Google offers several digital products for individuals and organizations, some free and some paid. Many healthcare organizations use Google’s tools to connect and communicate with employees, patients, and other healthcare providers. In the healthcare industry, sensitive protected health information (PHI) must be safeguarded under HIPAA.
A major part of this compliance is working with vendors who will sign a business associate agreement (BAA) and ensure the security of PHI. Google offers a BAA for Workspace, which includes Gmail. Unfortunately, the BAA does not include the free version, meaning a free Gmail account is not HIPAA compliant.
A free Gmail account
Google Workspace (formerly known as G Suite) is a suite of cloud-based productivity and collaboration tools offered by Google. Included in the suite is Gmail. As of 2019, Gmail has 1.5 billion active users worldwide. Users access their email through a webmail interface or a mobile application.
Individuals, teams, and organizations use Google tools to communicate, store, and manage data and documents, and collaborate on projects. While these services are typically free to use for individuals, Google Workspace has various enterprise (paid) features for businesses.
Gmail privacy and security
Google prides itself on its cybersecurity and privacy features with both defensive and offensive tools automatically available to users. Such features, however, are not all HIPAA compliant, which is why Google created the Google Workspace and Cloud Identity HIPAA Implementation Guide. This informational handbook explains how to configure and use Workspace services to support HIPAA compliance.
Free Gmail accounts, widely used for personal and business communication, are not designed to meet HIPAA security and privacy requirements. Google scans free Gmail accounts, looks for keywords, and then uses those keywords to target advertisements. Using a free Gmail account to transmit PHI poses risks such as data breaches, unauthorized access, and noncompliance with HIPAA regulations.
Is Google a business associate?
HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to these covered entities' business associates (i.e., vendors). These associates are entities that perform certain functions or activities on behalf of the covered entity.
A BAA is a written contract between a covered entity and a business associate. It outlines the responsibilities and obligations of each party regarding the handling of PHI. Typical provisions within a BAA include:
- Permitted uses and disclosures of PHI
- Safeguards for protecting PHI
- Reporting and mitigation of security incidents
- Compliance with HIPAA regulations
- Dispute resolution and termination clauses
The agreement is required by law for HIPAA compliance and is a primary consideration when choosing Google services. In the case of Google Workspace (and Gmail), the service would certainly fall into the category of business associate. This, however, is only true if an organization stores, processes, or transmits PHI on the platform.
Google Workspace, Gmail, and the BAA
Google offers a BAA for Google Workspace, pointing out that the BAA covers Gmail, Calendar, Drive (including Docs, Sheets, Slides, and Forms), Google Chat, Google Meet, Keep, Google Cloud Search, Google Voice, Sites, Google Groups, Jamboard, Cloud Identity Management, Tasks, and Vault.
The BAA is only available for a paid Workspace account. Google does not sign an agreement with free Gmail users.
Is a free Gmail account HIPAA compliant?
Gmail offers HIPAA compliant email services for healthcare organizations, but only for paid accounts and only when configured properly. A paid Workspace account (which includes Gmail) provides many services covered by Google's BAA. This is not true for a free Gmail account.
Conclusion: A free Gmail account is not HIPAA compliant.
Guaranteeing a HIPAA compliant Gmail account
Once a healthcare organization has purchased a paid Google Workspace account and signed a BAA, it is up to the provider to secure every tool it uses. Here’s what to do to make sure your paid Gmail account stays HIPAA compliant:
- Use a strong password
- Enable multi-factor authentication
- Manage user permissions and restrict access as needed
- Train employees on proper email and Wi-Fi usage
- Keep software and perimeter defenses up to date
- Get consent from patients before sending or receiving PHI over email
- Utilize a third-party solution like Paubox Email Suite to ensure strong email encryption