If you are a healthcare professional looking for a secure and user-friendly email platform, Gmail might seem like the perfect choice. With a familiar interface and integration with other Google apps, Gmail is a convenient option that many people are comfortable with.
However, using Gmail to communicate Protected Health Information (PHI) requires careful consideration, as HIPAA violations are an alarming prospect for anyone handling sensitive client data.
In this article, we explore whether Gmail is HIPAA compliant, and what measures you can take to safeguard the confidentiality and integrity of client data in email communication.
Is Gmail HIPAA Compliant?
According to the U.S. Department of Health and Human Services (HHS), the regulatory body enforcing HIPAA, free Gmail is not HIPAA compliant.
Although the HIPAA Compliance Checklist does not explicitly mention Gmail, the HHS offers general guidance on email communication under HIPAA regulations, and these guidelines apply to all email systems, including Gmail.
To comply with HIPAA standards for email, covered entities must establish access, audit, and integrity controls, as well as identity authentication and transmission security mechanisms. These measures are crucial for:
- Limiting access to Protected Health Information (PHI).
- Monitoring PHI communication.
- Maintaining the integrity of stored PHI.
- Ensuring complete message accountability.
- Safeguarding PHI against unauthorized access during transit.
Why Free Gmail Is Not HIPAA Compliant
Free Gmail is not HIPAA compliant because it does not have the necessary features to protect sensitive client information.
One of the primary concerns with free Gmail is the lack of in-transit security and end-to-end encryption. HIPAA mandates encryption for emails containing protected health information if they're transmitted outside the organization's firewall.
While Gmail does use encryption to protect email transmission between users and email servers, it does not extend this end-to-end. End-to-end encryption ensures that only the sender and intended recipient can access the email's contents by encrypting the data and assigning a unique "key" for unlocking the message.
Another issue with free Gmail is the lack of administrative and access controls to ensure that only authorized individuals can access sensitive information. Administrative controls include:
- Removing an employee's access to networks after they have left their job.
- Mandating two-factor authentication.
- Restricting the use of email on mobile devices.
- Implementing password policies.
- Monitoring and controlling user activity.
As a healthcare provider, it's only a matter of time before you're faced with a ransomware attack. If you're interested in learning how to protect your organization, read our article on ransomware in healthcare.
Can Gmail be HIPAA Compliant?
Gmail can be HIPAA compliant, but this applies only to the paid version, Google Workspace, which can be configured to meet the requirements of HIPAA regulations.
The key features that enable Google Workspace to be HIPAA compliant include:
- End-to-end encryption for emails.
- Access and administrative controls.
- Robust data storage policies that enable safe email backup and archiving, as well as HIPAA compliance when responding to access requests and Accounting of Disclosure requests under the Privacy Rule.
- Business Associate Agreements (BAAs) that define the responsibilities of both parties.
Additionally, obtaining patient consent is critical before transmitting any PHI via email to avoid potential HIPAA violations and penalties.
When patients initiate email communication with a healthcare provider, they are implicitly giving consent. However, the reverse situation is different. Healthcare providers must alert patients to the risks and let them decide whether to continue with email communication. Healthcare providers must also document both the warning and the consent; doing so complies with the HIPAA email rules and reduces the likelihood of patient complaints.
Read our article on HIPAA cloud storage requirements to learn how to store sensitive patient data in the cloud safely and securely.
How to Make Gmail HIPAA Compliant
Setting up a Google Workspace account is a relatively straightforward process, but it's not the only aspect to consider. Proper training and risk management procedures are equally important to ensure the security of sensitive patient data and achieve HIPAA compliance.
Here is how you ensure Gmail is HIPAA compliant:
Step 1: Create a Google Workspace Account
Here's a guide on how to sign up for Google Workspace:
- Browse to the Google Workspace website and click Get started.
- Type in your business name, number of employees, and country or region.
- Enter your contact information, including your name and email address.
- Google will now ask if you have a domain for your email address. If you have one, select Yes, I have one I can use and enter it when prompted. Google will then verify that you own the domain. If you do not have a domain, select No, I need one and Google will assist you in finding one.
- Set up a username and password. Enter the email address you want to use as your username. Define a strong password to ensure your account is secure.
- After completing the previous step, you will be directed to the login screen, where you log in with the username and password you just created. You can now choose the Google Workspace plan that best suits your needs. All Google Workspace plans can be HIPAA compliant, while the higher-priced plans offer features that cater to large organizations.
- Once your account is set up, you can begin customizing your settings and inviting team members to join your organization.
Step 2: Sign a Business Associate Agreement (BAA) With Google
Before you can use Google Workspace for HIPAA-compliant communication, you need to sign a BAA with Google. This agreement outlines the responsibilities of both parties regarding HIPAA compliance. BAAs are necessary because email service providers have persistent access to ePHI even when emails are encrypted.
To sign a BAA with Google Workspace, follow these steps:
- Log in to the Google Admin console.
- Open the Account drop-down menu and select Account settings.
- Scroll to the bottom of the page and select the Legal and compliance box.
- Under Google Workspace/Cloud Identity HIPAA Business Associate Amendment, click Not accepted.
- Select Review and accept.
- Answer three questions in the pop-up with a yes or no.
- Review and accept the BAA agreement.
Step 3: Configure Your Google Workspace Account
Google Workspace provides a range of essential features. However, you need to enable them to ensure that the account is HIPAA compliant.
To enable these features in Google Workspace, follow these steps:
- Sign in to your Google Workspace account.
- Click the Admin console button, located in the top right-hand corner of the screen.
- Navigate to the Security section and select Basic settings.
- Scroll down to the Encryption section, and make sure that Encrypt message text and attachments is selected.
- Next, navigate to the Mobile section and select Device management.
- Under the Device management section, enable device encryption and passcode requirements.
- Under Security settings, set up two-step verification and password policies to ensure only authorized users have access to sensitive information.
- To enable end-to-end encryption, you can use Google's Confidential mode when composing an email. This mode lets you set an expiration date for the message and prevents the recipient from forwarding or copying the message.
To be HIPAA compliant you should also set up custom policies and rules. For example, consider enabling encryption for email content stored on Google's servers, restricting access to sensitive information, and implementing strong password policies.
Are you a healthcare provider concerned about data security? Check out our latest article on Zero Trust Security, a cutting-edge strategy that verifies every user and device before granting access to the network.
Step 4: Train Employees on HIPAA Compliance
Training employees on regulations and email security best practices is crucial to achieving true HIPAA compliance.
Educate your staff on how to:
- Handle sensitive information, including the proper handling and disposal of PHI, and the importance of endpoint security.
- Identify and report potential security breaches, such as phishing attacks, and lost or stolen devices.
- Quickly report any security incidents to the appropriate person or department to minimize potential damage.
- Use Google Workspace features effectively, including how to encrypt emails.
Cyber-attacks are becoming increasingly sophisticated, and healthcare organizations need to be proactive in their defenses. To protect patient data, read our article on how to defend yourself against healthcare cybersecurity threats.
While free Gmail is not HIPAA compliant, the paid version called Google Workspace can be. Google Workspace provides essential features for HIPAA-compliant email communication, including secure email transmission, encrypted storage, and secure access controls.
Achieving HIPAA compliance is not only about selecting the right email service provider. Healthcare providers must also ensure that all their internal policies and procedures align with HIPAA so that sensitive patient information is kept safe.