Gmail can be made HIPAA compliant only by using it through a Google Workspace plan that supports HIPAA compliance, executing Google’s HIPAA business associate agreement, and configuring administrative, technical, and operational controls. Those controls must ensure that electronic protected health information is accessed only by authorized users and is protected in storage and in transmission, consistent with the HIPAA Security Rule and the HIPAA Privacy Rule, including the HIPAA Minimum Necessary Rule.
A free consumer Gmail account is not appropriate for routine use with protected health information because it does not provide the required business associate relationship and does not provide the level of centralized administrative control typically required for regulated use. HIPAA compliance depends on the covered entity or business associate implementing safeguards and being able to administer and monitor those safeguards across the email environment.
The first control requirement is contractual. The organization must execute Google’s business associate agreement for Google Workspace before Gmail is used to create, receive, maintain, or transmit electronic protected health information. The organization must also confirm which Google Workspace services are covered by the business associate agreement and restrict protected health information to covered services and approved configurations.
The next requirement is administrative configuration of identity, access, and device security. Gmail use with protected health information requires unique user accounts, strong authentication such as multi-factor authentication, and role-based access management for workforce members. Administrative controls should prevent account sharing, restrict access from unmanaged or high-risk devices where feasible, and support rapid deprovisioning when workforce members separate or change roles. Mobile device management controls should be used when email is accessed on phones and tablets, with screen lock, encryption on the device, and remote wipe capability where feasible.
Transmission protection must be addressed for messages sent outside the organization’s controlled environment. Gmail can use Transport Layer Security (TLS) for messages between mail systems when both parties support it, but transport protection is not guaranteed: it can fail when a recipient system does not support TLS or when messages are redirected. When protected health information is sent to external recipients, the organization should implement technical controls that reduce the risk of unauthorized access in transit and at rest at the recipient, such as enforced encryption methods, secure message delivery workflows, or alternative communication channels when encryption cannot be assured. When an individual requests receipt of protected health information by unencrypted email, the organization must apply reasonable safeguards, provide a brief risk warning, and document the individual’s preference in line with HIPAA Privacy Rule requirements for individual access and communications.
Operational controls are required to maintain oversight and support audit and incident response. Gmail and Google Workspace should be configured to retain and produce audit information needed to investigate inappropriate access, misdirection, or account compromise. Retention and deletion settings must align with the organization’s record management requirements, including how email containing protected health information is preserved, archived, and retrieved. Workforce policies should define when email is permitted for protected health information, what identifiers may be used, how to verify recipient addresses, and how to handle replies and forwarding.
Gmail configuration decisions must be supported by a documented HIPAA Security Rule risk analysis and by risk management actions that reflect how the organization uses email, the types of protected health information involved, the recipient populations, and the controls in place. Training and enforcement are required so workforce members use the approved Gmail environment as configured and do not move protected health information into non-approved accounts, personal devices, or consumer messaging tools.
