
Why Gmail and Outlook are not HIPAA compliant by default


Gmail and Outlook are not HIPAA compliant by default because they lack the necessary security features and configurations that HIPAA requires for handling protected health information (PHI). Standard consumer versions of the email platforms do not automatically encrypt emails, do not sign a business associate agreement (BAA), and don't have the strong access controls and audit logs needed for compliance. To become compliant, organizations must use paid, enterprise-level versions, like Google Workspace or Microsoft 365, and take specific steps, including signing a BAA and configuring security settings. 

However, even with these upgrades, risks remain. The Paubox report How Microsoft and Google Put PHI at Risk uncovered several gaps after testing the platforms’ encryption capabilities. According to the findings:

  • Google Workspace still allows email delivery over obsolete and insecure TLS versions.
  • Microsoft 365 may send protected information in cleartext (unencrypted) under certain conditions.
  • Both Google and Microsoft appear to fall short of NSA recommendations for modern email encryption.

The report also notes that "using obsolete encryption provides a false sense of security because it seems as though sensitive data is protected, even though it really is not."

 

Risks of using non-HIPAA compliant email providers

Using email providers that are not HIPAA compliant exposes healthcare organizations to financial, legal, and operational risks. These dangers stem from weak security controls, misconfigurations, and silent encryption failures that leave PHI vulnerable. 

 

Financial and legal consequences

Healthcare remains the most expensive industry for data breaches, and unsecured email continues to be a major source of these incidents. According to IBM’s Cost of a Data Breach Report, the average cost of a healthcare data breach had risen to $9.8 million and reached $11 million in the 2025 report.

Non-compliant emails often lead to regulatory investigation, legal action, and costly settlements. For example:

These financial consequences add up quickly, especially when combined with remediation, forensic investigations, and long-term trust erosion.

 

Encryption and security failures

Non-HIPAA compliant email systems encounter issues at the transport layer, putting PHI at risk during transmission. The problem is that these platforms prioritize delivery over security, leading to silent encryption failures.

Paubox testing revealed several concerning behaviors:

  • Silent fallback to insecure protocols: Google Workspace will still deliver messages using TLS 1.0 or 1.1 protocols, even after the NSA has deprecated these protocols.
  • Cleartext delivery: Microsoft 365 may refuse outdated TLS negotiations but will then send the email unencrypted, with no warning to the sender.
  • No visible alerts: Neither platform notifies users that encryption has failed.

These failures often occur under default settings, not misconfigurations.

Using outdated protocols like TLS 1.0 and 1.1 is inherently unsafe: they support weak cipher suites, increase susceptibility to downgrade attacks, and lack modern cryptographic protections. The result is a false sense of security, where organizations believe they are protected because they use well-known email platforms or enable force TLS, but these controls can fail silently.

Weak transport encryption also invites attack, making it easier for cybercriminals to perform MITM attacks, spoof domains, steal credentials, and intercept PHI in transit.
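Because neither platform alerts the sender when a hop falls back to obsolete TLS or cleartext, the receiving side has to look for the evidence itself. The following is an added example, not code from the Paubox report: it reads the Received: headers of a message and classifies each hop using the TLS annotation the receiving MTA wrote (the `version=TLS1_x` and `using TLSv1.x` spellings are assumed to cover the MTAs in play; the sample message is constructed).

```python
"""Classify each SMTP hop of a message by the TLS version it was received over."""
import re
from email import message_from_string

# Matches the annotations MTAs commonly leave in Received: headers, e.g.
# "(version=TLS1_2 cipher=...)", "(version=TLS1_2, cipher=...)" or
# "(using TLSv1.2 with cipher ...)". A bare "TLSv1" means TLS 1.0.
_VERSION_RE = re.compile(
    r"(?:version=|using\s+)TLS[v_ ]?(?P<major>\d)(?:[._](?P<minor>\d))?",
    re.IGNORECASE,
)
_ACCEPTED = {(1, 2), (1, 3)}  # TLS 1.2 or higher, per the Security Rule guidance above


def classify_hop(received: str) -> str:
    """Return 'ok', 'obsolete-tls' or 'cleartext' for one Received: header value."""
    m = _VERSION_RE.search(received)
    if m is None:
        # No TLS annotation recorded: treat as a plain SMTP hop. MTAs that never
        # annotate TLS need their own transport log checked instead.
        return "cleartext"
    version = (int(m.group("major")), int(m.group("minor") or 0))
    return "ok" if version in _ACCEPTED else "obsolete-tls"


def audit_message(raw: str) -> list[tuple[str, str]]:
    """Classify every hop of a raw RFC 5322 message, newest hop first."""
    msg = message_from_string(raw)
    return [(classify_hop(h), h) for h in msg.get_all("Received", [])]


def weakest_hop(raw: str) -> str:
    """Overall verdict: the weakest hop decides whether PHI was exposed in transit."""
    rank = {"ok": 0, "obsolete-tls": 1, "cleartext": 2}
    verdicts = [c for c, _ in audit_message(raw)] or ["cleartext"]
    return max(verdicts, key=rank.__getitem__)


# Constructed sample: a TLS 1.2 hop, then a TLS 1.0 hop, then a cleartext hop.
SAMPLE = """\
Received: from mx.clinic.example ([198.51.100.7]) by inbound.example.net
 with ESMTP id abc123; Mon, 3 Nov 2025 09:15:02 -0500
Received: from relay.partner.example ([203.0.113.9]) by mx.clinic.example
 with ESMTPS id def456 (version=TLS1_0 cipher=AES128-SHA bits=128/128);
 Mon, 3 Nov 2025 09:15:01 -0500
Received: from ws.partner.example by relay.partner.example
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits));
 Mon, 3 Nov 2025 09:15:00 -0500
Subject: lab results

body
"""
```

Running `weakest_hop(SAMPLE)` yields `cleartext`, the verdict a mail gateway could log or alert on even though the sender saw no warning.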

 

Operational and compliance gaps

Non-compliant email systems can also lead to operational and compliance issues that undermine HIPAA’s administrative requirements.

  • Lack of audit trails: HIPAA requires that regulated entities implement audit controls. However, 20% of small and midsize healthcare organizations don’t utilize any form of email archiving or audit trail, leaving 1 in 5 unable to investigate incidents after they happen.
  • Misconfigurations: Even enterprise-grade platforms are prone to security gaps if they are not configured correctly. Misconfigurations were present in 31.1% of healthcare organizations assessed in the high-risk category.
  • Dependence on human behavior: Systems requiring staff to manually trigger encryption (e.g., adding a keyword) introduce inevitable human errors that can expose PHI.
  • Disruption of care: Breaches can lead to communication breakdowns, system shutdowns, and patients losing trust, ultimately delaying care and diverting IT and administrative resources toward damage control.

 

What HIPAA requires from HIPAA compliant email platforms

For a platform to qualify as HIPAA compliant when handling PHI, it must meet HIPAA standards, as laid out by the HIPAA Security and Privacy Rules. These requirements ensure confidentiality, integrity, and availability of PHI when transmitted or stored electronically.

 

Technical safeguards

Under the Security Rule Technical Safeguards (§ 164.312), email platforms must implement technical measures to protect ePHI. Key safeguards include:

  • Encryption (where appropriate): HIPAA requires a mechanism to encrypt and decrypt ePHI at rest and when transmitted over a network. 
  • Transmission security: For emails containing PHI, using secure transport protocols, like TLS 1.2 or higher, or other equally strong encryption methods, is necessary to prevent unauthorized interception or access during transit. 
  • Access controls and authentication: Only authorized users should be able to access ePHI. This includes requirements for secure login credentials, strong passwords, and possibly multi-factor authentication (MFA) depending on risk assessment. 
  • Audit controls and logging: The system must track and log access to, modifications of, or transmissions of ePHI, enabling accountability and enabling post-incident investigations if needed. 
  • Integrity controls: The platform should ensure that ePHI is not altered or destroyed improperly. This helps preserve data integrity and prevent tampering. 

 

Administrative and contractual safeguards

Beyond technical capabilities, HIPAA compliance also requires the implementation of administrative safeguards:

  • Business associate agreement (BAA): If a covered entity uses a third-party email service to store or transmit PHI, that service provider must sign a BAA. This legal agreement obliges the provider to comply with HIPAA’s requirements for protecting PHI. 
  • Risk assessment and management: Covered entities and business associates should conduct regular risk assessments to identify vulnerabilities (e.g., unencrypted transmissions, weak access controls, phishing threats) and implement measures to alleviate the identified risks. 
  • Policies and procedures: Organizations must establish and enforce written policies for how PHI is handled via email, including access control policies, procedures for onboarding/offboarding staff, rules for email retention or archiving, and guidelines for breach notification. 
  • Safe storage and retention: If PHI is stored in email accounts (on servers or in the cloud), the platform must support secure storage and enable audit-capable archiving so that entities can respond to access requests, disclosure accounting, or audits.

 

The HIPAA compliant solution: Paubox

Paubox offers a fully HIPAA compliant email solution purpose-built for healthcare, addressing the security, compliance, and usability gaps that traditional email platforms leave behind. Unlike Gmail, Outlook, Microsoft 365, or Google Workspace, which require extensive configuration, manual encryption triggers, and third-party add-ons, Paubox delivers seamless, always-on encryption that meets and exceeds HIPAA’s technical safeguard requirements.

See also: Features of Paubox Email Suite

 

FAQs

Can HIPAA-covered entities use free email services?

No. Free services like free Gmail or Yahoo Mail cannot sign BAAs and lack the necessary encryption, logging, and access controls required under HIPAA. Using them to send PHI is a direct violation.

 

Do I need a portal for HIPAA compliant email?

While many tools rely on portals, where patients must log in to read messages, Paubox allows patients to read encrypted email directly in their inbox; no passwords or portals are needed.

Read also: Do I need an email portal to be HIPAA compliant?

 

Do HIPAA compliant email platforms still get hacked?

Any email system can be targeted, but HIPAA compliant platforms reduce risk dramatically through enforced encryption, access controls, and threat detection. Systems that lack those safeguards (like unmodified Gmail/Outlook setups) are far more vulnerable.
