How to set up HIPAA compliant email with Google Workspace
Tshedimoso Makhene
December 17, 2025
According to World Population Review, 41.9% of the US population uses Gmail. Its familiarity, ease of use, and integration with other productivity tools make Google Workspace an attractive option for healthcare organizations. However, when email communication involves protected health information (PHI), convenience alone is not enough. Google Workspace is not HIPAA compliant by default, and healthcare organizations must take specific steps to configure it appropriately.
Can Google Workspace be HIPAA compliant?
Google Workspace can support HIPAA compliance, but only under certain conditions. Google acts as a business associate and offers a business associate agreement (BAA) for eligible Workspace editions, including Business Plus, Enterprise, and select Education plans. Free Gmail accounts and unsupported Workspace tiers cannot be used for HIPAA-regulated communication.
It is important to note that HIPAA compliance is not a single setting or feature. It is an ongoing process involving the integration of secure technology, administrative safeguards, and effective workforce training.
Configuring Google Workspace email to adhere to HIPAA
Google Workspace Admin has published a Google Workspace and Cloud Identity HIPAA Implementation Guide that details how Gmail can be configured to meet HIPAA requirements for sending, receiving, and storing PHI when used under a signed BAA. Proper configuration helps ensure the confidentiality, integrity, and security of PHI transmitted via email. Follow these steps:
Ensure a signed BAA is in place
Before using Gmail to handle PHI, your organization must have a signed HIPAA BAA with Google. This legally authorizes the use of Gmail under HIPAA and assigns responsibilities for protecting PHI.
Limit Gmail use to covered users and groups
According to the guide, “Gmail provides controls to help users ensure that messages and attachments are only shared with the intended recipients. When composing emails and inserting files using Google Drive that may contain PHI, end users can choose to share only with the intended recipients.” Additionally, “To manage end user access to different sets of Google services, a Google Workspace administrator can create organizational units to put end users who manage PHI and end users who do not into separate groups. Once these units are set up, the administrator can turn specific services on or off for groups of users.” This allows the administrator to enable Gmail only for users authorized to handle PHI and restrict external access where possible.
Enforce secure transmission of emails
The guide recommends that Gmail users “review the security health tool, which provides recommendations on how to improve your security posture.”
Apply Data Loss Prevention (DLP) rules
“Administrators can also create DLP policies that inspect emails for evidence of certain PII/PHI identifiers and apply policy on how that data is shared.” Administrators can set actions such as quarantine, reject, or warn senders when PHI is detected in outgoing emails, reducing the risk of inadvertent disclosures. DLP can also monitor inbound and internal emails.
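To make the policy logic concrete, here is an added illustration (not code from the guide and not Google's DLP product) that models how the actions above map onto the organizational-unit split described earlier. It assumes an org unit named phi-handlers, an internal domain clinic.example, and two constructed identifier patterns standing in for Workspace's predefined detectors.

```python
import re
from dataclasses import dataclass, field

# Constructed patterns for the demo; real DLP detectors are far richer (assumption).
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:\s#]*\d{6,10}\b", re.IGNORECASE),
}
PHI_ORG_UNIT = "phi-handlers"      # assumed name of the OU allowed to handle PHI
INTERNAL_DOMAIN = "clinic.example"  # constructed internal mail domain


@dataclass
class Message:
    sender: str
    sender_org_unit: str
    recipients: list[str] = field(default_factory=list)
    body: str = ""


def find_phi(text: str) -> list[str]:
    """Names of the identifier patterns that match anywhere in the text."""
    return [name for name, pat in PHI_PATTERNS.items() if pat.search(text)]


def is_external(addr: str) -> bool:
    return addr.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN


def evaluate(msg: Message) -> tuple[str, list[str]]:
    """Return (action, matched identifiers). Actions are the three the
    article names (warn, quarantine, reject) plus 'allow' for clean mail."""
    hits = find_phi(msg.body)
    if not hits:
        return "allow", hits
    # A sender outside the PHI org unit should never be sending PHI: reject.
    if msg.sender_org_unit != PHI_ORG_UNIT:
        return "reject", hits
    # Authorised sender, but PHI would leave the domain: hold for review.
    if any(is_external(r) for r in msg.recipients):
        return "quarantine", hits
    # Internal traffic between authorised users: deliver, but warn the sender.
    return "warn", hits


if __name__ == "__main__":
    sample = Message("nurse@clinic.example", PHI_ORG_UNIT,
                     ["billing@partner.example"], "Patient MRN: 1234567 attached.")
    print(evaluate(sample))  # constructed sample: PHI to an external recipient
```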
Monitor email activity and audit logs
Use the Admin Console to monitor email logs for any unusual access or forwarding activity, set up alerts to detect suspicious behaviors such as mass downloads or unauthorized login attempts, and maintain comprehensive audit trails to demonstrate compliance during reviews.
FAQs
Who is responsible for HIPAA compliance when using Gmail—Google or the healthcare organization?
Compliance is a shared responsibility. Google secures the infrastructure and services covered under the BAA, while the healthcare organization is responsible for proper configuration, user access, training, and policy enforcement.
Are email signatures and disclaimers sufficient to ensure HIPAA compliance?
Disclaimers alone do not provide technical safeguards. HIPAA compliance requires administrative, technical, and physical controls, including encryption, access management, and monitoring.