How to make Gmail HIPAA compliant


Is Gmail HIPAA compliant?

Last updated February 19, 2020. We have been getting a lot of questions from prospective customers about whether or not Gmail is a HIPAA compliant email platform.

In previous posts, we’ve covered email providers like Yahoo, GoDaddy, IPOWER, and HostGator and their capabilities for HIPAA compliant email.

In this article, we’ll determine if Gmail is HIPAA compliant or not, and what to do about it.

SEE ALSO: Google & HIPAA Compliance: The Ultimate Guide

What is HIPAA compliant email?

Before we go into the unique case of Gmail, it’s first important to understand what HIPAA compliant email is.

In essence, the Health Insurance Portability and Accountability Act (HIPAA), sets the standard for protecting sensitive patient data.

More specifically, the HIPAA Privacy Rule is an important component to be familiar with.

This rule created, for the first time, a set of national standards for the safeguard of certain health information, including protecting patient data when it’s transmitted in email.

This is why a standard approach for outgoing HIPAA email security is to implement end-to-end encryption on all emails sent with protected health information (PHI).

Email was designed to connect people without security in mind. 

This means that message delivery takes priority over security, which is why a message that leaves the sender encrypted can still arrive in clear text.

At its simplest, email is essentially an open book, which is certainly not ideal for companies and individuals working with regulations like HIPAA.

In most cases, making an email service HIPAA compliant means ensuring that the message is encrypted from inbox to inbox and not delivered in clear text. Unencrypted email is both a security risk and a HIPAA fine risk for healthcare providers.

For more specifics, you can read our complete guide to HIPAA compliant email.

What is the difference between Google Workspace and Gmail?

Did you know that Google Workspace is not the same thing as a Gmail account?

Google Workspace is a suite of Google applications including email, Google Drive, Google Docs, and Google Calendar that are hosted by Google for a unique domain (e.g.,

Gmail, on the other hand, is a free service that uses The important difference here is that Google Workspace is meant to be used alongside a domain name you own.

Another important distinction is that Google Workspace is a paid service, while Gmail is free. In a nutshell, Google Workspace is meant for business use, Gmail is meant for personal use.

Google and the business associate agreement

We’ve covered in previous posts that a business associate agreement (BAA) is a written contract between a covered entity and a business associate. It is required by law for HIPAA compliance. Google is willing to sign a BAA which covers some, but not all, of its services.

If you are using Google Workspace, Google is willing to sign a BAA with your organization. If you are a Gmail user however, Google does not offer a BAA for free Gmail accounts.

Even Google Workspace email needs to be configured for HIPAA compliant email

After you’ve gotten a BAA for Google Workspace, you’re not done yet.

That’s because the core Gmail client within Google Workspace only encrypts email at rest and not all the way to the recipient’s inbox. As we mentioned before, this means the last hop may be delivered in clear text, where it is exposed to interception. Not a good prospect if any protected health information (PHI) is transmitted in your email.

To make Google Workspace email HIPAA compliant you still need a third-party solution like Paubox Email Suite to make sure all emails are encrypted from inbox to inbox.

You don’t have to take our word for it; even Google’s own stats show that not every email is secured in transit.
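The clear-text delivery risk described here, and in the "What is HIPAA compliant email?" section above, can be checked after the fact on any message you have received: each mail server that handles a message adds a Received header, and the RFC 3848 keyword it records (ESMTPS or ESMTPSA for a STARTTLS hop, plain ESMTP or SMTP for a clear-text hop) shows whether that hop was encrypted. The following script is an added example, not code from Paubox or Google; the message, hostnames and IP addresses in it are constructed for the demonstration, and the function and header-field names are my own.

```python
import email
import re
from email import policy

# RFC 3848 "with" keywords: ESMTPS / ESMTPSA / SMTPS mean TLS was negotiated on
# that hop; ESMTP / SMTP / ESMTPA mean the hop ran in clear text.
WITH_RE = re.compile(r"\bwith\s+(?P<proto>(?:UTF8)?E?SMTP(?P<tls>S)?A?)\b", re.IGNORECASE)
# Some MTAs (Postfix, Gmail) also record the TLS version in a comment.
TLS_HINT_RE = re.compile(r"version=TLS|using TLSv", re.IGNORECASE)
FROM_RE = re.compile(r"^\s*from\s+(\S+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)

# Constructed sample: three hops, the middle one (provider -> clinic MX) in clear text.
SAMPLE_MESSAGE = """\
Received: from mx.clinic.example (mx.clinic.example [198.51.100.7])
        by imap.clinic.example with ESMTPS id 9Z1kA
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 19 Feb 2020 10:02:11 -0800
Received: from smtp-out.provider.example (smtp-out.provider.example [203.0.113.25])
        by mx.clinic.example with ESMTP id 4aB2c;
        Wed, 19 Feb 2020 10:02:10 -0800
Received: from [192.0.2.44] (client.provider.example [192.0.2.44])
        by smtp-out.provider.example with ESMTPSA id 7xYz
        (version=TLS1_2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256/256);
        Wed, 19 Feb 2020 10:02:09 -0800
From: doctor@provider.example
To: nurse@clinic.example
Subject: Lab results for patient 12345

Body omitted.
"""


def classify_hop(received_value: str) -> dict:
    """Classify one Received: header value as an encrypted or clear-text hop."""
    text = " ".join(received_value.split())  # unfold continuation lines
    with_match = WITH_RE.search(text)
    proto = with_match.group("proto").upper() if with_match else ""
    tls_keyword = bool(with_match and with_match.group("tls"))
    from_match = FROM_RE.search(text)
    by_match = BY_RE.search(text)
    return {
        "from": from_match.group(1) if from_match else "?",
        "by": by_match.group(1) if by_match else "?",
        "proto": proto or "unknown",
        "encrypted": tls_keyword or bool(TLS_HINT_RE.search(text)),
    }


def audit_received_hops(raw_message: str) -> list:
    """Return every hop in delivery order (oldest first) with its TLS status.

    Received headers are prepended by each server, so the top one is the
    final hop; reversing gives the path the message actually travelled."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    received = [str(h) for h in msg.get_all("Received", [])]
    return [classify_hop(value) for value in reversed(received)]


def clear_text_hops(raw_message: str) -> list:
    """Hops with no TLS evidence: where PHI could have crossed the network unencrypted."""
    return [hop for hop in audit_received_hops(raw_message) if not hop["encrypted"]]


if __name__ == "__main__":
    for hop in audit_received_hops(SAMPLE_MESSAGE):
        status = "TLS" if hop["encrypted"] else "CLEAR TEXT"
        print(f"{hop['from']} -> {hop['by']}: {hop['proto']} ({status})")
```

Two caveats when reading the output: a Received header is written by the receiving server, so only the headers added by servers you operate or trust are authoritative (an upstream server can write anything), and a hop that does show TLS was protected only between those two servers, not from the sender's inbox to yours, which is the end-to-end property the article is after.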

Before you start using PHI with any Google service, it’s highly recommended you take a look at Google’s Google Workspace HIPAA Implementation Guide to make sure the service is HIPAA compliant and if any additional configurations are needed.

Automated processing by Gmail breaks HIPAA compliance

Another reason for providers to be wary of using free Gmail is the little known practice of automated processing.

Google has admitted in court documents that Gmail users’ emails are “subject to automated processing.” In other words, Google scans Gmail accounts, looks for keywords, and then uses those keywords to target advertisements at you and your contacts.

How would your patients feel if they realize your Gmail account is exposing their health data to Google?

The good news is that Google has finally decided to stop this process, though there’s still no date set for when the change will occur.

So is Gmail HIPAA compliant?

Google does not sign a business associate agreement with free Gmail users.

Therefore, Gmail is not a HIPAA compliant solution.

To make matters worse, Google also scans email stored in Gmail accounts for advertising purposes.

If you work in an organization that must meet HIPAA regulations, using Gmail for work is a very bad idea, both in terms of fines you could incur from the US Department of Human Services and also because a third party is scanning your patients’ PHI without their consent or knowledge.

In order to stay away from costly fines, keep these steps in mind:

  1. Pay for Google Workspace to eliminate ads and secure your data from automated processing
  2. Sign a BAA with Google
  3. Use a third-party service like Paubox Email Suite to ensure HIPAA compliance for sent emails

Paubox works seamlessly with Google Workspace to provide end-to-end HIPAA compliant email encryption. Unlike other third-party services, there are no extra steps for senders or recipients (no portals!), which makes HIPAA compliance as simple as sending email as you usually would from any device.

Try Paubox Email Suite for FREE today.

About the author

Hoala Greevy

Founder of Paubox. Kayak fishing when I can. Native Hawaiian CEO.
