Is GMass HIPAA compliant?


HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation created to improve healthcare standards.

Covered entities and their business associates must be HIPAA compliant to protect the rights and privacy of patients and their protected health information (PHI).

We know the HIPAA industry is vast and that it is important to properly communicate about your organization while remaining HIPAA compliant.

SEE ALSO: HIPAA compliant email

This is especially true with the recent move toward remote working and the increase in cyberattacks against healthcare.

Today, we will determine if GMass is HIPAA compliant or not.

About GMass

GMass is a plugin for Gmail and Google Chrome that allows users to send email marketing and automated campaigns directly from an existing Google account. It was founded by Ajay Goel in 2014 and is now owned by Google.

RELATED: Google & HIPAA compliance: the ultimate guide

People can send personalized or cold emails immediately or scheduled for a later time. Moreover, GMass merges with Google Sheets to make it easier to send, automate, and track personalized mass emails all from a simple-to-use spreadsheet.

RELATED: Is Google Sheets HIPAA compliant?

GMass also allows users to track opens, clicks, and replies. Today, GMass is one of the most popular mass email tools for Gmail, becoming an official add-on in 2018.

GMass and the business associate agreement

A major part of HIPAA compliance is ensuring a business associate will sign a business associate agreement (BAA). A business associate is a person or entity that performs certain functions or activities that involve the use or disclosure of PHI.

In this instance, GMass is a business associate of a healthcare organization if it accesses any electronic PHI (ePHI).

RELATED: Is a name PHI?

Generally, the HIPAA Privacy Rule allows healthcare providers to disclose PHI if they receive assurance that the information is protected through a signed BAA.

While Google will sign a BAA for some of its products, GMass is not an official Google product. Furthermore, there is no reference to a GMass BAA on the GMass website.

GMass, data security, and HIPAA marketing

The HIPAA Privacy Rule defines marketing as “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.”

RELATED: HIPAA definition of marketing explained

HIPAA compliance for marketing concerns both stored and transmitted information. Keep in mind that there is a distinction between the types of communication that HIPAA considers marketing and when this permission is necessary.

Essentially, GMass transfers data (e.g., PHI) to and from a Gmail account through the SSL (Secure Sockets Layer) protocol for data security. Transport Layer Security (TLS) is the successor of SSL and is considered a safer, improved protocol.

SEE ALSO: Paubox eliminates obsolete TLS protocols, follows NSA guidance

According to its Privacy Policy, GMass stores email addresses (not email content) in a database that utilizes two layers of firewalls. There is no information on whether the database is physical or cloud-hosted. GMass does not share information with third parties, though it does keep track of sending and access records.

Is GMass HIPAA compliant?

The BAA is a key component of HIPAA compliance, and GMass does not appear to sign a BAA. Moreover, GMass uses SSL rather than the TLS protocol and does not provide much information about its data storage facilities.

If a breach or HIPAA violation occurs and any PHI is visible, the covered entity is liable.

RELATED: Your cybersecurity strategy is probably lacking


GMass does not appear to be HIPAA compliant.

Paubox Marketing for guaranteed HIPAA compliance

While there are many ways that healthcare providers can market or communicate to patients or potential patients, one of the best methods today is healthcare email marketing using HIPAA compliant email.

Paubox Marketing allows recipients to view marketing emails like regular emails but with strong TLS encryption and email security at all times. Our HITRUST certification also includes Paubox Marketing.

RELATED: Why Paubox Marketing is the best HIPAA email marketing solution available

Paubox will not only sign a BAA but will also work tirelessly to keep you and your patients safe. No extra steps for the sender or the receiver and no worry about leaked PHI.

Use HIPAA compliant email marketing not only to create personalized marketing campaigns but also to maintain PHI security.

Try Paubox Marketing for free today.

About the author

Kapua Iao
