
Is It Possible to Have HIPAA Compliant Gmail?

With around 1.5 billion users, Gmail is the most popular email service, but can it be used by healthcare organizations to send protected health information (PHI)? Is it possible to make Gmail HIPAA compliant?

Is Gmail HIPAA Compliant?

In order for Gmail to be HIPAA compliant, Google would have to ensure that the email platform is secure and meets the standards laid down in the HIPAA Security Rule, and a covered entity would need to enter into a business associate agreement (BAA) with Google covering Gmail, since Google would be handling PHI on the covered entity's behalf and is therefore a business associate under HIPAA. Encryption is an "addressable" implementation specification under the Security Rule rather than a required one: a covered entity must either implement it or document why an equivalent alternative is reasonable and appropriate. For email containing PHI that leaves the organization's own network and the protection of its firewall, there is no realistic alternative, so such messages must be encrypted in transit, ideally end to end so that only the intended recipient can read them.

Google has implemented strong security controls and its paid email service can meet the requirements of the HIPAA Security Rule. Google is willing to enter into business associate agreements with HIPAA-covered entities that cover its email service, so provided a BAA is obtained, that compliance box is also checked. Encryption can be applied to email, so Google does offer an email service that can be made HIPAA compliant. However, while you can make Gmail HIPAA compliant, it is not compliant by default.

Google offers Gmail for free and this email service is not HIPAA compliant. The standard free email service, which includes an @gmail.com email address, is only intended for personal use.


To be compliant with HIPAA you need to use Google's paid G Suite (formerly Google Apps, now Google Workspace) email service. This paid service is intended for use with a company-owned domain, @hipaajournal.com for example. Google offers a business associate agreement for G Suite, but its BAA does not cover the free @gmail.com email service.

If you pay for G Suite and obtain a BAA, your email is still not necessarily compliant: you must ensure that emails containing PHI are encrypted. Google encrypts stored mail at rest and uses TLS for mail in transit, but that transport encryption is opportunistic. It is only used when the receiving mail server supports it, it otherwise falls back to cleartext, and it only protects each hop between servers rather than the message end to end, so Google and the recipient's provider can still read the content. Workspace administrators can create a rule that requires TLS for mail to and from specified domains and bounces messages that cannot be encrypted, and some paid editions offer hosted S/MIME, but to be sure PHI is protected regardless of who the recipient is you will generally need to pay for an end-to-end email encryption service.
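One practical way to see the "opportunistic, hop by hop" point for yourself is to audit the Received: headers of a message: each relay records whether the connection it accepted used TLS. The script below is an added example written for this article, not HIPAA Journal's or Google's code. It assumes the convention used by Gmail and Postfix of recording the negotiated version in the "with ESMTPS" clause (for example "(version=TLS1_3 cipher=...)"), treats any hop without such a clause as cleartext, and runs on a constructed sample message with a hypothetical clinic domain.

```python
"""Audit the Received: headers of an email and report which SMTP hops
were protected by TLS.  Added example, not HIPAA Journal's or Google's
code.  Assumes the Gmail/Postfix convention of recording the TLS version
in the 'with ESMTPS' clause, e.g. '(version=TLS1_3 cipher=...)'.  A hop
recorded as plain 'with ESMTP' with no version= clause is treated as
cleartext."""
import re
from email import message_from_string

TLS_RE = re.compile(r"version=(TLS[\w.]+)")
FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)

# Constructed sample: a workstation hands the message to the clinic's relay
# in cleartext, and the relay then delivers it to Google over TLS 1.3.
# example-clinic.org and the hostnames are hypothetical.
SAMPLE = """Received: from mail-relay.example-clinic.org (mail-relay.example-clinic.org. [203.0.113.5])
        by mx.google.com with ESMTPS id abc123
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Mon, 3 Jun 2024 09:15:02 -0700 (PDT)
Received: from workstation-07.internal (workstation-07.internal [10.0.0.7])
        by mail-relay.example-clinic.org with ESMTP id def456;
        Mon, 3 Jun 2024 09:14:59 -0700
From: nurse@example-clinic.org
To: patient@example.com
Subject: Appointment confirmation

Your appointment is confirmed.
"""


def audit_hops(raw_message: str) -> list[dict]:
    """Return one dict per Received: header, in sender-to-recipient order,
    with the sending host, the receiving host and the TLS version (or None)."""
    msg = message_from_string(raw_message)
    hops = []
    # Each relay prepends its own Received: header, so the first header in
    # the message is the last hop; reverse to follow the message's path.
    for received in reversed(msg.get_all("Received", [])):
        text = " ".join(received.split())  # unfold the header
        m_from = FROM_RE.match(text)
        m_by = BY_RE.search(text)
        m_tls = TLS_RE.search(text)
        hops.append({
            "from": m_from.group(1) if m_from else "?",
            "by": m_by.group(1) if m_by else "?",
            "tls": m_tls.group(1) if m_tls else None,
        })
    return hops


def cleartext_hops(raw_message: str) -> list[dict]:
    """Hops whose receiving server recorded no TLS version."""
    return [h for h in audit_hops(raw_message) if h["tls"] is None]


if __name__ == "__main__":
    for hop in audit_hops(SAMPLE):
        status = hop["tls"] or "CLEARTEXT"
        print(f"{hop['from']:40} -> {hop['by']:35} {status}")
    print("cleartext hops:", len(cleartext_hops(SAMPLE)))
```

Run against the sample, the report shows the first hop in cleartext and only the second hop under TLS 1.3, which is exactly the situation a BAA with Google does not cover: the part of the path Google did not handle. Two caveats: Received: headers written by servers you do not control can be forged by the sender, so only trust the entries added by your own MTA or by Google, and a clean TLS result still only proves transport encryption, not end-to-end protection of the content.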

There are many encryption services that are compatible with Gmail. You can use Google Apps Message Encryption (GAME) or a third-party email encryption solution such as those offered by Identillect, LuxSci, Paubox, RMail, Virtru, or Zix.

You must then ensure your employees are trained on the correct use of email, are aware of the internal and federal rules covering the transmission of PHI via email, and take care that emails are sent to the correct recipient, since misdirected email is a common cause of reportable breaches. You must also obtain and document patient consent before sending PHI to a patient's personal email address; if a patient asks to receive PHI by unencrypted email, HHS guidance is to warn them of the risks and record their decision.


Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.