<script type="application/ld+json">{  "@context": "https://schema.org",  "@graph": [    {      "@type": "Article",      "@id": "https://www.practicebetter.io/blog/hipaa-compliant-email#article",      "headline": "HIPAA-Compliant Email: What It Actually Means for Your Practice",      "description": "HIPAA-compliant email requires encryption, access controls, audit logging, and a signed BAA. Here's what that means for Gmail, Google Workspace, and your practice.",      "url": "https://www.practicebetter.io/blog/hipaa-compliant-email",      "datePublished": "2026-07-02T12:00:00-04:00",      "dateModified": "2026-07-02T12:00:00-04:00",      "author": {        "@type": "Organization",        "name": "Practice Better",        "url": "https://www.practicebetter.io"      },      "publisher": {        "@id": "https://www.practicebetter.io#organization"      },      "image": {        "@type": "ImageObject",        "url": "https://cdn.prod.website-files.com/6718175ada2bc9a32b0d59ca/6a4be6803461fdbf2907608d_HIPAA-Compliant%20Email%20What%20It%20Actually%20Means%20for%20Your%20Practice.jpg",        "width": 1200,        "height": 630      },      "mainEntityOfPage": {        "@type": "WebPage",        "@id": "https://www.practicebetter.io/blog/hipaa-compliant-email"      },      "keywords": [        "hipaa compliant email",        "is gmail hipaa compliant",        "is google workspace hipaa compliant",        "hipaa compliant email service",        "how to send hipaa compliant email"      ],      "articleSection": "Compliance"    },    {      "@type": "FAQPage",      "@id": "https://www.practicebetter.io/blog/hipaa-compliant-email#faq",      "mainEntity": [        {          "@type": "Question",          "name": "Is email HIPAA compliant?",          "acceptedAnswer": {            "@type": "Answer",            "text": "Email is not HIPAA compliant by default. It becomes compliant only when the provider signs a BAA and the account is configured with encryption, access controls, and audit logging."          }        },        {          "@type": "Question",          "name": "How do you send HIPAA-compliant email?",          "acceptedAnswer": {            "@type": "Answer",            "text": "Send HIPAA-compliant email through a provider with a signed BAA, using encryption in transit and at rest, restricted access, audit logging, and documented client consent."          }        },        {          "@type": "Question",          "name": "Is Google Workspace email HIPAA compliant?",          "acceptedAnswer": {            "@type": "Answer",            "text": "Google Workspace email is HIPAA compliant on Business Standard, Business Plus, Enterprise, or Education plans when the organization signs Google's BAA and follows Google's configuration requirements."          }        },        {          "@type": "Question",          "name": "How do you send HIPAA-compliant email in Gmail?",          "acceptedAnswer": {            "@type": "Answer",            "text": "Sending HIPAA-compliant email in Gmail requires a Google Workspace plan eligible for a BAA, a signed BAA with Google, and encryption settings such as S/MIME or confidential mode enabled at the admin level."          }        },        {          "@type": "Question",          "name": "Do you need a BAA to email clients about their health?",          "acceptedAnswer": {            "@type": "Answer",            "text": "Yes. Any email provider handling protected health information needs a signed Business Associate Agreement before ePHI is sent, regardless of what encryption is in place."          }        },        {          "@type": "Question",          "name": "What alternatives are there to email if it's not HIPAA compliant?",          "acceptedAnswer": {            "@type": "Answer",            "text": "Secure messaging within your EHR is the top choice for practitioners who are serious about remaining compliant when sending and receiving communications with clients. EHRs like Practice Better have compliance built in, so you never have to worry about violating privacy laws."          }        }      ]    },    {      "@type": "BreadcrumbList",      "@id": "https://www.practicebetter.io/blog/hipaa-compliant-email#breadcrumb",      "itemListElement": [        {          "@type": "ListItem",          "position": 1,          "name": "Home",          "item": "https://www.practicebetter.io"        },        {          "@type": "ListItem",          "position": 2,          "name": "Blog",          "item": "https://www.practicebetter.io/blog"        },        {          "@type": "ListItem",          "position": 3,          "name": "HIPAA-Compliant Email: What It Actually Means for Your Practice",          "item": "https://www.practicebetter.io/blog/hipaa-compliant-email"        }      ]    },    {      "@type": "Organization",      "@id": "https://www.practicebetter.io#organization",      "name": "Practice Better",      "url": "https://www.practicebetter.io",      "logo": {        "@type": "ImageObject",        "url": "https://cdn.prod.website-files.com/6718175ada2bc9a32b0d5998/6718175ada2bc9a32b0d5da5_PB-logo-primary-transLightBG.svg",        "width": 250,        "height": 60      },      "description": "All-in-one practice management and EHR platform for health and wellness professionals",      "sameAs": [        "https://www.facebook.com/practicebetter",        "https://x.com/ipracticebetter",        "https://www.linkedin.com/company/practicebetter/",        "https://www.instagram.com/practicebetter",        "https://www.youtube.com/c/PracticeBetter"      ]    }  ]}</script>

HIPAA-Compliant Email: What It Actually Means for Your Practice

Written by
Practice Better
Jake Sotir
Published on
July 6, 2026

Email wasn't built for protected health information. Most practitioners find that out the hard way — after a client hits reply on a scheduling email and mentions a diagnosis, a medication, or a symptom, and now that message sits in a standard inbox with no encryption, no access controls, and no audit trail.

Here's what HIPAA-compliant email actually requires, whether your current setup meets the bar, and why most practices eventually stop trying to make email compliant and move client communication somewhere built for it.

What is HIPAA-compliant email?

HIPAA-compliant email is email that meets the Security Rule's technical safeguards for electronic protected health information (ePHI): encryption in transit and at rest, access controls tied to individual user accounts, audit logging, and a signed Business Associate Agreement (BAA) with the email provider.

Standard email fails on nearly all of these by default. Gmail, Outlook, and most consumer email don't encrypt messages end-to-end, don't log who accessed what, and don't come with a BAA unless you're on a specific paid tier and you've signed one directly with the provider.

Is Gmail HIPAA compliant?

Gmail is not HIPAA compliant by default. Google will sign a BAA for Google Workspace customers, but only on Business, Enterprise, or Education plans — not personal Gmail accounts. Signing the BAA is necessary but not sufficient: you still have to configure Workspace correctly (S/MIME encryption or Gmail's confidential mode, admin-level access controls, retention settings) and make sure every staff member who touches client email is covered under that same BAA.

Personal Gmail accounts, free Gmail accounts, and any Workspace account without a signed BAA are not compliant, regardless of what security settings are enabled.

Is Google Workspace HIPAA compliant?

Google Workspace can be HIPAA compliant on Business Standard, Business Plus, Enterprise, and Education plans, provided your organization signs Google's BAA and configures Gmail, Drive, and Calendar according to Google's HIPAA implementation guidance. Workspace is not compliant out of the box — the BAA and configuration are both required, and coverage only extends to the specific services listed in Google's BAA (not every Workspace product automatically qualifies).

How to send a HIPAA-compliant email

  1. Confirm your email provider will sign a BAA, and get it signed before any ePHI is sent — not after.
  2. Enable encryption in transit (TLS) at minimum, and encryption at rest for stored messages.
  3. Restrict access to shared inboxes so only authorized staff can view messages containing ePHI.
  4. Turn on audit logging so you can see who accessed or forwarded a message.
  5. Train staff to strip identifying details from subject lines, since subject lines are often unencrypted even when body content is protected.
  6. Get client consent in writing before communicating ePHI by email, since HIPAA permits it but expects documented authorization.

Even done correctly, this checklist has to be maintained by someone — every new hire, every plan change, every provider update.

HIPAA-compliant email services worth considering

Paubox, Virtru, and Hushmail all offer HIPAA-compliant email with signed BAAs, and each layers encryption on top of existing email addresses rather than requiring clients to log into a separate portal. Google Workspace and Microsoft 365 can also be configured for compliance on qualifying business tiers. Pricing and setup complexity vary, and every option still requires the same ongoing discipline: BAA maintenance, access control review, and staff training as your team grows.

Why secure client messaging beats HIPAA-compliant email

Compliant email solves the transport problem. It doesn't solve the workflow problem: client messages, session notes, intake forms, and billing questions end up scattered across an inbox that was never designed to be part of a clinical record.

Secure messaging built into a practice management platform keeps client communication inside the same system as their chart, so there's one compliant record instead of a compliant inbox plus a separate EHR. Practice Better's client portal messaging is covered under the same BAA as the rest of the platform, so a message thread about a client's protocol lives next to their notes, forms, and billing history — not in a separate inbox you have to secure, audit, and retain on its own timeline.

For a solo practitioner, that's the difference between maintaining two compliant systems and maintaining one.

Frequently asked questions

Is email HIPAA compliant?

Email is not HIPAA compliant by default. It becomes compliant only when the provider signs a BAA and the account is configured with encryption, access controls, and audit logging.

How do you send HIPAA-compliant email?

Send HIPAA-compliant email through a provider with a signed BAA, using encryption in transit and at rest, restricted access, audit logging, and documented client consent.

Is Google Workspace email HIPAA compliant?

Google Workspace email is HIPAA compliant on Business Standard, Business Plus, Enterprise, or Education plans when the organization signs Google's BAA and follows Google's configuration requirements.

How do you send HIPAA-compliant email in Gmail?

Sending HIPAA-compliant email in Gmail requires a Google Workspace plan eligible for a BAA, a signed BAA with Google, and encryption settings such as S/MIME or confidential mode enabled at the admin level.

Do you need a BAA to email clients about their health?

Yes. Any email provider handling protected health information needs a signed Business Associate Agreement before ePHI is sent, regardless of what encryption is in place.

What alternatives are there to email if it's not HIPAA compliant?

Secure messaging within your EHR is the top choice for practitioners who are serious about remaining compliant when sending and receiving communications with clients. EHRs like Practice Better have compliance built in, so you never have to worry about violating privacy laws.

{{free-trial-simple-text}}

HIPAA-Compliant Email: What It Actually Means for Your Practice

Email wasn't built for protected health information. Most practitioners find that out the hard way — after a client hits reply on a scheduling email and mentions a diagnosis, a medication, or a symptom, and now that message sits in a standard inbox with no encryption, no access controls, and no audit trail.

Here's what HIPAA-compliant email actually requires, whether your current setup meets the bar, and why most practices eventually stop trying to make email compliant and move client communication somewhere built for it.

What is HIPAA-compliant email?

HIPAA-compliant email is email that meets the Security Rule's technical safeguards for electronic protected health information (ePHI): encryption in transit and at rest, access controls tied to individual user accounts, audit logging, and a signed Business Associate Agreement (BAA) with the email provider.

Standard email fails on nearly all of these by default. Gmail, Outlook, and most consumer email don't encrypt messages end-to-end, don't log who accessed what, and don't come with a BAA unless you're on a specific paid tier and you've signed one directly with the provider.

Is Gmail HIPAA compliant?

Gmail is not HIPAA compliant by default. Google will sign a BAA for Google Workspace customers, but only on Business, Enterprise, or Education plans — not personal Gmail accounts. Signing the BAA is necessary but not sufficient: you still have to configure Workspace correctly (S/MIME encryption or Gmail's confidential mode, admin-level access controls, retention settings) and make sure every staff member who touches client email is covered under that same BAA.

Personal Gmail accounts, free Gmail accounts, and any Workspace account without a signed BAA are not compliant, regardless of what security settings are enabled.

Is Google Workspace HIPAA compliant?

Google Workspace can be HIPAA compliant on Business Standard, Business Plus, Enterprise, and Education plans, provided your organization signs Google's BAA and configures Gmail, Drive, and Calendar according to Google's HIPAA implementation guidance. Workspace is not compliant out of the box — the BAA and configuration are both required, and coverage only extends to the specific services listed in Google's BAA (not every Workspace product automatically qualifies).

How to send a HIPAA-compliant email

  1. Confirm your email provider will sign a BAA, and get it signed before any ePHI is sent — not after.
  2. Enable encryption in transit (TLS) at minimum, and encryption at rest for stored messages.
  3. Restrict access to shared inboxes so only authorized staff can view messages containing ePHI.
  4. Turn on audit logging so you can see who accessed or forwarded a message.
  5. Train staff to strip identifying details from subject lines, since subject lines are often unencrypted even when body content is protected.
  6. Get client consent in writing before communicating ePHI by email, since HIPAA permits it but expects documented authorization.

Even done correctly, this checklist has to be maintained by someone — every new hire, every plan change, every provider update.

HIPAA-compliant email services worth considering

Paubox, Virtru, and Hushmail all offer HIPAA-compliant email with signed BAAs, and each layers encryption on top of existing email addresses rather than requiring clients to log into a separate portal. Google Workspace and Microsoft 365 can also be configured for compliance on qualifying business tiers. Pricing and setup complexity vary, and every option still requires the same ongoing discipline: BAA maintenance, access control review, and staff training as your team grows.

Why secure client messaging beats HIPAA-compliant email

Compliant email solves the transport problem. It doesn't solve the workflow problem: client messages, session notes, intake forms, and billing questions end up scattered across an inbox that was never designed to be part of a clinical record.

Secure messaging built into a practice management platform keeps client communication inside the same system as their chart, so there's one compliant record instead of a compliant inbox plus a separate EHR. Practice Better's client portal messaging is covered under the same BAA as the rest of the platform, so a message thread about a client's protocol lives next to their notes, forms, and billing history — not in a separate inbox you have to secure, audit, and retain on its own timeline.

For a solo practitioner, that's the difference between maintaining two compliant systems and maintaining one.

Frequently asked questions

Is email HIPAA compliant?

Email is not HIPAA compliant by default. It becomes compliant only when the provider signs a BAA and the account is configured with encryption, access controls, and audit logging.

How do you send HIPAA-compliant email?

Send HIPAA-compliant email through a provider with a signed BAA, using encryption in transit and at rest, restricted access, audit logging, and documented client consent.

Is Google Workspace email HIPAA compliant?

Google Workspace email is HIPAA compliant on Business Standard, Business Plus, Enterprise, or Education plans when the organization signs Google's BAA and follows Google's configuration requirements.

How do you send HIPAA-compliant email in Gmail?

Sending HIPAA-compliant email in Gmail requires a Google Workspace plan eligible for a BAA, a signed BAA with Google, and encryption settings such as S/MIME or confidential mode enabled at the admin level.

Do you need a BAA to email clients about their health?

Yes. Any email provider handling protected health information needs a signed Business Associate Agreement before ePHI is sent, regardless of what encryption is in place.

What alternatives are there to email if it's not HIPAA compliant?

Secure messaging within your EHR is the top choice for practitioners who are serious about remaining compliant when sending and receiving communications with clients. EHRs like Practice Better have compliance built in, so you never have to worry about violating privacy laws.

{{free-trial-simple-text}}

Try Practice Better for free
Build your dream practice with a modern, all-in-one EHR that supports the holistic health of your clients and your business.
Try Practice Better for free
Build your dream practice with a modern, all-in-one EHR that supports the holistic health of your clients and your business.
Proudly Serving

Location
Specialty
Customer Since

's Top Features

No items found.

Experience the platform that powers success for you and your clients

Try any paid plan free.