The short version: standard email is not secure by default, but email can be made HIPAA compliant with the right configuration and agreements. Here is what is required and how to do it.
Is email allowed under HIPAA?
HIPAA does not prohibit sending PHI by email, but it does require that PHI be protected appropriately. This means email containing PHI must be safeguarded — typically through encryption and access controls — and that the email service handling it is covered by a BAA where required.
So email is allowed, but ordinary, unprotected email is not an appropriate way to transmit PHI. The requirement is to secure it, not to avoid it entirely.
Why standard email is risky
Standard email is not secure by default. Messages can traverse the internet in ways that expose their contents, be intercepted, or be sent to the wrong recipient. Sending PHI through ordinary, unencrypted email is a common cause of violations and breaches.
This is why simply using a normal email account to send patient information — without additional protections — is a genuine compliance risk.
Is Gmail HIPAA compliant?
Consumer Gmail is not HIPAA compliant for PHI, because Google does not sign a BAA for free consumer accounts. However, Google Workspace (the paid business version) can be configured to be HIPAA compliant, and Google will sign a BAA for eligible Workspace customers.
So the answer depends on which version you use: free Gmail, no; properly configured Google Workspace with a signed BAA, yes. The same logic applies to other major providers’ consumer versus business offerings.
The role of the BAA
If an email provider will handle PHI, a BAA is required. Major business email providers offer BAAs for their eligible services, while consumer versions typically do not. Signing the BAA is a necessary step before using the service to transmit PHI.
Without a BAA, using an email service to send PHI is a violation regardless of how careful the rest of your handling is.
Encryption for email
Protecting PHI in email generally requires encryption — both in transit and, ideally, in a way that ensures only the intended recipient can read the message. Many compliant email solutions provide encryption that secures messages containing sensitive information.
Encryption is what protects the message if it is intercepted or misdirected, and it supports the breach safe harbor, making it central to compliant email.
Configuring business email compliantly
Beyond signing a BAA, business email must be configured for compliance: enabling encryption, enforcing strong authentication, restricting access, retaining messages appropriately, and applying data-loss-prevention rules where available. The BAA permits the use; configuration makes it genuinely secure.
A provider that can be compliant is not automatically compliant as deployed — correct configuration is the organization’s responsibility.
Dedicated secure email solutions
Some organizations use dedicated HIPAA-compliant email or secure messaging solutions designed specifically for healthcare. These provide encryption, access controls, and BAAs out of the box, simplifying compliant communication of PHI.
Such solutions can be especially valuable for organizations that frequently exchange PHI by email and want a purpose-built, clearly compliant option.
Patient portals as an alternative
For communicating with patients, secure patient portals are often preferable to email. They keep PHI within a controlled, authenticated environment rather than sending it across email systems, reducing the risk of exposure.
Directing sensitive patient communication to a portal, rather than email, is a common and effective way to protect PHI while still communicating conveniently.
Patient-initiated email
When a patient emails an organization using unencrypted email of their own choosing, the situation differs. Patients may communicate by ordinary email if they understand and accept the risks, though the organization should still handle the resulting PHI carefully and may encourage more secure channels. Sending PHI safely by email is a practical, daily test of HIPAA compliance.
This nuance reflects that HIPAA aims to protect patients, not to prevent them from communicating in the way they prefer, provided they are informed.
Training staff on email
Because email mistakes are so common, training staff is essential: what may be sent by email, when encryption is required, how to verify recipients, and how to avoid sending PHI through unapproved channels. Many email-related violations stem from simple human error that training can prevent.
Clear policies on email use, reinforced by training, are among the most effective defenses against the everyday risk that email poses to PHI.
Putting it together
Making email HIPAA compliant comes down to a few essentials: use a business service that will sign a BAA, configure it for encryption and access control, train staff, and prefer secure portals for patient communication where possible. Done this way, email becomes a safe channel for PHI.
The goal is not to fear email but to use it deliberately and securely — turning a frequent source of breaches into a controlled, compliant way to communicate sensitive health information.
Encryption options for email
Email encryption comes in several forms: transport encryption that protects messages in transit, and message-level or portal-based encryption that ensures only the intended recipient can read the contents. Compliant email solutions typically offer mechanisms to secure messages containing sensitive information.
Choosing an approach that protects PHI even if a message is intercepted or misdirected is central to compliant email, and supports the breach safe harbor.
Avoiding misdirected emails
Sending an email to the wrong recipient is one of the most common email-related breaches. Features like recipient verification, delayed send, and data-loss-prevention rules that catch PHI in outgoing messages help prevent these mistakes.
Combined with staff awareness, these safeguards substantially reduce the risk of the simple but damaging error of misaddressed PHI.
Retention and archiving
Emails containing PHI are records that may be subject to retention requirements, and they must be stored securely for as long as they are kept. Compliant email setups address archiving, retention, and secure disposal of messages containing sensitive information.
Managing the lifecycle of PHI-bearing email — not just its transmission — is part of handling it responsibly.
Mobile email and PHI
Staff increasingly access email on mobile devices, which extends the email risk to phones and tablets. Device management, encryption, strong authentication, and the ability to remotely wipe lost devices help ensure that PHI in email remains protected on mobile.
Including mobile in the email security strategy closes a gap that distributed, on-the-go work would otherwise open.
Email policies and approved channels
Clear policies should define what may be sent by email, which channels are approved for PHI, and what is prohibited. Specifying approved, compliant channels — and forbidding the use of personal or unapproved email for PHI — gives staff unambiguous guidance.
Well-communicated policies, reinforced by training, prevent much of the casual misuse of email that leads to violations.
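The data-loss-prevention and approved-channel checks described above (catching PHI in outgoing messages, verifying that recipients are on an approved channel, and blocking personal or unapproved addresses) can be sketched as an outbound mail filter. The following is an added illustration and is not code from the original article or from any particular email provider; the PHI patterns, the domain names, and the sample messages are all constructed for the example, and a real deployment would tune the patterns and take the domain lists from the organization's own policy and BAA inventory.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed, illustrative indicators of PHI in free text. Real DLP rules are
# usually broader (names plus identifiers, attachments, structured exports).
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)\b[:\s]*\d{1,2}/\d{1,2}/\d{2,4}", re.IGNORECASE),
    "clinical_keyword": re.compile(
        r"\b(diagnos(?:is|ed)|prescri(?:bed|ption)|lab results?)\b", re.IGNORECASE),
}

# Hypothetical domains: the organization's own mail domain, and an external
# partner whose mail service is covered by a BAA and supports encrypted delivery.
INTERNAL_DOMAINS = {"clinic.example"}
APPROVED_EXTERNAL_DOMAINS = {"securemail-partner.example"}


def find_phi_indicators(text):
    """Return the names of the PHI patterns that match anywhere in text."""
    return [name for name, pat in PHI_PATTERNS.items() if pat.search(text)]


def recipient_domains(msg):
    """Collect the lower-cased domain of every To/Cc/Bcc address."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return {addr.rsplit("@", 1)[-1].lower()
            for _, addr in getaddresses(headers) if "@" in addr}


def evaluate_outgoing(raw_message):
    """Decide what an outbound gateway should do with one RFC 822 message.

    Decisions: "allow", "require_encryption" (deliver only through the
    encrypted/portal path), or "block" (PHI bound for an unapproved channel).
    """
    msg = message_from_string(raw_message)
    text = (msg.get("Subject", "") + "\n" + msg.get_payload())  # single-part sample messages
    indicators = find_phi_indicators(text)
    domains = recipient_domains(msg)

    if not domains:
        return {"decision": "block", "reason": "no recipient", "indicators": indicators}
    if not indicators:
        return {"decision": "allow", "reason": "no PHI detected", "indicators": []}

    external = domains - INTERNAL_DOMAINS
    if not external:
        return {"decision": "allow", "reason": "PHI stays internal", "indicators": indicators}
    unapproved = external - APPROVED_EXTERNAL_DOMAINS
    if unapproved:
        return {"decision": "block",
                "reason": "PHI to unapproved domain(s): " + ", ".join(sorted(unapproved)),
                "indicators": indicators}
    return {"decision": "require_encryption",
            "reason": "PHI to BAA-covered partner; encrypted delivery only",
            "indicators": indicators}


# Constructed sample messages (fictional people and domains).
SAMPLE_PERSONAL = """From: nurse@clinic.example
To: Pat Doe <pat.doe@gmail.example>
Subject: Your lab results

Hi Pat, your lab results are in. Confirming SSN 123-45-6789 on file.
"""

SAMPLE_INTERNAL = """From: nurse@clinic.example
To: doctor@clinic.example
Subject: chart note

Please review MRN 00482913 before the 2pm visit.
"""

SAMPLE_PARTNER = """From: intake@clinic.example
To: referrals@securemail-partner.example
Subject: referral

Referral for patient, DOB: 04/12/1980, attached.
"""

SAMPLE_CLEAN = """From: office@clinic.example
To: orders@supplies.example
Subject: glove order

Please send three boxes of medium gloves.
"""

if __name__ == "__main__":
    for name, raw in [("personal", SAMPLE_PERSONAL), ("internal", SAMPLE_INTERNAL),
                      ("partner", SAMPLE_PARTNER), ("clean", SAMPLE_CLEAN)]:
        print(name, evaluate_outgoing(raw))
```

The order of the checks matters: recipients are resolved before content is judged, so a message with no addressee is refused outright, PHI that never leaves the organization passes, and PHI leaving the organization is forced onto an encrypted, BAA-covered path or stopped. Logging the returned reason gives staff the immediate feedback that the training section above describes.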
Email as a manageable risk
Email need not be a liability. With a BAA-backed business service, encryption, sensible policies, staff training, and secure portals for patient communication, an organization can use email confidently for PHI. The risk is real but entirely manageable with the right approach.
Turning email from a frequent source of breaches into a controlled, compliant channel is well within reach for any organization that addresses it deliberately.