Is Gmail HIPAA Compliant?
The short answer: free Gmail is never HIPAA compliant. Google Workspace (paid) can be — but only with a signed BAA and the right configuration. Here's exactly what your practice needs to do.
It Depends on Which Gmail You Mean
Free Gmail (@gmail.com) is never HIPAA compliant. Google will not sign a BAA for consumer accounts. Google Workspace (paid) can be HIPAA compliant — but only with a signed BAA and correct configuration.
- Google Workspace + BAA: HIPAA-eligible
- Free Gmail (@gmail.com): never HIPAA compliant
- $7.20/user/mo: starting price for Google Workspace Business Starter (BAA-eligible)
What Google Workspace Provides for HIPAA
HIPAA doesn't certify email platforms. Compliance depends on three things: the vendor's technical safeguards, a signed Business Associate Agreement, and your organization's configuration and training.
- Google Workspace Plan: Business Starter, Standard, Plus, or Enterprise. All paid plans are BAA-eligible. Free @gmail.com accounts are not.
- Signed BAA: Accept Google's Business Associate Amendment in Admin Console → Account → Legal and compliance. This is a contract — not a setting toggle.
- Your Configuration: DLP rules, sharing restrictions, S/MIME or third-party encryption, and staff training are YOUR responsibility — Google doesn't do them for you.
“A BAA without the right configuration is a false sense of security. Google provides the infrastructure — you provide the policies and enforcement.”
45 CFR §164.312(a)(1) — Covered entities must implement technical policies and procedures for electronic information systems that maintain ePHI to allow access only to authorized persons.
What Google's BAA Does — and Doesn't — Cover
Google's Business Associate Amendment covers specific Workspace services. It does not blanket-cover everything with a Google logo. Know the boundaries before your team sends the first email containing PHI.
Covered Under Google Workspace BAA
- Gmail in Google Workspace: TLS 1.2+ in transit, AES-256 at rest
- Google Drive attachments: AES-256 at rest, TLS in transit
- Google Meet (video): DTLS-SRTP encryption
- Google Chat (within Workspace): TLS in transit, at-rest encryption
- Google Calendar (appointment details): encrypted at rest and in transit
Not Covered by the BAA
- Free Gmail (@gmail.com): no BAA available; Google explicitly excludes consumer accounts
- Gmail ads / content scanning: Google no longer scans Gmail for ads, but free accounts lack a BAA
- Third-party add-ons: extensions are not covered by Google's BAA; each needs separate vetting
- Google Voice (legacy free): not included in the Workspace BAA; use Google Voice for Workspace instead
For full encryption specifications, see our HIPAA encryption requirements guide. The Security Rule lists encryption of ePHI in transit as an addressable specification rather than a required one, but in practice it is treated as near-mandatory.
6 Settings You Must Configure in Google Workspace
Signing the BAA is step one. These six configurations are what actually protect PHI in Gmail. Document each one in your risk assessment.
1. Enable S/MIME encryption
   - Where: Admin Console → Apps → Google Workspace → Gmail → User settings
   - Action: Upload S/MIME certificates and enable hosted S/MIME
   - Why: Encrypts email content end-to-end when both sender and recipient have certificates
2. Set up DLP rules for PHI
   - Where: Admin Console → Security → Data protection → Rules
   - Action: Create rules to detect SSNs, MRNs, and health data in outbound email
   - Why: Prevents accidental PHI exposure in emails to non-covered recipients
3. Restrict external sharing in Drive
   - Where: Admin Console → Apps → Google Workspace → Drive → Sharing settings
   - Action: Set to 'Only people in your organization' as the default
   - Why: Prevents attachments and shared files containing PHI from leaking externally
4. Enforce 2-step verification
   - Where: Admin Console → Security → Authentication → 2-step verification
   - Action: Set to 'Enforced' for all organizational units
   - Why: HIPAA requires access controls; passwords alone are insufficient
5. Disable POP/IMAP access
   - Where: Admin Console → Apps → Google Workspace → Gmail → End User Access
   - Action: Uncheck POP and IMAP access for healthcare OUs
   - Why: Prevents PHI from being downloaded to unmanaged personal email clients
6. Enable audit logging
   - Where: Admin Console → Reporting → Audit and investigation → Gmail log events
   - Action: Verify email audit logs are active and retained 6+ years
   - Why: HIPAA requires logging of access to ePHI; logs prove compliance during audits
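To make the DLP rule setting above concrete, here is an added example (not Google's DLP engine and not code from this page) that models the rule locally: it parses an outbound message, decides whether any recipient sits outside the practice's domain, and flags SSN- or MRN-like identifiers in the subject as well as the body, since previews expose subject lines even when the body is encrypted. The practice domain example-practice.com and the MRN format (the letters MRN followed by seven digits) are assumptions, and the sample messages are constructed.

```python
"""Local model of the outbound-PHI DLP rule described above.
Added illustration, not Google Workspace's DLP engine. Assumptions: the
practice's Workspace domain is example-practice.com and an MRN is the
letters 'MRN' followed by seven digits."""
import re
from email import message_from_string
from email.utils import getaddresses

ORG_DOMAIN = "example-practice.com"  # assumed practice domain

# Identifier patterns the rule looks for (the MRN format is an assumption).
PHI_PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "MRN": re.compile(r"\bMRN[ #:]*\d{7}\b", re.IGNORECASE),
}


def external_recipients(msg):
    """Return To/Cc/Bcc addresses whose domain is not the organization's."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr for _, addr in getaddresses(headers)
            if addr.rsplit("@", 1)[-1].lower() != ORG_DOMAIN]


def find_phi(text):
    """Return the sorted names of PHI patterns present in text."""
    return sorted(name for name, pat in PHI_PATTERNS.items() if pat.search(text or ""))


def evaluate(raw):
    """Apply the rule: block only when an external recipient AND PHI coincide.
    The subject is checked too, because previews expose it even if the body is encrypted."""
    msg = message_from_string(raw)
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode(errors="replace")
    hits = {"subject": find_phi(msg["Subject"]), "body": find_phi(body)}
    external = external_recipients(msg)
    return {"blocked": bool(external) and any(hits.values()),
            "external": external, "hits": hits}


# Constructed sample messages; the identifiers are not real.
INTERNAL_OK = ("From: nurse@example-practice.com\nTo: md@example-practice.com\n"
               "Subject: chart review\n\nMRN 1234567 needs a second look.\n")
EXTERNAL_SUBJECT = ("From: nurse@example-practice.com\nTo: patient@gmail.com\n"
                    "Subject: Results for SSN 123-45-6789\n\nSee attached.\n")
EXTERNAL_CLEAN = ("From: nurse@example-practice.com\nTo: patient@gmail.com\n"
                  "Subject: Follow-up on your visit\n\nPlease call to schedule.\n")

if __name__ == "__main__":
    for label, raw in [("internal", INTERNAL_OK), ("external-subject", EXTERNAL_SUBJECT),
                       ("external-clean", EXTERNAL_CLEAN)]:
        print(label, evaluate(raw))
```

Internal mail carrying an MRN passes, an external message with an SSN in the subject is blocked, and an external message with a generic subject and no identifiers passes, which is the behaviour the rule in Admin Console should reproduce.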
S/MIME isn't the only encryption option
If managing S/MIME certificates is too complex, third-party encryption add-ons like Virtru or Paubox integrate directly with Gmail and handle encryption automatically. See HIPAA encryption requirements for the full technical standard.
Is Google Forms HIPAA Compliant?
Yes — Google Forms is HIPAA compliant when used through Google Workspace with a signed BAA. It's part of the same Workspace suite covered by Google's Business Associate Amendment, which means form responses stored in Drive and Sheets inherit the same encryption and access controls.
Using Google Forms for Patient Intake
Do:
- Use through a Google Workspace account with an active BAA
- Set form visibility to 'Private to your organization'
- Restrict sharing permissions so only authorized staff access responses
- Train staff to never share form links on personal or non-compliant channels
Don't:
- Use a free @gmail.com account to collect PHI via Google Forms
- Allow form responses to be accessible to anyone with the link
- Use Google Forms as a replacement for a certified EHR intake system
- Skip the BAA — even if you're collecting 'just' appointment requests
Google Forms vs. purpose-built intake platforms
While Google Forms is technically compliant under Workspace, it lacks audit trails, e-signatures, and EHR integration that dedicated patient intake forms provide. For high-volume practices, consider purpose-built solutions.
5 Gmail Mistakes That Violate HIPAA
Most Gmail-related HIPAA violations aren't caused by Google — they're caused by how practices use the platform. These are the failures that show up most often in risk assessments.
Using a free @gmail.com account for patient communication
Google will not sign a BAA for consumer Gmail. Any PHI sent from a @gmail.com address is an immediate HIPAA violation, regardless of email content.
Fix: Migrate to Google Workspace and set up a branded domain (@yourpractice.com).
Signing the BAA but skipping DLP and encryption setup
A BAA is a legal agreement, not a security toggle. Without DLP rules and encryption, staff can accidentally send PHI to personal accounts or wrong recipients.
Fix: Configure all 6 settings in the checklist above before sending any PHI.
Emailing PHI in the subject line
Subject lines are often displayed in preview text and notifications on unlocked devices. Even with S/MIME, subject lines may not be encrypted.
Fix: Train staff to use generic subjects like 'Follow-up on your visit' and put PHI in the body only.
Auto-forwarding email to a personal account
If a clinician auto-forwards Workspace email to their personal @gmail.com, PHI leaves the BAA-covered environment entirely.
Fix: Disable auto-forwarding in Admin Console for all healthcare organizational units.
Not revoking access when staff leave
Former employees with active accounts can still access email containing PHI. This is both a HIPAA violation and a data breach risk.
Fix: Include Workspace account suspension in your offboarding checklist. Document it in your risk assessment.
Need a comprehensive violation reference? Our guide to common HIPAA violations covers the full spectrum, and our compliance checklist catches these issues before an auditor does.
Gmail Alternatives for HIPAA Email
If managing Google Workspace configuration feels too complex, or you want encryption that works automatically without S/MIME certificates, these purpose-built HIPAA email solutions may be a better fit.
Paubox
From $29/user/mo | Seamless encryption
Encrypts all outbound email automatically — no extra steps for sender or recipient. Integrates directly with Google Workspace. HITRUST CSF certified.
Best for: Practices that want zero-friction encryption without managing certificates
Hushmail for Healthcare
From $11.99/user/mo | Standalone HIPAA email
Purpose-built HIPAA email with built-in encryption, secure forms, and e-signatures. Includes BAA. No Google Workspace needed.
Best for: Solo practitioners or small practices not already on Google Workspace
Virtru
From $87/user/yr | Gmail add-on encryption
Browser extension and Gmail add-on that adds end-to-end encryption, message expiration, and revocation to existing Gmail. Works with Workspace.
Best for: Practices that want to keep Gmail but add granular encryption controls
Quick Reference: Gmail HIPAA Compliance
- Free Gmail = No: Consumer @gmail.com accounts are never HIPAA compliant. Google will not sign a BAA for free accounts.
- Google Workspace = Yes (with BAA): Business Starter ($7.20/user/mo) and above are BAA-eligible. Accept the BAA in Admin Console → Legal.
- Google Forms = Yes (with BAA): Covered under the same Workspace BAA. Set sharing to private and restrict access to authorized staff.
- 6 settings to configure: S/MIME encryption, DLP rules, Drive sharing restrictions, 2-step verification, disable POP/IMAP, audit logging.
- Staff training required: Train all users on PHI handling in email; no PHI in subject lines, no auto-forwarding, no personal account use.