
Is Gmail HIPAA Compliant? Here's What You Need to Know

Is Gmail HIPAA compliant? Learn what it takes to use Gmail under HIPAA, including Workspace requirements, encryption steps, and how to avoid violations.

by Drata

April 15, 2025
Contents

  • Why Email Security Matters in Healthcare
  • Is Gmail HIPAA Compliant?
  • How to Use Gmail in a HIPAA-Compliant Way
  • What PHI Can (and Can’t) Be Shared Via Gmail?
  • What Happens If You Use Gmail Without These Protections?
  • Stay on the Right Side of HIPAA Compliance With Drata
  • Gmail and HIPAA Compliance Frequently Asked Questions

If your business handles protected health information (PHI)—whether you're a healthcare provider, insurer, or supporting vendor—Health Insurance Portability and Accountability Act (HIPAA) compliance isn't optional. It shapes everything from how you store data to how you communicate with patients and partners.

Communication is precisely where things can get tricky. Email remains one of the most common ways organizations share updates, coordinate care, or answer patient questions. However, not every email platform is built to handle sensitive health information. That brings us to a question many organizations ask as they scale their workflows: is Gmail HIPAA compliant?

The short answer: not by default. But while Gmail’s standard version isn’t suitable for handling PHI, Google Workspace can be configured to meet HIPAA’s requirements.

In this article, we’ll break down what those steps are, explain what you can and can’t do with Gmail under HIPAA, and show you how to set up a secure, compliant email environment.

New to HIPAA? We’ve created a HIPAA compliance checklist resource to help you kick off your compliance journey. 

Download HIPAA Compliance Checklist PDF

Why Email Security Matters in Healthcare

When protected health information (PHI) is involved, email becomes a potential liability. Under the HIPAA Administrative Simplification provisions, covered entities and business associates must follow strict standards for privacy, security, and breach notifications. Violating HIPAA rules can lead to civil penalties of up to $50,000 per violation (and up to $1.5 million per year) plus investigation costs, mandatory breach reporting, and long-term reputational damage. 

To stay compliant, organizations generally have two options:

  1. Prohibit PHI in email entirely, except when patients explicitly request it

  2. Use an email service that meets HIPAA standards

The first option—banning PHI in email—is difficult to enforce at scale. It requires replacing email with a secure messaging platform that also integrates with your calendar, files, and collaboration tools. Even then, communication gaps can arise with external partners who don’t use the same system.

The second path is more realistic for most organizations: implementing a HIPAA-compliant email service. That means using a platform with the right security controls, oversight tools, and encryption capabilities and ensuring the vendor will sign a Business Associate Agreement (BAA).

That brings us back to the original question we posed in the introduction.

Is Gmail HIPAA Compliant?

Gmail is not HIPAA compliant by default. The standard, consumer-facing version of Gmail (e.g., @gmail.com accounts) lacks the necessary security controls and legal agreements required to meet HIPAA standards. There are three main limitations:

  • No Business Associate Agreement (BAA): HIPAA requires a signed BAA between covered entities and any service provider that stores or transmits protected health information (PHI) on their behalf. Google only offers a BAA through its paid Google Workspace plans, not for free Gmail accounts.

  • Insufficient encryption by default: While Gmail uses TLS (Transport Layer Security) to encrypt emails in transit, this only works if the recipient's server also supports TLS. It does not provide end-to-end encryption or guarantee encryption at rest, both of which are essential under HIPAA’s technical safeguards.

  • Limited access and authentication controls: HIPAA’s Security Rule requires organizations to implement strong access controls, including role-based access, session timeouts, and multi-factor authentication. Consumer-facing Gmail lacks these administrative tools. There’s no central oversight for managing user access or enforcing security policies across an organization.

That said, Gmail can be made HIPAA compliant—but only through a paid Google Workspace subscription, proper configuration, and a signed BAA. Even then, compliance isn’t automatic. You’ll need to follow specific steps to secure your environment, limit PHI exposure, and maintain ongoing oversight.

How to Use Gmail in a HIPAA-Compliant Way

Gmail can be used in a HIPAA-compliant way, but not without preparation. To meet legal requirements, your organization must take specific steps to upgrade, configure, and secure its environment.

The process starts with Google Workspace. From there, it’s a matter of turning on the right features, restricting access, and ensuring patient data is encrypted and protected at every stage.

Here’s what that setup looks like. 

1. Buy a Google Workspace Subscription

Your first step is to switch to a paid Google Workspace plan. The Enterprise plan offers the technical capabilities necessary to align with HIPAA’s Security Rule, including:

  • A Security Center with centralized dashboards for threat detection, alerts, and security analytics.

  • A Vault feature for archiving, retaining, and searching emails and chats for legal or compliance purposes.

  • Role-based access, audit logs, two-factor authentication (2FA) enforcement, and device management.

Google Workspace also includes a 14-day free trial, which allows you to explore these features before committing. Once your domain name is verified and users are added, you'll unlock access to the admin console, where you can configure HIPAA-aligned policies and initiate a Business Associate Agreement (BAA) with Google.

2. Sign a BAA With Google

HIPAA requires a Business Associate Agreement (BAA) between covered entities and any third party that handles PHI on their behalf. Without a BAA, using Gmail (or any part of Google Workspace) to transmit or store PHI is a direct violation of HIPAA.

Once your Google Workspace account is active, you can request and accept a BAA directly from the Admin console:

  1. Sign in at admin.google.com

  2. Navigate to Account Settings > Legal & Compliance

  3. Open the HIPAA Business Associate Amendment

  4. Review and accept the terms

Google’s BAA covers specific Workspace services, including Gmail, Google Drive, Calendar, and Meet. Tools outside that scope, like Google Tasks or certain third-party add-ons, are not covered and should not be used to handle PHI.

3. Configure Security Settings 

The next step is to configure Google Workspace to meet HIPAA’s technical safeguard requirements. This means limiting access to PHI, securing data in transit, and monitoring account activity across your organization.

Google has created a detailed HIPAA Implementation Guide for Workspace and Cloud Identity that outlines which services are covered under the BAA and how to configure them. This guide is a must-read for any admin managing HIPAA compliance in Google’s ecosystem, but the main settings to enable include:

  • Enforce TLS (Transport Layer Security): Gmail supports TLS by default, encrypting messages in transit between compatible email servers. However, TLS isn’t guaranteed end-to-end. Admins should configure routing rules to require TLS for domains known to handle PHI and monitor for fallback scenarios that could expose messages in plaintext.

  • Enable Two-Factor Authentication (2FA): Enforcing 2FA significantly reduces the risk of unauthorized access. It’s also a best practice under HIPAA’s authentication standard, which requires verifying user identities before granting access to ePHI.

  • Restrict third-party app access: Limit OAuth scopes and block untrusted applications from accessing Workspace data. Unauthorized third-party integrations can introduce serious risks if they access Gmail or Drive content containing PHI.

  • Disable email auto-forwarding: Prevent users from automatically forwarding emails to personal accounts. This protects PHI from being routed outside of your secure, monitored environment.

  • Set session timeouts and access policies: Use Context-Aware Access and device management policies to log users out of inactive sessions and restrict access to approved devices only.
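The TLS bullet above asks admins to watch for fallback scenarios in which a hop was delivered without TLS. One place that evidence lives is the chain of Received headers on a delivered message. The script below is an added example (not Google tooling and not part of the original article): it parses the Received headers of a message, records whether each hop used a TLS-protected protocol (the ESMTPS/ESMTPSA keywords from RFC 3848) or carries a `version=TLS…` annotation of the kind Google's MX writes, and reports any hop touching a PHI-handling domain that was not protected. The sample message, its hostnames and IP addresses are constructed; the `version=`/`cipher=` annotation format is Google's, and other MTAs record TLS details differently, so adjust the regexes for non-Google hops.

```python
import email
import re
from email import policy

# Constructed sample (not a real capture). Newest hop is listed first, as in a
# real message: delivery into Google over TLS 1.3, preceded by an internal relay
# hop at the partner that used plain ESMTP with no TLS at all.
SAMPLE_MESSAGE = """\
Received: from mx.partner-clinic.example (mx.partner-clinic.example. [203.0.113.10])
        by mx.google.com with ESMTPS id abc123
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 15 Apr 2025 09:12:01 -0700 (PDT)
Received: from legacy-relay.partner-clinic.example ([192.0.2.25])
        by mx.partner-clinic.example with ESMTP id xyz789;
        Tue, 15 Apr 2025 09:11:58 -0700 (PDT)
From: scheduling@partner-clinic.example
To: frontdesk@clinic.example
Subject: Appointment confirmation

Your appointment request has been received. Please sign in to the portal.
"""

# RFC 3848 "with" keywords that mean the hop was delivered over TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "SMTPS", "UTF8SMTPS", "UTF8SMTPSA"}

_FROM_RE = re.compile(r"\bfrom\s+([^\s(]+)")
_BY_RE = re.compile(r"\bby\s+([^\s(]+)")
_WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)")
_VERSION_RE = re.compile(r"\bversion=([A-Za-z0-9_.]+)")  # Google's annotation


def parse_received_hops(raw_message):
    """Return one dict per Received header, newest hop first."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hops = []
    for header in msg.get_all("Received", []):
        text = " ".join(str(header).split())  # unfold the header onto one line
        from_m, by_m = _FROM_RE.search(text), _BY_RE.search(text)
        with_m, version_m = _WITH_RE.search(text), _VERSION_RE.search(text)
        protocol = with_m.group(1).upper() if with_m else ""
        hops.append({
            "from": from_m.group(1) if from_m else "?",
            "by": by_m.group(1) if by_m else "?",
            "protocol": protocol,
            "tls_version": version_m.group(1) if version_m else None,
            # Protected if the protocol keyword says TLS or Google recorded a version.
            "protected": protocol in TLS_PROTOCOLS or version_m is not None,
        })
    return hops


def unprotected_hops(raw_message):
    """Hops, as 'from -> by', that were not TLS-protected."""
    return [f"{h['from']} -> {h['by']}"
            for h in parse_received_hops(raw_message) if not h["protected"]]


def transport_fully_protected(raw_message, phi_domains):
    """True when every hop that touches a PHI-handling domain used TLS."""
    for h in parse_received_hops(raw_message):
        touches = any(d in h["from"] or d in h["by"] for d in phi_domains)
        if touches and not h["protected"]:
            return False
    return True


if __name__ == "__main__":
    for hop in parse_received_hops(SAMPLE_MESSAGE):
        state = hop["tls_version"] or hop["protocol"] or "unknown"
        flag = "" if hop["protected"] else "   <-- plaintext hop"
        print(f"{hop['from']} -> {hop['by']} [{state}]{flag}")
    print("fallback hops:", unprotected_hops(SAMPLE_MESSAGE))
```

Run against the constructed message, the Google-side hop shows TLS1_3 while the partner's internal relay hop is reported as a plaintext fallback, which is exactly the case a TLS-required routing rule is meant to surface. Received headers describe the inbound path only, so for outbound mail the same check applies to a copy retrieved from the recipient side or to the hop details in Gmail's email log search.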

4. Implement Encryption

Even with TLS enabled, Gmail alone doesn’t meet all of HIPAA’s encryption requirements. TLS only protects messages in transit—not at rest, and not end-to-end. That’s a problem if you’re emailing PHI.

HIPAA’s encryption standard calls for “reasonable and appropriate” mechanisms to guard ePHI against unauthorized access. For email, that typically means:

  • End-to-end encryption: Messages should be encrypted from the sender’s device to the recipient’s inbox. TLS doesn’t provide this level of protection if the recipient’s mail server isn’t properly configured, or if the message leaves Google’s ecosystem.

  • Encryption at rest: While Google encrypts data at rest across Workspace services, this alone doesn’t protect outbound messages once they’re delivered or forwarded.

To close the gap, you can use a third-party email encryption solution that integrates with Gmail. You can also offer a secure portal link instead of including PHI directly in the body or attachments. This lets users authenticate before viewing sensitive content—an approach recommended in Google’s HIPAA Implementation Guide and aligned with best practices for confidential communications.

What PHI Can (and Can’t) Be Shared Via Gmail?

Once Gmail is configured for HIPAA compliance, it still doesn’t give you a blank check to send any and all PHI through email. HIPAA’s Privacy Rule requires covered entities to disclose only the minimum necessary information for any use or communication. That standard applies just as much to email as it does to medical records systems.

For example, PHI should never be included in subject lines. Subject fields are not encrypted (even if the message body is) and could expose sensitive information if intercepted. Likewise, attachments that contain PHI should be encrypted or, ideally, shared through a secure portal. Sending lab results, diagnosis codes, or billing statements as unprotected PDFs exposes you to risk.

Many organizations underestimate how easily routine messages can cross into PHI territory. An appointment reminder with a patient’s name and the name of a specialist? That’s PHI. An insurance question that references a treatment plan? Also PHI. Even messages that feel administrative in nature can carry identifying health information when viewed in context.

The safest strategy is to treat all patient communications as sensitive, regardless of how routine they seem. Use email only as a notification channel, directing recipients to log in to a secure portal where the actual PHI is stored. That way, even if an email is misdirected or intercepted, no sensitive data is exposed.
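The rules in this section (no PHI in subject lines, PHI attachments only through a portal or encrypted, email as a notification channel) can be enforced as a lightweight outbound check before a message leaves. The script below is an added example, not code from the article or from Google: it parses an RFC 5322 message with Python's standard `email` package, looks for a few heuristic PHI indicators (SSN and MRN formats, dotted ICD-10 codes, clinical keywords) in the subject and body, and returns a verdict. Anything in the subject line is blocked outright because subject lines are not encrypted; PHI-like body content or any attachment is sent to review, and a portal-style notification with no identifiers is allowed. The three sample messages, their addresses and patterns are constructed for the example; the patterns are a starting point, not a complete PHI classifier.

```python
import email
import re
from email import policy

# Heuristic PHI indicators (constructed for this example; extend for your data).
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN\s*[:#]?\s*\d{5,}\b", re.IGNORECASE),
    "icd10": re.compile(r"\b[A-TV-Z]\d{2}\.\d{1,4}\b"),  # dotted ICD-10 codes only
    "clinical_term": re.compile(
        r"\b(diagnos(?:is|ed)|lab results?|prescription|treatment plan|test results?)\b",
        re.IGNORECASE),
}

# Constructed sample messages (not real mail).
MSG_SUBJECT_PHI = """\
From: billing@clinic.example
To: patient@example.net
Subject: Lab results for Jane Roe, MRN 4471290

Hi Jane, your lab results are attached.
"""

MSG_BODY_PHI = """\
From: care@clinic.example
To: patient@example.net
Subject: Follow-up

Per your visit, the diagnosis code is E11.9. Please schedule your follow-up.
"""

MSG_NOTIFICATION = """\
From: noreply@clinic.example
To: patient@example.net
Subject: A new message is waiting in your patient portal

Sign in at https://portal.clinic.example to view it.
"""


def find_phi(text):
    """Names of the PHI patterns that match in `text`, sorted for stable output."""
    text = str(text or "")
    return sorted(name for name, rx in PHI_PATTERNS.items() if rx.search(text))


def classify_message(raw_message):
    """Return a verdict plus the evidence behind it for one outbound message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject_hits = find_phi(msg.get("Subject", ""))
    body_part = msg.get_body(preferencelist=("plain",))
    body_hits = find_phi(body_part.get_content() if body_part is not None else "")
    attachments = [p.get_filename() or "(unnamed)" for p in msg.iter_attachments()]

    if subject_hits:
        verdict = "block"    # subject lines are never encrypted: do not send
    elif body_hits or attachments:
        verdict = "review"   # PHI belongs in the portal or an encrypted channel
    else:
        verdict = "allow"    # notification-only message, no identifiers
    return {"verdict": verdict, "subject_hits": subject_hits,
            "body_hits": body_hits, "attachments": attachments}


if __name__ == "__main__":
    for label, raw in [("subject PHI", MSG_SUBJECT_PHI),
                       ("body PHI", MSG_BODY_PHI),
                       ("notification", MSG_NOTIFICATION)]:
        print(label, "->", classify_message(raw))
```

The verdict ordering mirrors the article's guidance: the subject line is the one place where nothing PHI-like is ever acceptable, the body can carry PHI only through an encrypted path, and a message that merely points the recipient at an authenticated portal needs no special handling. Attachments are routed to review regardless of content because their bodies are not inspected here.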

What Happens If You Use Gmail Without These Protections?

Using Gmail to send or store PHI without proper safeguards puts your organization at serious risk legally, financially, and operationally. Under HIPAA, failing to secure electronic protected health information (ePHI) is considered a violation, and the consequences can escalate quickly.

The Office for Civil Rights (OCR), which enforces HIPAA, has the authority to issue fines ranging from $100 to $50,000 per violation, depending on the level of negligence. In more serious cases, annual penalties can reach $1.5 million, and OCR investigations often result in expensive corrective action plans that tie up legal and technical resources for years. Even a single misconfigured email account or forwarded message can trigger breach reporting requirements under the Breach Notification Rule, especially if ePHI is exposed.

Beyond the financial fallout, there’s reputational damage. Patients and partners expect healthcare organizations and vendors to safeguard sensitive data. Data breaches can erode trust, attract negative press, and jeopardize future business, especially for startups or companies looking to expand into regulated markets.

HIPAA doesn’t ban the use of Gmail. But it makes clear that if you use it, you must do it right. Without the proper controls in place, what seems like a convenient communication tool can become a major compliance liability.

Stay on the Right Side of HIPAA Compliance With Drata

Drata automates the heavy lifting of HIPAA compliance. We monitor your controls in real-time, collect evidence continuously, and identify gaps before they become risks. Instead of chasing spreadsheets and screenshots, your team can manage everything from one platform built by auditors and security experts.

Whether you’re configuring Gmail, preparing for an audit, or scaling into regulated markets, Drata helps you stay compliant without slowing down. You get faster time to value, fewer manual tasks, and complete visibility into your security posture.

Want to see how it works? Book a demo to explore how Drata helps healthcare organizations and vendors automate HIPAA compliance end to end.

Gmail and HIPAA Compliance Frequently Asked Questions

Below we answer the most common questions related to Gmail, HIPAA compliance, and how to communicate securely without putting PHI at risk.

Can I Use Gmail for Patient Communications?

Yes, but only if you’re using Google Workspace, have signed a Business Associate Agreement (BAA) with Google, and have configured your account to meet HIPAA’s security requirements. 

Consumer Gmail accounts (e.g., @gmail.com) are never appropriate for handling PHI. Even with Workspace, avoid including PHI directly in the message body—use secure portals or encrypted attachments instead.

Does Gmail Offer HIPAA Encryption?

Gmail supports TLS encryption, which protects emails in transit—but only if the recipient’s email provider also supports TLS. By default, Gmail does not offer end-to-end encryption or encryption at rest for email content. To meet HIPAA’s encryption standards, organizations typically need to add a third-party encryption solution.

Is a Gmail BAA Enough to Make Me HIPAA Compliant?

No. The BAA is required, but it’s just the starting point. HIPAA compliance also depends on how you configure Gmail, manage user access, secure data, and monitor for risks. A signed BAA without the right settings in place still leaves your organization exposed to HIPAA violations.

What’s the Safest Way to Email PHI?

The safest approach is to avoid including PHI directly in emails. Instead, use email to notify recipients that information is available and then direct them to a secure, authenticated portal where they can view it. If you must send PHI by email, use a third-party tool that provides end-to-end encryption, enforces access controls, and logs message activity for audit readiness.
