Is Gmail HIPAA Compliant? | HIPAA Compliance for Medical Practices

What is a HIPAA compliant email?


Before discussing the unique case of Gmail, we should first understand what makes an email HIPAA compliant. If you’re looking for a way to prove HIPAA compliance, read this blog post first.

The Health Insurance Portability and Accountability Act of 1996, more commonly known as HIPAA, is a set of compliance rules for the healthcare industry. HIPAA consists of three main parts: the Privacy Rule, the Security Rule and the Breach Notification Rule.

The Privacy Rule protects individually identifiable health information. The Security Rule provides standards for electronic Protected Health Information (PHI). The Breach Notification Rule stipulates how, and how quickly, individuals affected by a breach have to be contacted.

PHI should be looked at as an equation: Identifiers + Health Information. Identifiers can include name, SSN and email address, whereas health information includes attributes such as medications, clinical notes and insurance details.

Since traditional email was merely meant to connect people, it was built with message delivery as the top priority, in some respects leaving security as an afterthought. While this was beneficial in the early days of email, it means that the first generation of email systems was ill-equipped to protect sensitive patient information.

In most cases, making an email HIPAA compliant means making sure that the message is encrypted from one inbox to another and never delivered in clear text. Unencrypted email is not only a security risk but also a risk of a HIPAA violation fine for healthcare providers.


The Difference Between G Suite (Google Apps) and Gmail for HIPAA Compliance

When it comes down to compliance capabilities, it is important to note that Google offers two separate email products: Gmail and G Suite. Gmail targets personal email addresses. G Suite (formerly Google Apps) targets business email accounts and is meant to be used alongside a domain you own. Gmail is a free service tied to its own email addresses; G Suite is a paid service.

Another very important distinction is the ability to obtain a Business Associate Agreement (BAA) for an email account. Google is willing to sign a BAA with your organization if you are using G Suite. However, if you are using a Gmail account, Google does not offer a BAA.

But even if you use G Suite, becoming compliant doesn't stop at a BAA. Google is willing to sign a BAA for some, but not all, of its services. Additionally, G Suite only encrypts email at rest and in transit, not necessarily all of the way to the recipient's inbox: encryption in transit between mail servers is only applied when the receiving server supports it. This means the last hop of an email may still be delivered in clear text, leaving it exposed to interception. This is certainly not ideal for any email transmitting PHI.


Your Patients

Google is by far the most widely used personal email provider. Because of this, it is safe to assume that the majority of your patients are using Gmail for their personal email. Google has acknowledged that users' emails are "subject to automated processing." In other words, Google scans your emails for keywords used to target advertising at you and your contacts. If you are corresponding with a patient via their Gmail account, how do you think they would feel realizing that Gmail is exposing their health information to Google?


To Put It Simply

Gmail is not a HIPAA compliant solution.

If your organization needs to meet HIPAA regulations, using Gmail for work is not compliant. You are leaving yourself vulnerable to fines because your patients' PHI is being scanned by a third party without your patients' consent or knowledge.