Let’s guess! You’re on the hunt for a HIPAA-compliant email service.
But here’s the million-dollar question: Is Gmail HIPAA compliant?
The short answer? You can make Gmail HIPAA compliant and this article will show you how.
But be warned, just because it’s possible, doesn’t mean it’s ideal.
If this already sounds a bit scary, and you’d prefer a HIPAA-compliant email service with support that can hold your hand along the way, then check out Hushmail for Healthcare.
But if you still want to learn how to make Gmail HIPAA compliant, then let’s dive in!
These are the 4 steps you’ll need to follow. While the process isn’t easy, we’ll guide you using screenshots and simple explanations.
You’re probably used to Gmail – Google’s free version of email for personal use.
However, regular Gmail isn’t HIPAA compliant.
Instead, you’ll need to sign up and pay for Google’s business plan called Google Workspace (previously known as G Suite).
Here’s how:
1. Click here to go to Google Workspace and click “Get started” in the top corner
2. Fill in your business name and number of employees (if any)
4. Now you’ll need to choose whether you own a “domain”
What is a domain? The domain is the part of your email address after the @ symbol.
Imagine you’re a social worker using the website: watsonsocialwork.com. If you own the domain, you can create a professional-looking email address and increase trust with clients. So instead of matthew.watson.lcsw@gmail.com, you could be matthew@watsonsocialwork.com. The downside of having a custom domain is that you need to pay a few dollars extra for it every year. However, if you’re with Hushmail, you can use domains like @therapysecure.com, @counselingmail.com, and a few others for free.
4a. If you do have a domain name…
Then click “Yes, I have one I can use”. Google will ask you to enter it and verify you own it later. Google provides instructions on how to link your domain to Google Workspace which you can follow here.
However:
If you know a developer, you could ask them to assist you – but it may be expensive.
Alternatively, if you decide to use Hushmail instead of Gmail, we have many walk-through videos and easy to understand guides to help. Plus, if you’re still unsure, or need us to hold your hand, our friendly team is one call away to help.
4b. If you don’t have a domain…
Then click “No, I need one” and Google will help you to search for and buy one.
Most domain names will cost you between $12-$60/year.
Put your username as the email address you want to use. Then, create a password to go with it.
To strengthen your password, we advise using a random set of memorable words. You might consider a phrase with a specific meaning to you, or about a family member, hobby, or personal belief.
For example: “chess is very hard” or “anna goes to nursery.”
After you’re done, you’ll be redirected to the login screen. Sign in using the username and password you just created, and get ready to choose a plan!
Unlike personal Gmail accounts, any of Google’s Workspace plans have the potential to be HIPAA compliant. Most of the features on the higher-priced plans are aimed at large enterprises. So if you’re a small or medium-sized private practice, you can choose the Business Starter plan.
Important to know: Some of Google’s Workspace apps, like Google Contacts, are not HIPAA compliant. But because everything is tightly integrated, data may be shared between different apps. This has been a major problem for some healthcare practitioners, as seen in some online discussions:
As you will send and receive patient health information, you need to sign a legal document known as a Business Associate Agreement (BAA). This agreement asks your email provider to comply with HIPAA and ensure your patients’ information is held securely. The good news is:
Important to know: Most healthcare professionals must have a BAA. But strictly speaking, it depends on whether HIPAA applies to you based on your profession, and whether you bill insurance. If you’re unsure, read our article to find out if you need a BAA. This being said, getting a BAA is useful – even if you don’t fall under HIPAA. A BAA will set responsibilities on your email provider and help to satisfy your own professional responsibility to your clients.
Here’s how you sign a BAA for Google Workspace:
1. Click here and log in to Google’s Admin Panel
2. On the menu bar, go to Account > Account settings
3. Scroll to the bottom of the page. Then click on the “Legal and compliance” box.
4. Click on "Not accepted" under "Google Workspace/Cloud Identity HIPAA Business Associate Amendment."
5. Then click on "Review and accept."
6. A pop-up should appear with 3 questions. Provide a yes/no answer to each of them.
Note: If you’re unsure what a “Covered Entity” is, or if you are one, then check our BAA guide first.
7. Review and accept the BAA agreement
After clicking “I Accept”, you’ve signed the BAA!
Unfortunately, even after you’ve paid for a domain and Google Workspace, you may still need to buy one more thing… encryption.
What is encryption? Encryption is a method used to make information unreadable to anyone other than the intended recipients. Computers do this by scrambling the information into a secret code while only telling the recipient how to decode it. This means that if anyone else gets hold of the information while it’s encrypted, it won’t make any sense to them. For a more technical explanation, read about how to use Hushmail encryption to support your practice.
Strictly speaking, encryption is not required by HIPAA in all circumstances.
However, HIPAA considers it an “addressable” requirement, which in layman’s terms means:
This is why nearly all healthcare professionals will conclude they need email encryption.
Bear in mind that failing to manage risks and safeguard protected health information is a HIPAA violation.
And falling foul of HIPAA could mean:
Now here’s the problem…
Gmail doesn’t always encrypt emails while they’re on the move from your inbox to your clients’ inbox.
And it doesn’t always encrypt emails that are stored in your clients’ inbox, unless they also use Gmail.
Some email providers, like Hushmail, use a private message center to keep emails secure. (Don’t worry, we’ll explain more about what this is later).
For now, all you need to know is that without adding encryption to Gmail, your emails could fall into the wrong hands.
If you Google “Gmail encryption provider” you’ll find a few companies that offer encryption for Gmail. One of the biggest is called Virtru.
But as you may notice:
Unfortunately, there’s no way around this for most healthcare practitioners that want to make Gmail HIPAA compliant.
Once you have encryption, you’ll need to adjust a few settings within Gmail. Handily, Google has created a guide with all the details, which you can access below:
You’ll also want to:
Important to know: Do you use any external add-ons with Gmail, such as a grammar checker or file backup service? If you do, be aware that signing a BAA with Google Workspace does not cover them. You’ll either need to disable them or check if they can be made HIPAA compliant.
Now you know how to make Gmail HIPAA compliant, is it worth it? Or is there a better alternative for you? Let’s take a look.
Gmail has a simple interface that makes it easy to use. Better yet, most people have had a Gmail account for years which makes it less intimidating.
But remember that:
Google has some great apps like Docs, Sheets, and Meet, which is a bonus when using Gmail. Just be aware that Google Contacts is not HIPAA compliant, and it integrates closely with Gmail.
If you’re tech-savvy or run a large practice with a tech team, you should be OK. But for everyone else, it might be difficult, time-consuming, and expensive to set up.
Google provides free standard support with their Business Starter plan. But as a large tech company, their support may struggle to understand the needs of a small healthcare practice.
Here at Hushmail, we have conversations with our healthcare customers about supporting HIPAA compliance every day. Our plans include full support at no extra cost. You can speak with real people on the phone or online and have unscripted conversations.
We’ll hold your hand, help you get set up, and answer any questions for as long as you need.
Gmail was built as an email service for all companies, not just healthcare practices. While this makes it versatile, it does mean that any updates aren’t prioritized with healthcare users in mind.
What if there’s a new regulation about HIPAA-compliant email? How long might it take them to respond?
As a healthcare professional, you need to be able to email forms to your clients.
Google does have an app for creating forms. But unlike Hushmail, it:
If you don’t have a website domain but want an email address that’s more professional than @gmail.com, then you’ll need to pay for it. Via Google, this is normally an extra $12-$60 per year.
Hushmail includes some professional domains for free like @therapysecure.com, @therapyemail.com, @counselingmail.com, @counselingsecure.com, or yourname@yourpractice.hush.com.
Gmail can encrypt emails stored in your inbox. However, Google can’t control whether your recipient also encrypts the messages they receive in their inbox. This creates a potential security issue.
To get around it, most healthcare professionals buy a separate encryption service for Gmail. But these services are quite expensive, and can be a bit technical.
That’s why Hushmail developed a better solution to this problem: our Private Message Center.
What is a Private Message Center? A private message center is a secure web page where recipients who don’t have a Hushmail account can read and reply to your emails. The first time they receive a secure email from you, they’ll be asked to sign in with an account they already use, such as Google, Microsoft, or Apple. Or they can create a unique password. From then on, they can access your emails on a secure webpage. This prevents the email from getting into the wrong hands! For more information, read about how the Private Message Center works.
For all these reasons, Hushmail is the perfect alternative to Gmail if you need HIPAA-compliant email.
| | Hushmail | Gmail |
| --- | --- | --- |
| Included domains | @therapysecure.com, @therapyemail.com, @counselingmail.com, @counselingsecure.com, yourname@yourpractice.hush.com, @hush.com, @hushmail.com | ❌ No |
| Healthcare form templates | ✅ Yes | ❌ No |
| Electronic form signatures | ✅ Optional | ❌ No |
| Personalized support | ✅ Yes (phone, email, live chat) | Standard support |
| Private message center | ✅ Yes | ❌ No¹ |
| Pricing | Starts from $11.99/mo (includes a 60-day money-back guarantee) | Google Workspace $7.20/user/mo + Encryption (Virtru) $119/mo (other providers are available) |
| Where to buy | Find out more about Hushmail for Healthcare | Find out more about Google Workspace |
¹Google has a feature called “confidential mode”, but it doesn’t support secure replies from recipients unless they also have Gmail.
No! It’s still up to you to ensure you handle your emails in a compliant way.
That’s why we put together 6 quick tips to ensure your emails are truly HIPAA compliant.
We’ll answer any common questions people ask about using Gmail as a HIPAA-compliant email provider.
If we’re missing something, contact us.
Gmail’s confidential mode has some useful security features. It allows you to set a message expiration date, require a code for recipients to open messages, and remove message access.
However, it has the same downsides as Gmail. You would still need to follow our guide to sign a BAA with Google (which can only be done after paying for Google Workspace). Plus, you should still follow Google’s HIPAA implementation guide.
Gmail isn’t HIPAA compliant. But with a lot of effort, it is possible to make it HIPAA compliant.
Considering the costs, difficult setup, likely need to buy encryption, lack of healthcare forms, and other downsides, it becomes hard to justify.
For most healthcare professionals, it’s much easier and better to use a service like Hushmail instead.