New Release: Email Security Awareness Training- Empower your team to proactively combat email threats with easy-to-launch phishing simulations and assessments

Is Gmail HIPAA Compliant?

In 1996, the Health Insurance Portability and Accountability Act (HIPAA) was enacted in the United States. The act required the Secretary of the U.S. Department of Health and Human Services (HHS) to issue regulations safeguarding the security and privacy of specific, sensitive health data. Today, most healthcare providers, along with health plans, clearinghouses, and their business associates, are required to comply with HIPAA. As more medical professionals transmit patient records and personal information to specialists and medical centers electronically, securing email communications and sending HIPAA compliant email has become critical. Email is generally not considered a secure form of communication. Unbeknownst to most people, it is nearly impossible to guarantee that only an email's intended recipient has received a given message, and enterprises whose IT departments manage the messaging system typically offer employees no privacy within their network. HIPAA was created so that patients' health information is protected from unauthorized access. With that goal in mind, anyone handling sensitive information, such as patient diagnoses and treatment plans, should understand that ordinary email lacks privacy protections. Maintaining HIPAA compliance in the medical industry can be challenging, but it is not impossible, whether you use a Gmail account or another provider, thanks to third-party services that add advanced security features.

Guidelines for Emailing Protected Health Information (PHI)

Under HIPAA, Protected Health Information (PHI) must be adequately protected throughout an email's entire lifecycle, both in transit and at rest. Because email generally lacks built-in security and most email services do not encrypt message content end to end, it is widely considered a vulnerable platform for transmitting PHI. Google's terms do not permit Gmail to be used for PHI unless a Business Associate Agreement is in place, and PHI sent through an unencrypted email service can easily end up in the wrong hands after a simple breach. Regardless of the email provider, it is important to take all necessary measures and strictly follow the guidelines below when sending and receiving HIPAA compliant email messages containing sensitive information.

HIPAA requires healthcare providers to meet three requirements to maintain compliance. The first requirement is robust security for patient information. "According to Section 164.314(a) of HIPAA, it is the responsibility of the healthcare provider to ensure that everyone involved in handling such confidential and personally identifiable information complies with the safeguards established by the HIPAA laws." To fulfill this requirement, most providers add extra email security measures such as secure (encrypted) email, outbound email scanning, and strong management and control over who can access email accounts.

The second requirement of HIPAA compliant email is consent. Under the March 2013 HIPAA Omnibus Final Rule, patients may agree to email communications, but only after they have been adequately informed of the risks of transmitting PHI via email. Most firms supply their patients with a consent form to be completed in full before email communications begin, which satisfies the requirement for written consent.

Lastly, HIPAA requires every healthcare provider that uses a third-party email platform to sign a Business Associate Agreement (BAA) with that provider. By signing such an agreement, Business Associates, in this case third-party email providers, commit to protecting sensitive patient data to the same elevated standards demanded of medical professionals, so that all emails remain compliant with HIPAA. Several health facilities have been cited by HHS for exchanging patient information over Gmail without encryption or password protection, and the fines for failing to maintain HIPAA compliance can reach several million dollars.

How to Make Gmail HIPAA Compliant

Gmail, Google's email service, is not HIPAA compliant by default; sending PHI through it requires additional security measures to adequately safeguard sensitive patient data. Make no mistake, Gmail's confidential mode does not encrypt messages end to end, does not secure the mail server, and does not make Gmail HIPAA compliant. Email encryption is the most effective way to protect emailed information. By using a third-party encryption service that has itself signed a BAA, healthcare providers can ensure that any PHI sent through Gmail accounts is protected. "End-to-end encryption configures the data so that only the sender and intended recipient can read the email's content…[, assigning] a unique 'key' for unlocking the contents of the email that only the intended recipient gets." This also reduces the impact of mistakes, because an email sent to the wrong address remains encrypted and unreadable to that recipient. Gmail can be made HIPAA compliant more easily by purchasing Google Workspace (formerly G Suite, the paid version of Gmail), which includes the most-used Google business apps such as Google Drive, Calendar, and Hangouts. Beyond the features needed for HIPAA compliance, Google Workspace gives administrators controls over user accounts, including enforcing two-factor authentication and restricting email access from mobile devices. For maximum effect, these security measures should be applied to every employee account, not just those known to handle PHI.

Enter Into a Business Associates Agreement with Google

As mentioned previously, signing a Business Associate Agreement with Google is required to make Gmail HIPAA compliant. Because Google is such a large corporation, entering into a BAA with it works differently from signing one with a typical vendor. Instead of receiving a signed document from Google, healthcare providers and other HIPAA-covered entities accept the agreement electronically from their Google Workspace administrator account: an option to accept Google's Business Associate Agreement appears when the administrator expands the "Privacy Additional Terms" tab. Note that Google's BAA covers only the specific Workspace services Google lists as covered, so administrators should restrict PHI to those services. Healthcare businesses that are not willing to sign a BAA must not use Google services to send or receive emails containing PHI.

Be Constantly Mindful of Potential Breaches

Unfortunately, sending HIPAA compliant emails does not by itself guarantee HIPAA compliance. At any moment, one simple mistake, such as leaving a computer unlocked during a lunch break, can expose an organization to a serious breach. Because HIPAA requires PHI to be protected at all times, protection has to go beyond safe email practices. To encourage consistent vigilance, companies need to give employees adequate training in using HIPAA compliant Gmail or similar tools correctly, and best practices for Gmail HIPAA compliance must be written into the organization's policies and procedures. Since penalties for violating HIPAA via email are just as severe as for any other violation, knowledgeable administrators should be assigned to oversee every element of email security. Accessing Gmail from iPhones, tablets, Android devices, and the like can also expose PHI to breaches, and every breach must be reported, which may lead to hefty fines or liability. Medical providers should therefore exercise caution when allowing employees to access their accounts from mobile devices, especially if those accounts may contain PHI.

Become 100% HIPAA Compliant on Google with Trustifi

Trustifi, an easy-to-use and comprehensive email security platform with years of experience helping businesses, offers customers advanced data loss prevention features within its suite of tools. Trustifi ensures compliance with HIPAA/HITECH and also supports compliance with additional regulations such as GDPR, FSA, FINRA, LGPD, and CCPA, along with PII protection requirements. With Trustifi, healthcare providers can be notified in real time when a HIPAA compliant email, even one containing PHI, has been received, opened, and read. To further guarantee that only the intended recipient can access a given email, Trustifi applies two-factor authentication to the recipient without requiring them to register, so that patients and partners can receive HIPAA compliant email from Gmail accounts. Emails containing sensitive and confidential information must be encrypted, and Trustifi gives healthcare businesses a convenient email encryption solution. Trustifi takes the burden of encryption off companies by automatically securing every email that contains PHI or personally identifiable information. Trustifi ensures that all correspondence is delivered safely and remains HIPAA compliant, private, and secure, while staying easy to send, receive, and open. With Trustifi, it is easy to keep your information protected: comply with the demands of HIPAA while protecting sensitive information from attackers with our encryption software, and encrypt your emails and documents with the click of a button before sending them to your patients.