Gmail is one of the most popular and convenient email tools around. It’s perfect for people like me who hate fumbling around with buggy desktop apps like Outlook. If you’re in the healthcare space, you may be wondering if you can use Gmail to send messages containing PHI. The answer to that question is Yes, but only if you configure your Google environment properly. Gmail can be a HIPAA compliant, secure tool if your Google Account meets the following conditions.

  • Google Workspace only – Free accounts won’t work for this purpose.
  • You sign a BAA – Without a Business Associate Agreement, HIPAA compliance is not possible.
  • Personal accounts must be disabled.
  • A strong password policy must be enforced.
  • Two-factor authentication must be turned on.
  • Google Drive sharing must be restricted to trusted domains.
  • Audit logs must be enabled.
  • TLS must be enforced for outbound email wherever possible.
  • Autoforwarding must be turned off for external domains.
  • Restrict or audit third-party Gmail tools like Boomerang or SaneBox.

Meeting these requirements keeps you in good standing with HIPAA only for the services that are covered under the BAA. Some services and features within Google Workspace are not covered. This list is subject to change, as Google does expand its covered services and features from time to time.

What Gmail features are NOT HIPAA safe?

As of 2026, these services and features are not considered HIPAA safe.

  • Google Photos
  • Google Keep
  • Google Assistant
  • Lock screen email previews on mobile devices like Pixel

Is Gemini HIPAA Compliant?

No, at present Gemini is not HIPAA compliant and you should refrain from entering PHI into the app. For model improvement, interactions can be cached, logged, and reviewed. The data may also be processed outside the bounds of your Google Workspace. If you need to use AI for PHI, choose an LLM that you host and secure yourself.

How do I enable a HIPAA BAA in Google Workspace?

To get a BAA for your organization, log into your Admin portal as a super admin. Next, go to Account settings > Legal & Compliance. From there, scroll down to Security and Privacy Additional Terms. Finally, click the Review and Accept button shown in the screenshot below.

Review and Accept Google Workspace BAA

Once you click the Review and Accept button, you will be prompted to complete a short questionnaire.

Google Workspace HIPAA BAA Questionnaire

Once you click OK, you’ll be presented with this screen.

Google Workspace HIPAA BAA Questionnaire

On this screen, you have the option to print or save a copy of the BAA by clicking the Print HIPAA Business Associate Amendment button. After accepting the BAA, you’ll see “Accepted by you@yourbusiness.com on <date of acceptance>” under the Security and Privacy Additional Terms.

BAA Accepted Google Workspace

Is a BAA from Google free?

Yes, Google provides Business Associate Agreements free of charge. The only requirement for this is that you have a Google Workspace account. Personal accounts are not eligible for a BAA.

Can I cancel a BAA from Google?

Yes, just not the same way you would a subscription service. Google does not provide a Cancel BAA button, but if you downgrade to an ineligible plan or discontinue your Google Workspace subscription, your BAA is effectively canceled.

Can you use Gmail on a Google Pixel in a HIPAA environment?

Yes, provided you harden the device as you would your laptop or PC. Here are a few requirements your Pixel (and other mobile devices) must meet.

  • Enable full device encryption (on by default, verify it).
  • Require a strong PIN or password (6+ digits recommended).
  • Enable biometric unlock only in addition to a PIN.
  • Disable Smart Lock or “trusted locations”.

Stay Productive in Google Workspace While Keeping Patient Data Safe

Google Workspace is one of the best tools to run your healthcare practice. With the right safeguards in place, you can ensure HIPAA compliance and security for your patients. And now that you’ve secured your data and gotten in line with compliance, why not supercharge your phone with my Mobile Productivity Workstation build. I wrote it for my Pixel, but any Android or iOS powered device can benefit from it.

You don’t have to ditch your beloved Gmail because you’re in healthcare. Gmail can be HIPAA compliant with a signed BAA, strong security controls, and selective feature usage across your devices.