Webmail services like Gmail, Hotmail, Yahoo!, and those provided by your Internet Service Provider (ISP) are not, on their own, secure enough to send Protected Health Information (PHI). These services do not provide end-to-end e-mail security, and the vendors will not sign Business Associate Agreements (BAAs).
Update: As of 01/01/2017, Gmail will sign a BAA covering e-mail stored on its servers; however, this still does not provide end-to-end e-mail security.
A small medical practice paid a $100,000 fine for using webmail and an online calendar for PHI. For HIPAA compliance you need to use one of the following: a secure e-mail solution provided by a secure server; a secure cloud e-mail or encryption service from a vendor that will sign a Business Associate Agreement; or the secure communications tools included in your certified Electronic Health Record (EHR) system.
Faxes are OK between practices and pharmacies, unless your system converts the fax into an e-mail, in which case that e-mail must not be sent to a webmail account.