Is Gmail HIPAA Compliant Email? – Well, It Can Be!

Andrew Kroninger, Director of Customer Success for Total HIPAA, recently interviewed Gil Vidal, founder and CEO of VM Racks, a HIPAA compliant cloud management solution. The two discussed the potential of Gmail for HIPAA compliant email. You can listen to this episode of our podcast, HIPAA Talk!, here or on your mobile device through Apple Podcasts, or read our summary below.

Can I email PHI?

HIPAA requires you to protect PHI (protected health information) both in transit and at rest. There is a common misconception that email is a secure way to send and receive PHI. By itself, email is not a safe platform for transmitting PHI: an ordinary message is readable by every mail server that relays or stores it unless you add encryption on top. In fact, using Google's email service, Gmail, to send unencrypted PHI is against Google's terms of service.1

Sending PHI via unencrypted email can easily lead to a reportable breach if the message ends up in the wrong hands.

Is Gmail HIPAA compliant? What about G Suite?

Gmail is not HIPAA compliant out of the box; however, you can implement security measures to protect the sensitive information you send through it. When it comes to protecting information sent via email, encryption is the name of the game: you need a third party email encryption service to protect any PHI you send through Gmail.

End-to-end email encryption encrypts the message so that only the sender and the intended recipient can read its content. The recipient alone holds the unique key that unlocks the message. This way, if you send the email to the wrong address, the content is still protected, provided the service ties that key to the intended recipient's identity rather than to whoever opens the link it delivers.2 There are several services you can use to make Gmail HIPAA compliant, including, among others, Virtru, RMail, LuxSci, Identillect and Zix. You can learn more about them here.


G Suite is Google's paid business suite that includes Gmail. You can add encryption to Gmail without buying G Suite, but it is more difficult, and the Business Associate Agreement described below is only offered through the G Suite admin console.

There are several security benefits to purchasing G Suite, chiefly administrator controls over user accounts. For example, administrators can require two-factor authentication for all employees, and they can restrict how employee email is accessed on mobile devices. To be effective, these settings must be applied to every employee account, not just the ones that happen to handle PHI today.
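The "every employee account" requirement is easy to state and easy to drift away from, so it is worth verifying rather than assuming. The script below is an added example written for this summary, not code from Total HIPAA or VM Racks: it audits a G Suite user listing and reports active accounts that are not enrolled in 2-Step Verification, or are enrolled but not enforced (so the user could switch it off again). The sample listing is constructed for the example and only mimics the shape of the Admin SDK Directory API users.list response; the live-fetch helper assumes you have google-api-python-client installed and an admin-delegated credentials object, and is not run here.

```python
"""Audit a G Suite / Google Workspace user listing for 2-Step Verification.

Reports active accounts that violate the "2FA on every employee account" rule
described above. Suspended accounts are skipped because they cannot sign in.
"""
import json
from typing import Any, Dict, List

# Constructed sample (not real accounts), shaped like the Directory API
# users.list response with projection=basic. isEnrolledIn2Sv: the user set up
# 2SV; isEnforcedIn2Sv: an admin policy makes 2SV mandatory for that user.
SAMPLE_LISTING = json.dumps({
    "users": [
        {"primaryEmail": "alice@example.com", "isEnrolledIn2Sv": True,
         "isEnforcedIn2Sv": True, "suspended": False},
        {"primaryEmail": "bob@example.com", "isEnrolledIn2Sv": False,
         "isEnforcedIn2Sv": True, "suspended": False},
        {"primaryEmail": "carol@example.com", "isEnrolledIn2Sv": True,
         "isEnforcedIn2Sv": False, "suspended": False},
        {"primaryEmail": "dave@example.com", "isEnrolledIn2Sv": False,
         "isEnforcedIn2Sv": False, "suspended": True},
    ]
})


def audit_2sv(listing_json: str) -> Dict[str, List[str]]:
    """Return the accounts that break the rule, grouped by problem.

    not_enrolled: active accounts with no 2SV set up (password-only sign-in).
    not_enforced: active accounts outside any OU/group that mandates 2SV,
                  so the user can disable it themselves.
    """
    users = json.loads(listing_json).get("users", [])
    report: Dict[str, List[str]] = {"not_enrolled": [], "not_enforced": []}
    for user in users:
        if user.get("suspended", False):
            continue  # cannot sign in; out of scope for the 2SV check
        email = user["primaryEmail"]
        if not user.get("isEnrolledIn2Sv", False):
            report["not_enrolled"].append(email)
        if not user.get("isEnforcedIn2Sv", False):
            report["not_enforced"].append(email)
    return report


def is_compliant(listing_json: str) -> bool:
    """True only when no active account is missing enrollment or enforcement."""
    report = audit_2sv(listing_json)
    return not report["not_enrolled"] and not report["not_enforced"]


def fetch_users_live(credentials: Any) -> str:
    """Fetch the real listing through the Admin SDK Directory API (not run here).

    Assumption: `credentials` is a google-auth credentials object with admin
    rights (for example a service account with domain-wide delegation), and the
    optional google-api-python-client package is installed.
    """
    from googleapiclient.discovery import build  # optional dependency, imported lazily

    service = build("admin", "directory_v1", credentials=credentials)
    users: List[Dict[str, Any]] = []
    page_token = None
    while True:  # page through the whole directory, not just the first 100 users
        page = service.users().list(
            customer="my_customer",
            projection="basic",
            fields="nextPageToken,users(primaryEmail,isEnrolledIn2Sv,isEnforcedIn2Sv,suspended)",
            pageToken=page_token,
        ).execute()
        users.extend(page.get("users", []))
        page_token = page.get("nextPageToken")
        if not page_token:
            break
    return json.dumps({"users": users})


if __name__ == "__main__":
    # Against the constructed sample this flags bob (not enrolled) and
    # carol (enrolled but not enforced); dave is skipped as suspended.
    print(json.dumps(audit_2sv(SAMPLE_LISTING), indent=2))
    print("compliant:", is_compliant(SAMPLE_LISTING))
```

Run it on a schedule and treat a non-empty report as a finding: an account that is enrolled but not enforced will pass a casual spot check yet still lets the user turn 2SV off.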

Do I need a Business Associate Agreement with Google for Gmail to be HIPAA compliant?

Yes. For Gmail to be HIPAA compliant, your organization must enter into a Business Associate Agreement (BAA) with Google.

Because Google is such a large company, the process of signing a BAA is different from the usual one. Unlike other business associates, Google will not send you a signed document. Instead, you accept the agreement electronically when you set up the admin account in your company's G Suite profile: under the "additional privacy terms" tab there is an option to accept the Google Business Associate Agreement.

Does sending HIPAA compliant emails mean I am fully HIPAA compliant?

Suppose you have made Gmail HIPAA compliant with email encryption and secure email practices.

Does this mean your business is now fully HIPAA compliant?

No. Sending HIPAA compliant email does not by itself make your organization HIPAA compliant.

For example, imagine an employee composing an encrypted email containing PHI who gets up to go to lunch, leaving her computer unlocked. Now the PHI is exposed to everyone who walks past, putting your business at risk of non-compliance.


HIPAA requires organizations to protect the PHI they come into contact with at all times. Secure email practices are just one piece of the puzzle, so keeping Gmail HIPAA compliant requires constant attention and effort.

As with all security measures under HIPAA, organizations must train their employees on how to properly use programs like Gmail, and employers must write the email practices that keep Gmail HIPAA compliant into their policies and procedures.

In addition, entities must designate an administrator who is knowledgeable and available to assist with all matters related to email security. The penalties for HIPAA violations involving email are as severe as for any other violation, with fines ranging from $100 to $50,000 per violation and an annual cap of $1.5 million for violations of the same provision. With a little focused effort, your company can make Gmail HIPAA compliant.

If you have any questions about our business or anything you’ve read on the blog, please email [email protected] or contact us on twitter @totalhipaa.

1. https://www.vmracks.com/resources/es-gmail-hipaa-compatible/
2. https://blog.mailfence.com/end-to-end-email-encryption/
