Gmail (through Google Workspace Business Plus or higher), Outlook (through Microsoft 365 Business with the right licenses), and several other enterprise email platforms can be made HIPAA compliant — but only with a signed Business Associate Agreement (BAA) and proper configuration. Free Gmail, free Outlook.com, and consumer email accounts of any kind are not HIPAA compliant and cannot be made so. Using a non-compliant email platform to send or receive protected health information (PHI) is a direct HIPAA violation under 45 CFR Part 164, with civil penalties that vary based on level of culpability and are adjusted periodically by HHS for inflation. Penalties can range from hundreds to tens of thousands of dollars per violation, with annual caps reaching into the millions for the most serious cases.


Not sure if your email setup is HIPAA compliant? HIPAA Vault helps healthcare organizations configure compliant email environments with signed BAAs and proper security controls.

Schedule a free consultation →


Quick Comparison: HIPAA Compliant Email Providers

🔄 Rotate your phone for a better view of the comparison table.
Provider HIPAA Compliant? BAA Available? Which Plan? Verdict
Gmail / Google Workspace Yes Business Plus or higher Use paid Workspace + BAA
Outlook / Microsoft 365 Yes Microsoft 365 Business (with Microsoft Purview Information Protection + Exchange Online Archiving) Use paid plan + BAA
ProtonMail for Business Yes Proton for Business plans Use paid plan + BAA
Hushmail for Healthcare Yes Healthcare plans Purpose-built for HIPAA
Paubox Yes All paid plans No portal pickup — inbox delivery
LuxSci Yes All paid plans Purpose-built for HIPAA
Free Gmail No No plan available Do not use for PHI
Free Outlook No No plan available Do not use for PHI
Yahoo Mail No No plan available Do not use for PHI
Apple Mail / iCloud Mail No No plan available Do not use for PHI
AOL Mail No No plan available Unknown

Stop Sending PHI Over Unsecured Email

Protect your practice from data leaks. Our email service automatically encrypts sensitive patient information.

Learn More

What Makes an Email Platform HIPAA Compliant?

Before evaluating specific providers, it’s important to understand what HIPAA actually requires of an email platform. A HIPAA compliant email platform must provide:

  1. Encryption in transit (TLS) — emails must travel through a secure encrypted tunnel between servers; TLS is server-to-server encryption and does not protect message content end-to-end
  2. Encryption at rest — stored emails must be encrypted on the server
  3. Message-level encryption — some scenarios require encrypting the message content itself (not just the transport layer), using methods such as S/MIME, portal pickup, or platform-native sensitivity labels; this is distinct from TLS and provides protection even if the transport layer is compromised
  4. Email retention policies — HIPAA requires covered entities to retain policies, procedures, and documentation for a minimum of six years. Individual email retention requirements depend on whether emails are part of the designated record set and are primarily governed by state law. Many healthcare organizations retain all clinical emails for six or more years as a best practice, but consult a compliance attorney for requirements specific to your state and organization type
  5. Multi-factor authentication (MFA) — strongly recommended by OCR, NIST, and most cyber insurers; while HIPAA does not explicitly mandate MFA, it requires “reasonable and appropriate access controls,” and MFA is the accepted standard for meeting that requirement
  6. Audit logging — records of who accessed what and when
  7. A signed Business Associate Agreement (BAA) — the legal foundation of compliance
  8. A private domain — you cannot use @gmail.com, @outlook.com, or any shared consumer domain for HIPAA-compliant email

On that last point, Gil Vidals is direct:

“You can’t use the free service. You have to buy a domain and that confuses a lot of people. Well, let’s just give an example — dr.susie@gmail.com, no go. But if you said therapist@drsuzy.com — you buy the domain drsuzy.com and then you buy a Google Workspace license — now you can enter the world of HIPAA compliant email. But don’t try to force the free one. It’s not going to happen for free.”


Don't wait until it's too late. Download our free HIPAA Compliance Checklist and make sure your organization is protected.

Is Gmail HIPAA Compliant?

Gmail / Google Workspace: HIPAA Compliance Explained

Gmail can be HIPAA compliant — but only through a paid Google Workspace plan with a signed BAA. A free @gmail.com account cannot be made HIPAA compliant under any circumstances.

Google signs a BAA as part of Google Workspace Business and Enterprise plans. Gmail is explicitly listed among Google’s HIPAA-eligible services for paid Workspace subscribers.

Which Google Workspace Plan Do You Need?

Google Workspace Business Standard or higher can support HIPAA compliance with a signed BAA and proper configuration. Google signs a BAA on all paid Workspace plans. However, Business Plus is strongly recommended for most healthcare organizations because it includes Google Vault for built-in email retention and e-discovery — without which you would need a separate third-party archiving solution. Business Plus includes:

  • Gmail on a private domain
  • 5 TB of storage per user
  • Google Vault (e-discovery and retention)
  • Data retention policies
  • Two-factor authentication

Gil Vidals on why Google Vault matters for HIPAA:

“Let’s say you have a condition where some patient comes back years later and has some kind of a gripe or complaint. Once you have the eDiscovery or Vault enabled, you’re able to look up the person’s name — it’s just a search bar where you type in the person’s name or email. And it’ll pull up emails that you had three years ago. That’s part of HIPAA compliance — to retain that data and be able to access it.”

What Google Workspace Requires for HIPAA Compliance

  1. Use a paid Google Workspace plan — Business Plus or higher strongly recommended for built-in Vault/retention; BAA available on all paid plans
  2. Set up email on a private domain — not @gmail.com
  3. Execute a BAA with Google — through the Google Workspace Admin console
  4. Enable Google Vault — for email retention and e-discovery
  5. Enable multi-factor authentication (MFA) — strongly recommended for all accounts; considered the standard for meeting HIPAA’s access control requirements
  6. Configure TLS enforcement — ensure emails in transit are encrypted
  7. Review Google’s HIPAA implementation guide — available in the Admin console

Is Outlook HIPAA Compliant?

Outlook / Microsoft 365: HIPAA Compliance Explained

Outlook can be HIPAA compliant — but the answer depends entirely on which Microsoft 365 plan and configuration you have. Microsoft’s licensing structure is complex, and the compliance features you need may require specific add-ons depending on your plan tier.

Microsoft signs a BAA as part of its Online Services Terms for qualifying Microsoft 365 Business and Enterprise plans. A free @outlook.com account cannot be made HIPAA compliant.

Which Microsoft 365 Licenses Do You Need?

For HIPAA compliance, Outlook requires two key add-on licenses beyond the base Microsoft 365 subscription:

1. Microsoft Purview Information Protection (formerly Azure Information Protection) Handles encryption and security. Purview allows flexible encryption configuration — you can encrypt based on keywords in the subject line, protect your entire domain automatically, or encrypt all emails sent to specific recipient domains. These capabilities are now built into Microsoft 365 Business Premium rather than requiring a standalone legacy add-on.

2. Exchange Online Archiving Handles email retention and storage. Exchange Online Archiving maintains a separate archive of your inbox emails — essential for organizations that need to reproduce patient communications years later for legal proceedings, audits, or patient disputes.

What Outlook / Microsoft 365 Requires for HIPAA Compliance

  1. Use a qualifying Microsoft 365 Business or Enterprise plan — not a personal @outlook.com account
  2. Add Microsoft Purview Information Protection (formerly Azure Information Protection) — for encryption and data protection
  3. Add Exchange Online Archiving — for email retention and compliance
  4. Set up email on a private domain — not @outlook.com
  5. Confirm your BAA with Microsoft — included in Online Services Terms for eligible plans
  6. Enable multi-factor authentication (MFA) — strongly recommended for all accounts
  7. Configure audit logging and retention policies

Microsoft Purview Information Protection and Exchange Online Archiving may require add-on licensing depending on your plan.


Purpose-Built HIPAA Compliant Email Providers

For healthcare organizations that don’t want to navigate the complexity of configuring Google Workspace or Microsoft 365 for HIPAA compliance, several providers offer purpose-built HIPAA compliant email:

Hushmail for Healthcare

Designed specifically for healthcare providers. Includes a BAA, encrypted email, secure web forms, and e-signatures. Popular with therapists, counselors, and small practices. Pricing starts at approximately $9.99/user/month.

Paubox

Paubox signs a BAA on all paid plans and includes encryption at rest and in transit, audit logging, and email archiving. It integrates with Google Workspace and Microsoft 365, making it easy to add compliant encryption to an existing email environment without switching platforms entirely. 

LuxSci

A long-standing HIPAA-focused email provider with strong encryption and compliance features. Offers secure email, web hosting, and forms. Pricing varies by plan and user count.

ProtonMail for Business

Swiss-based end-to-end encrypted email. Offers a BAA for business plans and is strong on privacy. However, ProtonMail’s end-to-end encryption model can create interoperability challenges in healthcare settings — when sending to external recipients who don’t use Proton, messages may revert to portal pickup rather than seamless delivery, which can complicate clinical workflows. Best suited for organizations where most communications are internal or with other Proton users. 


Why Consumer Email Domains Cannot Support HIPAA Compliance

One of the most commonly misunderstood aspects of HIPAA email compliance is why consumer domains do not work — and the reason is practical, not a literal HIPAA rule. HIPAA does not explicitly state “you must use a private domain.” Rather, consumer domains like @gmail.com, @outlook.com, @yahoo.com, and @icloud.com cannot support HIPAA compliance because their providers do not offer BAAs, do not provide the administrative controls needed for compliance configuration, and do not include the retention, audit logging, and access management features HIPAA requires. In practice, this means you cannot use them.

This is why the path to HIPAA compliant email always runs through a purchased domain and a paid enterprise plan — not through a free consumer account.


Should You Configure It Yourself or Use a Provider?

This is one of the most practical questions in HIPAA email compliance. Gil Vidals’s answer is clear:

“Our audiences are either healthcare developers or healthcare professionals — and frankly, it’s just not worthwhile for you to try to go figure all this out. You really should pick a company and go with them because they will provide the BAA, they’ll enable all the things in the back end, they’re there for you as frontline support in case something goes wrong. For email, we’re talking about costs that are fairly minimal — unlike in the cloud hosting world. A lot of customers just have two or three email boxes for their whole practice. And it’s really better to go with a company that knows what they’re doing. It’s just peace of mind.”


Need HIPAA compliant hosting for your healthcare website or application? Your email compliance is only one piece of the puzzle. HIPAA Vault provides fully managed hosting with a signed BAA, U.S.-based private servers, AES-256 encryption, and 24/7 security monitoring — starting at $549/month.

View hosting plans →


What HIPAA Compliant Email Does Not Cover

Signing a BAA with your email provider covers the email platform — not everything else. Healthcare organizations also need to ensure that:

  • Their website and patient portal are hosted in a HIPAA-compliant environment
  • Any web forms that collect PHI (contact forms, intake forms, appointment requests) are encrypted and covered by a BAA
  • Staff are trained on proper email hygiene — including what information can and cannot be sent via email, how to verify recipient identity, and when to use a secure patient portal instead
  • Encryption is enforced — a BAA alone does not mean emails are encrypted; encryption must be actively configured

Frequently Asked Questions


This article draws on expert commentary from Gil Vidals, CTO and co-founder of HIPAA Vault, from the HIPAA Vault Show Episodes 14 (Is Gmail HIPAA Compliant?) and 15 (Is Outlook HIPAA Compliant?). HIPAA Vault provides managed HIPAA-compliant hosting and email configuration services for healthcare organizations. This content is educational and does not constitute legal advice. Consult a qualified HIPAA compliance attorney for guidance specific to your organization.