
Is GMass HIPAA compliant?


HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation created to improve healthcare standards. Covered entities and their business associates must be HIPAA compliant to protect the rights and privacy of patients and their protected health information (PHI). We know the HIPAA industry is vast and that it is important to communicate properly about your organization while remaining HIPAA compliant.

SEE ALSO: HIPAA compliant email

This is especially true with the recent move toward remote working and the increase in cyberattacks against healthcare. Today, we will determine if GMass is HIPAA compliant or not.


About GMass


GMass is a plugin for Gmail and Google Chrome that allows users to send email marketing and automated campaigns directly from an existing Google account. It was founded by Ajay Goel in 2014 and is now owned by Google.

RELATED: Google & HIPAA compliance: the ultimate guide

People can send personalized or cold emails immediately or scheduled for a later time. Moreover, GMass merges with Google Sheets to make it easier to send, automate, and track personalized mass emails all from a simple-to-use spreadsheet.

RELATED: Is Google Sheets HIPAA compliant?

GMass also allows users to track opens, clicks, and replies. Today, GMass is one of the most popular mass email tools for Gmail, becoming an official add-on in 2018.


GMass and the business associate agreement


A major part of HIPAA compliance is ensuring a business associate will sign a business associate agreement (BAA). A business associate is a person or entity that performs certain functions or activities that involve the use or disclosure of PHI. In this instance, GMass is a business associate of a healthcare organization if it accesses any electronic PHI (ePHI).

RELATED: Is a name PHI?

Generally, the HIPAA Privacy Rule allows healthcare providers to disclose PHI if they receive assurance that the information is protected through a signed BAA. While Google will sign a BAA for some of its products, GMass is not an official Google product. Furthermore, there is no reference to a GMass BAA on the GMass website.


GMass, data security, and HIPAA marketing


The HIPAA Privacy Rule defines marketing as “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.”

RELATED: HIPAA definition of marketing explained

HIPAA compliance for marketing concerns both stored and transmitted information. Keep in mind that there is a distinction between the types of communication that HIPAA considers marketing and the situations in which authorization for that marketing is required. Essentially, GMass transfers data (e.g., PHI) to and from a Gmail account using the SSL (Secure Sockets Layer) protocol for data security. Transport Layer Security (TLS) is the successor to SSL and is considered a safer, improved protocol.
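The SSL-versus-TLS distinction above is something a covered entity can verify rather than take on faith. The following Python script is an added example, not code from GMass, Google, or Paubox: it builds a client TLS context that refuses anything older than TLS 1.2 (the policy floor chosen for this example, consistent with the "obsolete TLS protocols" guidance linked below), classifies the protocol version a server negotiates, and runs that classification over a constructed set of observed sessions. The hostnames, the session list, and the probe's assumption of implicit TLS on the given port (for example HTTPS on 443 or SMTPS on 465, not STARTTLS) are assumptions made for the example.

```python
import socket
import ssl
import sys
from typing import Optional

# Policy floor for this example (an assumption): TLS 1.2. SSLv2/SSLv3 are
# obsolete and TLS 1.0/1.1 are deprecated, so all of those are rejected.
MINIMUM_ACCEPTED = ssl.TLSVersion.TLSv1_2

# Version strings as returned by ssl.SSLSocket.version(), mapped to the
# comparable ssl.TLSVersion enum so versions can be ordered numerically.
_VERSION_TO_ENUM = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def hardened_client_context() -> ssl.SSLContext:
    """Client context that validates certificates and hostnames and refuses
    any protocol older than the policy floor. A handshake with a server that
    only offers SSL or TLS 1.0/1.1 fails instead of silently downgrading."""
    ctx = ssl.create_default_context()        # CERT_REQUIRED + hostname check
    ctx.minimum_version = MINIMUM_ACCEPTED    # explicit floor, TLS 1.2
    return ctx


def assess_version(version: Optional[str]) -> dict:
    """Classify one negotiated protocol version string against the policy."""
    if version is None:
        return {"version": None, "acceptable": False,
                "reason": "no TLS session established"}
    known = _VERSION_TO_ENUM.get(version)
    if known is None:
        return {"version": version, "acceptable": False,
                "reason": "unrecognized protocol version"}
    if known < MINIMUM_ACCEPTED:
        return {"version": version, "acceptable": False,
                "reason": f"{version} is obsolete; policy floor is TLS 1.2"}
    return {"version": version, "acceptable": True,
            "reason": "meets TLS 1.2+ policy"}


def probe_server(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect to host:port under the hardened policy and report the outcome.
    Assumes implicit TLS on the port (HTTPS/SMTPS), not STARTTLS."""
    ctx = hardened_client_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return assess_version(tls.version())
    except (ssl.SSLError, OSError) as exc:
        # A server that cannot meet the floor never completes the handshake.
        return {"version": None, "acceptable": False,
                "reason": f"handshake failed under TLS 1.2+ policy: {exc}"}


# Constructed sample of (host, negotiated version) pairs, as an inventory
# tool might record them; None means the session could not be established.
SAMPLE_SESSIONS = [
    ("mail-a.example", "TLSv1.3"),
    ("mail-b.example", "TLSv1.2"),
    ("legacy-c.example", "TLSv1"),
    ("legacy-d.example", "SSLv3"),
    ("down-e.example", None),
]


def summarize(sessions) -> dict:
    """Count compliant and non-compliant sessions and list the offenders."""
    findings = []
    compliant = 0
    for host, version in sessions:
        result = assess_version(version)
        if result["acceptable"]:
            compliant += 1
        else:
            findings.append((host, result["reason"]))
    return {"compliant": compliant, "noncompliant": len(findings),
            "findings": findings}


if __name__ == "__main__":
    # Usage: python tls_floor_check.py host[:port] ...   (live probe)
    # With no arguments, the constructed sample above is summarized instead.
    if len(sys.argv) > 1:
        for target in sys.argv[1:]:
            host, _, port = target.partition(":")
            print(host, probe_server(host, int(port) if port else 443))
    else:
        print(summarize(SAMPLE_SESSIONS))
```

Because the client context sets the floor, the live probe cannot be talked down to SSL or TLS 1.0/1.1 by a legacy server; the handshake simply fails and is reported as non-compliant, which is the behavior a covered entity wants from any mail tooling that carries PHI.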

SEE ALSO: Paubox eliminates obsolete TLS protocols, follows NSA guidance

According to its Privacy Policy, GMass stores email addresses (not email content) in a database that utilizes two layers of firewalls. There is no information on whether the database is on-premises or in the cloud. GMass does not share information with third parties, though it keeps track of sending and access records.


Is GMass HIPAA compliant?


The BAA is a key component of HIPAA compliance, and GMass does not appear to sign a BAA. Moreover, GMass uses the SSL rather than the TLS protocol and does not provide much information about its data storage facilities. If a breach or HIPAA violation occurs and any PHI is visible, the covered entity is liable.

RELATED: Your cybersecurity strategy is probably lacking

Conclusion: GMass does not appear to be HIPAA compliant.


Paubox Marketing for guaranteed HIPAA compliance


While there are many ways that healthcare providers can market or communicate to patients or potential patients, one of the best methods today is healthcare email marketing using HIPAA compliant email. Paubox Marketing allows recipients to view marketing emails like regular emails but with strong TLS encryption and email security at all times. Our HITRUST certification also includes Paubox Marketing.

RELATED: Why Paubox Marketing is the best HIPAA email marketing solution available

Paubox will not only sign a BAA but will also work tirelessly to keep you and your patients safe. There are no extra steps for the sender or the receiver and no worry about leaked PHI. Use HIPAA compliant email marketing not only to create personalized marketing campaigns but also to maintain PHI security.


Try Paubox Marketing for free today.
