3 min read

Is a free Gmail account HIPAA compliant?

Kapua Iao December 20, 2023

HIPAA compliant email HIPAA Compliance

Is a free Gmail account HIPAA compliant?

Google created several digital products for individuals and organizations, some free and some paid. Many healthcare organizations use Google’s tools to connect and communicate with employees, patients, and other healthcare providers. In the healthcare industry, sensitive protected health information (PHI) must be safeguarded under HIPAA.

A major part of this compliance is working with vendors who will sign a business associate agreement (BAA) and ensure the security of PHI. Google offers a BAA for Workspace, which includes Gmail. Unfortunately, the BAA does not include the free version, meaning a free Gmail account is not HIPAA compliant.

A free Gmail account

Google Workspace (formerly known as G Suite) is a suite of cloud-based productivity and collaboration tools offered by Google. Included in the suite is Gmail. As of 2019, Gmail has 1.5 billion active users worldwide. Users access their email through a webmail interface or a mobile application.

Individuals, teams, and organizations use Google tools to communicate, store, and manage data and documents, and collaborate on projects. While these services are typically free to use for individuals, Google Workspace has various enterprise (paid) features for businesses.

Gmail privacy and security

Google prides itself on its cybersecurity and privacy features with both defensive and offensive tools automatically available to users. Such features, however, are not all HIPAA compliant, which is why Google created the Google Workspace and Cloud Identity HIPAA Implementation Guide. This informational handbook explains how to configure and use Workspace services to support HIPAA compliance.

Free Gmail accounts, widely used for personal and business communication, are not designed to meet HIPAA security and privacy requirements. Google scans free Gmail accounts, looks for keywords, and then uses those keywords to target advertisements. Using a free Gmail account to transmit PHI poses risks such as data breaches, unauthorized access, and noncompliance with HIPAA regulations.

LEARN ABOUT: Healthcare ads and HIPAA compliance: The ultimate guide

Is Google a business associate?

HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to these covered entities' business associates (i.e., vendors). These associates are entities that perform certain functions or activities on behalf of the covered entity.

A BAA is a written contract between a covered entity and a business associate. It outlines the responsibilities and obligations of each party regarding the handling of PHI. Typical provisions within a BAA include:

Permitted uses and disclosures of PHI
Safeguards for protecting PHI
Reporting and mitigation of security incidents
Compliance with HIPAA regulations
Dispute resolution and termination clauses

The agreement is required by law for HIPAA compliance and is a primary consideration when choosing Google services. In the case of Google Workspace (and Gmail), the service would certainly fall into the category of business associate. This, however, is only true if an organization stores, processes, or transmits PHI on the platform.

Google Workspace, Gmail, and the BAA

Google offers a BAA for Google Workspace, pointing out that the BAA covers Gmail, Calendar, Drive (including Docs, Sheets, Slides, and Forms), Google Chat, Google Meet, Keep, Google Cloud Search, Google Voice, Sites, Google Groups, Jamboard, Cloud Identity Management, Tasks, and Vault.

The BAA is only available for a paid Workspace account. Google does not sign an agreement with free Gmail users.