How to set up HIPAA compliant emails on Google

Providers must sign a business associate agreement (BAA) with Google under a Business or Enterprise plan and use a secure email solution, like Paubox, to ensure HIPAA compliance.

Who uses Gmail?

According to TechJury, "Gmail remains the most popular email platform, with over 1.8 billion users worldwide. As of 2023, Gmail holds 27.21% of the email client market share."

Furthermore, TheirStack reports that Gmail is used by a diverse range of organizations across various industries, including 'real estate', 'computer and network security', 'motor vehicle manufacturing', 'construction', 'restaurants', 'staffing and recruiting', 'consumer services', 'hospitals and health care' and more.

However, in healthcare, platforms like Gmail do not automatically comply with HIPAA regulations, so healthcare organizations must take extra precautions to secure PHI.


Who must be HIPAA compliant?

Covered entities, including healthcare providers, health plans, healthcare clearinghouses, and their business associates who handle protected health information (PHI) must be HIPAA compliant.

More specifically, HIPAA-covered entities must use a secure email platform like Paubox. These platforms offer advanced security measures, including encryption, access controls, and authentication, to protect PHI during transmission and at rest.

Furthermore, providers must use a HIPAA compliant platform to avoid potential data breaches and their associated penalties.

Go deeper: Who needs to be HIPAA compliant?


Steps to set up HIPAA compliant emails

Choose the right Google Workspace plan

While Google Workspace offers different plans, providers must pay for either the Business or Enterprise plan and sign in to an administrator account for their organization’s Google Workspace or Cloud Identity account.


Sign a BAA with Google

Before using Google Workspace for HIPAA compliant communications, providers must sign a business associate agreement (BAA) with Google to safeguard protected health information (PHI).

Thereafter, providers should follow these steps:


Use a HIPAA compliant platform

While Google Workspace provides some encryption in transit, it depends on both the sender's and the recipient's email servers supporting transport layer security (TLS). If the recipient's server does not support TLS, the message is delivered over an unencrypted connection, which is a potential HIPAA violation.

Paubox offers advanced encryption that protects PHI even when the recipient's server does not support TLS, mitigating the risk associated with non-TLS servers and maintaining HIPAA compliance.
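The failure mode described above is what a practitioner needs to be able to see and fail closed on: standard SMTP delivery upgrades to TLS only when the receiving server advertises STARTTLS in its EHLO response, and otherwise falls back to cleartext. The following is an added example, not code from the original article and not part of Paubox's or Google's products. It parses an EHLO response, classifies the receiving server, and returns a "hold" decision rather than sending PHI in the clear; the EHLO responses, the host name mx.example.test, and the function names are constructed for the example.

```python
"""
Fail-closed check for opportunistic SMTP TLS (added example, not the article's code).

SMTP delivery is "opportunistic": the sending server upgrades to TLS only if the
receiving server lists STARTTLS in its EHLO response. If it does not, mail is
relayed in cleartext. This helper classifies a receiving server from its EHLO
response and decides whether a PHI-carrying message may be handed to it.
"""
from __future__ import annotations

import smtplib
import ssl
import sys

# Constructed EHLO responses, in the shape smtplib.SMTP.ehlo() returns them:
# the first line is the server greeting, then one ESMTP keyword per line.
EHLO_WITH_STARTTLS = (
    b"mx.example.test Hello [192.0.2.10]\n"
    b"SIZE 35882577\n8BITMIME\nSTARTTLS\nENHANCEDSTATUSCODES\nPIPELINING"
)
EHLO_WITHOUT_STARTTLS = (
    b"mx.example.test Hello [192.0.2.10]\n"
    b"SIZE 10240000\n8BITMIME\nPIPELINING"
)


def parse_ehlo_capabilities(ehlo_response: bytes) -> set[str]:
    """Return the upper-cased ESMTP keywords advertised after the greeting line."""
    lines = ehlo_response.decode("ascii", errors="replace").splitlines()
    capabilities: set[str] = set()
    for line in lines[1:]:  # lines[0] is the greeting, not a capability
        keyword = line.strip().split(" ", 1)[0]
        if keyword:
            capabilities.add(keyword.upper())
    return capabilities


def delivery_decision(capabilities: set[str], handshake_ok: bool | None = None) -> str:
    """
    Decide what to do with a PHI-carrying message for this receiving server.

    "deliver": STARTTLS is advertised and, if a handshake was attempted, it succeeded.
    "hold":    STARTTLS is absent, or the handshake failed. Never fall back to cleartext.
    """
    if "STARTTLS" not in capabilities:
        return "hold"
    if handshake_ok is False:  # advertised but failed: treat like a downgrade and fail closed
        return "hold"
    return "deliver"


def probe_live(host: str, timeout: float = 10.0) -> str:
    """
    Live probe (needs network): connect on port 25, EHLO, attempt STARTTLS with
    certificate verification, and classify. Not exercised by the offline checks.
    """
    with smtplib.SMTP(host, 25, timeout=timeout) as smtp:
        _code, ehlo_response = smtp.ehlo()
        capabilities = parse_ehlo_capabilities(ehlo_response)
        handshake_ok: bool | None = None
        if "STARTTLS" in capabilities:
            try:
                smtp.starttls(context=ssl.create_default_context())
                handshake_ok = True
            except (smtplib.SMTPException, OSError):  # ssl.SSLError is an OSError
                handshake_ok = False
        return delivery_decision(capabilities, handshake_ok)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python starttls_check.py mx.example.test  (hypothetical host name)
        print(sys.argv[1], "->", probe_live(sys.argv[1]))
    else:
        for label, response in (("with STARTTLS", EHLO_WITH_STARTTLS),
                                ("without STARTTLS", EHLO_WITHOUT_STARTTLS)):
            print(label, "->", delivery_decision(parse_ehlo_capabilities(response)))
```

Run without arguments it classifies the two constructed responses offline; with a host name it performs the live probe. The design point is that a missing STARTTLS keyword and a failed TLS handshake both map to "hold": a sender that instead continues in cleartext is exactly the unencrypted path the text warns about.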


Train staff

Covered entities must offer HIPAA training to all employees handling PHI. These include healthcare providers, administrative staff, IT personnel, receptionists, and medical records and health information management staff.

Ultimately, HIPAA training can help employees safeguard PHI, recognize security threats, and prepare for data breaches.


Regularly audit and update security measures

HIPAA compliance is an ongoing process, so covered entities must conduct regular security audits to identify and address vulnerabilities. More specifically, covered entities must stay informed about updates to Google Workspace security features and HIPAA regulations, updating their security policies accordingly.


FAQs

How can providers make Google Workspace email HIPAA compliant?

Providers must use a Business or Enterprise plan, sign a business associate agreement (BAA) with Google, and use a HIPAA compliant platform, like Paubox, to protect patient information.


What is a business associate agreement (BAA)?

A BAA is a contract between a covered entity and a business associate that outlines the responsibilities for safeguarding protected health information (PHI) and ensures HIPAA compliance.


Can an organization be penalized for a breach of PHI?

Yes, organizations can be penalized for breaches of PHI if they fail to comply with HIPAA regulations. Penalties can range from $100 to $50,000 per violation, with a maximum annual fine of $1.5 million.

The severity of the penalty depends on factors such as whether the breach was accidental or due to negligence, the extent of harm caused, the organization’s compliance history, and the steps taken to correct the issue. 
