A person holding a smartphone with the Gmail logo on their home screen.

Gmail is the biggest email provider in the world, with over a billion users signing in from across the globe. If you use Gmail as your private address—and there’s a very good chance you do—then you might consider Gmail for your work email as well.

However, when choosing an email provider for a therapy practice, there are a few extra details you have to consider. Any email service that might be used to send confidential client information must be HIPAA compliant (as must teletherapy platforms).

And while Gmail can be made HIPAA compliant, the standard service doesn’t meet the regulations. Find out more about Gmail and HIPAA compliance with this guide.

Is Gmail HIPAA Compliant?

The free, consumer Gmail service is not HIPAA compliant. Google will not sign a Business Associate Agreement (BAA) for free Gmail accounts, and without a BAA in place you may not use the service to send or store Protected Health Information. That rules it out for your therapy practice.

The Importance Of A HIPAA Compliant Email Service

The Health Insurance Portability and Accountability Act (HIPAA) classifies certain patient information as Protected Health Information (PHI). As a therapist, you should be aware of what information you can share with others, and what has to remain confidential.

And while you might never knowingly share this information with a third party, you might send it to the client from a free Gmail account. Gmail does encrypt mail in transit (TLS) and at rest, but that is not the problem: without a BAA, Google is not contractually bound as a business associate, the provider can read message content, and a message to a recipient whose mail server does not support TLS may be delivered unencrypted. Sending PHI under those conditions is a HIPAA violation regardless of the message content being otherwise appropriate.

HIPAA penalties are assessed per violation. Every email containing PHI that you send through a non-compliant service is technically a separate violation, each with its own penalty.

The fine for a single violation ranges from roughly $100 to $50,000 depending on the level of culpability, and the violations add up quickly, so it is worth ensuring your email provider meets the requirements before any PHI is sent.

Is Google Workspace HIPAA Compliant?

Formerly known as G Suite, Google Workspace is Google's paid business subscription that includes Gmail on your own domain. Google Workspace can be made HIPAA compliant, although like Gmail, it isn't HIPAA compliant in its default configuration.

To ensure your Google Workspace is compliant with HIPAA regulations, you must sign a Business Associate Agreement (BAA) with Google. The BAA states that Google is agreeing to “implement physical, technical, and administrative safeguards” to keep confidential information safe.

Google drafts the agreement, and a Workspace super administrator accepts it online through the Admin console. It's a relatively simple step, but it must be completed before any PHI is stored or sent through the account.

Signing a BAA isn't quite the end of it. Next, you have to look at encryption. Under the HIPAA Security Rule, encryption is an "addressable" implementation specification rather than a strictly required one: you must either implement it or document why an equivalent alternative is reasonable. In practice, encryption is the simplest way to avoid an accidental violation. Transport encryption (TLS) protects data as it travels between mail servers, preventing third parties on the network from reading it, but it does not protect the message once it is stored or if the receiving server does not support TLS.

Additionally, you might want to add end-to-end encryption. This brings another layer of security: the message body and attachments are encrypted before they leave your device, so they cannot be read by anyone, including the mail provider, without the decryption key.

This isn't a HIPAA requirement either, but it helps you safeguard information and avoid violating HIPAA. Google Workspace offers client-side encryption for Gmail on some of its higher-tier editions, as well as hosted S/MIME, and you can also add encryption via a third-party service. Check which option your edition supports before relying on it.

Finally, you can improve security by enforcing 2-Step Verification for every account in the organization from the Admin console, rather than leaving it to each user to opt in. This requires every sign-in to be confirmed with a second factor, which blocks access with a stolen password alone. Prefer security keys or an authenticator app over SMS codes, which can be intercepted or redirected.

Beyond Gmail On Google Workspace

Google Workspace is more than just email. Most of its core applications are covered by the BAA, but not all of them are; Google Contacts, for example, is not on the list of covered services, and the list changes over time, so check Google's current "HIPAA Included Functionality" list rather than assuming. This might not seem like an immediate issue, but because information is frequently shared and integrated across the apps, PHI can easily end up in a service the BAA does not cover.

If you sign up to Google Workspace for the email service, review every application it enables. Turn off the services that are not covered by the BAA in the Admin console, or, where you need them, make sure staff know that no PHI may be entered into them.

Continuing HIPAA Compliance With Safe Email Practices

Configuring Google Workspace under a BAA is only one part of your responsibility as a therapist. HIPAA requires PHI to be kept safe and protected at all times, which means the way you compose, send, and read email matters as much as the service you use.

Never leave a computer unattended and unlocked while composing, sending, or reading emails containing PHI. The Security Rule requires workstation security controls such as screen locking and automatic logoff, and a stranger reading PHI from an open mailbox is a reportable breach. If you're accessing emails outside the office, you must be even more careful to ensure that no one can view the sensitive information.

If there is a technical issue with your email or internet access, contact a support provider that understands HIPAA. Google Technical Support is not covered for PHI, so never include client names, message contents, or other PHI in a support ticket or chat, even when it would make a problem easier to describe.

It’s recommended that you ask a client to sign a form confirming they are comfortable using an email service to convey healthcare information, and that they recognize the associated risks.

Should You Use Gmail For Your Work Emails?

There are definite benefits to using Google Workspace for work emails. However, we don’t recommend using the basic Gmail service, as it won’t be covered by a BAA.

Google Workspace isn't automatically a HIPAA compliant choice. First, a super administrator must accept Google's BAA. Then you must configure the safeguards: enforce 2-Step Verification, restrict sharing, and add encryption where your risk assessment calls for it (either through Google's own client-side encryption or S/MIME, or via a third-party service).

Google Workspace also covers other core services under the same BAA, including Drive, Chat, and Calendar. As with Gmail, these services aren't HIPAA compliant out of the box: you will have to adjust sharing, retention, and encryption settings to protect the data they hold.

However, having all the services in one place is useful, and Google Workspace lets you run email on your own practice domain.

But while Google Workspace can be made HIPAA compliant, it requires additional effort and forethought. There are healthcare-specific email providers designed to fulfill HIPAA requirements from the start. The major disadvantage of these services is that you lose the convenience of the Google ecosystem.

Final Thoughts

Gmail is not a HIPAA compliant service, but the premium Google Workspace can be made HIPAA compliant. However, there are a few steps you must take to ensure PHI sent through Google Workspace is properly protected.

While Google Workspace offers convenience for healthcare professionals, it does lack the specialized services of healthcare-focused email providers.
