While free Gmail is not HIPAA compliant and should not be used in healthcare settings, Gmail with paid Google Workspace can be made HIPAA compliant by signing a BAA with Google and ensuring end-to-end encryption (learn how).
Gmail is one of the most popular email services. As of 2019, Gmail was the second most widely used email client, according to Statista. It is not only used for personal but also for professional communication. Today, even many healthcare providers also use Gmail to correspond with their patients. They are sharing sensitive patient information (often without HIPAA compliance).
When healthcare providers use Gmail without HIPAA compliance, there is a high risk of breach of patients’ privacy and sensitive information. This could lead to significant non-compliance fines and legal penalties.
Therefore, it is crucial that you ensure Gmail is HIPAA compliant, especially when you are using it for sending sensitive patient information.
In this article, we are going to discuss what HIPPA is and find out if Gmail is HIPAA Compliant. We will also be exploring what Google has done to make Gmail (under Google Workspace) HIPAA compliant. Besides that, we will also be discussing best practices for using Gmail in a compliant manner.
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law enacted in 1996 to protect sensitive information in the healthcare industry. It applies to all businesses in the healthcare industry, such as healthcare providers, healthcare clearinghouses, and health plans.
HIPAA compliance is imperative for ensuring the security of sensitive patient information. Besides administrative and technical safeguards, HIPAA also decrees strict regulations on digital communication, including email.
It bounds covered entities to protect patients’ confidentiality and availability of electronic PHI (Protected Health Information) by implementing technical and administrative safeguards. In case of non-compliance, there might be civil and criminal penalties in addition to significant fines.
Email is widely used by healthcare providers and their patients, which is very convenient. However, with convenience, there is also a potential security risk if proper email security measures are not taken.
Therefore, it is crucial to determine whether Gmail is HIPAA compliant before using it for correspondence in a healthcare setting.
No! The free consumer version of Gmail is not HIPAA compliant. Gmail offers some security measures to protect the information shared via mail, but it does not meet all the security requirements outlined in the HIPAA. For instance, Gmail does not offer end-to-end encryption, which means that there is a potential risk of emails being intercepted and read by unwanted third parties.
Moreover, Gmail also does not offer technical land administrative safeguards that are important for HIPAA compliance. For instance, there is no way in Gmail to track who has accessed PHI in emails, which is a key HIPAA requirement.
Therefore, healthcare providers should not use Gmail (free consumer version) for communication and storage of sensitive patient information as it fails to meet the strict requirements of HIPAA.
Having said that, you can make Gmail HIPAA compliant by using paid Google Workspace and following secure email practices.
As discussed earlier, HIPAA comprises a set of regulations to ensure the protection of sensitive patient data, and healthcare providers and their associates must adhere to these regulations.
Neither the default free version of Gmail is HIPAA compliant, nor can it be made HIPAA compliant. Google has clearly stated that Gmail (free version) is not intended for businesses, especially those that are bound by HIPPA.
However, formerly Google’s G Suite, Workspace, which includes Gmail, can be made HIPAA compliant, making it an option for healthcare organizations to use Gmail for correspondence. Here is how Google Workspace meets HIPAA requirements:
Google Workspace offers a Business Associate Agreement (BAA) to its customers who are covered under HIPAA. By signing the BAA agreement, Google agrees to take the responsibility of protecting PHI. By signing a BAA with Google, healthcare organization takes the first step toward HIPAA compliance.
It is pertinent to mention here that Google does not offer BAA for free Gmail and that BAA is not sufficient for HIPAA compliance.
Free Gmail uses Transport Layer Security (TLS) to encrypt emails in transit. TLS is a security protocol that ensures that messages are securely transmitted from the sender to the recipient. However, your email will not be encrypted if the recipient email service does not have active TLS.
Besides this basic encryption, Google offers Secure/Multipurpose Internet Mail Extensions (S/MIME) to its paid Workspace users. With S/MIME, healthcare organizations can achieve enhanced email security.
By using Admin Console, available to Google Workspace users, organizations can ensure the security of sensitive patient information by managing users’ accounts and enforcing security policies such as setting up two-factor authentication, enabling password protection, and controlling which apps can be accessed and used by different employees.
Besides the safe and secure transfer of emails containing PHI, the secure retention of emails and other files is also crucial for HIPAA compliance. By using Google vault for storage of email and other files, organizations can ensure that information is safely retained and can be retrieved when needed.
From the above discussion, we have learned that Gmail is not HIPAA compliant, but you can make it compliant when using paid Google Workspace. Here is what you can do to ensure that your Gmail is HIPAA-compliant:
The first step to making your Gmail HIPAA compliant is to sign a BAA with Google. By signing BAA, Google is responsible for protecting PHI on your behalf. Google offers BAA to only its Workspace customers.
Google clearly states, “Customers who have not signed a BAA with Google must not use Google services in connection with PHI.”
So before you start using Gmail for correspondence in a healthcare setup, ensure that you have secured a BAA with Google.
HIPAA requires that the transmission of PHI be encrypted to protect the privacy and confidentiality of sensitive patient information. Gmail offers a basic level of encryption with its Transport layer Security (TLS), but more is needed for HIPAA compliance. While you can use S/MIME to achieve a higher level of email security, it is advised that you use third-party HIPAA-compliant email encryption services. These encryption services ensure that its content remains secure even if the email is intercepted.
Before using a third-party encryption service, remember that your BAA with Google does not cover third parties. So, only share PHI with third parties if you have also signed a separate BAA with them.
You can easily use Canary Mail’s secure send feature to automate email encryption.
Enabling two-factor authentication adds an extra security layer to your email account. With this feature, users must not only provide the password but also confirm their identity with a fingerprint or a code sent to their mobile devices. This keeps unwanted persons from logging into your Gmail, even when the password is compromised. This ensures that your account and PHI remain secure.
Accidental forwarding of emails that contain sensitive patient information can lead to a breach of patient confidentiality and privacy. Therefore, you must disable the email forwarding feature in Gmail to ensure email security.
Besides disabling email forwarding, you also need to ensure that PHI is not accidentally sent to any technical support chat.
Ensuring compliance with HIPAA does not end with setting up a HIPAA-compliant Gmail. You need to ensure that all the correspondence and email storage is done in compliance with HIPAA regulations. For that, you need to establish strict policies and procedures. Besides that, you will also have to train your employees on HIPAA regulations and secure handling of PHI.
By taking these measures, you can ensure that you use Gmail HIPAA-compliantly. But keep in mind that it is not a guarantee of HIPAA compliance.
While free Gmail is not HIPAA compliant and should not be used in healthcare settings, Gmail with paid Google Workspace can be made HIPAA compliant by signing a BAA with Google and ensuring end-to-end encryption.