Is Gmail HIPAA Compliant for Therapy Practices?



When therapy practices venture into the realm of email marketing, probably the number one question asked is:

Is Gmail HIPAA compliant?

Free personal email services like Gmail, Outlook, or Apple Mail were created to help people conveniently communicate with one another. Ease of use and readable text are higher priorities than security.

Because they are so easy to use, it’s tempting to use the apps you’re already familiar with in your business to email prospects and patients.

Unfortunately, email services like Gmail are not designed for healthcare practices working under HIPAA regulations. Any emails sent through these services are vulnerable to privacy issues and, if you’re not careful, a HIPAA violation.

Gmail by default is for personal use, not business use. But there may be a workaround that allows you to use Google products to send marketing emails that are HIPAA compliant.

As a disclaimer, I am not a HIPAA expert. I recommend that you discuss your plans for online marketing with your HIPAA compliance resource person.

The decision to use email in your practice cannot be done merely as an afterthought.

It must be based upon a documented process including a security assessment and technological safeguards.


If you want the Gmail compliance answer quickly, scroll to the bottom of this article. Then you can come back to the top for the reasons behind the answer.


What does HIPAA email compliance mean?


HIPAA compliance is a top concern for therapy practices seeking to communicate with their patients via email, and for good reason. No one wants to face the threat of large fines and other serious consequences for unknowingly violating patient privacy laws.

Most of us want to protect private patient data, but we also need to be able to run a business as efficiently as possible. Email marketing can certainly make marketing much more cost-effective and easier.

But the storage of patient email addresses and sending messages should raise concerns about HIPAA regulations. Many therapy practices are fearful of adopting an email marketing strategy for that reason.




Let’s look at what HIPAA email compliance means.

Essentially, “HIPAA compliant” email service providers offer a set of software tools and security features that are marketed towards healthcare providers.

These email providers offer HIPAA-level encryption, privacy safeguards, and other features to bring your communications in line with HIPAA regulations.

However, merely signing on with a HIPAA compliant service provider does not enable you to email patients indiscriminately.

Your practice’s legal standing is dependent on using their software in a correct manner. They are not liable for your clinic’s internal operations.

At a minimum, you need to have policies and procedures that ensure the security of electronic patient health information (ePHI).


HIPAA Compliance: Policies and Procedures


As more therapists use text and email to communicate with patients, concerns and confusions about HIPAA Security Rules have increased.

HIPAA law has very few mentions of what is and is not acceptable when it comes to email messaging.

In regards to email marketing, many therapists rely on what they see their colleagues doing, for better or worse. Mostly worse, because they don’t understand the safeguards and setup behind the emails.


In order to be HIPAA compliant, therapy practices must have three types of policies and procedures regarding PHI.

  1. Administrative safeguards
  2. Physical safeguards
  3. Technical safeguards

I won’t go into detail, but you can see how properly handling patients’ names, email addresses, and health information can come under each of these areas.

Here are a few examples of policies and safeguards:

  • Training for your employees to maintain the confidentiality of electronic patient health information (ePHI)
  • Making certain that your email service provider has HIPAA compliant safeguards established by their company
  • Password-protected access to your clinic’s email list and ePHI
  • HIPAA-level encryption for transmitted ePHI

One decision you’ll quickly face after you’ve concluded to market your practice via email is:

Which email service provider should I use? Does my provider need to be HIPAA compliant?




When is it necessary to use a HIPAA compliant email service provider?


It bears repeating: HIPAA compliant email marketing involves considerably more than using HIPAA compliant software.

Any entity that stores or transmits ePHI must establish safeguards to keep patient information secure according to HIPAA standards. Knowing what those standards are and applying them to the various types of emails you might send is another matter.

That being said, there are a couple of administrative standards in the HIPAA regulations that will guide your decision on which email service provider to use.


Do you have a Business Associate Agreement (BAA)?

You must have a BAA if you plan on using a third-party service to send emails as a function of your business.

The BAA is a contract between your business and theirs to operate in good faith following the stipulations of the business contract.

G Suite offered by Google is for business use.

If you are using G Suite you will need to sign a Business Associate Agreement (BAA), a HIPAA requirement.

Read this G Suite HIPAA Implementation Guide for directions on how to use G Suite correctly.


Do your emails contain patient’s personal health information?

Simply put, if your email contains electronic patient health information, then you are required to use a third-party service that is HIPAA compliant to ensure the safety of patient data.

A HIPAA compliant email provider will have proper safeguards in place and keep up to date on legal issues regarding protecting your patient data.

HIPAA compliant providers utilize proper access controls, encryption, and software-side audits to keep the storage and transmission of your data safe.

One issue that remains to be clearly defined is what constitutes patient health information.

Is a list of people (prospects, patients) and their email addresses, with no individual patient data, considered PHI? The answer to that question, along with the required encryption levels, needs to come from a HIPAA expert.

That brings us to the main topic of this article.


Is Gmail HIPAA Compliant for use in Therapy Practices?


Gmail, as it is designed, is not HIPAA compliant.


Using Gmail to send ePHI is strictly prohibited by Google’s terms of service.

Google does not enter into a BAA with consumers for their free personal Gmail accounts. Remember, it’s not for business use.

It is totally up to you to properly configure your software to comply with HIPAA regulations to store and transmit ePHI. Therapists are solely responsible for determining if their use of Google Apps requires a BAA or any additional data security.

If your therapy services are a covered entity under HIPAA, you must comply with the requirements to protect client health information. You must use a HIPAA compliant email service provider if you store or transmit individual patient ePHI.

The question remains: if your business communications don’t contain ePHI, are you liable under the HIPAA Rules?

HIPAA law leaves many of these types of questions open to interpretation. I encourage you not to make assumptions based on what others tell you about applying the 400+ page document to your practice. Myself included. Seek the advice of a HIPAA expert.

For customers that are HIPAA covered entities, Google has G Suite for business. Remember, Gmail is for personal use and G Suite is for business use.

You are responsible for determining which service to use and when your communication is subject to HIPAA requirements.

If you are looking for more information on Gmail, I suggest looking at Gmail’s HIPAA Implementation Guide or, if you want the short version, HIPAA Compliance with G Suite.




Paul Potter PT


Paul Potter is a physical therapist and mentor who lives in Lincoln, Nebraska, with his wife, who is also a therapist. They have four daughters. For more than 35 years he successfully managed his private practice. He now shares his knowledge and experience through teaching and mentoring therapists who want to launch their own business. 

He has authored On Fire: Ignite Your Passion with a Cash Therapy Practice and the Cash Practice From Scratch Course. His website is dedicated to helping therapists achieve professional and financial freedom. Connect with Paul on his website or LinkedIn paulpotterpt. You can also get more free resources at



3 thoughts on “Is Gmail HIPAA Compliant for Therapy Practices?”

  1. Paul,
    Excellent tidbit that most don’t know about G Suite. This makes me feel even better about my 5 buck a month investment.
