<script type="application/ld+json">{ "@context": "https://schema.org", "@graph": [ { "@type": "Article", "@id": "https://www.practicebetter.io/blog/hipaa-compliant-email#article", "headline": "HIPAA-Compliant Email: What It Actually Means for Your Practice", "description": "HIPAA-compliant email requires encryption, access controls, audit logging, and a signed BAA. Here's what that means for Gmail, Google Workspace, and your practice.", "url": "https://www.practicebetter.io/blog/hipaa-compliant-email", "datePublished": "2026-07-02T12:00:00-04:00", "dateModified": "2026-07-02T12:00:00-04:00", "author": { "@type": "Organization", "name": "Practice Better", "url": "https://www.practicebetter.io" }, "publisher": { "@id": "https://www.practicebetter.io#organization" }, "image": { "@type": "ImageObject", "url": "https://cdn.prod.website-files.com/6718175ada2bc9a32b0d59ca/6a4be6803461fdbf2907608d_HIPAA-Compliant%20Email%20What%20It%20Actually%20Means%20for%20Your%20Practice.jpg", "width": 1200, "height": 630 }, "mainEntityOfPage": { "@type": "WebPage", "@id": "https://www.practicebetter.io/blog/hipaa-compliant-email" }, "keywords": [ "hipaa compliant email", "is gmail hipaa compliant", "is google workspace hipaa compliant", "hipaa compliant email service", "how to send hipaa compliant email" ], "articleSection": "Compliance" }, { "@type": "FAQPage", "@id": "https://www.practicebetter.io/blog/hipaa-compliant-email#faq", "mainEntity": [ { "@type": "Question", "name": "Is email HIPAA compliant?", "acceptedAnswer": { "@type": "Answer", "text": "Email is not HIPAA compliant by default. It becomes compliant only when the provider signs a BAA and the account is configured with encryption, access controls, and audit logging." } }, { "@type": "Question", "name": "How do you send HIPAA-compliant email?", "acceptedAnswer": { "@type": "Answer", "text": "Send HIPAA-compliant email through a provider with a signed BAA, using encryption in transit and at rest, restricted access, audit logging, and documented client consent." } }, { "@type": "Question", "name": "Is Google Workspace email HIPAA compliant?", "acceptedAnswer": { "@type": "Answer", "text": "Google Workspace email is HIPAA compliant on Business Standard, Business Plus, Enterprise, or Education plans when the organization signs Google's BAA and follows Google's configuration requirements." } }, { "@type": "Question", "name": "How do you send HIPAA-compliant email in Gmail?", "acceptedAnswer": { "@type": "Answer", "text": "Sending HIPAA-compliant email in Gmail requires a Google Workspace plan eligible for a BAA, a signed BAA with Google, and encryption settings such as S/MIME or confidential mode enabled at the admin level." } }, { "@type": "Question", "name": "Do you need a BAA to email clients about their health?", "acceptedAnswer": { "@type": "Answer", "text": "Yes. Any email provider handling protected health information needs a signed Business Associate Agreement before ePHI is sent, regardless of what encryption is in place." } }, { "@type": "Question", "name": "What alternatives are there to email if it's not HIPAA compliant?", "acceptedAnswer": { "@type": "Answer", "text": "Secure messaging within your EHR is the top choice for practitioners who are serious about remaining compliant when sending and receiving communications with clients. EHRs like Practice Better have compliance built in, so you never have to worry about violating privacy laws." } } ] }, { "@type": "BreadcrumbList", "@id": "https://www.practicebetter.io/blog/hipaa-compliant-email#breadcrumb", "itemListElement": [ { "@type": "ListItem", "position": 1, "name": "Home", "item": "https://www.practicebetter.io" }, { "@type": "ListItem", "position": 2, "name": "Blog", "item": "https://www.practicebetter.io/blog" }, { "@type": "ListItem", "position": 3, "name": "HIPAA-Compliant Email: What It Actually Means for Your Practice", "item": "https://www.practicebetter.io/blog/hipaa-compliant-email" } ] }, { "@type": "Organization", "@id": "https://www.practicebetter.io#organization", "name": "Practice Better", "url": "https://www.practicebetter.io", "logo": { "@type": "ImageObject", "url": "https://cdn.prod.website-files.com/6718175ada2bc9a32b0d5998/6718175ada2bc9a32b0d5da5_PB-logo-primary-transLightBG.svg", "width": 250, "height": 60 }, "description": "All-in-one practice management and EHR platform for health and wellness professionals", "sameAs": [ "https://www.facebook.com/practicebetter", "https://x.com/ipracticebetter", "https://www.linkedin.com/company/practicebetter/", "https://www.instagram.com/practicebetter", "https://www.youtube.com/c/PracticeBetter" ] } ]}</script>

Email wasn't built for protected health information. Most practitioners find that out the hard way — after a client hits reply on a scheduling email and mentions a diagnosis, a medication, or a symptom, and now that message sits in a standard inbox with no encryption, no access controls, and no audit trail.
Here's what HIPAA-compliant email actually requires, whether your current setup meets the bar, and why most practices eventually stop trying to make email compliant and move client communication somewhere built for it.
HIPAA-compliant email is email that meets the Security Rule's technical safeguards for electronic protected health information (ePHI): encryption in transit and at rest, access controls tied to individual user accounts, audit logging, and a signed Business Associate Agreement (BAA) with the email provider.
Standard email fails on nearly all of these by default. Gmail, Outlook, and most consumer email don't encrypt messages end-to-end, don't log who accessed what, and don't come with a BAA unless you're on a specific paid tier and you've signed one directly with the provider.
Gmail is not HIPAA compliant by default. Google will sign a BAA for Google Workspace customers, but only on Business, Enterprise, or Education plans — not personal Gmail accounts. Signing the BAA is necessary but not sufficient: you still have to configure Workspace correctly (S/MIME encryption or Gmail's confidential mode, admin-level access controls, retention settings) and make sure every staff member who touches client email is covered under that same BAA.
Personal Gmail accounts, free Gmail accounts, and any Workspace account without a signed BAA are not compliant, regardless of what security settings are enabled.
Google Workspace can be HIPAA compliant on Business Standard, Business Plus, Enterprise, and Education plans, provided your organization signs Google's BAA and configures Gmail, Drive, and Calendar according to Google's HIPAA implementation guidance. Workspace is not compliant out of the box — the BAA and configuration are both required, and coverage only extends to the specific services listed in Google's BAA (not every Workspace product automatically qualifies).
Even done correctly, this checklist has to be maintained by someone — every new hire, every plan change, every provider update.
Paubox, Virtru, and Hushmail all offer HIPAA-compliant email with signed BAAs, and each layers encryption on top of existing email addresses rather than requiring clients to log into a separate portal. Google Workspace and Microsoft 365 can also be configured for compliance on qualifying business tiers. Pricing and setup complexity vary, and every option still requires the same ongoing discipline: BAA maintenance, access control review, and staff training as your team grows.
Compliant email solves the transport problem. It doesn't solve the workflow problem: client messages, session notes, intake forms, and billing questions end up scattered across an inbox that was never designed to be part of a clinical record.
Secure messaging built into a practice management platform keeps client communication inside the same system as their chart, so there's one compliant record instead of a compliant inbox plus a separate EHR. Practice Better's client portal messaging is covered under the same BAA as the rest of the platform, so a message thread about a client's protocol lives next to their notes, forms, and billing history — not in a separate inbox you have to secure, audit, and retain on its own timeline.
For a solo practitioner, that's the difference between maintaining two compliant systems and maintaining one.
Is email HIPAA compliant?
Email is not HIPAA compliant by default. It becomes compliant only when the provider signs a BAA and the account is configured with encryption, access controls, and audit logging.
How do you send HIPAA-compliant email?
Send HIPAA-compliant email through a provider with a signed BAA, using encryption in transit and at rest, restricted access, audit logging, and documented client consent.
Is Google Workspace email HIPAA compliant?
Google Workspace email is HIPAA compliant on Business Standard, Business Plus, Enterprise, or Education plans when the organization signs Google's BAA and follows Google's configuration requirements.
How do you send HIPAA-compliant email in Gmail?
Sending HIPAA-compliant email in Gmail requires a Google Workspace plan eligible for a BAA, a signed BAA with Google, and encryption settings such as S/MIME or confidential mode enabled at the admin level.
Do you need a BAA to email clients about their health?
Yes. Any email provider handling protected health information needs a signed Business Associate Agreement before ePHI is sent, regardless of what encryption is in place.
What alternatives are there to email if it's not HIPAA compliant?
Secure messaging within your EHR is the top choice for practitioners who are serious about remaining compliant when sending and receiving communications with clients. EHRs like Practice Better have compliance built in, so you never have to worry about violating privacy laws.
{{free-trial-simple-text}}

Email wasn't built for protected health information. Most practitioners find that out the hard way — after a client hits reply on a scheduling email and mentions a diagnosis, a medication, or a symptom, and now that message sits in a standard inbox with no encryption, no access controls, and no audit trail.
Here's what HIPAA-compliant email actually requires, whether your current setup meets the bar, and why most practices eventually stop trying to make email compliant and move client communication somewhere built for it.
HIPAA-compliant email is email that meets the Security Rule's technical safeguards for electronic protected health information (ePHI): encryption in transit and at rest, access controls tied to individual user accounts, audit logging, and a signed Business Associate Agreement (BAA) with the email provider.
Standard email fails on nearly all of these by default. Gmail, Outlook, and most consumer email don't encrypt messages end-to-end, don't log who accessed what, and don't come with a BAA unless you're on a specific paid tier and you've signed one directly with the provider.
Gmail is not HIPAA compliant by default. Google will sign a BAA for Google Workspace customers, but only on Business, Enterprise, or Education plans — not personal Gmail accounts. Signing the BAA is necessary but not sufficient: you still have to configure Workspace correctly (S/MIME encryption or Gmail's confidential mode, admin-level access controls, retention settings) and make sure every staff member who touches client email is covered under that same BAA.
Personal Gmail accounts, free Gmail accounts, and any Workspace account without a signed BAA are not compliant, regardless of what security settings are enabled.
Google Workspace can be HIPAA compliant on Business Standard, Business Plus, Enterprise, and Education plans, provided your organization signs Google's BAA and configures Gmail, Drive, and Calendar according to Google's HIPAA implementation guidance. Workspace is not compliant out of the box — the BAA and configuration are both required, and coverage only extends to the specific services listed in Google's BAA (not every Workspace product automatically qualifies).
Even done correctly, this checklist has to be maintained by someone — every new hire, every plan change, every provider update.
Paubox, Virtru, and Hushmail all offer HIPAA-compliant email with signed BAAs, and each layers encryption on top of existing email addresses rather than requiring clients to log into a separate portal. Google Workspace and Microsoft 365 can also be configured for compliance on qualifying business tiers. Pricing and setup complexity vary, and every option still requires the same ongoing discipline: BAA maintenance, access control review, and staff training as your team grows.
Compliant email solves the transport problem. It doesn't solve the workflow problem: client messages, session notes, intake forms, and billing questions end up scattered across an inbox that was never designed to be part of a clinical record.
Secure messaging built into a practice management platform keeps client communication inside the same system as their chart, so there's one compliant record instead of a compliant inbox plus a separate EHR. Practice Better's client portal messaging is covered under the same BAA as the rest of the platform, so a message thread about a client's protocol lives next to their notes, forms, and billing history — not in a separate inbox you have to secure, audit, and retain on its own timeline.
For a solo practitioner, that's the difference between maintaining two compliant systems and maintaining one.
Is email HIPAA compliant?
Email is not HIPAA compliant by default. It becomes compliant only when the provider signs a BAA and the account is configured with encryption, access controls, and audit logging.
How do you send HIPAA-compliant email?
Send HIPAA-compliant email through a provider with a signed BAA, using encryption in transit and at rest, restricted access, audit logging, and documented client consent.
Is Google Workspace email HIPAA compliant?
Google Workspace email is HIPAA compliant on Business Standard, Business Plus, Enterprise, or Education plans when the organization signs Google's BAA and follows Google's configuration requirements.
How do you send HIPAA-compliant email in Gmail?
Sending HIPAA-compliant email in Gmail requires a Google Workspace plan eligible for a BAA, a signed BAA with Google, and encryption settings such as S/MIME or confidential mode enabled at the admin level.
Do you need a BAA to email clients about their health?
Yes. Any email provider handling protected health information needs a signed Business Associate Agreement before ePHI is sent, regardless of what encryption is in place.
What alternatives are there to email if it's not HIPAA compliant?
Secure messaging within your EHR is the top choice for practitioners who are serious about remaining compliant when sending and receiving communications with clients. EHRs like Practice Better have compliance built in, so you never have to worry about violating privacy laws.
{{free-trial-simple-text}}

Try any paid plan free.