🔑 Key Takeaways
- Gmail TLS protects the connection, not the copy sitting in your Sent folder or inbox.
- Confidential Mode blocks forwarding but Google reads the message; skip it for PHI.
- Hosted S/MIME ships only on Workspace Enterprise Plus at $30 per user per month.
- A portal service over Gmail adds a BAA and one-click delivery without cert setup.
- Green padlock means S/MIME; a red or missing padlock means the send goes plaintext.
Gmail handles more than 1.8 billion active accounts, and a large share of business email in North America runs through Workspace. Every one of those messages travels over TLS by default when the receiving server supports it. TLS is not the same as message-level encryption.
Learning how to send encrypted email in Gmail means picking the right method for the recipient and the sensitivity of the content. Gmail offers three options built in: TLS transport encryption, Confidential Mode, and S/MIME on Enterprise plans.
For healthcare organizations and any team handling regulated data, native Gmail options often fall short of HIPAA requirements. This guide walks through each method and when to use it.
Gmail Uses TLS for Every Message by Default
Every Gmail message leaves Google servers over Transport Layer Security whenever the receiving mail server supports it. TLS encrypts the connection between the two servers. Nobody sitting on the network path in between can read the message.
The padlock icon in the top-right corner of an open Gmail message shows the transport status. A gray padlock means TLS is active. A red padlock means the recipient server does not support TLS and the message will travel unencrypted.
TLS protects the connection, not the stored copy. Once the message lands in the Sent folder or the recipient inbox, TLS no longer applies. Google can read the message content on its servers, and so can the recipient mail provider.
According to Google documentation, TLS is opportunistic. If a recipient server does not accept encrypted connections, Gmail sends the message in plaintext by default. That behavior alone disqualifies TLS as a standalone compliance method for protected health information.
Confidential Mode Adds Access Controls but Not End-to-End Encryption
Gmail Confidential Mode is available on every personal Gmail account and every Workspace edition. To use it, click Compose, then click the padlock and clock icon at the bottom of the compose window. A menu appears with an expiration date and an optional SMS passcode.
Confidential Mode disables forwarding, copying, printing, and downloading for the recipient. When the expiration date passes, the message becomes unreadable. Senders can revoke access before expiration from the Sent folder.
The mode does not use end-to-end encryption. Google can read the message content. Screenshots defeat the copy and print restrictions because the recipient still sees the message on screen. SMS passcodes rely on phone carrier security, which SIM-swap attacks routinely bypass.
Confidential Mode suits casual privacy needs such as sending a temporary access code or a document link that should expire. It does not meet HIPAA transmission standards, and Google does not extend its business associate agreement to cover Confidential Mode as a compliant PHI transmission method.

S/MIME Hosted Encryption Requires Workspace Enterprise
S/MIME is the built-in Gmail option for true message-level encryption. It is available only on Google Workspace Enterprise Plus, Education Standard, and Education Plus editions. Workspace Business tiers do not include it.
Enabling S/MIME starts in the Admin console. Navigate to Apps, then Google Workspace, then Gmail, then User settings. Toggle S/MIME encryption for sending and receiving. Save the change and wait up to 24 hours for it to propagate.
Each user then uploads a personal S/MIME certificate under Gmail settings, Accounts and Import, Upload your public certificate. The certificate must come from a trusted certificate authority. Both sender and recipient need valid certificates.
When the setup is complete, the padlock icon in a compose window turns green for messages that will send with S/MIME encryption. If the recipient does not have a valid certificate installed, the padlock stays gray and the message sends over TLS only.
Confidential Mode Setup Takes Under a Minute
Open Gmail and click Compose. Fill in the recipient, subject, and body as usual. At the bottom of the compose window, find the icon that looks like a padlock with a clock overlay and click it.
Select an expiration date from the dropdown. Options range from one day to five years. Choose whether to require an SMS passcode. If SMS is selected, enter the recipient phone number in the field that appears.
Click Save. Send the message. The recipient receives an email with a link to view the message. If SMS was enabled, they receive a text with a passcode to enter before the message loads.
- External Gmail recipients see the message inline, gated by expiration.
- Non-Gmail recipients click through to a Google-hosted page.
- Sender can revoke access at any time from the Sent folder by clicking Remove Access.
A three-provider therapy practice on personal Gmail needs to send session summaries to referring physicians. Personal Gmail has no BAA and does not support S/MIME. They cannot upgrade to Workspace Enterprise Plus for hosted S/MIME at $30 per user. Instead, they migrate to Google Workspace Business Standard at $12 per user for the BAA, then layer a portal-based service at $10 per user monthly. Session summaries send from Gmail normally, and referring physicians open a one-click link without managing certificates.
S/MIME Certificates Need Renewal and User-Level Provisioning
S/MIME certificates expire, typically after one to three years depending on the issuing authority. Renewals require administrator action for every user account. Certificates issued to a departing employee should be revoked in the Admin console to prevent decryption of prior messages.
Certificate authorities include DigiCert, Sectigo, GlobalSign, and IdenTrust. Costs range from around $20 per user per year for basic identity validation to over $100 per user per year for extended validation with organization details.
For encrypted send to work, the recipient also needs a valid certificate from a trusted authority. External correspondents who do not use S/MIME cannot receive encrypted messages this way. Gmail falls back to TLS transport encryption for those recipients.
This is why S/MIME suits internal exchanges between staff at the same organization or between organizations that have coordinated certificate deployment. It does not suit sending sensitive content to patients or external vendors who do not manage their own certificates.
HIPAA Coverage in Google Workspace Has Boundaries
Google offers a business associate agreement to Workspace customers on Business Standard, Business Plus, and all Enterprise editions. The BAA covers Gmail, Calendar, Drive, Meet, and other core services. Personal Gmail accounts are not covered.
The BAA covers the transmission of PHI through Gmail when standard TLS encryption is in effect between servers. It does not cover Confidential Mode as a distinct HIPAA-safe transmission method. Practices assuming Confidential Mode is HIPAA-compliant are working from a mistaken reading of the BAA.
Because TLS is opportunistic and falls back to plaintext when the recipient server does not support it, Workspace admins cannot guarantee encrypted delivery to every recipient without additional controls. That gap is what drives many healthcare organizations to add a HIPAA-focused encrypted email service.
Additional HIPAA safeguards include audit logging of message access, secure archive retention for six years, and enforced encryption on any message flagged with PHI. Native Gmail provides some of these; complete coverage typically involves a purpose-built service.

Third-Party Services Layer HIPAA Compliance Over Gmail
Purpose-built HIPAA-compliant email services integrate with Gmail through a browser plug-in, a Gmail add-on, or SMTP relay. The sender composes and sends from Gmail without changing workflow. The service handles encryption, delivery fallback, and audit trail.
Mailhippo works this way. It sends over TLS when the recipient server supports it, falls back to a secure portal link when TLS is unavailable, includes a signed BAA in the base plan, and requires no certificate management for senders or recipients. Practices on standard Gmail or Workspace Business use it to close the HIPAA gap without switching platforms.
The recipient experience is a single click. They receive a notification email with a link, click it, authenticate with a passcode, and read the message in a browser. No account creation, no software install, no key management.
For healthcare organizations that also handle web presence and patient acquisition, coordinating email security with the broader tech stack matters. Firms offering healthcare marketing services often deploy encrypted email and HIPAA-compliant website design together.
Recipient Experience Differs Across Each Method
TLS is invisible to the recipient when it works. The message arrives in the inbox looking like any other email. No click-through, no passcode, no external portal. Nothing signals that transport encryption was applied.
Confidential Mode delivers a notification email with a View the email button. The recipient clicks and, if SMS was enabled, enters a passcode from a text message. They read the message in a Google-hosted view with copy, forward, print, and download disabled.
S/MIME delivers a locked message icon in a supported email client. Outlook, Apple Mail, and Gmail render the message inline once the recipient certificate decrypts it. In an unsupported client, the recipient sees garbled ciphertext or an attachment they cannot open.
Portal-based services deliver a notification with a link. The recipient clicks, authenticates with a one-time code, and reads in a browser. This suits patients and external contacts who do not manage certificates but expect a low-friction click.
Gmail displays a color-coded padlock in the compose window: green for S/MIME, gray for TLS, red or missing when the recipient server refuses encryption. For regulated content, never send when the padlock is red. TLS is opportunistic and drops to plaintext without warning. Layer a portal-based service that falls back to a secure browser link rather than accepting plaintext delivery for any PHI transmission.
Common Errors When Sending Encrypted Email in Gmail
The red padlock is the most frequent warning. It means the recipient mail server does not support TLS. For non-sensitive content, the message still sends. For PHI or other regulated data, do not send when the padlock is red without a portal fallback.
S/MIME send failures often trace to a missing recipient certificate. Gmail shows a gray padlock instead of green, and the message sends over TLS. To force S/MIME, both parties must have valid certificates uploaded and the Workspace admin must have enabled the feature at the domain level.
Confidential Mode messages sometimes fail to render for recipients on strict email security gateways. The notification email arrives, but the click-through link is stripped or blocked by the recipient inbound filter. Test with the specific recipient before relying on Confidential Mode for time-sensitive delivery.
According to HIPAA Journal, the most common compliance failure is sending PHI to an external address without confirming the transmission was encrypted end to end. Assume nothing about transport; verify the method for every sensitive message.
Choose the Method by Recipient and Content Sensitivity
Match the encryption method to the message. Casual internal notes to colleagues who use Gmail can rely on TLS. Time-limited access to a document link or a temporary credential fits Confidential Mode. Regulated content going to an external recipient needs message-level encryption or portal delivery.
- Internal team messages, no regulated content: TLS is sufficient.
- Temporary access codes to trusted external recipients: Confidential Mode.
- Regulated PHI, PII, or financial data to any external recipient: S/MIME or a HIPAA-compliant service.
- Recipients on unknown email systems: portal-based delivery with fallback.
For healthcare providers, portal-based services with a BAA are the most reliable path. They handle recipients across all mail providers, provide audit logs, and remove certificate management. Setup takes minutes rather than the administrator overhead S/MIME requires.
Related reading covers how to send encrypted email across platforms, how to send an encrypted email from Outlook, and how to send encrypted email using Gmail for Workspace teams. For teams building patient-facing infrastructure, resources on healthcare website security features pair well with encrypted email deployment.
Verify Encryption for Every Sensitive Message
Before hitting Send on any message with regulated content, check the padlock icon. Green means S/MIME. Gray means TLS. Red means unencrypted, and the message should not go without a portal fallback.
For Workspace administrators, the Admin console provides an Email Log Search that shows the encryption status of every outbound and inbound message. Use it to audit compliance for a defined period, especially before signing off on a HIPAA risk assessment.
According to NIST Special Publication 800-45, verified end-to-end encryption or a portal-based delivery method is required for messages carrying sensitive personally identifiable information across public networks. Assumed TLS is not the same as verified TLS.
The final rule is straightforward. Do not send regulated content over Gmail unless you have picked and verified a method that meets the transmission standard. Pick S/MIME for internal certified users, or add a HIPAA-compliant service for everyone else.
Frequently Asked Questions
Gmail encrypts messages in transit with TLS whenever both the sending and receiving mail servers support it, and the padlock icon in the message header shows when TLS is active. Messages are also encrypted at rest on Google servers. Neither of those is end-to-end encryption. Google holds the keys and can access message content for spam filtering, indexing, and legal requests. For true message-level protection, use S/MIME on Workspace Enterprise, Confidential Mode for limited controls, or a third-party encrypted service.
No. Confidential Mode does not use end-to-end encryption, Google can read the message content, and Google does not sign a business associate agreement covering Confidential Mode messages. HIPAA requires both technical safeguards and a signed BAA with any vendor that processes protected health information. Workspace Business and Enterprise editions include a BAA covering standard Gmail delivery, but the BAA does not extend Confidential Mode into a compliant transmission method for PHI. Use a HIPAA-covered encrypted email service instead.
S/MIME hosted encryption is only available on Google Workspace Enterprise Plus, Education Standard, and Education Plus editions. A Workspace administrator opens the Admin console, navigates to Apps, Google Workspace, Gmail, User settings, and enables S/MIME encryption for sending and receiving. Each user then uploads a personal certificate under Gmail settings, Accounts and Import, Upload your public certificate. Both sender and recipient need valid certificates from a trusted authority for encrypted send to work.
A personal Gmail account can use Confidential Mode for basic privacy controls, and TLS transport encryption is on by default when the recipient server supports it. Personal Gmail does not support S/MIME, and Google does not sign a BAA for personal accounts. For message-level encryption from a free Gmail account, layer a third-party encrypted email service on top, or send messages through a browser plug-in that provides PGP or S/MIME encryption client-side. Native Gmail options are limited.
TLS encrypts the connection between mail servers so nobody sitting between the two servers can read the message in transit. Once the message reaches Google server or the recipient server, TLS no longer protects it, and the mail provider can read the stored content. End-to-end encryption keeps the message unreadable to everyone except the sender and the recipient, including Google. S/MIME and PGP provide end-to-end encryption. TLS and Confidential Mode do not.
The padlock icon uses three colors. Green indicates S/MIME encryption is in use. Gray indicates TLS is protecting the connection. Red or missing indicates the recipient server does not support TLS and the message will travel unencrypted, or the S/MIME certificate check failed. If the padlock is red, Gmail warns you before sending. For regulated data, do not send when the padlock is red; use a service that falls back to a secure portal when TLS is unavailable.
A HIPAA-compliant service integrates with a Gmail or Workspace account either through a browser plug-in, a Gmail add-on, or by routing outbound mail through the service SMTP relay. The sender writes and sends from Gmail as usual. The service encrypts the message, delivers over TLS when supported, and falls back to a secure portal link when the recipient server does not support TLS. The recipient clicks the link and reads the message in a browser. No key management on either side.








