Is Gmail HIPAA Compliant?

September. 17, 2020

1:00-2:00AM PST


In 1996, the Health Insurance Portability and Accountability Act (HIPAA) went into effect in the United States. The act required the then Secretary of the U.S. Department of Health and Human Services (HHS) to issue regulations safeguarding the security and privacy of specific, sensitive health data. Today, the majority of healthcare providers are mandated to comply with HIPAA. As more medical professionals transmit patient records and personal information to specialists and medical centers electronically, it has become even more critical to secure email communications and send HIPAA compliant email messages.

Email is generally not considered a secure form of communication. Unbeknown to most individuals, it is nearly impossible to guarantee that only an email’s intended recipient has received a given message. Moreover, enterprises whose IT departments manage the messaging systems typically offer employees no privacy within their email or network. HIPAA was created so that patients’ personally identifiable information could be kept safe from public access. With HIPAA’s intended goal in mind, it is crucial for individuals handling delicate information, such as patient diagnoses and treatment plans, to understand that email generally lacks privacy protections.

Guidelines for Emailing Protected Health Information (PHI)

Under HIPAA, Protected Health Information (PHI) must receive adequate protection throughout the entirety of an email’s lifecycle -- while in transit, in storage, and at rest. Given that email generally lacks security and most email services do not encrypt messages, it is widely considered a vulnerable platform for transmitting PHI. For this reason, it is against Google’s Terms of Service to use Gmail to send PHI without encryption. PHI sent by unencrypted email could easily end up in the wrong hands after a simple breach. In general, regardless of the email provider, it is important to take all necessary measures and strictly follow the guidelines for sending and receiving HIPAA compliant email messages containing sensitive information.

HIPAA requires healthcare providers to meet three requirements to maintain compliance. The first is robust security of patient information. “According to Section 164.314(a) of HIPAA, it is the responsibility of the healthcare provider to ensure that everyone involved in handling such confidential and personally identifiable information complies with the safeguards established by the HIPAA laws.” To fulfill this requirement, most providers add extra email security measures such as secure email, outbound email scanning, and strong management and control over email access. The second requirement of HIPAA email compliance is consent. According to the March 2013 HIPAA Omnibus Final Rule, clients may permit email communications, but only if they first receive adequate education on the potential risks of transmitting PHI via email. Most firms supply their clients with a consent form to be completed in its entirety before email communications can commence, satisfying the consent requirement. Lastly, HIPAA requires all healthcare providers that use a third-party email platform to sign a Business Associate Agreement (BAA). By signing such an agreement, Business Associates -- in this case, third-party email providers -- must protect sensitive, confidential patient data to the same elevated standards demanded of medical professionals.

How to Make Gmail HIPAA Compliant

Gmail, Google's email service, is not automatically HIPAA compliant; sending PHI through it requires additional security measures to adequately safeguard the sensitive patient data sent via the platform. Make no mistake: Gmail confidential mode does not secure the email server or encrypt emails, nor does it provide HIPAA compliance. Email encryption offers a top-class solution for protecting emailed information. By leveraging an encryption service provided by a third-party vendor, healthcare providers can rest assured that any PHI sent over free Gmail will be secured. “End-to-end email encryption configures the data so that only the sender and intended recipient can read the email’s content...[, assigning] a unique ‘key’ for unlocking the contents of the email that only the intended recipient gets.” This makes accidents less of a concern, as emails sent to an incorrect email address remain encrypted.

Furthermore, Gmail can be made HIPAA compliant more easily by purchasing Google Workspace (formerly known as G Suite -- the paid version of Gmail), which includes commonly used Google business apps such as Google Drive, Calendar, and Hangouts. On top of providing the features necessary for HIPAA compliance, Google Workspace gives users access to benefits such as administrator controls over user accounts. Such controls include enforcing two-factor authentication and limiting email access from mobile devices. For maximum efficacy, these security measures should be applied to all employee accounts.

Enter Into a Business Associates Agreement with Google

As mentioned previously, a Business Associates Agreement with Google is required to make Gmail HIPAA compliant. However, because Google is such a massive corporation, entering into a BAA with it is quite a different process for healthcare providers. Instead of receiving a signed document from Google, medical professionals enter into the agreement electronically while setting up their administrator account on Google Workspace. An option to accept Google’s Business Associates Agreement appears when the administrator expands the “Privacy Additional Terms” tab. Healthcare businesses that are not willing to sign a BAA must not use Google services to send or receive emails that contain PHI.

Be Constantly Mindful of Potential Breaches

Unfortunately, sending HIPAA compliant emails does not by itself guarantee HIPAA compliance. At any moment, one straightforward mistake -- like leaving a computer unlocked during a lunch break -- can expose an organization to a catastrophic breach. Because HIPAA requires businesses to protect PHI at all times, protection needs to go beyond safe email practices. To encourage consistent mindfulness and effort, companies need to give their employees adequate training to use Gmail or similar programs correctly. Moreover, email practices for Gmail HIPAA compliance must be written into the organization’s policies and procedures. And since penalties for violating HIPAA via email are just as grave as other HIPAA penalties, knowledgeable administrators should be assigned to oversee every element of email security.

Furthermore, accessing Gmail from iPhones, tablets, Android devices, and similar hardware can expose personal information to potential breaches. All breaches must be reported, which may lead to hefty fines or liability issues. Thus, all medical providers should exercise caution when permitting employees to access their email accounts from mobile devices, especially if emails may contain PHI.

Become 100% HIPAA Compliant on Google with Trustifi

The easiest and most comprehensive email security platform on the market, with years of experience helping businesses, Trustifi offers customers groundbreaking data loss prevention features within its suite of tools. Trustifi ensures 100% compliance with HIPAA/HITECH. On top of this, Trustifi provides users 100% compliance with additional guidelines like PII, GDPR, FSA, FINRA, LGPD, CCPA, etc. With Trustifi, healthcare providers can be notified in real time when an email, even one containing PHI, has been received, opened, and read. To further guarantee that only the intended recipient gains access to a given email, Trustifi applies two-factor authentication to the recipient -- even one who has not registered -- so that clients’ Gmail accounts remain HIPAA compliant.

Emails containing sensitive and confidential information must be encrypted. With Trustifi, healthcare industry businesses can take advantage of a convenient encryption solution. Trustifi takes the pressure of encryption off companies by automatically securing all emails containing PHI or personally identifiable information. Ensuring safe email delivery, Trustifi keeps all email correspondence private and secure while remaining extremely user-friendly to send, receive, and open at every turn.
