
Is a free Gmail account HIPAA compliant?

Google created several digital products for individuals and organizations, some free and some paid. Many healthcare organizations use Google’s tools to connect and communicate with employees, patients, and other healthcare providers. In the healthcare industry, sensitive protected health information (PHI) must be safeguarded under HIPAA.

A major part of this compliance is working with vendors who will sign a business associate agreement (BAA) and ensure the security of PHI. Google offers a BAA for Workspace, which includes Gmail. Unfortunately, the BAA does not include the free version, meaning a free Gmail account is not HIPAA compliant.

A free Gmail account

Google Workspace (formerly known as G Suite) is a suite of cloud-based productivity and collaboration tools offered by Google. Included in the suite is Gmail. As of 2019, Gmail has 1.5 billion active users worldwide. Users access their email through a webmail interface or a mobile application.

Individuals, teams, and organizations use Google tools to communicate, store, and manage data and documents, and collaborate on projects. While these services are typically free to use for individuals, Google Workspace has various enterprise (paid) features for businesses.


Gmail privacy and security

Google prides itself on its security and privacy features, with both protective and proactive security tools enabled for users by default. Not all of these features, however, are HIPAA compliant, which is why Google created the Google Workspace and Cloud Identity HIPAA Implementation Guide. This informational handbook explains how to configure and use Workspace services to support HIPAA compliance.

Free Gmail accounts, widely used for personal and business communication, are not designed to meet HIPAA security and privacy requirements. Google scans free Gmail accounts, looks for keywords, and then uses those keywords to target advertisements. Using a free Gmail account to transmit PHI poses risks such as data breaches, unauthorized access, and noncompliance with HIPAA regulations.

Is Google a business associate?

HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to these covered entities' business associates (i.e., vendors). Business associates are entities that perform certain functions or activities involving PHI on behalf of the covered entity.

A BAA is a written contract between a covered entity and a business associate. It outlines the responsibilities and obligations of each party regarding the handling of PHI. Typical provisions within a BAA include:

  • Permitted uses and disclosures of PHI
  • Safeguards for protecting PHI
  • Reporting and mitigation of security incidents
  • Compliance with HIPAA regulations
  • Dispute resolution and termination clauses

The agreement is required by law for HIPAA compliance and is a primary consideration when choosing Google services. In the case of Google Workspace (and Gmail), the service would certainly fall into the category of business associate. This, however, is only true if an organization stores, processes, or transmits PHI on the platform.

Google Workspace, Gmail, and the BAA

Google offers a BAA for Google Workspace, pointing out that the BAA covers Gmail, Calendar, Drive (including Docs, Sheets, Slides, and Forms), Google Chat, Google Meet, Keep, Google Cloud Search, Google Voice, Sites, Google Groups, Jamboard, Cloud Identity Management, Tasks, and Vault.

The BAA is only available for a paid Workspace account. Google does not sign an agreement with free Gmail users.


Is a free Gmail account HIPAA compliant?

Gmail can be used as a HIPAA compliant email service by healthcare organizations, but only on paid accounts and only when configured properly. A paid Workspace account (which includes Gmail) provides many services that are covered by Google's BAA. This is not true for a free Gmail account.

Conclusion: A free Gmail account is not HIPAA compliant.


Guaranteeing a HIPAA compliant Gmail account

Once a healthcare organization has purchased a paid Google Workspace account and signed a BAA, it is up to the organization itself to secure the tools it uses. Here’s what to do to make sure your paid Gmail account stays HIPAA compliant:

  1. Use a strong password
  2. Enable multi-factor authentication
  3. Manage user permissions and restrict access as needed
  4. Train employees on proper email and Wi-Fi usage
  5. Keep software and perimeter defenses up to date
  6. Get consent from patients before sending or receiving PHI over email
  7. Use a third-party solution like Paubox Email Suite to ensure strong email encryption
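Steps 2 and 3 above (multi-factor authentication and access management) are the ones an administrator can verify programmatically rather than by inspection. The script below is an added example, not code from the original post or from Google or Paubox. It assumes the JSON shape of the Admin SDK Directory API users.list response (fields primaryEmail, isEnrolledIn2Sv, isEnforcedIn2Sv, suspended and isAdmin); the response embedded here is constructed so the audit runs offline, whereas a real run would fetch it with an authorized credential holding the admin.directory.user.readonly scope and page through all users. The audit flags active users who have not enrolled in 2-Step Verification, users on whom it is not enforced, and the highest-risk case, admin accounts without 2SV.

```python
"""Audit Workspace users for 2-Step Verification (2SV) enrollment and enforcement.

Added example for this article, not Google's or Paubox's code. It assumes the
users.list JSON shape of the Admin SDK Directory API and uses a constructed
sample response so that it runs offline.
"""
import json

# Constructed sample response; field names follow the Directory API User
# resource as assumed above. Suspended accounts are excluded from the audit.
SAMPLE_USERS_RESPONSE = json.dumps({
    "kind": "admin#directory#users",
    "users": [
        {"primaryEmail": "alice@clinic.example", "isAdmin": True,
         "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True, "suspended": False},
        {"primaryEmail": "bob@clinic.example", "isAdmin": False,
         "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": True, "suspended": False},
        {"primaryEmail": "carol@clinic.example", "isAdmin": True,
         "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": False},
        {"primaryEmail": "old-intern@clinic.example", "isAdmin": False,
         "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": True},
    ],
})


def audit_2sv(response_json: str) -> dict:
    """Return a summary of 2SV gaps among active (non-suspended) users.

    not_enrolled:       active users who have not set up 2SV at all
    not_enforced:       active users the domain policy does not force into 2SV
    admins_without_2sv: admin accounts with no 2SV (highest-risk finding)
    compliant:          True only when every active user is enrolled and enforced
    """
    users = json.loads(response_json).get("users", [])
    active = [u for u in users if not u.get("suspended", False)]

    not_enrolled = sorted(
        u["primaryEmail"] for u in active if not u.get("isEnrolledIn2Sv", False)
    )
    not_enforced = sorted(
        u["primaryEmail"] for u in active if not u.get("isEnforcedIn2Sv", False)
    )
    admins_without_2sv = sorted(
        u["primaryEmail"] for u in active
        if u.get("isAdmin", False) and not u.get("isEnrolledIn2Sv", False)
    )
    return {
        "active_users": len(active),
        "not_enrolled": not_enrolled,
        "not_enforced": not_enforced,
        "admins_without_2sv": admins_without_2sv,
        "compliant": not not_enrolled and not not_enforced,
    }


def format_report(summary: dict) -> str:
    """Render the audit summary as plain text for an administrator."""
    lines = [f"Active users audited: {summary['active_users']}"]
    for key in ("not_enrolled", "not_enforced", "admins_without_2sv"):
        lines.append(f"{key}: {', '.join(summary[key]) or 'none'}")
    lines.append("Result: " + ("PASS" if summary["compliant"] else "FAIL"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(audit_2sv(SAMPLE_USERS_RESPONSE)))
```

Treat a non-empty admins_without_2sv list as the first item to fix: an administrator account without 2SV can change the very settings the rest of the checklist depends on. Enforcement (isEnforcedIn2Sv) is set by the domain or organizational-unit policy, so users listed under not_enforced point to an OU where 2SV enforcement has not been turned on rather than to an individual's choice.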
