Is Gmail HIPAA Compliant in 2022? – Adelia Risk

Is Gmail HIPAA compliant? Many health care providers must comply with the Health Insurance Portability and Accountability Act (HIPAA).

This article talks about how you can send HIPAA compliant email. The law was designed to protect a patient's personally identifiable information from being accessible to the general public. As more physicians electronically transmit patient records and other personal information to medical specialists and facilities, it is imperative that we ensure that emails are secure.

Feature download: Free Gmail and Google Workspace HIPAA compliance checklist (download now)

Isn't all email secure? No way!

Email in general is not secure. Most people don't realize that there's really no way to know that the person receiving the email you sent is who you intended. This is especially true in companies whose messaging system is controlled by an IT department. Companies often have an email policy that informs employees that they should not expect privacy when using the company's email or Internet systems. Therefore, those who handle sensitive information, including discussions of diagnoses and treatments for patients, should be aware that general email does not guarantee privacy.

What does HIPAA say about email?

I'm summarizing here, but generally HIPAA requires three things when it comes to email:

  1. Strong security: In accordance with section 164.314(a) of HIPAA, it is the responsibility of the health care provider to ensure that all persons involved in handling such confidential and personally identifying information comply with the safeguards established by the HIPAA rules. Most providers meet this requirement by adding additional security around email, such as secure email, scanning outgoing email for sensitive data, and tightly controlling who can access email.
  2. Consent: HIPAA's omnibus final rule published on March 18, 2013 states that customers can authorize email communications, but to do so, the customer must be informed of the risks of sending protected health information by email before signing the authorization. Most companies have a consent form that customers must fill out before email can be used.
  3. Business associate agreement: Many health care providers use a third party (such as Gmail, Microsoft, or your IT company) for email. HIPAA refers to these firms as "business associates." These business associates must sign an agreement stating that they will protect a patient's confidential information to the same high standards required of the health care provider.

How does Gmail measure up with HIPAA compliance?

In case you didn't know, Gmail is an email service used by hundreds of millions of people around the world. Many small businesses use it for email because it's cheap, convenient, and offers some great security features. While most people feel safe sending and receiving personal and sensitive information through their Gmail accounts, let's see how Gmail performs against our three criteria. Is Gmail HIPAA compliant?

  1. Strong security: Google arguably has some of the best security available on a hosted web service. Businesses that take advantage of Google's free two-factor authentication have strong assurance that their email accounts aren't hacked, plus Google offers good user registration and other security features that are much stronger than many competitors'. Additionally, third-party services (reviewed in another article) are available to add secure email and outgoing email scanning, which really makes Gmail's security top notch.
  2. Consent: As this is something you will have to manage in your own office, it has nothing to do with the email provider you choose.
  3. Business associate agreement: As of September 2013, Google has stepped up and will agree to sign a Business Associate Agreement stating that it will "implement physical, technical, and managerial safeguards" to keep information safe. The company publicly states that Gmail is already HIPAA compliant in its security and privacy practices.

So, is Gmail HIPAA compliant?

The answer is yes! Gmail can be used as part of a HIPAA compliant organization.

However, only the paid version (Google Workspace Gmail, not @gmail.com email addresses) provides the features you need for HIPAA compliant email. You probably also need to add some additional services to be able to send and receive email securely.

Want to know how to make Gmail HIPAA compliant? Get the free checklist.

You should also consider how you plan to handle PHI. If you want to send PHI via email, you must subscribe to an additional secure email service (we found the best one in this article) or you must obtain written consent from your patients.

Are there alternatives?

  • Microsoft 365: Google's competitor, Microsoft, has also stated that it would be willing to sign a Business Associate Agreement stating that its Microsoft 365 program will maintain standards in compliance with HIPAA. We've experimented with their service and found it comparable to Google in many ways, if a bit more complex.
  • Other secure email providers: Many lesser-known companies offer secure email services that claim to be HIPAA compliant. A simple Google search for "hipaa email provider" will show many ads. A note of caution here: Simply using an email provider that claims to be "HIPAA compliant" does not make your practice suddenly HIPAA compliant. HIPAA compliance comes from holistic protection of sensitive data, not just secure email.
  • Use two email services: Some businesses still use Gmail as their primary email service, but then use a secondary, secure email service to communicate lab results, diagnoses, or treatments. While we wouldn't recommend this as a long-term solution (it's much easier to accidentally send PHI/PII when it bounces back and forth between two systems), this is something that could be quickly implemented as a short-term solution.

What about mobile devices?

iPhones, Android devices, and tablets use various programs, such as Google apps, to download email messages while users are out of the office. Gmail is pre-installed on most of these devices for the convenience of users. However, this convenience can create a security breach under HIPAA, and such breaches must be reported, leading to further liability issues and potential violation fines. Take special care when giving employees access to email via mobile, especially if it may contain PHI/PII.

Don't miss this part: A BAA does not mean HIPAA compliance

But here's a disclaimer that many private practice "influencers" overlook: signing a BAA with Google does not make your Gmail HIPAA compliant.

Seriously: Google says it clearly

"Customers are responsible for… ensuring that they use Google services in compliance with HIPAA."

"PHI is only allowed on a subset of Google services."

"These services covered by Google…should be configured by your IT administrators to help ensure that PHI is properly protected."

So yes, you can make Gmail HIPAA compliant, but it's not supported out of the box.

You need to make sure your account is secure.

Our secure cloud program will make your Gmail HIPAA compliant, safe and secure.


What should you do next?

  1. Get our checklist for making Gmail HIPAA compliant.
  2. Know someone who might like this article? Share it!
  3. Have questions or something to add? Let us know in the comments below!
