Is Gmail HIPAA Compliant? – The Definitive Answer

“Is Gmail HIPAA compliant?” is probably the most common question asked about HIPAA compliant email. It isn’t by default, but we’ll show you how it can be achieved.

You can scroll down right away, or read further if you want to learn more about the rules and regulations for HIPAA email compliance.

What is HIPAA Email Compliance?

HIPAA email compliance is a source of much misunderstanding in healthcare.

With dozens of email services advertising ‘HIPAA compliance,’ healthcare entities often assume that using such a service to send email is equivalent to fully complying with the rules for electronic transmission of PHI (protected health information). This is not the case.

Even if the provider of such a service runs its own operations in full compliance with the HIPAA Security Rule, your organization’s compliance is an entirely separate matter.


At their core, ‘HIPAA compliant’ email hosting services are a set of tools and protections marketed to health professionals. These services may offer encryption in transit and at rest, granular permission controls, detailed access logs, audit reports, and physical security measures for the server hardware.

Bringing your communications into compliance with HIPAA is not simply a matter of using the right tools. It is a matter of using the right tools in the right way, educating your patients about your HIPAA policies, documenting your compliance plan and risk analysis, and creating policies and procedures within your organization that ensure the security of ePHI.

Policies and Procedures for HIPAA Email Compliance

In order to be compliant with HIPAA, covered entities must establish policies and procedures of three specific types, set out in the Security Rule (45 CFR Part 164, Subpart C): administrative safeguards (§ 164.308), physical safeguards (§ 164.310), and technical safeguards (§ 164.312). The order is deliberate: the technical controls are chosen to implement the administrative and physical decisions, not the other way round.

Any entity that transmits or stores your organization’s ePHI on your behalf, including clearinghouses, email service providers, hosting providers, etc., must implement these same safeguards within its own operations.

While we won’t go into great detail for each stipulation, you can read a comprehensive outline of all the requirements on our HIPAA Compliance Checklist.

Administrative Safeguards

Ranging from security management and information access management, to security awareness and contingency plans, HIPAA requires each covered entity to establish dozens of administrative policies and procedures to be considered compliant.

Administrative policies should ensure:

  • Management, employees, and subcontractors of your organization maintain the confidentiality and integrity of ePHI materials.
  • Confidentiality/integrity risks of ePHI are periodically analyzed, their probability of occurrence and magnitude are assessed, and policies and procedures are put in place to manage them.
  • There are proper checks and balances in place to sanction individuals within your organization who are misusing ePHI.
  • Your organization conducts a review of their information systems to determine whether ePHI is being used appropriately.
  • A member of your organization has been assigned operational responsibility for maintaining your organization’s compliance.
  • Clearance procedures that determine who can have access to ePHI, when, and why are codified and enforced.
  • Every employee has undergone a security training program that gives them a thorough understanding of how to keep ePHI secure.
  • Your organization identifies ePHI security incidents and responds by mitigating harmful effects.
  • Detailed contingency plans are in place in case of security breaches/human error/technological malfunctions/etc.
  • Contingency plans are periodically tested and revised to stay ahead of the quickly changing technological environment.
  • Business associates that transmit ePHI on behalf of your organization must provide satisfactory assurances for the safety of the data, and must be willing to document these assurances via signing of contractual obligations.

Physical Safeguards

As with administrative safeguards, physical safeguards must be codified in your organization’s policies and implemented as procedures. Without the proper physical security policies and procedures, transmitting ePHI will not be compliant, no matter how well the email system itself is configured.

Your organization must have the following physical safeguards in place:

  • Facility access controls that limit access to your organization’s network/servers/computers.
  • Controls that specify the proper functions of workstations, how these functions are to be performed and by whom, as well as the physical requirements of a secure workspace.
  • Controls that govern the addition or removal of hardware and electronic media containing ePHI to/from your facility.

Technical Safeguards

Lastly, your organization must implement policies and procedures that ensure the proper technology is being used for transmitting ePHI safely. They are:

  • Access control procedures that establish standards for unique user identification, emergency access, automatic logoff, and encryption/decryption of ePHI.
  • Hardware/software/procedural audit controls that monitor all activity on devices/workstations containing ePHI.
  • A mechanism for authenticating that ePHI has not been altered in any unauthorized manner.
  • Authentication procedures that can verify that those who are seeking access to ePHI are who they claim to be.
  • Integrity controls for transmitting ePHI that can ensure that the data being sent remains unchanged when it is received.
  • Adequate encryption of transmitted ePHI. Note that transmission encryption (§ 164.312(e)(2)(ii)) is an “addressable” specification: you must either implement it or document why an equivalent alternative is reasonable and appropriate. In practice, for email over the public Internet, documented encryption is the expected answer.

When is using a HIPAA Compliant Email Provider Necessary?

As mentioned in the first section of this article, using a HIPAA compliant service provider is not equivalent to compliance for your organization. However, several of the stipulations outlined above may require your organization to contract with other HIPAA compliant companies to ensure the safety of your data.

The most important of these is the Business Associate Agreement (BAA). As described in the last administrative safeguard standard, 45 CFR § 164.308(b)(1):

…A covered entity, in accordance with § 164.306, may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity’s behalf only if the covered entity obtains satisfactory assurances, in accordance with § 164.314(a) [the Organizational Requirements] that the business associate will appropriately safeguard the information. Source: 45 CFR § 164.308(b)(1)

Simply put, if your organization uses third-party services (such as email, instant messaging, text messaging, etc.) to transmit ePHI, those services must be HIPAA compliant, and your organization must contract with them as Business Associates to obtain legally binding assurances for the safety of the data.

Furthermore, assuming that your organization has not invested in proprietary technology for internal, HIPAA compliant communication, using a compliant third party can potentially satisfy the following stipulations for transmitting ePHI amongst your team:

  • Access controls: In transmitting ePHI, internally within your organization or externally to patients, a HIPAA compliant email service may offer the necessary preventive measures against unauthorized access to the protected data.
  • User authentication: Beyond the typical username/password login, some providers offer multi-factor authentication, which should be enforced for every account that can read ePHI.
  • Audits: If adopted as the main method of transmitting ePHI internally or externally, a HIPAA compliant service may be able to provide your organization with detailed software-side audit reports of who is accessing ePHI on its servers, when they are accessing it, where they are sending it, etc.
  • Data integrity controls: DKIM (DomainKeys Identified Mail) lets a receiving server verify that the signed headers and the body of a message were not altered after the sending domain signed them. SPF (Sender Policy Framework) is often mentioned alongside it, but it is an authorization check on the sending server’s IP address and provides no integrity protection, and neither mechanism encrypts anything.
  • Encryption: Providers typically protect ePHI with TLS while it travels between mail servers and with a cipher such as AES-256 while it is stored. Two caveats a practitioner should check: SMTP TLS is usually opportunistic, so a message falls back to plaintext when the receiving server does not offer TLS unless your provider lets you require TLS for specific domains (Google Workspace can do this through a compliance rule); and transport encryption protects only each hop, not the message once it sits in the recipient’s mailbox, so end-to-end protection requires S/MIME, PGP, or delivery through a secure portal.
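To make the DKIM integrity point concrete, the following is an added example and not code from the original page or from any email provider. It implements the body-hash (bh=) step of DKIM verification from RFC 6376: canonicalize the body (“simple” or “relaxed”), hash it with SHA-256, and compare the result with the bh= tag in the DKIM-Signature header. The sample message, the example.com domain, and the selector name are constructed for the demonstration; the b= tag is a placeholder because the RSA signature over the headers (the step that binds bh= and the signed headers to the domain’s DNS-published key) is deliberately left out.

```python
import base64
import hashlib
import re
from typing import Optional

# Added example: the body-hash (bh=) step of DKIM verification per RFC 6376.
# Not code from the page or any provider. The RSA signature (b=) that binds the
# body hash and signed headers to the domain's DNS-published key is out of scope.


def canonicalize_body(body: bytes, method: str = "relaxed") -> bytes:
    """RFC 6376 section 3.4.3 (simple) / 3.4.4 (relaxed) body canonicalization."""
    if method not in ("simple", "relaxed"):
        raise ValueError("unknown body canonicalization: %s" % method)
    lines = body.split(b"\r\n")
    if method == "relaxed":
        # Strip trailing whitespace on each line and collapse runs of WSP to one SP.
        lines = [re.sub(rb"[ \t]+", b" ", ln.rstrip(b" \t")) for ln in lines]
    # Ignore all empty lines at the end of the body.
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:
        # An empty body canonicalizes to CRLF (simple) or to nothing (relaxed).
        return b"\r\n" if method == "simple" else b""
    # Every remaining line, including the last, ends with CRLF.
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, method: str = "relaxed") -> str:
    """base64(SHA-256(canonicalized body)): the value carried in the bh= tag."""
    digest = hashlib.sha256(canonicalize_body(body, method)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_tags(header_value: str) -> dict:
    """Parse a DKIM tag=value list; folding whitespace inside values is ignored."""
    tags = {}
    for part in header_value.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def split_message(raw: bytes):
    """Split an RFC 5322 message into its header block and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    return head, body


def get_header(head: bytes, name: str) -> Optional[str]:
    """Return the unfolded value of the first header called `name`, if present."""
    unfolded = re.sub(rb"\r\n[ \t]+", b" ", head)
    for line in unfolded.split(b"\r\n"):
        field, sep, value = line.partition(b":")
        if sep and field.strip().lower() == name.lower().encode("ascii"):
            return value.strip().decode("ascii")
    return None


def verify_body_hash(raw: bytes) -> bool:
    """True iff the message body still matches the bh= tag in its DKIM-Signature."""
    head, body = split_message(raw)
    sig = get_header(head, "DKIM-Signature")
    if sig is None:
        return False
    tags = parse_tags(sig)
    if tags.get("a", "").lower() != "rsa-sha256":
        return False            # only the SHA-256 variant is handled here
    if "l" in tags:
        return False            # l= limits how much body is covered; reject it outright
    canon = tags.get("c", "simple/simple")
    body_method = canon.split("/", 1)[1] if "/" in canon else "simple"
    return tags.get("bh") == body_hash(body, body_method)


def build_demo_message(body: bytes, method: str = "relaxed") -> bytes:
    """Constructed sample (not a real signed mail): bh= is correct for `body`,
    b= is a placeholder because the RSA signing step is omitted."""
    bh = body_hash(body, method).encode("ascii")
    head = (
        b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/" + method.encode("ascii") + b";\r\n"
        b"\td=example.com; s=selector1; h=from:to:subject;\r\n"
        b"\tbh=" + bh + b";\r\n"
        b"\tb=PLACEHOLDER\r\n"
        b"From: clinic@example.com\r\n"
        b"To: patient@example.net\r\n"
        b"Subject: Appointment reminder\r\n"
    )
    return head + b"\r\n" + body


def tamper(raw: bytes, old: bytes, new: bytes) -> bytes:
    """Alter the body in transit, leaving the headers (and bh=) untouched."""
    head, body = split_message(raw)
    return head + b"\r\n\r\n" + body.replace(old, new)


if __name__ == "__main__":
    msg = build_demo_message(b"Your appointment is on Monday at 9:00.\r\n")
    print("untouched:", verify_body_hash(msg))                              # True
    print("rewritten:", verify_body_hash(tamper(msg, b"Monday", b"Friday")))  # False
```

The relaxed canonicalization is what lets a DKIM signature survive the whitespace reshuffling that mail relays commonly perform, which is also why a change of “Monday at” to “Monday   at” still verifies under relaxed but not under simple; any change to the actual words breaks the hash under either mode. A real verifier must additionally fetch the selector’s public key from DNS and check the b= signature, or an attacker could simply recompute bh= for the altered body.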

Looking for HIPAA compliant email services? We compiled a list of reliable HIPAA email providers:
HIPAA Compliant Email Providers

Determining Which Email Provider is Right For You

Before your organization chooses its security measures, it must first perform a risk analysis, as mentioned above under Administrative Safeguards.

According to the U.S. Department of Health and Human Services (HHS):

…the covered entity must assess its use of open networks, identify the available and appropriate means to protect e-PHI as it is transmitted, select a solution, and document the decision. Source: HHS FAQ

Your organization must have risk analysis documentation on hand that records all identified security risks, the probability of each occurring, its potential magnitude, the available options for mitigating it, and every decision made about ePHI security.

Furthermore, beyond the initial risk analysis required for the proper implementation of policies and procedures to protect ePHI, a covered entity must repeat that analysis periodically and whenever its environment changes. With new exploits and attack tools appearing constantly, HIPAA requires covered entities to perform ongoing due diligence to ensure there are no new vulnerabilities in the systems that create, store, or transmit their ePHI.

As such, the decision to use a specific HIPAA compliant email provider cannot be arbitrary; it must be based on a carefully documented process of digital security assessment.

Is Gmail HIPAA Compliant?

Seeing how common this question is online, we have decided to address the issue in a more or less definitive manner.

Gmail, as a free, standalone consumer service, is not HIPAA compliant. Even though Google employs some of the best security measures available, Google does not offer a Business Associate Agreement for consumer Gmail accounts, so there is no legal basis for sending ePHI through one.

Google does, however, offer a paid version, Google G Suite (since renamed Google Workspace), that starts at $6 per user per month with no minimum number of users required. The Basic edition is all it takes for Google to sign a Business Associate Agreement (BAA) with your organization. Once you have entered into a BAA with Google, you may use the services the BAA covers for ePHI, with some reservations.


Firstly, in order to ensure ePHI is adequately protected, it’s best to use an IT Administrator or Compliance Specialist to properly configure the services.

Secondly, even when the services have been properly configured by IT professionals, Google permits you to store ePHI only in the core services covered by its BAA, which include Gmail, Google Drive, Google Calendar, Google Sites, Google Vault, Google Meet, Google Keep, and Cloud Identity, among others listed in Google’s “HIPAA Included Functionality” document.

Finally, any Google service not on that list is not covered by the BAA, and ePHI must not be stored in or sent through it. Google’s HIPAA implementation guide recommends that administrators disable the non-covered services for the organizational units whose users handle PHI, rather than relying on staff to remember which ones are off limits.

Once again, it is not enough to just sign up for a Google G Suite account and use their HIPAA compliant services. Before transmitting ePHI, your organization must satisfy all other HIPAA compliance requirements, including performing a security assessment that outlines vulnerabilities and identifies the ideal platform for addressing said vulnerabilities. Absent proper policies, procedures, safeguards, and compliance reports, using Google’s services will not make your communications HIPAA compliant.

Note also that your organization remains solely responsible for determining whether it needs a BAA or other data protection terms with any third party before sharing PHI with that party through Google’s HIPAA-covered services or through applications that integrate with them.

If you are looking for an easier way to use HIPAA compliant email, please have a look at our list of HIPAA compliant email providers.

Conclusion

Put simply, HIPAA compliant email providers are necessary to your organization’s compliance, but not sufficient.

In order to transmit ePHI, with or without the help of a Business Associate (such as an email provider), your organization must satisfy the dozens of requirements set out in the Security Rule.

In bringing your organization into compliance, your designated security officer will collect the necessary information (through the legally required risk analysis and its documentation) to choose the HIPAA compliant email service that best addresses your organization’s identified risks.

To get a better understanding of all the basic requirements of HIPAA compliance, take a look at the HIPAA Compliance Checklist.