Healthcare’s Ultimate Guide to Gmail answers the question: Is Gmail HIPAA compliant?

Is Gmail HIPAA Compliant? - Paubox

Healthcare’s Ultimate Guide to Gmail [2023]

Healthcare’s Ultimate Guide to Gmail is a step-by-step tutorial on setting up your Google Workspace account to easily send your patients HIPAA compliant email. Because Paubox is the market leader in HIPAA compliant email, healthcare providers frequently ask us about HIPAA compliance and Gmail. All the information you need to get started is here.

As a bonus, we’ve added helpful tips, such as how to delete a sent Gmail email, how to check if TLS encryption is being used and how to encrypt an email in Gmail’s free version.

Read on to find out all you need to know to get up and running with HIPAA compliant Gmail for your practice or healthcare organization. It’s easier than you think!

What is HIPAA compliant email?

Before we go into Gmail and HIPAA compliance, it’s important to understand HIPAA compliant email.

The Health Insurance Portability and Accountability Act (HIPAA) set the standard for protecting sensitive patient data. More specifically, the HIPAA Privacy Rule is a critical component that healthcare professionals need to know.

The HIPAA Privacy Rule is a set of national standards that safeguards certain health information, including protecting patient data when transmitted by email.

A standard approach for outgoing HIPAA email security and compliance is implementing end-to-end encryption on all emails sent that include protected health information (PHI).

For more specifics, you can read our complete guide to HIPAA compliant email.

Is Gmail HIPAA compliant?

Is Gmail HIPAA compliant? The short answer is yes if you use the paid version. However, there are a few steps that providers need to take to ensure they remain HIPAA compliant to avoid costly HIPAA violation fines and data breaches when using Gmail. Read on to learn how simple the process can be for healthcare providers to send HIPAA compliant Gmail.

What do I need to know about HIPAA, PHI and Gmail?

To recap, HIPAA refers to the laws and regulations created to protect patients and give them rights to their medical records. If a business associate – such as a software vendor used by a covered entity like a healthcare provider – violates HIPAA, or if unauthorized disclosure of PHI harms a patient, criminal penalties can be imposed. Penalties include heavy fines and possible jail time. 

Penalties are easily avoidable by following simple procedures and working with third-party secure email providers, like Paubox, who will follow the necessary steps to secure your Gmail.

Although this process may sound overwhelming, it is surprisingly simple. As a matter of fact, you can be up and running in under an hour with Paubox Email Suite for Gmail.

Google and the BAA

BAA stands for business associate agreement, a written contract between a covered entity and a business associate. A BAA is a necessary step required by law for HIPAA compliance. 

To simplify, anytime you use software to enter or send health information, HIPAA requires you to have a business associate agreement with that software provider. For example, you would need to enter a BAA contract with Google to be HIPAA compliant.

SEE MORE: Google Workspace with a BAA vs. Paubox

HIPAA compliance issues with free Gmail

If you work in an organization that must meet HIPAA regulations, using the free version of Gmail would not be a safe option. You may incur penalties from the U.S. Department of Health and Human Services, and with the free version, a third party is scanning your patients’ PHI without their consent or knowledge. For example, Google scans email stored in Gmail accounts for advertising purposes.

Google scans free Gmail accounts, looks for keywords, and then uses those keywords to target advertisements at you and your contacts.

Is free Gmail HIPAA compliant?

Google does not sign a business associate agreement with free Gmail users.

Therefore, the free version of Gmail is not a HIPAA compliant solution.

In order to stay away from costly fines, keep these steps in mind:

  1. Pay for Google Workspace to eliminate ads and secure your data from automated processing.
  2. Sign a BAA with Google.
  3. Use a third-party solution like Paubox Email Suite to ensure HIPAA compliance for all sent emails.

Paubox works seamlessly with Google Workspace to provide HIPAA compliant email encryption. Unlike other third-party services, there are no extra steps or portals for senders or recipients, making HIPAA compliance as simple as sending email the way you usually would from any device.

Is Gmail in a paid Google Workspace account HIPAA compliant? 

Yes, but you would need to follow a few steps to ensure HIPAA compliance with your Gmail account. 

The core email client within Google Workspace only encrypts email at rest and not all the way to the recipient’s inbox. This means the last step in the sending process may be delivered in clear text and is open to theft. This wouldn’t be a good prospect if any protected health information (PHI) is transmitted in your email.

To make Google Workspace Gmail HIPAA compliant, you still need a third-party solution like Paubox Email Suite to make sure all emails are encrypted from inbox to inbox.

But you don’t have to take our word for it; even Google’s own stats show that not every email is secured in transit.

9 simple steps to make Gmail HIPAA compliant for healthcare 

  1. Ensure your practice is using the paid version of Gmail through Google Workspace.
  2. Obtain a business associate agreement (BAA) from Google.
  3. Download Paubox Email Suite to run with your Gmail to ensure HIPAA compliance. Paubox runs quietly in the background and does not require extra steps or logins to secure 100% of your Gmail messages.
  4. Obtain a BAA from your third-party secure email provider, such as Paubox.
  5. Use two-factor authentication.
  6. Set up alerts to ensure you get notified if something unexpected occurs.
  7. Review your Gmail security settings.
  8. Make sure staff members use strong passwords.
  9. Turn off unused services to prevent PHI from being accidentally stored in an unsecured location.

Before you start including PHI with any Google service, it’s always a good idea to review the Google Workspace HIPAA Implementation Guide to see if any additional configurations are needed.

Helpful Gmail tips for healthcare

The following tips will help you make the most out of your Gmail account.

5 simple steps to encrypt an email in free Gmail’s Confidentiality Mode 

  1. Write the email, per usual.
  2. Click on the Confidential button, which looks like a lock icon. You can find it on the bottom rail of your email prompt.
  3. Once you click the icon, you should get a popup that allows you to set the expiry date and use the SMS passcode.
  4. Click “Save” and send the message. 
  5. Once you use an encrypted email, it can’t be copied, forwarded, printed or downloaded.
Confidential button on Gmail
The Confidential button on Gmail looks like a lock icon.
Gmail Confidential mode

How do I check if Gmail is using TLS encryption?

  1. Open the message you want to check.
  2. Click on the small, downward-pointing triangle beside “to me.”
  3. Once you click, a popup will appear.
  4. Look at the item labeled “security.” 
  5. If it shows “Standard encryption (TLS),” the message was fully encrypted between email systems. 
Gmail TLS

How do I undo a sent Gmail message?

It’s very common to send an email unintentionally. No need to worry; you have up to 30 seconds to undo it. Here’s how:

  1. Once you send an email, look to the bottom left.
  2. An Undo button stays there for five seconds by default. 
  3. Click the “Undo” button to undo the sent Gmail message.
Undo a sent Gmail

To increase the time to undo a sent email to the max of 30 seconds:

  1. Go to Settings (top right corner with a gear icon).
  2. Click “See all settings.” 
  3. Find the Undo Send option in the middle.
  4. Change the time to 30 seconds. 
  5. Scroll down at the button, and click “Save Changes.”
Setting undo sent email timer

SEE MORE: [Pictures] How to undo a sent email in Gmail

Email was designed to connect people without security in mind

At its simplest, email is essentially an open book, which is certainly not ideal for companies and individuals working with regulations like HIPAA.

In most cases, making an email service HIPAA compliant means ensuring that the message is encrypted from inbox to inbox and not delivered in clear text. Unencrypted email is both a security and a HIPAA fine risk for healthcare providers.


Once you combine Google Workspace with Paubox, it becomes seamless for healthcare providers to email patients without worrying about HIPAA violations. In addition, you no longer have to worry about staff accidentally sending a Gmail message that should be encrypted. Paubox also provides the required BAA needed for HIPAA compliance automatically. 

There is no better way to connect healthcare providers and patients than by combining Google Workspace with Paubox. So get started today and start making things easier and safer for your healthcare organization.

HIPAA compliance and Gmail resource center

A smiling person looking directly at the camera with the Paubox maze wrapped around him.

Paubox takes the stress out of HIPAA compliance and Gmail

Paubox gives over 4,000 healthcare customers peace of mind by securing nearly 70,000,000 emails every month for providers and other covered entities. Our technology is HITRUST CSF-certified and rated 4.9/5.0 on G2. Trust the industry experts and start using email in your practice easily, securely and in compliance with HIPAA regulations.

About the author

Hoala Greevy

Founder CEO Paubox. Kayak fishing when I can.

Read more by Hoala Greevy

Get started with
end-to-end protection

Bolster your organization's security with state-of-the-art email encryption and inbound email security.

Highest rated HIPAA compliant messaging solution on G2

EmailEncryption BestMeetsRequirements MeetsRequirements
SecureEmailGateway MostImplementable Total
SecureEmailGateway Leader Leader
SecureEmailGateway EasiestToUse EaseOfUse
SecureEmailGateway EasiestAdmin EaseOfAdmin
SecureEmailGateway BestUsability Total
SecureEmailGateway BestResults Total
SecureEmailGateway BestRelationship Total
EmailEncryption UsersMostLikelyToRecommend Nps
EmailEncryption MomentumLeader Leader
SecureEmailGateway BestSupport Mid Market QualityOfSupport
EmailEncryption BestMeetsRequirements MeetsRequirements
SecureEmailGateway MostImplementable Total
SecureEmailGateway Leader Leader
SecureEmailGateway EasiestToUse EaseOfUse
SecureEmailGateway EasiestAdmin EaseOfAdmin
SecureEmailGateway BestUsability Total
SecureEmailGateway BestResults Total
SecureEmailGateway BestRelationship Total
EmailEncryption UsersMostLikelyToRecommend Nps
EmailEncryption MomentumLeader Leader
SecureEmailGateway BestSupport Mid Market QualityOfSupport