Can Gmail Be HIPAA Compliant?

Email is the main form of communication that is used internally and externally for almost any organization, and the same is true for healthcare providers. Employees need to communicate about their patients and work regularly but the information that they need to discuss requires a level of protection that other industries don’t need. So is it possible for protected health information to be shared in email at all? What about Gmail? We’ll talk through all of that below!

Can PHI be emailed? 

HIPAA, the Health Insurance Portability and Accountability Act, requires that protected health information (or PHI) be secured and guarded in the way that it is shared and stored. Since PHI refers to any type of personally identifiable health information about a patient, it must be carefully protected and encrypted before it is transmitted in any way. 

With email being the most common way to quickly share information between coworkers or organizations, many people have assumed that this means it is a secure way to share PHI. However, sending PHI through a regular email platform is not a protected way to transmit this type of information. Emailing protected health information without proper encryption and software could easily result in a breach of PHI which comes at a big cost for the organization at fault. Luckily, as long as business associate agreements are signed and third-party encryption software is utilized, healthcare providers can send PHI via email, in a HIPAA compliant way. 

Is Gmail HIPAA compliant? 

Google’s free email service, Gmail, is the largest email service provider in the world. Even though it is the most universally used platform, people in the healthcare industry should still take a moment to determine whether or not Gmail is HIPAA compliant. 

Gmail itself is not automatically HIPAA compliant. In order to make it HIPAA compliant, there are certain measures and encryption tools that will ensure the protection of the information sent through Gmail. Email encryption is the key to being able to send PHI through email providers, Gmail included! A third party service will be needed to encrypt your content before sending it through Gmail. 

Is Google Workspace compliant? 

Gmail is an entirely free platform but Google Workspace is the paid version of Google products, including Gmail, which makes it easier to guarantee that the platform is HIPAA compliant. Google Workspace is an assortment of the most popular Google apps for businesses. It includes Gmail but also Drive, Calendar, Meet, Docs, Slides, Forms, Chat, and more specifically for companies. By purchasing the suite of apps, there are certain security measures that you will now have access to. Included in this program are certain privacy benefits like the option to require two-factor authentication for employees or mandated limits on employee’s mobile email usage. These measures can add greater security but must be used on all employee Gmail accounts to be truly beneficial. 

Beyond these security measures, the greatest advantage to Google Workspace for HIPAA covered entities is Google’s ability to sign a Business Associate Agreement through this purchased version of Gmail. In order to make Gmail HIPAA compliant, you must sign a BAA with Google. 

How to Enter into a Business Associate Agreement with Google? 

In order to be HIPAA compliant, Gmail must sign a Business Associate Agreement (BAA) with any healthcare providers they work with. Google, like some other large companies, have created their own ways to sign business associate agreements. That is why Google Workspace is so important for Gmail and HIPAA covered entities. 

If you have Google Workspace, you will virtually enter into a BAA through your company’s administrator’s Gmail Account on the main Google Workspace profile. Under “Privacy Additional Terms” there will be a place to see and accept Google’s Business Associate Agreement. This will prompt you to answer a couple of quick questions to verify you as a HIPAA covered entity. That is all you need to do to have a Business Associate Agreement with Google, therefore Gmail. 

Now you’ve got a BAA, so is your Gmail HIPAA compliant? 

Business Associate Agreements are required under HIPAA and are very important for being compliant, however, this is not a complete solution to compliance. Beyond signing a BAA, covered entities also need to ensure that all the information sent via Gmail is encrypted. Encryption verifies that the patient’s information will be kept safe throughout the sending process. 

Google Workspace does have an option to encrypt emails but their Transport-Layer Security (TLS) is not an incredibly safe system, as around 10% of the emails sent through this encryption remain unprotected. Instead, medical providers must use a third-party encryption service. End-to-end email encryption protects the data in a way that only allows the sender and intended recipient to read the PHI and other content. This protects the PHI from being viewed by an unauthorized person even if the email is sent to the wrong address. There are many options for third-party email encryption services. 

Does having a HIPAA compliant email mean that you’re fully HIPAA compliant? 

While ensuring that your email communication is HIPAA compliant is important, it does not guarantee that your company is fully compliant with HIPAA law. Safe email encryption and practices are important and are yet another topic that new and existing employees should be carefully trained on. Employees need to know the procedures for sending properly encrypted emails but also on not leaving their computers unattended or exposed for anyone else to see. 

It may seem that there are endless steps that need to be taken to reach and maintain HIPAA compliance. That is why Accountable was created to make HIPAA compliance simple by offering a software solution that clearly outlines all of the requirements and policies needed for companies to manage their HIPAA compliance. We provide all the tools you could need to train employees, manage business associates, and identify potential risks of a breach. Don’t wait, get started on the journey to compliance today!