TL;DR: Gmail is not HIPAA compliant out of the box. To make it compliant, you must upgrade to a paid Google Workspace account, sign a Business Associate Agreement (BAA) with Google, add third-party encryption where Gmail's own protection falls short, and follow Google's HIPAA implementation guide.
If you prefer a simpler option, you can keep using Gmail for everyday communication and use Hushmail to send secure messages and forms.
If you already use Gmail for your practice, you might be wondering: Is it HIPAA compliant?
You like using Gmail because:
The short answer: you can make Gmail HIPAA compliant, and this article will show you how.
But be warned, just because it's possible doesn't mean it's ideal.
The good news is, if you like using Gmail, you don't need to replace it.
Many healthcare professionals keep Gmail for everyday communication and use Hushmail for secure messages or forms.
This gives you a simpler way to protect sensitive information, without changing the tools you already rely on.
But if you still want to learn how to make Gmail HIPAA-compliant, let's dive in!
These are the 4 steps you'll need to follow. The process isn't easy, but we'll walk you through each step with simple explanations.
You're probably used to Gmail – Google's free version of email for personal use.
However, regular Gmail isn't HIPAA compliant.
Instead, you'll need to sign up and pay for Google's business plan, Google Workspace (formerly G Suite).
Here's how:
1. Click here to go to Google Workspace and click "Get started" in the top corner
2. Fill in your business name and number of employees (if any)
3. Enter your name and current email address
4. Now you'll need to choose whether you own a "domain"
What is a domain? The domain is the part of your email address after the @ symbol.
Imagine you're a social worker using the website: watsonsocialwork.com. If you own the domain, you can create a professional-looking email address and increase trust with clients.
So instead of matthew.watson.lcsw@gmail.com, you could be matthew@watsonsocialwork.com.
The downside of having a custom domain is that you need to pay a few dollars extra each year.
4a. If you do have a domain name…
Then click "Yes, I have one I can use". Google will ask you to enter it and verify you own it later. Google provides instructions for linking your domain to Google Workspace; you can follow them here.
4b. If you don't have a domain…
Then click "No, I need one" and Google will help you to search for and buy one. Most domain names will cost you between $12 and $60/year.
Put your username as the email address you want to use. Then create a password for it.
To strengthen your password, use a long passphrase made of several randomly chosen, unrelated words (a password manager can generate one for you). Avoid phrases built from facts about you, such as a family member's name, a hobby, or a personal belief: those are exactly what an attacker guesses first. Once you're logged in, also turn on 2-Step Verification for the account.
For example: "kestrel marble saffron dune" is a much better choice than "anna goes to nursery".
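The following is an added example (not Hushmail's or Google's code) showing what "random memorable words" means in practice: it picks words with a cryptographically secure random source and reports how many bits of guessing strength the result has, so you can decide how many words you need. The word list embedded here is a constructed miniature; the 7,776-word figure models a full diceware-style list such as the EFF long list.

```python
import math
import secrets

# Constructed miniature word list for the example. A real diceware-style list
# (for instance the EFF long list) has 7,776 words, which WORDLIST_SIZE_EFF models.
SAMPLE_WORDS = [
    "anchor", "basil", "cobalt", "dune", "ember", "falcon", "garnet", "harbor",
    "iris", "juniper", "kestrel", "lantern", "marble", "nectar", "orchid",
    "pepper", "quartz", "raven", "saffron", "tundra", "umber", "velvet",
    "willow", "yarrow", "zephyr",
]
WORDLIST_SIZE_EFF = 7776


def passphrase_entropy_bits(wordlist_size: int, word_count: int) -> float:
    """Entropy (in bits) of a passphrase built from word_count independent,
    uniformly random picks out of wordlist_size words. This only holds for
    random picks; a sentence you made up ("chess is very hard") is far weaker
    than this formula would suggest because its words are not independent."""
    return word_count * math.log2(wordlist_size)


def words_needed(wordlist_size: int, target_bits: float) -> int:
    """Smallest number of random words that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(words, word_count: int, separator: str = " ") -> str:
    """Pick word_count words using secrets.choice (a CSPRNG), never random.choice,
    which is seeded predictably and is not suitable for secrets."""
    if word_count < 1:
        raise ValueError("word_count must be at least 1")
    return separator.join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    target = 60  # a comfortable floor for an account that guards PHI (assumption)
    n_eff = words_needed(WORDLIST_SIZE_EFF, target)
    n_small = words_needed(len(SAMPLE_WORDS), target)
    print(f"From a {WORDLIST_SIZE_EFF}-word list you need {n_eff} words "
          f"({passphrase_entropy_bits(WORDLIST_SIZE_EFF, n_eff):.1f} bits)")
    print(f"From this {len(SAMPLE_WORDS)}-word sample you need {n_small} words "
          f"({passphrase_entropy_bits(len(SAMPLE_WORDS), n_small):.1f} bits)")
    print("Sample passphrase:", generate_passphrase(SAMPLE_WORDS, n_small))
```

The point of the two word counts is that a small list is fine only if you compensate with more words; four words from a 7,776-word list gives about 52 bits, while four words from a 25-word list gives under 19.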
After you're done, you'll be redirected to the login screen. Sign in using the username and password you just created, and get ready to choose a plan!
Unlike personal Gmail accounts, any of Google's Workspace plans have the potential to be HIPAA compliant. Most of the features on the higher-priced plans are aimed at large enterprises. So if you're a small or medium-sized private practice, you can choose the Business Starter plan.
As you will send and receive Protected Health Information (PHI), you need to sign a legal document known as a Business Associate Agreement (BAA). This agreement obligates your email provider to safeguard your clients' information in line with HIPAA. The good news is:
Important to know: Most healthcare professionals must have a BAA. But strictly speaking, it depends on whether HIPAA applies to you based on your profession and whether you bill insurance. If you're unsure, read our article to find out if you need a BAA.
This being said, getting a BAA is useful – even if you don't fall under HIPAA. A BAA will set responsibilities on your email provider and help to satisfy your own professional responsibility to your clients.
Here's how you sign a BAA for Google Workspace:
1. Click here and log in to Google’s Admin Panel
2. On the menu bar, go to Account > Account settings
3. Scroll to the bottom of the page. Then click on the “Legal and compliance” box.
4. Click on "Not accepted" under "Google Workspace/Cloud Identity HIPAA Business Associate Amendment"
5. Then click on "Review and accept."
6. A pop-up should appear with 3 questions. Provide a yes/no answer to each of them.
Note: If you're unsure what a "Covered Entity" is, or if you are one, then check our BAA guide first.
7. Review and accept the BAA agreement
After clicking "I Accept", you've signed the BAA!
Unfortunately, even after you've paid for a domain and Google Workspace, you may still need to buy one more thing… encryption. Gmail does not always protect sensitive information in a way that meets HIPAA requirements, especially once messages reach your client’s inbox.
What is encryption? Encryption is a method used to make information unreadable to anyone other than the intended recipients.
Computers do this by scrambling the information with a key, so that only someone holding the matching key can turn it back into readable text. If anyone else gets hold of the information while it's encrypted, it won't make any sense to them.
If you want to understand how messages are protected while they're sent and after delivery, you can read more in our Is sending email securely enough? blog post.
Strictly speaking, encryption is not required by HIPAA in all circumstances.
However, HIPAA considers it an "addressable" requirement, which in layperson's terms means:
This is why most healthcare professionals will conclude they need email encryption.
Bear in mind that failing to manage risks and safeguard protected health information is a HIPAA violation.
And falling foul of HIPAA could mean:
Now here's the problem…
Gmail doesn't always encrypt emails while they're on the move from your inbox to your client's inbox. Gmail protects messages in transit with TLS only when the receiving mail server supports it; if it doesn't, the message can be delivered unencrypted. A Google Workspace admin can turn on the "Secure transport (TLS) compliance" setting in the Admin console to require TLS for specific domains, but mail that can't be sent over TLS is then not delivered at all, so you trade reliability for the guarantee.
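A sending server can find out whether a recipient domain has committed to accepting mail only over TLS by reading the domain's MTA-STS policy (RFC 8461), which Gmail honors when it is published. The example below is added here and is not Hushmail's or Google's code: it parses a constructed `_mta-sts` TXT record and a constructed policy file, and implements the RFC's MX-pattern matching, including the rule that a `*.` wildcard covers exactly one label. It runs offline on the embedded samples; fetching the real records over DNS and HTTPS is left out.

```python
# Constructed sample records in the shapes defined by RFC 8461; not real data.
SAMPLE_TXT_RECORD = "v=STSv1; id=20240101T000000;"
SAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: mail.example.net
mx: *.backup.example.net
max_age: 604800
"""


def parse_sts_txt(record: str) -> dict:
    """Parse the _mta-sts.<domain> TXT record into its key=value fields.
    A valid record must carry v=STSv1 and an id (the policy version marker)."""
    fields = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or "id" not in fields:
        raise ValueError("not a valid MTA-STS TXT record")
    return fields


def parse_sts_policy(text: str) -> dict:
    """Parse the mta-sts.txt policy body served over HTTPS.
    Returns version, mode, max_age (int) and the list of mx patterns."""
    policy = {"mx": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid mode")
    policy["max_age"] = int(policy["max_age"])
    return policy


def mx_matches(mx_host: str, pattern: str) -> bool:
    """RFC 8461 MX matching: an exact hostname match, or a leading '*.' that
    stands in for exactly one label ('*.example.net' matches 'mail.example.net'
    but neither 'example.net' nor 'a.mail.example.net')."""
    mx_host = mx_host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.net"
        if not mx_host.endswith(suffix):
            return False
        prefix = mx_host[: -len(suffix)]
        return bool(prefix) and "." not in prefix
    return mx_host == pattern


def tls_is_enforced(policy: dict, mx_host: str) -> bool:
    """True only when the policy is in enforce mode and mx_host is covered.
    'testing' mode reports failures but still allows cleartext delivery."""
    return policy["mode"] == "enforce" and any(
        mx_matches(mx_host, p) for p in policy["mx"]
    )


if __name__ == "__main__":
    txt = parse_sts_txt(SAMPLE_TXT_RECORD)
    pol = parse_sts_policy(SAMPLE_POLICY)
    print("policy id:", txt["id"], "mode:", pol["mode"])
    for host in ("mail.example.net", "mx2.backup.example.net",
                 "a.mx2.backup.example.net", "backup.example.net"):
        print(f"{host}: TLS enforced = {tls_is_enforced(pol, host)}")
```

If a recipient domain publishes no MTA-STS policy, or publishes one in `testing` mode, a sender like Gmail falls back to opportunistic TLS, which is exactly the situation where a message may travel unencrypted.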
Some email providers, like Hushmail, take a different approach. Instead of sending sensitive information in a regular email, the recipient gets a notification and reads the message through a secure link (we'll explain more about how this works later).
This means the sensitive content doesn't sit exposed in the recipient's inbox, where a regular email would.
If you Google "Gmail encryption provider", you'll find a few companies that offer encryption for Gmail. One of the biggest is called Virtru.
But as you may notice:
For most healthcare practitioners, this means dealing with a more complex and expensive setup to make Gmail HIPAA compliant.
If that feels like more than you want to take on, there are simpler, more affordable ways to handle secure communication. We'll come back to that shortly. First, let's look at the final step.
Once you have encryption, you'll need to adjust a few settings within Gmail. Handily, Google has created a guide with all the details, which you can access below:
You'll also want to:
🚨 Important to know: Do you use any external add-ons with Gmail, such as a grammar checker or file backup service? If you do, be aware that signing a BAA with Google Workspace does not cover them: an add-on that reads your messages is a separate vendor handling PHI.
You'll either need to disable them or check whether the vendor will sign its own BAA. It's worth reviewing which third-party apps have actually been granted access to your Workspace data (the Admin console lists them under Security > API controls) rather than relying on memory.
Now you know how to make Gmail HIPAA compliant. Is it worth it? Or is there a better alternative for you? Let's take a look.
Gmail has a simple interface that makes it easy to use. Better yet, most people have had a Gmail account for years, which makes it less intimidating.
But remember that:
Google has some great apps like Docs, Sheets, and Meet, which are a bonus when using Gmail. Just be aware that Google Contacts is not HIPAA-compliant and integrates closely with Gmail.
If you're tech-savvy or run a large practice with a tech team, you should be OK. But for everyone else, it might be difficult, time-consuming, and expensive to set up.
Google provides free standard support with its Business Starter plan. But as a large tech company, their support may struggle to understand the needs of a small healthcare practice.
Here at Hushmail, we have conversations with our healthcare customers about supporting HIPAA compliance every day. Our plans include full support at no extra cost. You can get help from a real person when you need it. We'll guide you through setup and answer your questions along the way.
Gmail was built as an email service for all companies, not just healthcare practices. While this makes it versatile, it does mean that any updates aren't prioritized with healthcare users in mind.
What if there's a new regulation about HIPAA-compliant email? How long might it take them to respond?
As a healthcare professional, you need to be able to email forms to your clients.
Google does have an app for creating forms. But unlike Hushmail, it:
To use Gmail in a HIPAA-compliant way, you'll need to sign up for Google Workspace. This means setting up a custom email address for your practice, which may involve buying and managing a domain. This adds extra steps and cost before you can start sending secure messages.
Gmail does not always protect sensitive information in a way that meets HIPAA requirements, especially once a message reaches your client's inbox. To address this, many providers add extra tools or services to help secure their emails. This can increase both the cost and the complexity of your setup.
That's why Hushmail offers a simpler way to protect sensitive communication.
How secure messages are delivered
When you send a secure message with Hushmail, the recipient receives a notification and clicks a secure link to view the message. They can read, reply, and complete forms on a secure page. They don't need a paid Hushmail account to access it.
Learn more about how secure messages work.
For secure communication, many healthcare professionals use Hushmail alongside Gmail.
| | Hushmail | Gmail |
|---|---|---|
| Healthcare form templates | ✅ Included | ❌ No |
| Electronic form signatures | ✅ Included | ❌ No |
| Message delivery | ✅ Through a secure link | ❌ Regular email¹ |
| HIPAA-ready | ✅ Yes | ❌ No |
| Best use | Secure messages and forms | Everyday email |
| Get started | Sign up | Find out more about Google Workspace |
¹ Google has a "confidential mode" feature, but it doesn't support secure replies from recipients unless they also have Gmail.
You can keep using Gmail for everyday communication, and use Hushmail when you need to send sensitive information.
No! It's still up to you to ensure you handle your emails in a compliant way; the BAA and encryption cover your provider's side, not your own day-to-day practices. That's why we put together 6 quick tips to ensure your emails are truly HIPAA compliant.
We'll answer common questions about using Gmail as a HIPAA-compliant email provider.
Gmail's confidential mode has some useful security features. It allows you to set a message expiration date, require a code for recipients to open messages, and remove message access.
However, it has the same downsides as Gmail. You would still need to follow our guide to sign a BAA with Google (which can only be done after paying for Google Workspace). Plus, you should still follow Google's HIPAA implementation guide.
Gmail isn't HIPAA compliant out of the box. But with a lot of effort, it is possible to make it HIPAA compliant.
Considering the costs, difficult setup, lack of healthcare forms, and other downsides, it becomes hard to justify.
For most healthcare professionals, it's much easier to use a service like Hushmail for secure messages and forms, while continuing to use Gmail for everyday communication.
Reviewed by: Steven O. Youngman, VP of Legal and Compliance, Hushmail