How to make Gmail HIPAA compliant
by Hoala Greevy Founder CEO of Paubox
Last updated February 19, 2020. We have been getting a lot of questions from prospective customers about whether or not Gmail is a HIPAA compliant email platform.
In this article, we’ll determine if Gmail is HIPAA compliant or not, and what to do about it.
What is HIPAA compliant email?
Before we go into the unique case of Gmail, it’s first important to understand what HIPAA compliant email is.
In essence, the Health Insurance Portability and Accountability Act (HIPAA), sets the standard for protecting sensitive patient data.
More specifically, the HIPAA Privacy Rule is an important component to be familiar with.
This rule created, for the first time, a set of national standards for the safeguard of certain health information, including protecting patient data when it’s transmitted in email.
This is why a standard approach for outgoing HIPAA email security is to implement end-to-end encryption on all emails sent with protected health information (PHI).
Unfortunately, email was designed to connect people, without security in mind.
This means that message delivery is more important than security, which is the reason why even if email is sent encrypted, it can arrive in clear text.
At its simplest, email is essentially an open book which is certainly not ideal for companies and individuals working with regulations like HIPAA.
In most cases, making an email service HIPAA compliant means ensuring that the message is encrypted from inbox to inbox and not delivered in clear text. Unencrypted email is both a security risk and a HIPAA fine risk for healthcare providers.
For more specifics, you can read our complete guide to HIPAA compliant email.
The difference between Google Workspace and Gmail for HIPAA compliance
Did you know that Google Workspace is not the same thing as a Gmail account?
Gmail on the other hand, is a free service that uses @gmail.com. The important difference here is that Google Workspace is meant to be used alongside a domain name you own.
Another important distinction is that Google Workspace is a paid service, while Gmail is free. In a nutshell, Google Workspace is meant for business use, Gmail is meant for personal use.
Google and the business associate agreement
We’ve covered in previous posts that a business associate agreement (BAA) is a written contract between a covered entity and a business associate. It is required by law for HIPAA compliance. Google is willing to sign a BAA which covers some, but not all, of its services.
If you are using Google Workspace, Google is willing to sign a BAA with your organization. If you are a Gmail user however, Google does not offer a BAA for free Gmail accounts.
Even Google Workspace email needs to be configured to be HIPAA compliant
After you’ve gotten a BAA for Google Workspace, you’re not done yet.
That’s because the core Gmail client within Google Workspace only encrypts email at rest and not all the way to the recipient’s inbox. As we mentioned before, this means that last step may be delivered in clear text and is open to be stolen. Not a good prospect if any protected health information (PHI) is transmitted in your email.
You don’t have to take our word for it; even Google’s own stats show that not every email is secured in transit.
Before you start using PHI with any Google service, it’s highly recommended you take a look at Google’s Google Workspace HIPAA Implementation Guide to make sure the service is HIPAA compliant and if any additional configurations are needed.
Automated processing by Gmail breaks HIPAA compliance
Another reason for providers to be wary of using free Gmail is the little known practice of automated processing.
Google has admitted in court documents that Gmail users’ emails are “subject to automated processing.” In other words, Google scans Gmail accounts, looks for keywords, and then uses those keywords to target advertisements at you and your contacts.
How would your patients feel if they realize your Gmail account is exposing their health data to Google?
The good news is that Google has finally decided to stop this process, though there’s still no date set for when the change will occur.
So is Gmail HIPAA compliant?
Google does not sign a business associate agreement with free Gmail users.
Therefore, Gmail is not a HIPAA compliant solution.
To make matters worse, Google also scans email stored in Gmail accounts for advertising purposes.
If you work in an organization that must meet HIPAA regulations, using Gmail for work is a very bad idea, both in terms of fines you could incur from the US Department of Human Services and also because a third party is scanning your patients’ PHI without their consent or knowledge.
In order to stay away from costly fines, keep these steps in mind:
- Pay for Google Workspace to eliminate ads and secure your data from automated processing
- Sign a BAA with Google
- Use a third-party like Paubox Email Suite to insure HIPAA compliance for sent emails
Paubox works seamlessly with Google Workspace to provide end-to-end HIPAA compliant email encryption. Unlike other third-party services, there’s no extra steps for senders or recipients (no portals!), which makes HIPAA compliance as simple as sending email as you usually would from any device.