain, you can create a professional-looking email address and increase trust with clients.

So instead of matthew.watson.lcsw@gmail.com, you could be matthew@watsonsocialwork.com.

The downside of having a custom domain is that you need to pay a few dollars extra each year. 

4a. If you do have a domain name…

Then click "Yes, I have one I can use". Google will ask you to enter it and verify you own it later. Google provides instructions for linking your domain to Google Workspace; you can follow them here.

4b. If you don't have a domain…

Then click "No, I need one" and Google will help you to search for and buy one. Most domain names will cost you between $12 and $60/year.

Google Workspace Domain Search

5. Create a username and password

Put your username as the email address you want to use. Then create a password for it.

To strengthen your password, we advise using a random set of memorable words. You might consider a phrase with a specific meaning to you, or about a family member, hobby, or personal belief.

For example: "chess is very hard" or "anna goes to nursery".

Google Workspace Account

After you're done, you'll be redirected to the login screen. Sign in using the username and password you just created, and get ready to choose a plan!

Which Google Workspace plan is HIPAA compliant?

Unlike personal Gmail accounts, any of Google's Workspace plans have the potential to be HIPAA compliant. Most of the features on the higher-priced plans are aimed at large enterprises. So if you're a small or medium-sized private practice, you can choose the Business Starter plan.

Google Workspace Plans

Step 2: Sign a BAA with Google for Gmail

As you will send and receive Protected Health Information (PHI), you need to sign a legal document known as a Business Associate Agreement (BAA). This agreement requires your email provider to comply with HIPAA and to keep your client information secure. The good news is:

  • These agreements can usually be signed electronically in a few clicks
  • The email provider should draft the agreement for you, so there are no lawyer fees

Important to know: Most healthcare professionals must have a BAA. But strictly speaking, it depends on whether HIPAA applies to you based on your profession and whether you bill insurance. If you're unsure, read our article to find out if you need a BAA.

This being said, getting a BAA is useful – even if you don't fall under HIPAA. A BAA will set responsibilities on your email provider and help to satisfy your own professional responsibility to your clients.

Here's how you sign a BAA for Google Workspace:

1. Click here and log in to Google’s Admin Panel

Google Admin Console

2. On the menu bar, go to Account > Account settings

Google Admin Settings

3. Scroll to the bottom of the page. Then click on the “Legal and compliance” box.

Google Workspace HIPAA Compliance

4. Click on "Not accepted" under "Google Workspace/Cloud Identity HIPAA Business Associate Amendment"

Google BAA not accepted

5. Then click on "Review and accept."

Google BAA review and accept

6. A pop-up should appear with 3 questions. Provide a yes/no answer to each of them.

Google HIPAA questionnaire

Note: If you're unsure what a "Covered Entity" is, or if you are one, then check our BAA guide first.

7. Review and accept the BAA agreement

Google HIPAA BAA

After clicking "I Accept", you've signed the BAA!

Step 3: Add third-party encryption to Gmail

Unfortunately, even after you've paid for a domain and Google Workspace, you may still need to buy one more thing… encryption. Gmail does not always protect sensitive information in a way that meets HIPAA requirements, especially once messages reach your client’s inbox.

What is encryption? Encryption is a method used to make information unreadable to anyone other than the intended recipients.

Computers do this by scrambling the information into a secret code while only telling the recipient how to decode it. This means that if anyone else gets hold of the information while it's encrypted, it won't make any sense to them.

If you want to understand how messages are protected while they're sent and after delivery, you can read more in our Is sending email securely enough? blog post.

Strictly speaking, encryption is not required by HIPAA in all circumstances.

However, HIPAA considers it an "addressable" requirement, which in layperson's terms means:

  • If it's reasonable to use encryption, you should do so or carefully document why you haven't
  • You should consider the risks of not using encryption and how you would otherwise balance those risks

This is why most healthcare professionals will conclude they need email encryption.

Bear in mind that failing to manage risks and safeguard protected health information is a HIPAA violation.

And falling foul of HIPAA could mean:

  • Facing a HIPAA complaint with potential fines of up to $70,000 per violation
  • Triggering a lengthy HIPAA audit
  • Having your practice become subject to oversight from Health & Human Services
  • Losing your reputation and struggling to attract new clients

Now here's the problem…

Gmail doesn't always encrypt emails while they're on the move from your inbox to your client's inbox.

Some email providers, like Hushmail, take a different approach. Instead of sending sensitive information in a regular email, the message is accessed through a secure link. (Don't worry, we'll explain more about what this is later).

This means sensitive information doesn't sit exposed in the recipient's inbox, which is what can happen when it is sent in the body of a regular email.
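Whether a given message was encrypted on the move is recorded, hop by hop, in its Received headers: a hop that used TLS is logged as "with ESMTPS" (or ESMTPSA), and some mail servers, Google's included, append a "version=TLS…" note. The following added example (not code from the article or from Hushmail) parses those headers from a raw message and lists the hops that did not record TLS. The sample message is constructed for the example; the host names and IP addresses in it are placeholders.

```python
import email
import re
from email import policy

# Constructed sample: two hops, the second one (the first hop chronologically)
# delivered without TLS. Received headers are listed most-recent first.
SAMPLE_MESSAGE = """Received: from mx.example-practice.test (mx.example-practice.test [192.0.2.10])
        by mail.client-provider.test with ESMTPS id abc123
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);
        Mon, 06 Apr 2026 10:00:00 +0000
Received: from laptop.example-practice.test (unknown [198.51.100.7])
        by mx.example-practice.test with ESMTP id def456;
        Mon, 06 Apr 2026 09:59:58 +0000
From: matthew@watsonsocialwork.com
To: client@client-provider.test
Subject: Appointment reminder

See you Tuesday.
"""

# Protocol keywords that RFC 3848 defines as "over TLS".
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

def transport_hops(raw_message: str) -> list[dict]:
    """Return one record per Received header: sending host, receiving host,
    the protocol keyword after 'with', and whether that hop recorded TLS."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(str(value).split())  # unfold the header onto one line
        from_m = re.match(r"from\s+(\S+)", text)
        by_m = re.search(r"\bby\s+(\S+)", text)
        with_m = re.search(r"\bwith\s+([A-Za-z0-9]+)", text)
        protocol = with_m.group(1).upper() if with_m else ""
        tls = protocol in TLS_PROTOCOLS or "version=TLS" in text
        hops.append({
            "from": from_m.group(1) if from_m else "",
            "by": by_m.group(1) if by_m else "",
            "protocol": protocol,
            "tls": tls,
        })
    return hops

def unencrypted_hops(raw_message: str) -> list[str]:
    """Sending hosts of the hops that did not record TLS."""
    return [h["from"] for h in transport_hops(raw_message) if not h["tls"]]

if __name__ == "__main__":
    for hop in transport_hops(SAMPLE_MESSAGE):
        status = "TLS" if hop["tls"] else "NO TLS"
        print(f"{hop['from']} -> {hop['by']} ({hop['protocol']}): {status}")
    print("hops without TLS:", unencrypted_hops(SAMPLE_MESSAGE))
```

Two caveats a practitioner should keep in mind: Received headers are written by the servers along the path and only describe what each of them chose to record, so a missing "ESMTPS" is a reason to investigate rather than proof of cleartext; and transport encryption ends when the message lands, which is why the article treats protection in the recipient's inbox as a separate problem.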

How do you buy encryption for Gmail?

If you Google "Gmail encryption provider", you'll find a few companies that offer encryption for Gmail. One of the biggest is called Virtru.

Virtru pricing

But as you may notice:

  • Most encryption providers aim their services at large companies, not small to medium-sized practices
  • Their websites are technical and full of acronyms (HSM, DLP, SIEM, CJIS, ITAR – any idea what these are?)
  • Even if you're familiar with Gmail, you still have to learn how to use encryption software with it
  • Pricing for Virtru starts at $119/mo – and that's when it's paid yearly!
  • Their default support is online assistance only

For most healthcare practitioners, this means dealing with a more complex and expensive setup to make Gmail HIPAA compliant.

If that feels like more than you want to take on, there are simpler, more affordable ways to handle secure communication. We'll come back to that shortly. First, let's look at the final step.

Step 4: Follow Google's HIPAA implementation guide

Once you have encryption, you'll need to adjust a few settings within Gmail. Handily, Google has created a guide with all the details, which you can access below:

Google HIPAA Implementation Guide

You'll also want to:

  • Set strong passwords: Remember when we said it's important to create a strong password? Well, you can check if your colleagues in your practice are using strong passwords from within the password management section of Google's admin panel. If Google thinks their passwords are weak, then ask them to change them.
  • Use two-step verification: Gmail and most email providers can send you a code by text or email to verify it's you every time you log in. Learn why you should turn on two-step verification.

🚨 Important to know: Do you use any external add-ons with Gmail, such as a grammar checker or file backup service? If you do, be aware that signing a BAA with Google Workspace does not cover them.

You'll either need to disable them or check if they can be made HIPAA-compliant.

What are the advantages and disadvantages of using Gmail as a HIPAA-compliant email service?

Now you know how to make Gmail HIPAA compliant. Is it worth it? Or is there a better alternative for you? Let's take a look.

Advantages and Disadvantages of Gmail

Advantages of using Gmail as a HIPAA-compliant email service

You're familiar with it

Gmail has a simple interface that makes it easy to use. Better yet, most people have had a Gmail account for years, which makes it less intimidating.

Other Google Workspace apps are nearby

Google has some great apps like Docs, Sheets, and Meet, which are a bonus when using Gmail. But remember that Google Contacts is not HIPAA-compliant and integrates closely with Gmail.

Google Workspace Apps

Disadvantages of using Gmail as a HIPAA-compliant email service

It's difficult to set up

If you're tech-savvy or run a large practice with a tech team, you should be OK. But for everyone else, it might be difficult, time-consuming, and expensive to set up.

Lack of personalized support

Google provides free standard support with its Business Starter plan. But as a large tech company, their support may struggle to understand the needs of a small healthcare practice.

Here at Hushmail, we have conversations with our healthcare customers about supporting HIPAA compliance every day. Our plans include full support at no extra cost. You can get help from a real person when you need it. We'll guide you through setup and answer your questions along the way.

Not built for healthcare users

Gmail was built as an email service for all companies, not just healthcare practices. While this makes it versatile, it does mean that any updates aren't prioritized with healthcare users in mind.

What if there's a new regulation about HIPAA-compliant email? How long might it take them to respond?

No forms with healthcare templates

As a healthcare professional, you need to be able to email forms to your clients.

Google does have an app for creating forms. But unlike Hushmail, it:

  • Doesn't include pre-made healthcare templates such as client intake forms, diagnosis forms, health screenings, etc.
  • Doesn't include specialist features like body charts (used by patients to indicate points of pain)
  • Doesn't give you the ability to electronically sign forms

Need to set up a professional email address

To use Gmail in a HIPAA-compliant way, you'll need to sign up for Google Workspace. This means setting up a custom email address for your practice, which may involve buying and managing a domain. This adds extra steps and cost before you can start sending secure messages.

Need to add extra protection for sensitive emails

Gmail does not always protect sensitive information in a way that meets HIPAA requirements, especially once a message reaches your client's inbox. To address this, many providers add extra tools or services to help secure their emails. This can increase both the cost and the complexity of your setup.

That's why Hushmail offers a simpler way to protect sensitive communication.

How secure messages are delivered

When you send a secure message with Hushmail, the recipient receives a notification and clicks a secure link to view the message. They can read, reply, and complete forms on a secure page. They don't need a paid Hushmail account to access it.

Learn more about how secure messages work.

Seamless client experience

How to send HIPAA-compliant messages without configuring Gmail

For secure communication, many healthcare professionals use Hushmail alongside Gmail.

Feature                    | Hushmail                   | Gmail
Healthcare form templates  | ✅ Included                | ❌ No
Electronic form signatures | ✅ Included                | ❌ No
Message delivery           | ✅ Through a secure link   | ❌ Regular email¹
HIPAA-ready                | ✅ Yes                     | ❌ No
Best use                   | Secure messages and forms  | Everyday email
Get started                | Sign up                    | Find out more about Google Workspace

Table updated Apr, 2026

¹ Google has a "confidential mode" feature, but it doesn't support secure replies from recipients unless they also have Gmail.

You can keep using Gmail for everyday communication, and use Hushmail when you need to send sensitive information.

Does using a HIPAA-compliant email service mean that you're fully HIPAA compliant?

No! It's still up to you to ensure you handle your emails in a compliant way. That's why we put together 6 quick tips to ensure your emails are truly HIPAA compliant. Enter your name and email, and we'll send them to you right away.

FAQ about using Gmail for HIPAA-compliant email

We'll answer common questions about using Gmail as a HIPAA-compliant email provider.

Is Gmail's confidential mode HIPAA compliant?

Gmail's confidential mode has some useful security features. It allows you to set a message expiration date, require a code for recipients to open messages, and remove message access.

However, it has the same downsides as Gmail. You would still need to follow our guide to sign a BAA with Google (which can only be done after paying for Google Workspace). Plus, you should still follow Google's HIPAA implementation guide.

Conclusion: Is Gmail HIPAA-compliant in 2026?

Gmail isn't HIPAA compliant out of the box. But with a lot of effort, it is possible to make it HIPAA compliant.

Considering the costs, difficult setup, lack of healthcare forms, and other downsides, it becomes hard to justify.

For most healthcare professionals, it's much easier to use a service like Hushmail for secure messages and forms, while continuing to use Gmail for everyday communication.

Reviewed by: Steven O. Youngman, VP of Legal and Compliance, Hushmail
