Gmail is considered the most popular email service having about 1.5 million users. However, can healthcare organizations use Gmail to send protected health information (PHI)? Is Gmail HIPAA compliant?
Making Gmail HIPAA Compliant
So that Gmail can become HIPAA compliant, Google must be sure to secure the email platform and meet the minimum criteria set by the HIPAA Security Rule. A covered entity must also sign a Business Associate Agreement (BAA) with Google covering the Gmail service since Google would be classified as a business associate as per the HIPAA. Although HIPAA does not mandate the use of encryption for email, it is required for emails that contain PHI to be behind the security of a firewall. When sending emails externally, end-to-end encryption is necessary.
Google has outstanding security in place and its email service complies with the HIPAA Security Rule requirements. Google is ready to sign a BAA, including coverage for Gmail, with HIPAA-covered entities. As long as there is a BAA, both parties are complying with the HIPAA. Additionally, encryption for email can be enabled making Gmail HIPAA compliant. Take note that Gmail is not compliant by default, it must be made compliant.
Gmail as a free email service isn’t HIPAA compliant and this @gmail.com email address should be for personal use only.
If looking to use a HIPAA compliant Gmail, Google’s G Suite (earlier known as Google Apps) email service must be used. It’s available as a paid subscription. This paid email solution is designed to be used with a company-registered domain like @calhipaa.com. Google will sign a business associate agreement for G Suite and not for the free @gmail.com email service.
Paying for G Suite and entering into a BAA does not make your email HIPAA compliant. You still need to encrypt your emails. Google’s encryption only applies to emails at rest and not in transit. Before sending PHI using Gmail-powered G Suite, you have to implement a paid end-to-end email encryption service.
A number of Gmail compatible encryption services are available. Examples include Google Apps Message Encryption (GAME) and third-party email encryption solutions like those provided by Identillect, Paubox, LuxSci, RMail, Zix or Virtru.
You should then make sure to HIPAA train your employees on the proper use of email. Let them know about the internal and federal rules that cover the sending of PHI through email. Take care that emails are sent only to the right recipients. It is also necessary to get the patients’ consent before sending their PHI through email.