HIPAA is a federal law that protects the privacy of health information. It applies to all PHI, including individually identifiable health and mental health information. Under the Privacy Rule, an individual's PHI may be disclosed only after that individual has given consent. Authorizations must include the specific information required by the Privacy Rule. In addition, covered entities must give individuals access to their own PHI and keep a record of disclosures.
To comply with HIPAA, covered entities must ensure that any vendor that handles patient information is also compliant with the law. Compliance is often assured through clauses in the contract. For example, a company needs to determine whether a vendor outsources data handling functions to other vendors. The company must then monitor the control measures the vendor has in place and enforce them. It is important both to monitor a vendor's contract for compliance and to review the vendor's controls for compliance.
Another option is Gmail, but on its own it does not meet HIPAA requirements. To stay HIPAA compliant, Gmail users must make sure that their emails are encrypted. Google does provide a service that encrypts emails both in transit and at rest, but Gmail's free version is not HIPAA compliant. For this purpose, Google recommends G Suite, which combines Gmail with additional security features.