Is Gmail HIPAA Compliant? Free vs. Workspace Explained

Gmail is not HIPAA compliant on its own. A free @gmail.com account cannot be used to send or receive protected health information (PHI), and no amount of configuration will change that. Gmail as part of a paid Google Workspace plan, however, can be used in a HIPAA-compliant way, but only after your organization signs a Business Associate Agreement (BAA) with Google and configures the account properly.

Why Free Gmail Doesn’t Qualify

HIPAA requires that any third-party service handling PHI sign a Business Associate Agreement with the healthcare organization using it. Google does not offer a BAA for free consumer Gmail accounts. Without that legal agreement in place, using a @gmail.com address to send lab results, appointment details that include diagnoses, insurance information, or any other identifiable health data is a HIPAA violation, regardless of how careful you are with the content.

This is a hard line. Google’s own compliance documentation states plainly that customers who have not signed a BAA with Google must not use PHI in any Google services. There is no workaround, no special setting, and no privacy policy checkbox that substitutes for a BAA.

Google Workspace Gmail Is Different

Paid Google Workspace plans (formerly G Suite) do allow organizations to sign a BAA with Google. Once that agreement is in place, Gmail becomes one of several “covered services” eligible for handling PHI. As of 2025, the full list of covered services under the Google BAA includes Gmail, Google Drive (with Docs, Sheets, Slides, and Forms), Google Calendar, Google Chat, Google Meet, Google Keep, Google Voice for managed users, Google Sites, Google Tasks, Google Vault, and several others including Gemini in Workspace.

Signing the BAA is something an administrator does through the Google Admin console. It’s not automatic. If your organization has a Workspace account but nobody has reviewed and accepted the BAA, you’re still not compliant.

What the BAA Does Not Cover

The BAA only applies to the specific services on Google’s included functionality list. Third-party apps, browser extensions, and add-ons installed through the Workspace Marketplace are not covered. If your staff uses a scheduling plugin or a third-party email tracking tool that touches PHI, that tool falls outside Google’s BAA entirely and needs its own compliance review.

Google also draws a clear line between Workspace services and what it calls “Additional Google Services,” which are consumer-facing Google products that Workspace users can access. The BAA and Google’s data processing terms do not extend to those additional services.

Configuration Steps Beyond the BAA

Signing the BAA is necessary but not sufficient. HIPAA’s Security Rule requires administrative, physical, and technical safeguards for electronic PHI. In practice, that means your Workspace administrator needs to configure the environment to meet those standards. Key settings include:

  • Two-factor authentication: Enforce it for all users who handle PHI, not just recommend it.
  • Sharing restrictions: Limit how files in Google Drive can be shared externally, so staff can’t accidentally expose patient records with a shareable link.
  • Audit logging: Enable and regularly review logs that track who accessed what data and when.
  • Mobile device management: Control how Workspace data is accessed on phones and tablets, including the ability to remotely wipe a lost device.
  • Email routing rules: Configure Transport Layer Security (TLS) so that emails containing PHI are encrypted in transit, and decide what should happen when a recipient's mail server cannot negotiate TLS.

Google encrypts data at rest and in transit by default within Workspace, which covers a significant portion of the Security Rule’s encryption requirements. But encryption alone doesn’t make you compliant. Access controls, workforce training, and policies around how PHI is handled all fall on your organization, not on Google.
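The "regularly review logs" step above is where most organizations fall short, so here is an added example (not from Google or from this article) of the kind of review an administrator can script: it walks Drive audit records and flags files that were opened to "anyone with the link" or shared to an account outside the organization's domain. The records are a constructed sample shaped loosely like Admin SDK Reports API Drive activity output; the exact field names, the domain `clinic.example`, and the document titles are assumptions for illustration.

```python
# Review Drive audit activity for external exposure of files that may hold PHI.
# SAMPLE_EVENTS is a constructed sample that only approximates the shape of
# Admin SDK Reports API (applicationName=drive) records; it is not real log data.
SAMPLE_EVENTS = [
    {"actor": {"email": "nurse@clinic.example"},
     "events": [{"name": "change_document_visibility",
                 "parameters": [{"name": "doc_title", "value": "Lab results - patient 0042"},
                                {"name": "visibility", "value": "people_with_link"}]}]},
    {"actor": {"email": "billing@clinic.example"},
     "events": [{"name": "change_user_access",
                 "parameters": [{"name": "doc_title", "value": "Q3 insurance claims"},
                                {"name": "target_user", "value": "someone@gmail.com"}]}]},
    {"actor": {"email": "admin@clinic.example"},
     "events": [{"name": "change_user_access",
                 "parameters": [{"name": "doc_title", "value": "Staff rota"},
                                {"name": "target_user", "value": "front-desk@clinic.example"}]}]},
    {"actor": {"email": "nurse@clinic.example"},
     "events": [{"name": "view",
                 "parameters": [{"name": "doc_title", "value": "Lab results - patient 0042"}]}]},
]

ORG_DOMAIN = "clinic.example"  # assumed organization domain
# Visibility values that make a file reachable without an explicit per-user grant.
LINK_VISIBILITIES = {"people_with_link", "public_on_the_web", "shared_externally"}


def _params(event):
    """Flatten the name/value parameter list of one event into a dict."""
    return {p["name"]: p.get("value") for p in event.get("parameters", [])}


def find_external_exposure(records, org_domain=ORG_DOMAIN):
    """Return (actor, doc_title, reason) for every event that exposes a file outside the org."""
    findings = []
    for rec in records:
        actor = rec.get("actor", {}).get("email", "?")
        for ev in rec.get("events", []):
            p = _params(ev)
            title = p.get("doc_title", "?")
            if ev.get("name") == "change_document_visibility" and p.get("visibility") in LINK_VISIBILITIES:
                findings.append((actor, title, f"visibility set to {p['visibility']}"))
            elif ev.get("name") == "change_user_access":
                target = p.get("target_user", "")
                # Any grant to an address outside the org domain leaves the BAA boundary.
                if "@" in target and target.rsplit("@", 1)[1].lower() != org_domain.lower():
                    findings.append((actor, title, f"shared with external account {target}"))
    return findings


if __name__ == "__main__":
    for actor, title, why in find_external_exposure(SAMPLE_EVENTS):
        print(f"{actor}: '{title}' -> {why}")
```

In practice the records would come from an Admin SDK Reports export rather than the inline sample, and each finding should be reconciled against the Drive sharing restrictions the administrator has set.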

Emailing Patients Directly

Even with a properly configured Workspace account, emailing PHI to patients introduces additional considerations. The recipient’s email provider (their personal Gmail, Yahoo, or Outlook account) is not covered by your BAA. Once a message leaves your system, you don’t control how it’s stored or who can access it on the other end.

HHS guidance allows healthcare providers to communicate with patients by email, provided reasonable safeguards are applied. The Privacy Rule does not outright prohibit unencrypted email for treatment-related communications, but it does require you to limit the type and amount of information disclosed and take precautions like verifying the email address before sending.

Best practice is to obtain written consent from patients before communicating PHI over email. Many organizations use a specific consent form that explains the risks of unencrypted email and confirms the patient’s preferred address. If a patient initiates email communication and you respond, it’s still advisable to confirm in that first reply that they want to continue exchanging health information this way. Document that consent in their chart.

The Bottom Line on Compliance

Gmail through a paid Google Workspace account, with a signed BAA and proper configuration, can be part of a HIPAA-compliant setup. Free Gmail cannot. But it’s worth understanding that no email service is “HIPAA compliant” in isolation. Compliance is a combination of the right vendor agreement, the right technical configuration, the right organizational policies, and the right staff training. Google provides the infrastructure and the legal agreement. Everything else is your responsibility.