Is Gmail HIPAA Compliant for Therapists? The Honest 2026 Answer
This is one of the most-Googled HIPAA questions in private practice, and most of the answers you'll find online are either wrong, outdated, or written to sell you something. Let's just do this properly.
The short answer
Free Gmail (any email ending in @gmail.com) is not HIPAA compliant. It cannot be made HIPAA compliant. There is no configuration option, no upgrade, no checkbox that turns a free Gmail account into a HIPAA-compliant email service. If you currently use a free @gmail.com address for any communication that touches patient information — intake forms, scheduling, even a single message confirming a session — you are out of compliance, and you have been since the day you started.
Paid Google Workspace (the version where your email is you@yourpractice.com and you pay Google a monthly fee) can be HIPAA compliant, but only after you sign a specific legal agreement with Google, configure several settings correctly, and follow some ongoing rules about which Google services you can and can't use for patient information. The BAA is technically available on most paid Workspace tiers; Enterprise is the most fully-featured but also the most expensive. Most solo therapists land on Business Standard ($12/user/month) as the practical sweet spot.
The rest of this article explains why, what you actually need to do, and what most therapists get wrong.
Why free Gmail is permanently incompatible with HIPAA
HIPAA's Security Rule requires that any third party who handles protected health information on your behalf — your "business associate" — sign a Business Associate Agreement (BAA) with you. The BAA is a legally binding contract in which the vendor accepts specific responsibilities for protecting your patients' data, agrees to notify you of any breach, and promises to abide by HIPAA's safeguards.
Google does not sign Business Associate Agreements for free @gmail.com accounts. They never have. They have made this explicit in their official documentation.
That single fact resolves the entire question. Without a BAA, Google is not your business associate under HIPAA. Without a business associate relationship, any patient information you send through their free service is being handled by an unauthorised third party. That's a violation regardless of how strong Gmail's encryption is, regardless of whether you turn on two-factor authentication, regardless of how careful you are personally.
The encryption argument is the one most therapists trip on. "But Gmail uses TLS encryption" is true. It's also irrelevant. HIPAA compliance isn't about whether the data is encrypted — it's about whether you have the right legal and contractual relationships in place with everyone who touches it. You can have perfect encryption and zero compliance.
What Google Workspace actually offers
Google Workspace is the paid version of Google's productivity suite. Instead of you@gmail.com, you get you@yourpractice.com (or whatever domain you own), plus paid versions of Gmail, Drive, Docs, Sheets, Meet, Calendar, and so on. Pricing starts around $6 per user per month for Business Starter and goes up from there.
Google will sign a BAA with paid Workspace customers. The signing process is simple: a super administrator logs into the Admin Console, navigates to Account Settings → Legal & Compliance, reviews the Business Associate Addendum to the standard Workspace Terms of Service, and clicks to accept. The acceptance is electronic but legally binding — equivalent to a signed paper agreement. It takes maybe five minutes.
Once accepted, the BAA covers a specific list of services that Google designates as "Included Functionality." As of early 2026, this list includes: Gmail, Google Calendar, Google Drive (including Docs, Sheets, Slides), Google Meet, Google Chat, Google Sites, Google Vault, Keep, Google Voice, Tasks, Cloud Search, Cloud Identity Management, and Gemini for Google Workspace.
That last one matters: Google's AI features (the smart compose suggestions, the help-me-write features, the contextual replies) are now covered under the BAA, which means you can use them with patient information without violating HIPAA. This is more useful than it sounds — many AI tools that therapists are tempted to use for note-writing are not BAA-covered. Workspace's built-in Gemini features are.
What the BAA does NOT cover
This is the part most therapists miss. Signing the BAA does not make every Google product HIPAA compliant. It only covers the specific services on the Included Functionality list. Several common Google products are explicitly not covered:
- YouTube — even uploading a "training video" with patient information visible is a violation
- Blogger — same reason
- Google Photos — uploading any image containing identifiable patient information is a violation
- Third-party apps from the Workspace Marketplace — anything you add from the Marketplace is handled by a separate vendor and needs its own BAA
- Google Groups — covered only in some configurations; whether a given group is in scope depends on its settings
- Public Google Forms responses — only Forms inside your Workspace domain are covered, not public forms shared via link
The practical implication: if you sign the BAA, you also need to actively prevent patient information from leaking into non-covered services. Google Workspace has admin settings to disable non-covered services for users — this is a setting most solo practitioners never touch and probably should.
The four conditions for compliant Gmail use
If you want to use Gmail (the Google Workspace version) with patient information, all four of these must be true. Missing any one of them puts you out of compliance:
1. You're on a paid Google Workspace plan. Free Gmail and free legacy G Suite accounts do not qualify. Most solo therapists pick Business Standard (~$12/user/month) for the storage and Vault features.
2. You've signed the Business Associate Agreement. Go to admin.google.com → Account Settings → Legal & Compliance and click to accept the BAA. Five minutes of work that is the legal foundation of everything else.
3. You've configured Workspace correctly. This means: enforced two-step verification on every account, restricted external sharing on Drive, disabled non-covered Google services for users handling PHI, configured DLP (Data Loss Prevention) rules to flag or block obvious PHI patterns in outgoing emails, and properly configured DKIM, SPF, and DMARC for your domain. Some of these are checkboxes; some require thought.
4. You're confining patient information to BAA-covered services. No uploading screenshots to Google Photos. No embedding patient info in YouTube video descriptions. No third-party Marketplace add-ons that haven't signed their own BAAs with you.
If all four are true, your email is HIPAA compliant. If any one is false, it isn't.
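Condition 3 asks for correctly configured SPF, DKIM and DMARC. The script below is an added example (not from the article or from Google) that sanity-checks the SPF and DMARC TXT records a Workspace domain should publish, run offline against constructed sample records; DKIM is left out because Google generates that record for you in the Admin Console and checking it means comparing against what Google issued. The `include:_spf.google.com` value is Google's documented SPF include; the sample domain and mailbox are placeholders.

```python
"""Offline sanity check for the SPF and DMARC TXT records a Google Workspace domain should
publish. Added example; sample records are constructed, and this is not a full RFC 7208/7489 validator."""
# Google's documented SPF include for mail sent through Workspace.
GOOGLE_SPF_INCLUDE = "include:_spf.google.com"

def check_spf(record: str) -> list[str]:
    """Return the problems found in an SPF TXT record (empty list = OK)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF record must start with v=spf1"]
    problems = []
    if GOOGLE_SPF_INCLUDE not in terms:
        problems.append("SPF does not include _spf.google.com; Workspace mail will fail SPF")
    last = terms[-1].lower()
    if last in ("+all", "?all", "all"):
        problems.append("SPF ends with +all/?all, which lets anyone spoof the domain")
    elif last not in ("~all", "-all"):
        problems.append("SPF should end with ~all or -all")
    return problems

def check_dmarc(record: str) -> list[str]:
    """Return the problems found in a DMARC TXT record (lives at _dmarc.<domain>)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["DMARC record must start with v=DMARC1"]
    problems = []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        problems.append("DMARC p= tag is missing or invalid")
    elif policy == "none":
        problems.append("DMARC p=none only monitors; move to quarantine or reject once reports are clean")
    if "rua" not in tags:
        problems.append("no rua= address, so you will never receive aggregate reports")
    return problems

# Constructed sample records (not taken from any real domain).
SAMPLES = {
    "spf_good": "v=spf1 include:_spf.google.com ~all",
    "spf_weak": "v=spf1 include:_spf.google.com +all",
    "dmarc_good": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com",
    "dmarc_monitor_only": "v=DMARC1; p=none",
}
if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        print(name, (check_spf if name.startswith("spf") else check_dmarc)(rec) or ["OK"])
```

To check a live domain, paste the TXT values from your DNS provider into `SAMPLES` in place of the constructed ones.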
The "patient request" exception
There's one important exception buried in the Privacy Rule that most therapists don't know about: a patient can explicitly request that you communicate with them by unencrypted email, and if you've informed them of the risks and they've acknowledged it in writing, you can do so without violating HIPAA — even from a non-compliant email service in some narrow interpretations.
In practice, this exception is much narrower than it sounds. It applies to communications between you and the patient who made the request, not to your general email use. It doesn't make your email setup compliant overall — it just creates a specific, documented exception for that one patient. And the documentation requirement is real: you need their request in writing and your acknowledgement of the risks they're accepting.
For most solo practices, this exception isn't worth relying on as a compliance strategy. It's useful for accommodating individual patients who insist on email communication despite the risks, but it doesn't replace the need for compliant email infrastructure. If 80% of your patient communication happens by email, you need compliant email — the exception only covers the edge cases.
What most therapists actually get wrong
In order of frequency:
"I'm using Gmail with two-factor authentication, so I'm fine." Two-factor authentication is good security practice but it's not HIPAA compliance. You still need the BAA. You still need the paid plan. 2FA is necessary but nowhere near sufficient.
"Encryption in transit is enough." No. Gmail's TLS encryption is good but it's only one of many requirements. HIPAA's Security Rule has dozens of requirements covering administrative, physical, and technical safeguards. Encryption is one item on a long list.
"I just won't put anything sensitive in the email itself, just the patient's name and appointment time." A patient's name combined with the fact that they are your patient (a mental health provider) is itself PHI under HIPAA. You don't need to mention diagnosis or treatment for the email to contain protected health information. The mere fact of a relationship with you is protected.
"I have a separate Gmail account just for client stuff." A separate free Gmail account is still a free Gmail account. Same rules apply. No BAA, no compliance.
"My EHR sends emails through its own system, so I don't need compliant email." This is partially true and partially dangerous. If your EHR has its own secure messaging that patients log into, that's compliant. But if you ever send an email from your personal address — even just to confirm a session — about a specific patient, that's still a violation regardless of what your EHR does.
What to do if you're currently using free Gmail for your practice
If you've read this far and realised you've been using you@gmail.com for patient communications, the immediate steps are:
- Stop using the free Gmail account for any patient information immediately. Today. Move all patient communication to a temporary alternative — phone calls, your EHR's secure messaging, or just delaying non-urgent communication — until you have proper email in place.
- Sign up for Google Workspace (or another HIPAA-compliant email provider — there are alternatives like Paubox, Hushmail, and others purpose-built for healthcare). Workspace is usually the path of least resistance because most therapists already know how to use Gmail. Workspace gives you the same Gmail interface but at you@yourpractice.com with the BAA available.
- Sign the BAA in the Admin Console. Five minutes.
- Configure the basic settings: enforce two-step verification on yourself, restrict external Drive sharing, disable non-covered services for your account.
- Migrate your patient communication to the new address. Notify existing patients of the new email. Update intake forms and any place your old email was published.
- Document the change in your Security Risk Analysis. The migration itself is a "significant change" that should trigger an update to your risk analysis documentation.
- Delete the old free Gmail account, or at minimum stop using it for any practice purpose. Don't let it become a temptation to fall back into old habits.
Where Yundra fits in
Email is just one piece of HIPAA compliance, and getting your email setup right doesn't get you the rest of the way. You still need a documented Security Risk Analysis. You still need written policies. You still need BAAs with every other vendor that touches patient data — your EHR, your billing service, your telehealth platform, your transcription tool, your cloud backup. And you still need a way to keep all of this current as your practice evolves.
Yundra manages your entire compliance program in plain English, without consultant fees. Email is one item on a list of dozens that Yundra walks you through systematically. We never see your patient data — we manage your compliance program, not your records.
If reading this article made you realise you've been using free Gmail for patient communication, you're not alone — it's one of the most common gaps we see. Take the free assessment to check your email setup and 39 other compliance areas in 25 minutes.
For the broader picture of what HIPAA actually requires of solo practices, see our complete 2026 guide. For a deeper look at the Security Risk Analysis (the single most-fined item in OCR enforcement), see what a HIPAA Risk Assessment actually involves.