A HIPAA-compliant email setup is one that protects patient health information (PHI) with encryption in transit and at rest, enforces access controls so only authorized staff can read it, keeps an audit log of who accessed what, and runs on a platform covered by a signed Business Associate Agreement (BAA) with your email provider. If your California medical practice emails patients, referring providers, billing partners, or labs, those four elements are the baseline. Email itself is allowed under HIPAA — the Security Rule does not ban it — but it has to be configured and contracted correctly before you send the first message containing PHI.
That last point trips up more practices than any other. Turning on a privacy setting is not the same as having a compliant email service. Below is a plain-English breakdown of what actually makes email compliant, the myth that gets practices in trouble, how the two major platforms compare, what to do when patients email you first, and a practical checklist you can hand to whoever manages your IT.
What actually makes email HIPAA-compliant
The HIPAA Security Rule requires "reasonable and appropriate" safeguards for electronic PHI. For email, that translates into four concrete controls:
- Encryption in transit and at rest. Messages should be encrypted while moving between servers (TLS) and while stored in the mailbox. Plain, unencrypted email crossing the open internet is the classic exposure.
- Access controls and authentication. Unique logins, strong passwords, and multi-factor authentication (MFA) so a stolen password alone does not expose a mailbox full of PHI.
- Audit logging. A record of mailbox access and administrative actions, so you can investigate and demonstrate what happened if there is ever a question.
- A signed Business Associate Agreement. Because your email provider stores and transmits PHI on your behalf, it is a business associate. HIPAA requires a written BAA with that provider before any PHI flows through the service.
The U.S. Department of Health and Human Services explains the Security Rule's encryption, access, and transmission requirements in its official guidance at hhs.gov/hipaa. None of these controls is exotic — they are standard features on enterprise email platforms — but they have to be deliberately switched on and documented.
The myth: "Gmail and Outlook are automatically compliant"
Here is the most common and most expensive misunderstanding we see in California practices: assuming that a free or consumer account is fine for PHI because "it's Google" or "it's Microsoft." A free @gmail.com address or a personal Outlook.com account is not covered by a BAA, and the vendor will not sign one for those products. Without a BAA, sending PHI through that account is a HIPAA violation regardless of how good the underlying encryption is.
The technology can be identical between a consumer account and a business account. What changes is the contract. Compliance lives in the paid, business-tier subscription that the vendor is willing to put a BAA behind — not in the email engine itself. So the practical rule is simple: if you cannot point to a signed BAA with the company hosting your mailboxes, you do not have HIPAA-compliant email yet, no matter whose logo is on the login page.
Microsoft 365 vs Google Workspace for PHI email
Both Microsoft and Google offer business plans that can be made HIPAA-compliant, and both will sign a BAA for the right subscription tiers. The differences are in administration, encryption tooling, and how naturally each fits a clinical workflow.
Microsoft 365 (Business Premium and above) pairs well with practices that want layered security — message encryption, data loss prevention, conditional access, and device management under one admin console. We walk through how we configure it for healthcare on our Microsoft 365 compliance page. Google Workspace (Business Standard and above) is a strong fit for practices already living in Gmail and Google Docs, with confidential mode, S/MIME options on higher tiers, and centralized audit logs; we cover that setup on our Google Workspace compliance page.
The honest answer to "which one" is: the one your team will actually use correctly, on a tier that includes a BAA and the encryption controls you need. A poorly configured Microsoft tenant is less safe than a well-configured Google one, and vice versa. The platform matters less than the configuration and the discipline behind it.
When the patient emails you first
One area that surprises providers: patients have the right to communicate with you by ordinary, unencrypted email if that is what they prefer. HHS guidance is explicit that a covered entity may send PHI by unencrypted email when an individual has been warned of the risk and still requests it. The Office for Civil Rights addresses this directly in its FAQ at HHS.gov on emailing patients.
The practical move is to document the patient's preference, give them a brief warning that standard email is not fully secure, and note that you offer an encrypted option. You are not required to refuse to answer a patient who emails their own question from a personal address — but you should keep your own outbound default set to the secure, BAA-covered channel, and reserve unencrypted replies for patients who have knowingly opted in. Internal emails between staff, and emails to other business partners, do not get this exception and should always run through the encrypted, compliant system.
Practical setup checklist for a California practice
Hand this to whoever runs your IT — internal staff or your MSP — and confirm each item is in place and documented:
- Signed BAA with your email provider, filed where you can produce it on request.
- MFA enforced on every mailbox, especially admin accounts. Stolen credentials are a leading cause of healthcare breaches.
- Encryption confirmed in transit (TLS) and at rest, with an easy way for staff to send an encrypted message to outside parties.
- Data loss prevention (DLP) rules that flag or block messages containing patterns like Social Security or medical record numbers leaving the organization unencrypted.
- Retention and disposal policy that matches your legal obligations — keeping records long enough, then disposing of them securely.
- Access reviews that remove departed employees promptly and limit who can see shared clinical mailboxes.
- Workforce training on phishing, when to use the encrypted send option, and how to record a patient's email preference.
- Audit logging turned on and monitored, so unusual mailbox access is caught early.
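To make the DLP and encryption items concrete, here is an added example, written for this page rather than taken from any vendor's product or from Cobrix Solutions, of the kind of outbound policy check a DLP rule implements: scan the message for PHI-like identifiers, then require the encrypted send option whenever such a message is headed outside the organization, unless the external recipient is a patient with a documented plain-email preference. The domain `example-clinic.test`, the addresses, the message text, and the MRN number format are all constructed assumptions; real DLP policies use the vendor's own pattern library and are configured in the admin console rather than in code.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Added example (not from the page or any vendor): a simplified outbound DLP policy
# check of the kind the checklist describes. It scans a message for PHI-like
# identifiers and decides whether it may leave the organization unencrypted.
# All domains, addresses and message text below are constructed sample data.

INTERNAL_DOMAIN = "example-clinic.test"  # assumption: the practice's own mail domain

# Identifier patterns a DLP rule would match. The MRN format is an assumed local convention.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "mrn": re.compile(r"\bMRN[-: ]?\d{6,8}\b", re.IGNORECASE),
}


@dataclass
class Message:
    sender: str
    recipients: list[str]
    body: str
    encrypted: bool = False  # True when staff used the encrypted-send option
    opt_in_plain: set[str] = field(default_factory=set)  # patients with a documented plain-email preference


def find_phi(body: str) -> dict[str, list[str]]:
    """Return every PHI-like identifier found, keyed by pattern name."""
    hits: dict[str, list[str]] = {}
    for name, pattern in PHI_PATTERNS.items():
        found = pattern.findall(body)
        if found:
            hits[name] = found
    return hits


def external_recipients(msg: Message) -> list[str]:
    """Recipients outside the BAA-covered tenant."""
    return [r for r in msg.recipients if not r.lower().endswith("@" + INTERNAL_DOMAIN)]


def evaluate(msg: Message) -> tuple[str, str]:
    """Decide 'allow' or 'require_encryption' for an outbound message, with a reason.

    Server-to-server TLS is negotiated opportunistically and is not under the
    sender's control, so the rule keys on the encrypted-send option instead.
    """
    hits = find_phi(msg.body)
    if not hits:
        return "allow", "no PHI-like identifiers found"
    external = external_recipients(msg)
    if not external:
        return "allow", "internal recipients only; stays inside the BAA-covered tenant"
    if msg.encrypted:
        return "allow", "PHI to external recipients sent with the encrypted option"
    opted_in = {o.lower() for o in msg.opt_in_plain}
    needs_encryption = [r for r in external if r.lower() not in opted_in]
    if not needs_encryption:
        return "allow", "every external recipient has a documented plain-email opt-in"
    kinds = ", ".join(sorted(hits))
    return "require_encryption", f"unencrypted {kinds} to {', '.join(needs_encryption)}"


# Constructed sample traffic covering each branch of the policy.
SAMPLES = {
    "lab_referral_plain": Message(
        "dr.lee@example-clinic.test", ["intake@partner-lab.test"],
        "Please run the panel for patient MRN 0048213 (SSN 123-45-6789).",
    ),
    "lab_referral_encrypted": Message(
        "dr.lee@example-clinic.test", ["intake@partner-lab.test"],
        "Please run the panel for patient MRN 0048213 (SSN 123-45-6789).",
        encrypted=True,
    ),
    "internal_handoff": Message(
        "dr.lee@example-clinic.test", ["frontdesk@example-clinic.test"],
        "Chart MRN-0048213 needs a follow-up call.",
    ),
    "patient_opted_in": Message(
        "dr.lee@example-clinic.test", ["pat.smith@mail.test"],
        "Your results for MRN 0048213 are back; please call to discuss.",
        opt_in_plain={"pat.smith@mail.test"},
    ),
    "newsletter": Message(
        "office@example-clinic.test", ["pat.smith@mail.test"],
        "Flu shots are available starting next week.",
    ),
}


def run_samples() -> dict[str, str]:
    """Evaluate every sample and return name -> action."""
    return {name: evaluate(msg)[0] for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        action, reason = evaluate(msg)
        print(f"{name:24} {action:19} {reason}")
```

The design point is the order of the checks: internal-only mail passes because it never leaves the BAA-covered tenant, the encrypted-send flag passes because the content is protected end to end, and the opt-in set is consulted only after those, so a documented patient preference never loosens the rule for labs, billing partners, or referring providers.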
If you want the broader version that covers your whole environment, not just email, see our HIPAA compliance checklist, and our overview of how we support clinics on the healthcare IT page.
The California layer: CMIA on top of HIPAA
California practices carry an extra obligation that out-of-state guidance often skips. The Confidentiality of Medical Information Act (CMIA), codified at California Civil Code section 56 and following, sits on top of HIPAA and is in some respects stricter. It governs how medical information is disclosed and can impose its own penalties for unauthorized release — including avenues for patients to pursue claims. You can read the statute via the official California Legislative Information site at leginfo.legislature.ca.gov.
What this means in practice: a California clinic should treat HIPAA as the floor, not the ceiling. The same encrypted, BAA-backed email controls that satisfy HIPAA also help you meet CMIA's confidentiality expectations, which is why we configure email the same careful way for practices in Los Angeles, San Diego, and everywhere between. In the practices we work with, the pattern is consistent: getting the BAA, encryption, and MFA right at the start prevents the messy, expensive cleanup later.
Make sure your practice's email is genuinely compliant
If you are not certain there is a signed BAA behind your mailboxes, or whether your encryption and MFA are actually doing their job, that uncertainty is worth resolving before the next audit or breach question lands. Book a free consultation with Cobrix Solutions and we will review your current email setup against HIPAA and CMIA, then map the shortest path to a configuration you can defend.