Is Gmail HIPAA compliant?

Yes, Gmail can be HIPAA compliant because it offers a Business Associate Agreement (BAA) for its G Suite products — but if you want to make a Gmail account HIPAA compliant, it must be a part of G Suite and cannot be a free, personal account.

The free version of Gmail that most people use is not HIPAA compliant on its own, but Google’s G Suite can be HIPAA compliant. G Suite includes Gmail, Google Calendar, and Google Drive, just like the free version, but it also includes security features that, once configured, make G Suite HIPAA compliant. Once you’ve made your G Suite account HIPAA compliant, your connected Gmail account will be HIPAA compliant as well.

Gmail is the most widely used email service around, with 1.5 billion users worldwide, an increase of 500 million users just since 2016. The ubiquity and familiarity of Gmail make it an appealing option for healthcare companies.

HIPAA sets strict standards for protecting patient confidentiality and health information. Sending HIPAA-compliant emails requires training staff to use technological safeguards. Your email provider may follow HIPAA regulations, but that doesn’t automatically make your emails secure. Every employee must understand how HIPAA applies to their email. Your staff needs training in everything from encrypting sensitive emails to ensuring they’re sent to authorized recipients.

Ongoing training is necessary because healthcare workers are often targeted by phishing and other email attacks. Recent breaches have compromised sensitive personal data, such as Social Security numbers and financial account information, as well as the PHI, of hundreds of thousands of patients. Continuous training improves the chances your employees will thwart phishing scams before they cause any damage.

Your business needs a straightforward, step-by-step process to help staff comply with both HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act. Now that we’ve considered the importance of strong training and policies, it’s time to take a look at the technical side of things.

You need a signed business associate agreement (BAA) with every third party that could access the PHI in your custody. Using an email provider is no different. A BAA ensures that your business associate understands how they can use PHI and what security measures are required.

The fundamental risk of transmitting PHI via email is that unauthorized people could gain access to that data. HIPAA-compliant email services should have strong security features or allow third-party plugins that provide the needed security.

Access must be restricted to only those who need the information. Never print emails that contain PHI. These emails should be visible only to the sender and the recipient. Using end-to-end encryption and access controls ensures that ePHI doesn’t fall into the wrong hands.

Google will sign a BAA with healthcare companies that use G Suite, but not until all security protocols are in place. Using G Suite to transmit or store PHI before you have the BAA is a HIPAA violation.

Product details

Business Associate Agreement


HIPAA Compliant



Email Services

Product description

Gmail is an email service developed by Google that enables users to send emails to each other and securely store received emails online.


Readers should perform their own research before making the final decision. The information on the Jotform HIPAA Compliance Checker does not constitute official healthcare or legal advice. Jotform is not liable for any damage or liabilities arising out of or connected in any manner with this platform.
