HIPAA Compliant Gmail (The Perfect How-To Guide for 2022)

Is Gmail HIPAA compliant? The answer is yes, if you configure it correctly. Read on to find out how!

Google's email, calendar and productivity tools (recently renamed from G Suite to "Google Workspace") are excellent. They are easy to use and very affordable.

Google Workspace is also very secure, but there are very specific things you need to do to make Gmail HIPAA compliant. Here are some great…

Feature download: free Gmail and Google Workspace HIPAA compliance checklist (download now)

Disclaimer: We are not attorneys. You should seek your own legal advice when interpreting regulations like HIPAA. We are sharing lessons we have learned from our work with other practices for informational purposes only.

1) Become a paying Google Workspace customer

Unfortunately, only the paid version of Gmail (Google Workspace) can be used to handle PHI, and only if it is configured correctly. Why? Here are some reasons:

  • Google will only sign a HIPAA BAA with paying Workspace customers
  • Free consumer Gmail is governed by Google's consumer terms and privacy policy, which the BAA does not cover
  • Google employees can (though usually don't) view your emails
  • A patient may notice that you are using an insecure email address and complain


This is what Google says in its HIPAA Implementation Guide:

[Screenshot of Google's HIPAA Implementation Guide]

If you are absolutely, completely, 100% sure that you will never have PHI anywhere in Google (not in Gmail, not in Google Drive, not in video conferencing, not in any other service), then you should have no problem continuing to use your free @gmail.com account.

However, it's easy to make a mistake when you're busy dealing with patients and insurance companies. There's also the possibility of an upset patient filing a complaint if they're concerned about your use of insecure email. Read on for other options.

2) Sign a HIPAA business associate agreement (BAA)

Once you're a paying customer, Google has a very simple process for executing a HIPAA BAA (Google calls it the "HIPAA Business Associate Amendment"). You accept it online in the Admin console, with no forms to fill out. It would be nice if all providers made it that simple!


Here is Google's article explaining how to do it: https://support.google.com/a/answer/3407074

But… a BAA does not mean HIPAA compliance

Here's a point that many private practice "influencers" miss: signing a BAA with Google does not, by itself, make your Google Workspace HIPAA compliant.

Seriously: Google says so clearly.

"Customers are responsible for… ensuring that they use Google services in compliance with HIPAA."

"PHI is only allowed on a subset of Google services."

"These services covered by Google… should be configured by your IT administrators to help ensure that PHI is properly protected."

So yes, Google Workspace can be HIPAA compliant, but it isn't out of the box.

You need to configure the account securely yourself; the rest of this guide covers the main settings.

Our secure cloud program will make sure your Google Workspace account is set up safely and securely.

3) Obtain the patient's consent

Patient consent is strongly recommended. If you run a health care practice, get your patients' written consent before communicating with them via email or text. It will save you a world of pain if you later receive a complaint.

Here is an excellent article explaining how and why.

4) Add a disclaimer to your email signature

Add an automatic email signature that reminds recipients that email is not secure and asks anyone who receives a message in error to delete it.

Here are some examples you can adapt.

[Screenshot: example email disclaimer]

Once you have Google Workspace, your admin can automatically append such a signature to every outgoing email. Google calls this "adding a footer". Here is Google's article describing how to do it: https://support.google.com/a/answer/2364576?hl=en

[Screenshot: the outbound footer setting in the Admin console]

5) Plan carefully how you will use PHI in email

If you decide to keep using a free @gmail.com account, you are committing to never having PHI anywhere in Google (not in Gmail, not in Google Drive, not in video conferencing, not in any other service).

That means you will never send an email that could link a patient to healthcare data (such as insurance numbers, Social Security numbers, etc.) or medical information (such as diagnoses, lab results, prescriptions, etc.).


If you want to email patients, insurance companies, and other providers (or if you just don't want to have to worry about it), you have options.

We recommend an excellent secure email service to our customers. It also provides advanced security scanning for incoming and outgoing email.

While researching secure email, we also wrote an article called "HIPAA-compliant email: 7 of the best ways to send PHI by email." We tested seven different services, from free to premium, to determine which ones worked best.

6) Warn your patients about insecure email

This is a way to email patients using a free account, but it takes time and a lot of attention.

In fact, even if you're using secure email (ours or a third-party service), it's a good idea to do this anyway.

Consider this guidance from the Department of Health and Human Services (HHS) website:

The way many practices interpret it is that it's okay to communicate with patients via insecure email if the patients understand and accept the risk. Some practices have patients sign an insecure email consent form to obtain their permission to communicate this way.

[Screenshot: example insecure email consent form]

There are a couple of downsides to this approach. First, you need a reliable way to make sure you don't accidentally email a patient who hasn't signed the form, which is harder than it sounds. Second, this does not cover your emails with insurance companies, partners, or other medical providers.

7) Secure the connection between Gmail and your computer

If you access Gmail in your browser (Chrome, Safari, Firefox, Edge, etc.), you've got this covered: Gmail always uses an encrypted HTTPS connection.

If you're curious, here's how to check: look for the padlock and "https" at the start of the address bar.

[Screenshot: the padlock and https in the browser address bar]

However, many people use other programs to check their email. For example, you could be using:

  • Apple Mail
  • Microsoft Outlook
  • Mozilla Thunderbird
  • Windows Mail
  • your iPhone or Android phone
  • your iPad or Android tablet

You need to make sure that the connection between Gmail and every device you own is encrypted.

This is not difficult, but you must follow the instructions carefully. Google's documented settings are imap.gmail.com on port 993 (SSL/TLS) for incoming mail and smtp.gmail.com on port 465 (SSL/TLS) or port 587 (STARTTLS) for outgoing mail. Never choose "no encryption" in a mail client, and where the client offers it, sign in with your Google account (OAuth) rather than storing a password. Try searching "how to set up secure Gmail on" plus the name of your program or device for step-by-step instructions.

For our customers, we'll make sure it's set up the right way. Even if you already have Google Workspace, we'll go through it thoroughly and make sure everything is configured correctly.
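The following is an added example, not code from the original article or from Google: it turns the settings above into a check a practitioner can run. `classify_client_setting` judges a host/port/encryption triple copied from a mail client's account screen against Google's documented endpoints (the constructed sample settings at the bottom are assumptions, including two typical mistakes), and `probe_gmail_tls` shows the TLS context a client should use, with certificate and hostname verification on and TLS 1.2 as the floor. The probe needs network access; the classification runs offline.

```python
import imaplib
import smtplib
import ssl
from typing import Dict, Optional, Tuple

# Google's documented Gmail endpoints and the encryption each one expects.
# Any other host/port, or an "unencrypted" setting, is a misconfiguration.
SECURE_ENDPOINTS: Dict[Tuple[str, int], str] = {
    ("imap.gmail.com", 993): "ssl",       # IMAP over implicit TLS
    ("smtp.gmail.com", 465): "ssl",       # SMTP over implicit TLS
    ("smtp.gmail.com", 587): "starttls",  # SMTP submission, upgraded with STARTTLS
}

# Labels mail clients use for the same three options, normalised.
_ENCRYPTION_ALIASES = {
    "none": "none", "ssl": "ssl", "ssl/tls": "ssl", "tls/ssl": "ssl",
    "tls": "ssl", "starttls": "starttls",
}


def classify_client_setting(host: str, port: int, encryption: str) -> Tuple[bool, str]:
    """Judge one server entry copied from a mail client's account settings.

    Returns (ok, reason). A client with no encryption selected, or pointing at a
    host/port Google does not publish, is flagged even if the label looks fine.
    """
    enc = _ENCRYPTION_ALIASES.get(encryption.strip().lower())
    if enc is None:
        return False, f"unrecognised encryption setting {encryption!r}"
    if enc == "none":
        return False, "unencrypted: password and mail would cross the network in the clear"
    expected = SECURE_ENDPOINTS.get((host.strip().lower(), port))
    if expected is None:
        return False, f"{host}:{port} is not one of Google's documented Gmail endpoints"
    if expected != enc:
        return False, f"{host}:{port} requires {expected}, client is set to {enc}"
    return True, f"{host}:{port} with {enc}"


def build_tls_context() -> ssl.SSLContext:
    """TLS settings a client should use: verify the certificate chain and the
    hostname, and refuse anything older than TLS 1.2."""
    ctx = ssl.create_default_context()  # system CAs, CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe_gmail_tls(ctx: Optional[ssl.SSLContext] = None) -> Dict[str, str]:
    """Open each documented endpoint and report the TLS version negotiated.
    Needs network access, so it is only called from __main__ below."""
    ctx = ctx or build_tls_context()
    report: Dict[str, str] = {}
    with imaplib.IMAP4_SSL("imap.gmail.com", 993, ssl_context=ctx) as imap:
        report["imap:993"] = imap.sock.version()
    with smtplib.SMTP_SSL("smtp.gmail.com", 465, context=ctx, timeout=10) as smtp:
        report["smtp:465"] = smtp.sock.version()
    with smtplib.SMTP("smtp.gmail.com", 587, timeout=10) as smtp:
        smtp.starttls(context=ctx)  # raises if the server will not upgrade; never fall back
        report["smtp:587"] = smtp.sock.version()
    return report


if __name__ == "__main__":
    # Settings as a user might copy them out of a client's account screen
    # (constructed examples, including two common mistakes).
    for host, port, enc in [("imap.gmail.com", 993, "SSL/TLS"),
                            ("smtp.gmail.com", 587, "STARTTLS"),
                            ("smtp.gmail.com", 587, "None"),
                            ("imap.gmail.com", 143, "None")]:
        ok, why = classify_client_setting(host, port, enc)
        print("OK  " if ok else "FIX ", why)
    print(probe_gmail_tls())
```

The important design point is in `build_tls_context`: the default context already verifies certificates and hostnames, and the explicit minimum version stops a client from silently negotiating TLS 1.0 with a downgraded or intercepting server. A client that offers "accept any certificate" or "try unencrypted if secure fails" undoes both protections.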

8) Train your staff

If you have employees (even one), you should have a clear policy and train them on your expectations for email and SMS usage.

Specifically, train them thoroughly on how to identify PHI and on how you expect them to handle PHI in email and SMS.

You should also train them on how to identify and handle:

  • emails carrying viruses or other malware
  • emails with deceptive links
  • emails with unusual attachments
  • emails from people they don't recognise

More about these below.

9) Phishing and hackers

Ultimately, the HIPAA Security Rule is about protecting medical data from theft and misuse.

These days, you have to worry about getting hacked. Attackers go after small businesses, and medical records are very valuable on the black market.


Hackers use phishing messages (spoofed emails) to try to trick you. How?

  • They may try to trick you into handing over your email address and password.
  • They may get you to install a program that locks you out of your computer and holds your files for ransom (ransomware).
  • They may install a program on your computer that lets them see everything you do, including turning on your webcam without your knowledge.
  • They may install a program on your computer that drains your bank account.

Gmail's spam and phishing filtering does a good job here. In fact, it's the best free service we've come across (and it's what we use for our personal email accounts).

Out of the box, the paid Google Workspace plans don't give you much more protection than the free version. The Admin console does have additional Gmail safety settings (attachment scanning, link protection, and warnings for messages that fail spoofing and authentication checks), but check that an administrator has actually enabled them.


Honestly, that's not enough.

Our service includes an additional layer of security for all our clients: advanced email antivirus that protects computers against ransomware, viruses and phishing.

10) Train your staff on phishing

No matter how good your email scanner is, highly targeted attacks can still get through. That's why it's very important to train your staff about phishing.

Here are three completely free websites that teach users how to spot a phishing attack and test whether they can be fooled:

  • An excellent article on phishing, including a quiz
  • The OpenDNS phishing quiz
  • The SonicWall phishing quiz

Most of the companies we meet with mean well, but quickly get too busy and forget to run these phishing trainings. That's why we put it on autopilot as part of our service and send each user a short monthly video and quiz about phishing and cyber safety.

11) Make sure all computers and devices are secure

To be HIPAA compliant, it's not enough to worry about email. Every computer, mobile phone, and tablet you use must also be secure.

Making a device "completely secure" is a complex topic, well outside the scope of this short checklist.

However, to get you started, we've put together a couple of guides that you might find helpful.

If you are a Mac user:

Here are 5 tips to get you started.

Here is a good review of antivirus programs for Mac users (yes, Mac users need antivirus too).

If you are a Windows user:

We also wrote an article, "5 free cybersecurity tips for Windows users".

Antivirus must be installed on every computer that receives email. Here is a review of Windows antivirus programs.

12) Make sure your Gmail password is completely unique

According to the Identity Theft Resource Center, almost 900 million records have been exposed in security breaches. That's nearly three times the population of the United States.

The popular breach tracking site Have I Been Pwned lists 3.8 billion breached usernames and passwords. And those are just the ones we know about.

Attackers know that most people reuse the same password over and over again. When they get a password, the first thing they do is go to other sites and try the same username and password to see if they can get in (this is called credential stuffing).

If someone gets into your email, it's theirs. They can email patients on your behalf, reset the password on your EMR system, and email your bank.

Make sure your email password is completely unique.

Here's a fun trick (the "correct horse battery staple" method) for creating strong passphrases that are easy to remember: https://xkcd.com/936/

If you find passwords confusing, do what we do: use a password manager like Dashlane or LastPass to generate and store them.

Then you only need to remember one password.
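To check whether a password has already appeared in a breach without sending the password (or even its full hash) anywhere, Have I Been Pwned's Pwned Passwords service uses a k-anonymity range query: the client sends only the first five hex characters of the SHA-1 hash and matches the returned suffixes locally. The block below is an added example written for this guide, not code from the article or from Have I Been Pwned. The breach "database" it queries offline is constructed from three passwords declared leaked with made-up counts; `fetch_range_https` is the real query shape for a live check and is only used when run directly.

```python
import hashlib
import urllib.request
from collections import defaultdict
from typing import Callable, Dict, List

# Constructed stand-in for the Pwned Passwords range API so the example runs
# offline. The three passwords are declared "leaked"; the counts are invented.
_SAMPLE_LEAKED = {"password": 3861493, "123456": 37359195, "letmein": 243574}
_FAKE_DB: Dict[str, List[str]] = defaultdict(list)
for _pw, _count in _SAMPLE_LEAKED.items():
    _digest = hashlib.sha1(_pw.encode("utf-8")).hexdigest().upper()
    _FAKE_DB[_digest[:5]].append(f"{_digest[5:]}:{_count}")


def fake_fetch_range(prefix: str) -> str:
    """Offline substitute for the range API: returns 'SUFFIX:COUNT' lines."""
    return "\n".join(_FAKE_DB.get(prefix, []))


def fetch_range_https(prefix: str) -> str:
    """Live lookup. Only the 5-character prefix leaves the machine; Add-Padding
    asks the service to mix in dummy suffixes so response size leaks nothing."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "hipaa-gmail-checklist-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch: Callable[[str], str] = fetch_range_https) -> int:
    """How many times the password appears in known breaches (0 = never seen).

    The full hash is never transmitted: the server sees the first five hex
    characters, returns every suffix in that range, and matching is local.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate == suffix:
            return int(count)  # padding entries carry count 0, so they never false-alarm
    return 0


def is_acceptable(password: str, fetch: Callable[[str], str] = fetch_range_https,
                  min_length: int = 12) -> bool:
    """Policy check for a new password: long enough and never seen in a breach."""
    return len(password) >= min_length and pwned_count(password, fetch) == 0


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = pwned_count(pw, fake_fetch_range)
        print(f"{pw!r}: seen {n} times in the sample breach data")
```

Replace `fake_fetch_range` with `fetch_range_https` to query the live service; the privacy property is the same in both cases because the prefix split happens before anything is sent. Password managers and some identity providers run exactly this check when a user sets a password.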

13) Always use two-factor authentication for your email

You know those codes that are sent to your phone when you try to log in to some sites?

That's called "two-factor authentication" (Google calls it 2-Step Verification), and it's incredibly important for keeping your data secure and your Gmail HIPAA compliant.

Google makes it very easy to activate, and it's available on every plan, free or paid.

It is essential to activate this (do it now!). Even if a hacker steals your password, they won't be able to access your email or PHI unless they also control your second factor. Prefer an authenticator app or a hardware security key over SMS codes, which can be intercepted by SIM swapping, and if you administer a Workspace account, enforce 2-Step Verification for every user from the Admin console rather than leaving it to each person.

14) Configure sender authentication (SPF, DKIM and DMARC)

Fair warning: this one is important, but quite technical.

It's very easy to send an email and make it look like it's from someone else.

Don't believe me? Try it yourself: http://deadfake.com/send.aspx

If it's that easy for you and me, a hacker can make an email look like it came from anyone.

Even from someone inside your company.

This is how "whaling" attacks happen: the attacker sends an email that appears to come from the CEO. Companies have lost $5.2 billion to this type of attack.


There are a few technologies that make it much harder for attackers to "spoof" your email domain. The three main ones are SPF, DKIM and DMARC, and Google documents how to set each one up for Workspace: (a) DKIM, (b) SPF records, and (c) DMARC. SPF and DKIM let receiving servers check whether a message really came from your authorised servers; DMARC tells them what to do when the checks fail (ignore, quarantine, or reject) and sends you reports. Note that these protect your own domain only: they do nothing against look-alike domains or a forged display name, which is why the staff training above still matters.
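As an added example (not code from the article or from Google), here is a small auditor that reads a domain's SPF, DKIM and DMARC TXT records and reports the weaknesses that most often turn up in a fresh Workspace tenant: a missing or permissive SPF terminal, no DKIM key published, and DMARC left in monitor-only mode. The two record sets are constructed for the hypothetical domain example-clinic.test; the "good" set follows Google's published guidance (`include:_spf.google.com`, the default `google` DKIM selector, `p=reject`) and the DKIM public key in it is a dummy value.

```python
from typing import Dict, List

# Constructed DNS TXT records (name -> list of strings) for a hypothetical
# Workspace domain, as Google's setup guides say they should look.
GOOD_DNS: Dict[str, List[str]] = {
    "example-clinic.test": ["v=spf1 include:_spf.google.com ~all"],
    "google._domainkey.example-clinic.test": [
        "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAdummykey"],
    "_dmarc.example-clinic.test": [
        "v=DMARC1; p=reject; rua=mailto:dmarc@example-clinic.test; adkim=s; aspf=s"],
}

# The same domain as we typically find it: SPF authorises the whole internet,
# DKIM was never turned on, DMARC only monitors and reports to nobody.
WEAK_DNS: Dict[str, List[str]] = {
    "example-clinic.test": ["v=spf1 include:_spf.google.com +all"],
    "_dmarc.example-clinic.test": ["v=DMARC1; p=none"],
}


def parse_tags(record: str) -> Dict[str, str]:
    """Split 'k=v; k2=v2' (DKIM and DMARC syntax) into a dict, tag names lower-cased."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(records: List[str]) -> List[str]:
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no v=spf1 record; receivers cannot tell which servers may send as you"]
    if len(spf) > 1:
        return ["SPF: more than one v=spf1 record is a permanent error (RFC 7208); merge them"]
    terms = spf[0].split()
    findings: List[str] = []
    if "include:_spf.google.com" not in terms:
        findings.append("SPF: missing include:_spf.google.com, so mail sent via Gmail fails SPF")
    terminal = terms[-1].lower()
    if terminal == "+all":
        findings.append("SPF: '+all' authorises every host on the internet; use -all or ~all")
    elif terminal not in ("-all", "~all"):
        findings.append(f"SPF: record should end in -all or ~all, found {terms[-1]!r}")
    return findings


def check_dkim(records: List[str]) -> List[str]:
    if not records:
        return ["DKIM: no key at google._domainkey; turn on DKIM signing in the Admin console"]
    tags = parse_tags(records[0])
    if tags.get("v", "DKIM1") != "DKIM1":
        return [f"DKIM: unexpected version {tags['v']!r}"]
    if not tags.get("p"):
        return ["DKIM: empty p= tag means the key is revoked; signatures will not verify"]
    return []


def check_dmarc(records: List[str]) -> List[str]:
    if not records:
        return ["DMARC: no record; receivers have no instruction for mail that fails SPF/DKIM"]
    if not records[0].strip().lower().startswith("v=dmarc1"):
        return ["DMARC: record must begin with v=DMARC1"]
    tags = parse_tags(records[0])
    findings: List[str] = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only reports; move to p=quarantine, then p=reject")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: invalid or missing policy {policy!r}")
    if policy in ("quarantine", "reject") and int(tags.get("pct", "100")) < 100:
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of your mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you will never see who is spoofing you")
    return findings


def audit_domain(domain: str, dns: Dict[str, List[str]], selector: str = "google") -> List[str]:
    """Run all three checks; an empty list means nothing to fix."""
    return (check_spf(dns.get(domain, []))
            + check_dkim(dns.get(f"{selector}._domainkey.{domain}", []))
            + check_dmarc(dns.get(f"_dmarc.{domain}", [])))


if __name__ == "__main__":
    for label, dns in (("good", GOOD_DNS), ("weak", WEAK_DNS)):
        print(label, audit_domain("example-clinic.test", dns) or ["all checks passed"])
```

To run this against a real domain, fill the dict with the answers from `dig TXT yourdomain`, `dig TXT google._domainkey.yourdomain` and `dig TXT _dmarc.yourdomain`. Roll DMARC out in the order the finding suggests: start at `p=none` with a `rua=` address, read the reports to find legitimate senders you forgot (billing systems, the EMR's notification emails), add them to SPF, and only then move to `quarantine` and `reject`.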

15) Limit file sharing permissions

You can use Google Drive (the document system that comes with Google Workspace) to store and edit files that contain PHI. However, you are still responsible for making sure that nobody accesses PHI they don't need for their job.

The other thing you need to manage is making sure your users don't accidentally share PHI with the public.

The stakes are high. Here's a practice that was fined $218,000 because they botched this:

[Screenshot: the HHS enforcement notice]

This is the area where we most commonly see companies make big mistakes when we first help them get set up.

We recommend fairly strict file sharing settings: in the Admin console, restrict sharing outside your organization (or allow it only to specific allowlisted domains), turn off "anyone with the link" sharing, and make "Restricted" the default access for new links. Google makes this easy. Here are the instructions: https://support.google.com/a/answer/60781

16) Monitor user activity

It is very important to monitor your Google Workspace usage for any indicators of hacking or policy violations.

Luckily, Google offers strong capabilities for this. The most useful reports are:

  • External link file shares: any file that is publicly accessible or shared outside your organization
  • External applications: any third-party application connected to user accounts, which may pose a risk
  • 2-Step Verification enrollment: make sure all users are enrolled in 2FA
  • Email log search: a full audit trail of all email sent and received

If you're a paying Google Workspace customer, log in to the Admin console at least once a month and check these reports for any strange or unusual behavior; the alert center can also notify you automatically about events such as suspicious logins and changes to admin settings.
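The check behind the "external link file shares" report above, and behind the sharing rules in step 15, is the same: walk every file's permission list and flag anything visible outside the organization. The block below is an added example, not code from the article or from Google. Its inventory is constructed to match the shape of Drive API v3 `files.list` output with the `permissions` field expanded (permission `type` is one of user, group, domain, anyone; `allowFileDiscovery` distinguishes "public on the web" from "anyone with the link"); the file names, addresses and the domain example-clinic.test are assumptions.

```python
from typing import Dict, List

ORG_DOMAIN = "example-clinic.test"  # assumed Workspace domain

# Constructed inventory shaped like Drive API v3 files.list with
# fields="files(id,name,owners(emailAddress),permissions(type,role,emailAddress,domain,allowFileDiscovery))".
SAMPLE_FILES: List[Dict] = [
    {"id": "f1", "name": "Patient intake form.docx",
     "owners": [{"emailAddress": "frontdesk@example-clinic.test"}],
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "frontdesk@example-clinic.test"},
         {"type": "anyone", "role": "reader", "allowFileDiscovery": False},  # anyone with the link
     ]},
    {"id": "f2", "name": "Lab results - J. Doe.pdf",
     "owners": [{"emailAddress": "dr.smith@example-clinic.test"}],
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "dr.smith@example-clinic.test"},
         {"type": "user", "role": "writer", "emailAddress": "billing@outside-vendor.example"},
     ]},
    {"id": "f3", "name": "Holiday schedule.xlsx",
     "owners": [{"emailAddress": "office@example-clinic.test"}],
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "office@example-clinic.test"},
         {"type": "domain", "role": "reader", "domain": "example-clinic.test",
          "allowFileDiscovery": True},  # everyone in the practice, still internal
     ]},
    {"id": "f4", "name": "Clinic brochure.pdf",
     "owners": [{"emailAddress": "office@example-clinic.test"}],
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "office@example-clinic.test"},
         {"type": "anyone", "role": "reader", "allowFileDiscovery": True},  # public on the web
     ]},
]

# Exposure classes from worst to least bad; "internal" is not reported.
EXPOSURE_ORDER = ["public", "anyone_with_link", "external", "external_domain"]


def classify_permission(perm: Dict, org_domain: str) -> str:
    """Map one Drive permission entry to an exposure class."""
    kind = perm.get("type")
    if kind == "anyone":
        return "public" if perm.get("allowFileDiscovery") else "anyone_with_link"
    if kind == "domain":
        return "internal" if perm.get("domain", "").lower() == org_domain else "external_domain"
    if kind in ("user", "group"):
        addr = perm.get("emailAddress", "").lower()
        return "internal" if addr.endswith("@" + org_domain) else "external"
    return "unknown"


def find_overexposed(files: List[Dict], org_domain: str = ORG_DOMAIN) -> List[Dict]:
    """One finding per file visible outside the organisation, worst exposure first."""
    findings: List[Dict] = []
    for f in files:
        perms = f.get("permissions", [])
        classes = {classify_permission(p, org_domain) for p in perms}
        worst = next((c for c in EXPOSURE_ORDER if c in classes), None)
        if worst is None:
            continue  # owner plus internal users/groups/domain only
        shared_with = sorted(
            p.get("emailAddress") or p.get("domain") or "anyone"
            for p in perms if classify_permission(p, org_domain) in EXPOSURE_ORDER)
        findings.append({"id": f["id"], "name": f["name"], "exposure": worst,
                         "owner": f["owners"][0]["emailAddress"], "shared_with": shared_with})
    return sorted(findings, key=lambda x: EXPOSURE_ORDER.index(x["exposure"]))


if __name__ == "__main__":
    for finding in find_overexposed(SAMPLE_FILES):
        print(f"{finding['exposure']:16} {finding['name']!r} (owner {finding['owner']}) "
              f"-> {', '.join(finding['shared_with'])}")
```

Run monthly, this produces a short list for the owner of each file to justify or revoke; a lab result writable by an outside vendor, as in the constructed `f2`, is exactly the kind of share the BAA does not cover. Note that a file shared with the whole domain (`f3`) is internal and not reported, even though "everyone in the practice" may still be more than the minimum necessary for PHI.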

17) Finally, RTFM

"RTFM" is a very technical term that means "read the manual" (with an expletive of your choice in the middle).

These 17 tips should be enough to get you started, but there's a lot more to making Gmail and Google Workspace HIPAA compliant than what we've reviewed here.

Fortunately, Google has created a site to help paying customers use Gmail and Google Workspace in full compliance with HIPAA.

It's called "HIPAA Compliance & Data Protection with Google Workspace."

Specifically, you want the link that says "Google Workspace HIPAA Implementation Guide."

That will take you to a 19-page PDF packed with things you need to do to make Google Workspace HIPAA compliant.

If you're good with computers and have 4-8 hours to go through all of your Google Workspace and Gmail settings, you can tackle this on your own.

If you want help, we can help you.

Bonus! 18) HIPAA compliant Google Meet

Due to the COVID-19 response, we've heard from practices across the country seeking help with telemedicine options. The good news is that Google Meet can be HIPAA compliant! Google Meet is a great option for HIPAA compliant telehealth, and luckily it's very easy to use.

There are two ways to make video calls in a Google Workspace account:

  1. Within classic Hangouts, you can make video calls from the chat panel on the left side of the Gmail interface. This function is not HIPAA compliant! Google's BAA covers only the chat part of classic Hangouts.
  2. The other option is Google Meet. You use Google Meet by going to meet.google.com and starting a call. Google Meet can be used for HIPAA compliant conferencing and telemedicine.

See our article "Is Google Meet HIPAA compliant?" for answers to common questions.

The Google Workspace Learning Center has great tutorials and walkthroughs on how to use Google Meet, including for teams moving over from Zoom, WebEx, or Skype.


What should you do next?

  1. Get our free Gmail and Google Workspace HIPAA compliance checklist.
  2. Know someone who might like this article? Share it!
  3. Have questions or something to add? Let us know in the comments below!
