
Is Your Business Email HIPAA Compliant?

If your business handles any kind of health information — patient records, insurance details, medical billing, even appointment reminders that include health details — you need HIPAA-compliant email. And no, regular Gmail or Outlook doesn't count.

Here's what you actually need to know, in plain English.

What HIPAA Requires for Email

HIPAA doesn't ban email. It requires that any email containing Protected Health Information (PHI) meets specific security standards:

  • Encryption in transit — The email must be encrypted while being sent (TLS encryption)
  • Encryption at rest — The email must be encrypted while stored on the server
  • Access controls — Only authorized people can read the email
  • Audit logs — You need records of who accessed what and when
  • Business Associate Agreement (BAA) — Your email provider must sign one

That last point is the one most small businesses miss. If your email provider won't sign a BAA, you can't use them for PHI. Period.

Does Your Current Email Pass the Test?

Regular Gmail (free @gmail.com)

HIPAA compliant? No. Google will not sign a BAA for free Gmail accounts.

Google Workspace (paid)

HIPAA compliant? Yes — but only if you configure it correctly AND execute Google's BAA.

Microsoft 365 Business

HIPAA compliant? Yes — Microsoft will sign a BAA for Business Premium and Enterprise plans.

Regular Outlook.com / Hotmail

HIPAA compliant? No. Free Microsoft email accounts are not covered.

Yahoo, AOL, iCloud Mail

HIPAA compliant? No. None of these providers offer BAAs.

The Easiest Path to HIPAA-Compliant Email

Option 1: Google Workspace with BAA ($7.20/user/month)

  1. Sign up for Google Workspace
  2. Go to Admin console → Account → Legal and compliance
  3. Review and accept the BAA
  4. Disable services you don't need
  5. Turn on email encryption settings

Option 2: Microsoft 365 Business Premium ($22/user/month)

  1. Sign up for Microsoft 365 Business Premium
  2. Accept Microsoft's BAA (available in the Trust Center)
  3. Enable message encryption for emails containing PHI
  4. Configure Data Loss Prevention (DLP) policies

Option 3: HIPAA-Specific Email Providers

  • Hushmail for Healthcare — $9.99/user/month, HIPAA compliant out of the box
  • Paubox — Starts at $29/month, seamless encryption
  • Virtru — Email encryption plugin for Gmail/Outlook, $5-10/user/month

Common Mistakes That Break Compliance

  1. Not training your staff — Everyone who touches email needs to understand what PHI is
  2. CC'ing the wrong people — Accidentally including non-authorized recipients
  3. Using personal email for work — If an employee sends PHI from their personal Yahoo account, you're liable
  4. Not encrypting attachments — The email might be encrypted, but an unencrypted attachment isn't
  5. Forgetting mobile devices — Emails read on personal phones need the same protections

The Penalties Are Real

HIPAA fines range from $100 to $50,000 per violation, with annual maximums up to $1.5 million. Small businesses are not exempt.

The good news: showing that you've made a good-faith effort to comply goes a long way if you're ever audited.

Need Help Getting Compliant?

AI IT Guy can walk you through the setup for your specific business — which provider to choose, how to configure it, and what policies you need in place.

Get HIPAA email setup help — starting at $29/month →
