๐ Key Takeaways
- Free Gmail only has TLS in transit; Google still reads the stored copy in every mailbox.
- Hosted S/MIME ships on Enterprise Plus and Education tiers; Business Starter and Standard skip it.
- Confidential Mode blocks forwarding and prints but the body sits readable inside Google storage.
- Cross-provider encryption needs shared keys or a portal service that both sides can open.
- Google BAA covers storage and transport; a gateway BAA closes the recipient mailbox gap.
Gmail handles more than 1.8 billion active accounts, and a large share of small healthcare practices, therapists, and specialty clinics run their day-to-day communication through it. The default protection is TLS in transit, which is not the same as end-to-end message encryption.
To send encrypted email from Gmail in a way that satisfies HIPAA or protects sensitive content from mailbox breaches, you need to add a layer on top of the default setup. Google offers two native options, S/MIME on select Workspace tiers and Confidential Mode on all tiers, and a third-party route sits above both.
This guide walks through each option with the exact console clicks, the tier requirements, and the cases where each method fits. It also covers the cross-provider gap that catches most senders on the first try.
Gmail Uses TLS in Transit, Not Content Encryption
Standard Gmail encrypts the connection between Google and the receiving mail server using opportunistic TLS. If the receiving server accepts TLS, the message is protected on the wire. If the receiving server does not support TLS, the message drops to plaintext for that hop.
Once the message arrives at the destination mailbox, the TLS protection ends. The message body is stored in the recipient mailbox in a form the mail provider can read. The same applies to the copy in your Sent folder.
TLS in transit does not meet the HIPAA requirement for end-to-end protection of PHI. It also does not protect against a mailbox breach on either side. A stolen password or a compromised admin session exposes every message in the account.
For content-level encryption you have three native or near-native paths from Gmail. S/MIME through Workspace, Confidential Mode, or a third-party plugin or gateway. Each has a different security ceiling and a different setup cost.
S/MIME Requires a Supported Google Workspace Tier
Hosted S/MIME in Gmail is available on Google Workspace Enterprise Plus, Education Standard, and Education Plus. Business Starter, Business Standard, and Business Plus do not include it. Personal Gmail accounts do not include it either.
To enable it, an admin signs in to the Google Admin console, opens Apps, selects Google Workspace, then Gmail, then User settings. The S/MIME section allows the admin to enable the feature for specific organizational units.
Each user then needs a valid S/MIME certificate issued by a public certificate authority or a private CA integrated with the tenant. The certificate is uploaded to the user profile, either manually or through an API integration with the CA.
Once the certificate is in place, the Gmail composer shows a lock icon in the address field. The icon turns green when the recipient public certificate is known to Google. If the recipient has never sent an S/MIME message to your organization, the lock stays gray.

Confidential Mode Is Access Control, Not Encryption
Confidential Mode sits in the Gmail composer next to the send button. Click the lock and clock icon, set an expiration date, and optionally require an SMS passcode. The recipient sees the message with forwarding, printing, and copy disabled.
The message content itself is not encrypted. It sits in Google storage in a form Google can read, and the recipient views it through a Google-hosted preview page. The expiration date deletes the preview link, but the underlying copy in Sent Mail remains in your account.
Confidential Mode is useful for reducing casual forwarding and setting a self-destruct on a routine message. It is not a substitute for encryption when PHI or regulated data is involved.
The Department of Health and Human Services has been consistent that HIPAA requires content-level protection of PHI at rest and in transit. Confidential Mode does not meet that bar on its own. Reference the HHS Security Rule guidance if you need the underlying text.
Google Signs a BAA for Paid Workspace Tiers Only
Google will sign a Business Associate Agreement for Business Starter, Business Standard, Business Plus, Enterprise Standard, Enterprise Plus, Education Standard, and Education Plus. The BAA is opt-in through the Admin console under Account, then Legal and Compliance.
The BAA does not extend to personal Gmail accounts. Sending PHI from a free Gmail address is a HIPAA violation regardless of what encryption method you layer on top. The mail provider itself has to be under a BAA.
The Google BAA covers Google storage and transport. It does not cover the recipient mailbox, the recipient mail server, or any downstream forwarding by the recipient. Once the message leaves Google, the Google BAA no longer applies.
That is why message-level encryption matters. TLS protects the wire between Google and the next hop. Message-level encryption protects the content itself all the way through to the intended reader.
PGP Requires Key Exchange with the Recipient
PGP is a public-key encryption system that predates S/MIME by several years. It works well between two technical users who have exchanged public keys, and it works poorly at scale across a healthcare organization.
On Gmail, PGP is delivered through browser extensions like FlowCrypt or through a desktop client that syncs with Gmail over IMAP. The sender private key stays on the local device. The recipient needs the same tooling and needs to import your public key before decrypting.
Key management is the friction point. Every new recipient needs a public key exchange. Every device change needs the private key transferred securely. Lost private keys mean lost access to every previously encrypted message.
PGP is not a good fit for a clinical staff workflow where messages go to dozens of external patients, insurance carriers, and referral partners per week. It fits a small circle of technical users. It does not fit a front-desk workflow.
Cross-Provider Encryption Breaks Without a Shared Method
The hard case is sending an encrypted message from Gmail to a Yahoo, Outlook.com, or AOL account. None of those recipients typically has an S/MIME certificate on file. None of them typically has PGP tooling installed. A Confidential Mode message drops to a preview link the recipient may not trust.
The workable pattern for cross-provider encryption is a portal-based encrypted email service. The service intercepts the outbound message, encrypts the payload with a key held on its servers, and sends the recipient a link to a hosted decryption page.
The recipient clicks the link, authenticates with a passcode or email verification, and reads the message in a browser session. The message never lands in the recipient mailbox in decrypted form. Only the link and the metadata do.
This is the same pattern Microsoft uses with Purview Message Encryption for Outlook. It is provider-agnostic on the recipient side, which is why it works for cross-provider sending.

Third-Party Services Work with Existing Gmail Accounts
A HIPAA-compliant encrypted email service usually plugs into Gmail one of two ways. The first is a Chrome extension that adds an encrypt button to the composer. The second is a routing configuration in Google Admin that sends outbound mail through the service gateway.
The extension approach fits solo practitioners and small teams. The user installs the extension, signs in to the service account, and gets a new send button next to the standard Gmail send button. The clinical staff experience stays inside Gmail.
The gateway approach fits larger practices with a Workspace admin. Outbound mail from designated accounts is routed through the service SMTP relay, which applies encryption based on the recipient domain or a keyword in the subject line.
Mailhippo uses this pattern. Users keep their existing Gmail account, the recipient gets a portal link, and Mailhippo signs a BAA that covers the encrypted mail path. No S/MIME certificates and no key exchange with the recipient.
Client-Side Encryption Keeps Keys Outside Google
Google Workspace Enterprise Plus offers client-side encryption, or CSE, for Gmail. Keys are held by an external key service that the customer controls, and Google never sees the plaintext of the message or the encryption key.
CSE is designed for regulated customers who need to prove that the mail provider cannot decrypt their messages even under legal request. Government agencies, defense contractors, and some large healthcare systems fit the profile.
The setup cost is significant. The admin has to stand up or contract with a Key Access Control List Service that speaks the Google CSE API, then configure each user account to use it. External recipients need matching CSE tooling, which limits interoperability.
CSE is the right choice for a small subset of Enterprise Plus customers with an existing key management infrastructure. It is not a first-move option for a typical outpatient clinic on Business Standard.
Mobile Gmail Sends Encrypted Messages Through the Same Paths
The Gmail mobile app on iOS and Android supports Confidential Mode natively. Tap the three-dot menu in the composer and select Confidential Mode. The expiration and passcode options are the same as on desktop.
S/MIME on mobile requires a Workspace tier that supports it plus a certificate provisioned to the mobile device. iOS handles certificate installation through a configuration profile pushed by MDM. Android handles it through the enterprise container.
Third-party encryption services that offer a Chrome extension do not run on the Gmail mobile app. Their mobile support is usually a standalone iOS or Android app that composes an encrypted message and sends it through the service directly.
For a clinical staff workflow where phones and tablets are common, verify the mobile path before rolling out the desktop-first setup. A method that works on the browser but not on a phone will not survive contact with actual daily use.
Practical Setup Order for a Small Healthcare Practice
Start with the BAA. Confirm the Google Workspace tier and enable the BAA in the Admin console. A personal Gmail account is not a starting point for PHI. Move to Workspace first.
Second, decide on the encryption method based on tier. If the practice is on Enterprise Plus and has an existing PKI, S/MIME is a clean fit. If the practice is on Business Standard or Business Plus, a third-party service is the shorter path than upgrading every seat to Enterprise Plus.
Third, train the front desk on the send workflow. The most common failure mode is a staff member forgetting the encrypt button and sending PHI in cleartext. A gateway that encrypts based on recipient domain or subject keyword removes that human step.
For related work on other clients, see the send a encrypted email from outlook guide and the how to send encrypted email from yahoo account reference. For a mobile-first walkthrough, see how to send an encrypted email from phone. Practices building out the broader digital stack for patient trust often pair encrypted email with a locked-down healthcare website security posture and a HIPAA-aware healthcare website design.
Common Failure Modes and How to Avoid Them
The most common failure is treating Confidential Mode as encryption. Front-desk staff assume the lock icon means the message is safe. It reduces forwarding but leaves the body readable to Google. Document the difference in the staff handbook.
The second is sending PHI from a personal Gmail account. There is no BAA, so any PHI in the message is a breach the moment it is sent. Migrate every clinical account to Workspace and disable personal Gmail forwarding.
The third is assuming S/MIME works when the recipient public certificate is not on file. The lock icon stays gray and the message goes out with TLS only. Set the tenant policy to block outbound send on the gray-lock state for accounts that handle PHI.
See the NIST SP 800-177 Rev 1 guidance on trustworthy email for the underlying reasoning on why TLS alone is not sufficient. The HIPAA Journal encryption requirements page summarizes the practical bar for covered entities.
- Confirm your Workspace tier before assuming S/MIME is available.
- Sign the Google BAA in the Admin console under Account, Legal and Compliance.
- Never send PHI from a personal Gmail account.
- Use Confidential Mode as a policy control, not as encryption.
- Verify the mobile path before rolling out the desktop workflow.
- Test S/MIME by exchanging a signed message with the recipient first, then encrypt.
- Set a tenant policy that blocks unencrypted send for accounts that handle PHI.
- Route outbound PHI mail through a gateway with a recipient-domain rule.
- Keep the encrypt button visible in the composer to reduce human error.
- Audit sent-folder contents monthly for accidental unencrypted PHI.