Last updated July 28, 2018. We have been getting a lot of questions from prospective customers about whether or not Gmail is a HIPAA compliant email platform. In previous posts, we’ve covered email providers like Yahoo, GoDaddy, IPOWER and HostGator and their capabilities for HIPAA compliant email. In this article, we’ll determine if Gmail is HIPAA compliant or not, and what to do about it.
What is HIPAA compliant email?
Before we go into the unique case of Gmail, it’s first important to understand what HIPAA compliant email is. In essence, the Health Insurance Portability and Accountability Act (HIPAA), sets the standard for protecting sensitive patient data.
More specifically, two parts of HIPAA matter here: the Privacy Rule, which governs how protected health information (PHI) may be used and disclosed, and the Security Rule, which requires safeguards for electronic PHI, including patient data transmitted in email. A sound approach for HIPAA email security is to implement end-to-end encryption.
Unfortunately, email was designed to connect people, not with security in mind.
This means that delivery takes priority over confidentiality. Encryption between mail servers (STARTTLS) is opportunistic: if the next server in the path does not offer TLS, the sending server falls back to a clear-text connection rather than refusing to deliver. So a message that left your server over an encrypted connection can still arrive in clear text. At its simplest, email is an open book, which is certainly not ideal for companies and individuals working under regulations like HIPAA.
In most cases, making email HIPAA compliant means making sure that the message is encrypted from inbox to inbox and never delivered in clear text. Unencrypted email is both a security risk and a HIPAA fine risk for healthcare providers.
The Difference between G Suite (Google Apps) and Gmail for HIPAA Compliance
Did you know that G Suite (formerly Google Apps) is not the same thing as a Gmail account? G Suite is a suite of Google applications, including email, Google Docs, and Google Calendar, that Google hosts for a domain you own (e.g., yourcompany.com).
Gmail, on the other hand, is a free consumer service with addresses at @gmail.com. The important difference is that G Suite is meant to be used with a domain name your organization controls.
Another important distinction is that G Suite is a paid service, while Gmail is free to use. In a nutshell, G Suite is meant for business use, Gmail is meant for personal use.
Google and the Business Associate Agreement for HIPAA Compliance
We’ve covered in previous posts that a Business Associate Agreement (BAA) is a written contract between a covered entity and a business associate. HIPAA requires one whenever a vendor creates, receives, maintains, or transmits PHI on the covered entity’s behalf. Google is willing to sign a BAA for use with some, but not all, of its services.
If you are using G Suite, Google is willing to sign a BAA with your organization. If you are a Gmail user however, Google does not offer a BAA for Gmail accounts.
Even G Suite Email Needs to be Configured to be HIPAA Compliant
After you’ve gotten a BAA for G Suite, you’re not done yet.
That’s because Gmail within G Suite encrypts mail at rest on Google’s servers and uses TLS in transit, but that transit encryption is opportunistic: it protects a server-to-server hop only if the receiving server supports STARTTLS, and it does not extend all the way to the recipient’s inbox. As we mentioned before, this means the last hop may be delivered in clear text where it can be intercepted. Not a good prospect if any PHI is transmitted in your email.
To make G Suite email HIPAA compliant you still need a third party vendor like Paubox to make sure all emails are encrypted from inbox to inbox.
You don’t have to take our word for it: Google’s own Transparency Report on email encryption in transit shows that not every message exchanged between Gmail and other providers is encrypted in transit.
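The opportunistic-TLS fallback described above (in the section on why email can arrive in clear text, and again here for G Suite) leaves a trace you can inspect on messages you receive: every mail server prepends its own Received header, and the transmission type after "with" (registered in RFC 3848) records whether that hop was TLS-protected (ESMTPS, ESMTPSA) or clear text (SMTP, ESMTP, ESMTPA). The script below is an added example written for this article, not Paubox or Google code; the message, hostnames, and IDs in it are constructed for the example.

```python
"""Trace the SMTP hops a message took and flag the ones that ran in clear text.

Added example for this article (not Paubox or Google code). The message,
hostnames and IDs below are constructed; hostnames use the reserved .example TLD.
"""
import re
from email import message_from_string
from typing import Optional

# Transmission types from the IANA "WITH protocol types" registry (RFC 3848, RFC 6531).
# A trailing "S" means the session was protected by TLS (STARTTLS); "A" means authenticated.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA",
                 "UTF8SMTPS", "UTF8SMTPSA", "UTF8LMTPS", "UTF8LMTPSA"}
PLAINTEXT_PROTOCOLS = {"SMTP", "ESMTP", "ESMTPA", "LMTP", "LMTPA",
                       "UTF8SMTP", "UTF8SMTPA", "UTF8LMTP", "UTF8LMTPA"}

FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)", re.IGNORECASE)
TLS_VERSION_RE = re.compile(r"version=([A-Za-z0-9_.]+)")  # Gmail/Postfix-style TLS comment


def parse_received(header: str) -> dict:
    """Extract from/by/with (and the TLS version, if the server logged one) from one Received header."""
    clause = " ".join(header.split()).split(";")[0]  # unfold continuation lines, drop the date
    m_from, m_by, m_with = FROM_RE.search(clause), BY_RE.search(clause), WITH_RE.search(clause)
    m_ver = TLS_VERSION_RE.search(clause)
    proto = m_with.group(1).upper() if m_with else None
    tls: Optional[bool]
    if proto in TLS_PROTOCOLS:
        tls = True
    elif proto in PLAINTEXT_PROTOCOLS:
        tls = False
    else:
        tls = None  # not an SMTP transfer (HTTP/MAPI submission, local delivery) or unknown type
    return {"from": m_from.group(1) if m_from else None,
            "by": m_by.group(1) if m_by else None,
            "with": proto,
            "tls": tls,
            "tls_version": m_ver.group(1) if m_ver else None}


def trace_hops(raw_message: str) -> list:
    """Hops in chronological order. Each server prepends its own Received header,
    so the topmost header is the last hop and the list has to be reversed."""
    msg = message_from_string(raw_message)
    return [parse_received(h) for h in reversed(msg.get_all("Received") or [])]


def cleartext_hops(raw_message: str) -> list:
    """Hops whose transmission type says the SMTP session was not TLS-protected."""
    return [h for h in trace_hops(raw_message) if h["tls"] is False]


# Constructed message: webmail submission, TLS to the clinic's MX, then a clear-text
# relay to a legacy internal mail server that does not offer STARTTLS.
SAMPLE = """Received: from mx.clinic.example (mx.clinic.example [192.0.2.20])
\tby legacy-mail.clinic.example (Postfix) with ESMTP id 7F3A2C1
\tfor <nurse@clinic.example>; Mon, 23 Jul 2018 09:15:03 -0700 (PDT)
Received: from mail-out.hospital.example (mail-out.hospital.example [198.51.100.5])
\tby mx.clinic.example with ESMTPS id k9si3
\t(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
\tMon, 23 Jul 2018 09:15:02 -0700 (PDT)
Received: from webmail.hospital.example (unknown [203.0.113.7])
\tby mail-out.hospital.example (Postfix) with ESMTPSA id 41B2
\tfor <nurse@clinic.example>; Mon, 23 Jul 2018 09:15:01 -0700 (PDT)
Received: by webmail.hospital.example with HTTP; Mon, 23 Jul 2018 09:15:00 -0700 (PDT)
From: Dr. Example <doctor@hospital.example>
To: nurse@clinic.example
Subject: Lab results

(body omitted)
"""

if __name__ == "__main__":
    labels = {True: "TLS", False: "CLEAR TEXT", None: "n/a"}
    for hop in trace_hops(SAMPLE):
        print(f"{hop['from'] or '(local)':30} -> {hop['by'] or '?':30} "
              f"{hop['with'] or '?':10} {labels[hop['tls']]}")
    print("clear-text hops:", len(cleartext_hops(SAMPLE)))
```

Two caveats when using this on real mail. Only the Received headers added by servers you control are trustworthy; anything below them was supplied by the sender and can be forged. And the check is forensic: it shows how a message that reached you travelled, but it cannot tell you in advance how a message you send will be handled by the recipient's server, which is exactly the gap the article is pointing at.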
Automated Processing by Gmail Breaks HIPAA Compliance
Another reason for providers to be wary of using Gmail in their practice is a little-known practice: automated processing of message content.
Google has admitted in court docs that Gmail users’ emails are “subject to automated processing.” In other words, Google scans Gmail accounts, looks for keywords, and then uses those keywords to target advertisements at you and your contacts.
How would your patients feel when they realize your use of Gmail is exposing their health data to Google?
The good news is that Google has finally decided to stop this process, though there’s still no date set for when the change will occur.
Google does not sign Business Associate Agreements for Gmail users. Therefore, Gmail is not a HIPAA compliant solution. To make matters worse, Google also scans email stored in Gmail accounts for advertising purposes.
If you work in an organization that must meet HIPAA regulations, using Gmail for work is a very bad idea, both because of the fines HHS can impose and because your patients’ PHI is being scanned by a third party without their consent or knowledge. To stay clear of costly fines, keep these steps in mind:
- Pay for G Suite to eliminate ads and secure your data from automated processing
- Get a BAA from Google
- Use a third party like Paubox to ensure HIPAA compliance for sent emails
Paubox works seamlessly with G Suite to provide end-to-end HIPAA compliant email encryption. Unlike other third-party services, there are no extra steps for senders or recipients (no portals!), which makes HIPAA compliance as simple as sending email like normal from any device.