With around 1.5 billion users, Gmail is the most popular email service in the world, but can it be used by healthcare organizations to send protected health information (PHI)? Is it possible to make Gmail HIPAA compliant?
Is Gmail HIPAA Compliant?
For Gmail to be HIPAA compliant, Google would have to ensure that the email platform is secure and meets the standards for safeguarding electronic PHI laid down in the HIPAA Security Rule. A covered entity would also need to enter into a business associate agreement (BAA) with Google covering Gmail, because a service provider that stores or transmits PHI on a covered entity's behalf is a business associate under HIPAA. Encryption is an addressable rather than a required implementation specification of the Security Rule, so it is not mandatory in every case, but it becomes a practical necessity once emails containing PHI are sent externally, beyond the protection of the organization's firewall. If emails containing PHI are sent externally, they need to be secured with end-to-end encryption.
Google has implemented strong security controls and its email service meets the requirements of the HIPAA Security Rule. Google is willing to enter into business associate agreements with HIPAA-covered entities that cover its email service, so provided a BAA is obtained, that compliance box is also checked. Encryption can be applied to email, so Google does offer an email service that can be made HIPAA compliant. However, while you can make Gmail HIPAA compliant, it is not compliant by default.
Google offers Gmail for free, and this free email service is not HIPAA compliant. The standard free service, which provides an @gmail.com email address, is intended for personal use only.
To be HIPAA compliant you need to use Google's G Suite (formerly Google Apps) email service, for which a subscription must be paid. This paid email service is intended for use with a company-owned domain, such as @hipaajournal.com. Google offers a business associate agreement for G Suite, but its BAA does not cover the free @gmail.com email service.
If you pay for G Suite and obtain a BAA, your email is still not compliant. You must ensure that emails containing PHI are encrypted. Google encrypts stored email at rest, and Gmail uses TLS in transit when the receiving mail server supports it, but that transport encryption is opportunistic and hop-by-hop: if the recipient's server does not offer TLS the message is delivered in plaintext, and in any case the message is decrypted at every relay, including Google's own servers. It is not end-to-end encryption. To send PHI via Gmail-powered G Suite, you will therefore need to pay for an end-to-end email encryption service.
There are many encryption services that are compatible with Gmail. You can use Google Apps Message Encryption (GAME) or a third-party email encryption solution such as those offered by Identillect, LuxSci, Paubox, RMail, Virtru, or Zix.
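Whether transport encryption actually covered every hop of a given message can be checked after the fact from its Received: headers, which is where the difference between opportunistic TLS and end-to-end encryption shows up in practice. The following Python script is an added example written for this article, not code from Google or from any of the vendors above. It parses a constructed two-hop message (fictitious hosts and addresses): the first hop records a STARTTLS session (the "S" in ESMTPS, per RFC 3848, plus the version and cipher Gmail-style relays append), the second hop fell back to plain ESMTP. It also reports whether the body is still readable by those relays, which it is unless the message was wrapped in S/MIME or PGP/MIME before sending.

```python
"""Inspect a raw email's Received: headers to see which SMTP hops used TLS.

Added example for this article; not code from the original page.
"""
import email
import re

# Constructed sample message relayed through two hops (fictitious hosts/IPs).
# Hop 1: clinic mail server -> relay, with STARTTLS ("with ESMTPS").
# Hop 2: relay -> destination MX, plain ESMTP (no TLS offered by the MX).
SAMPLE_MESSAGE = b"""Received: from relay.example.net (relay.example.net [192.0.2.20])
\tby mx.example.org with ESMTP id 23si4021;
\tMon, 01 Jan 2024 10:00:02 +0000
Received: from mail.clinic.example (mail.clinic.example [192.0.2.10])
\tby relay.example.net with ESMTPS id 9a8b7c
\t(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
\tMon, 01 Jan 2024 10:00:01 +0000
From: nurse@clinic.example
To: patient@example.org
Subject: Appointment

Your lab results are attached.
"""

# "from <host> ... by <host> with <protocol>" as written by most MTAs.
HOP_RE = re.compile(
    r"\bfrom\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+).*?\bwith\s+(?P<proto>[A-Z0-9]+)",
    re.IGNORECASE,
)
# Negotiated version/cipher, in the "(version=TLS1_3 cipher=...)" form used by Gmail.
TLS_RE = re.compile(r"version=(?P<version>[A-Za-z0-9_.]+)(?:\s+cipher=(?P<cipher>\S+))?")


def hop_uses_tls(proto):
    """RFC 3848 / RFC 6531: ESMTPS, ESMTPSA, UTF8SMTPS, UTF8SMTPSA record a STARTTLS session."""
    return proto.upper().endswith(("SMTPS", "SMTPSA"))


def transit_report(raw):
    """Return one dict per hop, oldest hop first, describing its transport protection."""
    msg = email.message_from_bytes(raw)
    hops = []
    # Received: headers are prepended, so the top-most one is the newest hop.
    for value in reversed(msg.get_all("Received", [])):
        text = re.sub(r"\s+", " ", value)  # unfold the header onto one line
        m = HOP_RE.search(text)
        if not m:
            continue
        tls = TLS_RE.search(text)
        hops.append({
            "from": m.group("from"),
            "by": m.group("by"),
            "protocol": m.group("proto"),
            "tls": hop_uses_tls(m.group("proto")),
            "tls_version": tls.group("version") if tls else None,
            "cipher": tls.group("cipher") if tls else None,
        })
    return hops


def all_hops_encrypted(hops):
    """True only if every recorded hop used TLS; one plaintext hop breaks the chain."""
    return bool(hops) and all(h["tls"] for h in hops)


def readable_by_relays(raw):
    """Transport TLS is decrypted at each relay. Only an end-to-end container
    (S/MIME enveloped data or PGP/MIME) keeps the body opaque to intermediaries."""
    msg = email.message_from_bytes(raw)
    return msg.get_content_type() not in ("multipart/encrypted", "application/pkcs7-mime")


if __name__ == "__main__":
    hops = transit_report(SAMPLE_MESSAGE)
    for h in hops:
        status = f"TLS {h['tls_version']} {h['cipher']}" if h["tls"] else "PLAINTEXT"
        print(f"{h['from']} -> {h['by']} ({h['protocol']}): {status}")
    print("every hop encrypted:", all_hops_encrypted(hops))
    print("body readable by relays:", readable_by_relays(SAMPLE_MESSAGE))
```

Run against a real message (for example, one exported from Gmail with "Show original") and the script shows two things this article relies on: a PHI message delivered over plain ESMTP on any hop has crossed the internet unencrypted, and even a message that was TLS-protected on every hop is still plaintext to every relay unless it was encrypted end to end before it left the sender's client.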
You must then ensure your employees are trained in the correct use of email, are aware of the internal policies and federal rules covering the transmission of PHI via email, and take care to send each email to the correct recipient. You must also obtain consent from patients before sending their PHI via email.