Is Gmail HIPAA Compliant for Medical Clinics?
What small clinics need to know about Gmail's BAA availability under Google Workspace, required admin configuration, and the compliance risks that persist even after signing.
Short answer
Gmail can be part of a HIPAA-covered environment only through Google Workspace, after a BAA is signed and the admin applies the required configuration. Consumer Gmail (free accounts at gmail.com) has no HIPAA coverage whatsoever and must never carry PHI. Even with a signed agreement, the clinic must disable the features Google excludes from its BAA scope, and the agreement and configuration reduce risk without eliminating it: email as a channel carries inherent exposure that the clinic should evaluate.
BAA availability
Google offers a HIPAA BAA through Google Workspace. The agreement covers core services including Gmail, Google Drive, Google Docs, Google Sheets, Google Calendar, and Google Meet, among others. To execute the BAA:
- Sign in to the Google Workspace Admin Console as a super administrator.
- Navigate to Account > Account Settings > Legal.
- Locate and accept the HIPAA Business Associate Amendment.
This step is required before any PHI enters the Workspace environment. Google Workspace Business Starter, Business Standard, Business Plus, and Enterprise plans all permit BAA acceptance. The BAA is not available on consumer Gmail — only on paid Workspace accounts. Google recommends reviewing the service-specific coverage list each time a new product or feature is added, as covered services can change.
Features excluded from BAA coverage
Google’s HIPAA implementation guide lists several features that fall outside BAA scope. At the time of this writing, these have included:
- Certain Gemini AI features integrated into Workspace (verify current scope with Google’s guidance)
- Third-party Marketplace add-ons that access Workspace data
- Google Sites if used for public-facing content containing PHI
The clinic’s admin is responsible for auditing which Workspace features are in use and confirming each against the current BAA coverage list.
Required admin configuration
Accepting the BAA is the first step, not the last. Google’s own HIPAA implementation guide identifies admin controls the clinic must apply:
- Disable Google Workspace features not covered by the BAA. This includes any AI features outside BAA scope.
- Enable audit logging. Admin reports and audit logs for Gmail, Drive, and other services must be configured and retained.
- Restrict external sharing. Drive sharing settings must prevent files containing PHI from being shared with accounts outside the organization without explicit control.
- Apply DLP policies. Google Workspace Enterprise tiers offer data loss prevention rules that can flag outbound messages with PHI patterns.
- Enforce 2-Step Verification. All accounts that may touch PHI must use multi-factor authentication.
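As an added example (not from this article and not Google's code), a Python audit of the 2-Step Verification control listed above: it walks the paginated response of the Admin SDK Directory API users.list call and reports active accounts that are not enrolled in or not enforced for 2-Step Verification. The live API call and credentials are assumed and left out; the response pages below are constructed so the check runs offline.

```python
from typing import Callable, Iterator, Optional

# Constructed sample (not real data): two pages shaped like the Admin SDK
# Directory API users.list response, with the fields this audit reads.
SAMPLE_PAGES = {
    None: {"users": [
        {"primaryEmail": "frontdesk@clinic.example", "suspended": False,
         "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True},
        {"primaryEmail": "dr.lee@clinic.example", "suspended": False,
         "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": True},
    ], "nextPageToken": "page2"},
    "page2": {"users": [
        {"primaryEmail": "billing@clinic.example", "suspended": False,
         "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": False},
        {"primaryEmail": "former.staff@clinic.example", "suspended": True,
         "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False},
    ]},
}

def fetch_sample_page(page_token: Optional[str]) -> dict:
    """Offline stand-in for the live call (assumed form):
    service.users().list(customer="my_customer", pageToken=page_token).execute()"""
    return SAMPLE_PAGES[page_token]

def iter_users(fetch_page: Callable[[Optional[str]], dict]) -> Iterator[dict]:
    """Walk every page of users.list; the API paginates larger directories."""
    token: Optional[str] = None
    while True:
        page = fetch_page(token)
        yield from page.get("users", [])
        token = page.get("nextPageToken")
        if not token:
            return

def audit_2sv(fetch_page: Callable[[Optional[str]], dict]) -> dict:
    """Return active accounts that fail the 2-Step Verification control:
    not enrolled (no second factor yet) or not enforced (policy gap)."""
    findings = {"not_enrolled": [], "not_enforced": []}
    for user in iter_users(fetch_page):
        if user.get("suspended"):
            continue  # cannot sign in, so not an active exposure
        email = user["primaryEmail"]
        if not user.get("isEnrolledIn2Sv"):
            findings["not_enrolled"].append(email)
        if not user.get("isEnforcedIn2Sv"):
            findings["not_enforced"].append(email)
    return findings

if __name__ == "__main__":
    for kind, emails in audit_2sv(fetch_sample_page).items():
        print(f"{kind}: {emails}")
```

Accounts in `not_enforced` are the ones where an admin setting, not the user, is the gap; they should be closed before the account can touch PHI.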
Risks that remain after BAA signing
A BAA does not change how email works as a protocol. Email in transit between organizations uses TLS opportunistically: encryption is applied hop by hop only when both mail servers support it, and it is not end-to-end encryption. Within Google’s systems, message content passes through spam filtering and other processing.
For patient-facing email specifically, the clinic faces additional exposure: patients may be using unencrypted personal email, forwarding messages, or accessing email on shared devices. The HIPAA requirement is not that email is forbidden — it is that the clinic conducts a risk assessment and documents its decision about acceptable transmission methods.
Many clinics use Google Workspace Gmail for internal staff communication (task assignments, care coordination) while routing patient-facing communication through a dedicated secure messaging or patient portal system.
What to keep out of Gmail even with a BAA
- Do not use email subject lines that identify patients by name or condition
- Do not forward patient records as email attachments without encrypted delivery or a secure portal link
- Do not use personal @gmail.com accounts for any patient-adjacent communication, even for quick questions between staff
When Gmail alone is not enough
PHIGuard commercial baseline
PHIGuard uses flat per-clinic pricing rather than per-user fees. A Business Associate Agreement is included on every public plan. The primary trial path is a 30-day free trial with no credit card required. See current PHIGuard pricing for plan names, monthly list prices, annual totals, and current launch details.