Is Gmail HIPAA Compliant?
By Gil Vidals, HIPAA Blog

Still one of the most popular online searches in regard to HIPAA, and the answer is clear: a regular, consumer Gmail account is not HIPAA compliant, although Gmail can be used compliantly under Google's enterprise offering (described below). Even though Google employs some of the best security measures available, sending electronic protected health information (ePHI) through a regular Gmail account is prohibited by Google's terms of service, and, more fundamentally, Google does not sign a Business Associate Agreement for consumer accounts, so a covered entity that sends ePHI through one has disclosed PHI to a vendor with no business associate relationship in place.

Google does, however, offer an enterprise solution for HIPAA compliance with their Google Apps platform (since renamed G Suite and then Google Workspace). If you enter into a Business Associate Agreement (BAA) with Google, you will be able to use the Google Apps HIPAA compliant platform.

Note: Before transmitting ePHI, your organization must satisfy all other HIPAA compliance requirements, including performing the risk analysis required by the Security Rule (45 CFR 164.308(a)(1)(ii)(A)), which documents the risks to ePHI in your environment and records Google Apps HIPAA as the platform you selected to mitigate them. We'll address what is required for this in a moment, but first, let's understand what makes email HIPAA compliant.

What is HIPAA Compliant Email?

HIPAA compliant email is a source of much misunderstanding in the world of healthcare. At their core, 'HIPAA compliant' email hosting services are a set of tools and protections marketed towards health professionals. These services may offer encryption, advanced permission controls, detailed logs, audit reports, and physical security measures for server hardware.

With dozens of email services boasting 'HIPAA compliance,' healthcare entities often assume that using such a service to send email is somehow equivalent to fully complying with the rules for electronic transmission of PHI (protected health information). This is not the case: the vendor's controls cover only the vendor's side, and a BAA allocates responsibility, it does not transfer it.

Policies and Procedures for HIPAA Email Compliance

In order to be compliant with HIPAA, covered entities must establish policies and procedures of 3 specific types, found in the HIPAA Security Rule at 45 CFR Part 164. They are: administrative safeguards (164.308), physical safeguards (164.310), and technical safeguards (164.312). It's not enough to contract with Google to use their HIPAA compliant services. Absent proper policies, procedures, safeguards, and compliance reports, using Google's services will not make your communications HIPAA compliant.

Assuming that your organization has not invested in its own technology for internal, HIPAA compliant communication, using a compliant third party can potentially satisfy the following technical safeguard standards for transmitting ePHI amongst your team. (In the Security Rule, "required" implementation specifications must be implemented as written; "addressable" ones must be implemented, or the covered entity must document why not and what equivalent measure it uses instead.)

  1. Access Controls: A covered entity must implement technical policies and procedures that allow access to systems containing electronic protected health information (ePHI) only to those persons or software programs that have been granted access rights (164.312(a)). The Access Controls implementation specifications include:
    • unique user identification (required)
    • an emergency access procedure (required)
    • automatic logoff (addressable)
    • encryption and decryption (addressable)
  2. Audit Controls: A covered entity must implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI (164.312(b)).
  3. Integrity: A covered entity must implement policies and procedures to protect ePHI from improper alteration or destruction (164.312(c)). This includes having a mechanism to authenticate ePHI (addressable).
  4. Person or Entity Authentication: A covered entity must implement procedures to verify that a person or entity seeking access to ePHI is the one claimed (164.312(d)).
  5. Transmission Security: A covered entity must implement technical security measures to guard against unauthorized access to ePHI that is being transmitted over an electronic communications network (164.312(e)). This includes integrity controls and encryption (both addressable).

HIPAA Compliant Email Hosting

Undoubtedly, building a HIPAA Compliant Email Hosting solution may be too complicated for some healthcare providers. As an alternative to traditional email communications, a healthcare provider may implement or outsource the development of a health record system that offers a patient portal with secure channels. The objective would then be to ensure that patients make use of the secure channels of communication rather than send PHI through insecure email.

If a healthcare provider chooses to make use of a HIPAA Compliant Email Hosting provider, it will need to implement risk assessment and testing methods so that it can document and attest to the security of the outsourced application, rather than relying on the vendor's marketing claims.

Requirements for HIPAA-Gmail

Assuming that the services have been properly configured by IT professionals or the hosting provider, Google's BAA only covers storage of ePHI in the following core services (product names as of this writing): Gmail, Google Drive (Docs, Sheets, Slides, and Forms), Google Calendar, Hangouts (Chat feature only), Hangouts Meet, Keep, Sites, and Google Vault. ePHI placed in any other Google service, or in a third-party add-on, falls outside the agreement.

Customers are solely responsible for determining whether they require a BAA or other data protection terms with a third party before sharing PHI with that third party through Google Apps HIPAA services or applications that integrate with them. Any entity that transmits or stores your organization's ePHI, including clearinghouses, email service providers, server hosts, etc., must establish these same safeguards within its own facilities. HIPAA Vault offers HIPAA Compliant Gmail with Virtru encryption.

Conclusion

In bringing your organization to compliance, your assigned security manager will collect all the necessary information (via the legally required risk analysis and compliance reports) to choose the ideal HIPAA compliant email service. Bringing your communications into compliance with HIPAA is not simply a matter of using the right tools; it is a matter of using the right tools in the right way, educating your patients about your HIPAA policies, documenting your compliance plan with detailed reports, and creating policies and procedures within your organization to ensure the security of ePHI.

To summarize:

  • Gmail, as a standalone consumer service, is not HIPAA compliant. Even though Google employs some of the best security measures available, sending ePHI using a regular Gmail account is prohibited by Google's terms of service and is not covered by any BAA.
  • Google offers an enterprise solution for HIPAA compliance with their Google Apps platform. This requires that you enter into a Business Associate Agreement with Google.
  • In order to ensure ePHI is adequately protected, you must employ IT specialists/administrators or a HIPAA compliant email hosting provider to properly configure the services.
  • Assuming proper configuration, Google's BAA covers storage of ePHI in the following core services: Gmail, Google Drive (Docs, Sheets, Slides, and Forms), Google Calendar, Hangouts (Chat feature only), Hangouts Meet, Keep, Sites, and Google Vault.
  • Customers are solely responsible for determining whether they require a BAA or other data protection terms with a third party before sharing PHI with that third party through Google Apps HIPAA services or applications that integrate with them.