By Gil Vidals

As smartphones and the internet increasingly shape the way we communicate, the demand for sharing sensitive electronic protected health information (e-PHI) through email and instant messaging continues to grow.

While these innovations are clearly attractive to many healthcare providers (and their patients), shouldering the underlying burden of IT concerns to support them is not. Issues of security (safe transmission of data, and whether to trust a third-party service with patient information) are paramount.

Concerns over maintaining a secure, complex cloud infrastructure that can withstand vulnerabilities, while keeping IT capital expenditures to a minimum, can seriously detract from the provider’s primary focus on patient care.

Additionally, all transmission of personal medical data must meet the standards required for HIPAA compliance, namely to “restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI” (§ 164.312(e)(1)). Typically, this is not something that the average email service provides.

Thankfully, there are compliant “Trusted Data Stewards” like HIPAA Vault with the security and IT expertise to help you secure your PHI. While there is still no single official HIPAA or HITECH certification, these stewards have undergone careful audits by accredited, independent auditors, and so can meet the burden of HIPAA regulations while offering affordable IT solutions, including compliant email. This can greatly ease providers’ minds and keep them focused on what they do best – treating patients.

We’ll cover how some of the more popular email services, like Gmail and Outlook, can be configured for HIPAA compliance, but first, we need to understand how the process works.

A vital aspect of what makes email HIPAA compliant is encryption. Essentially, encryption is the process of “disguising” email content so that it is unreadable to anyone but the intended parties, not only in transit but all the way to the recipient’s inbox.

Once received, the recipient decrypts the email to make it readable; only the intended parties hold the key to do so. This involves two layers: an encrypted network connection (TLS) between the mail servers, and encryption of the email message itself before it leaves the sender’s outbox. This guarantees that if the email is intercepted by an unauthorized user or hacker, whether on the wire or on an intermediate mail server, the contents will be unreadable.

In addition, stored or backed-up email messages are also encrypted (encryption at rest), so that someone who manages to gain unauthorized access to a password-protected account or its backups still cannot read the messages.
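To make the message-layer half of this concrete, here is an added example (not HIPAA Vault’s code, and not a description of its product) that uses the openssl command-line tool to encrypt a constructed sample message to a recipient’s S/MIME certificate, so that a mail relay in the middle sees only ciphertext, and then decrypts it with the recipient’s private key. The key pair, the self-signed certificate, the addresses and the message are all generated locally for the example; in a real deployment the certificate would be issued by the organization’s CA, and the encrypted message would still travel over a TLS connection between mail servers.

```shell
#!/bin/sh
# Added example: message-level (S/MIME) encryption with the openssl CLI.
# Assumes only that `openssl` is installed. Every key, certificate, address
# and message below is constructed here for illustration.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample e-mail with PHI-like content (fictional patient, placeholder addresses).
cat > "$WORK/plain.eml" <<'EOF'
Subject: Lab results for appointment 2024-05-01
From: clinic@example.org
To: patient@example.net

Patient: Jane Doe (fictional)
Result: within normal range.
EOF

# Recipient key pair and self-signed certificate.
# In practice the certificate would be issued by the organization's CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=patient@example.net" \
    -keyout "$WORK/recipient.key" -out "$WORK/recipient.crt" >/dev/null 2>&1

# Sender encrypts to the recipient's certificate before the message leaves the outbox.
# -binary keeps the input bytes as-is (no CRLF canonicalization).
openssl smime -encrypt -binary -aes256 \
    -in "$WORK/plain.eml" -out "$WORK/secure.eml" "$WORK/recipient.crt"

# What a relay or an eavesdropper on a non-TLS hop would see: only the S/MIME envelope.
# Returns 0 if the plaintext body is absent from the ciphertext.
relay_cannot_read() {
    ! grep -q "Jane Doe" "$WORK/secure.eml"
}

# Recipient decrypts with the private key. Returns 0 if the original is recovered intact
# (carriage returns stripped before comparing, in case the local openssl canonicalized).
recipient_recovers() {
    openssl smime -decrypt -in "$WORK/secure.eml" \
        -inkey "$WORK/recipient.key" -out "$WORK/decrypted.eml"
    tr -d '\r' < "$WORK/decrypted.eml" | cmp -s "$WORK/plain.eml" -
}

# Stand-alone run: report both checks.
relay_cannot_read && echo "relay sees only ciphertext"
recipient_recovers && echo "recipient recovered the original message"
```

The point of the two checks is the one the paragraphs above make: TLS alone protects a single hop, whereas encrypting the message to the recipient’s certificate keeps the body unreadable on every server it rests on until the holder of the private key opens it.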

Google’s Gmail is one popular offering that needs to be configured for HIPAA compliance. If your organization uses Google Workspace (formerly Google Apps), then Google is willing to sign a Business Associate Agreement (BAA) with you as the covered entity. Required by HIPAA, this contract stipulates that Google will apply the appropriate safeguards to protect PHI. A third-party vendor like HIPAA Vault is still required to ensure encryption of the email from inbox to inbox.

Once set up, Gmail can also be used for PHI on a mobile device, though special care must be taken to prevent unauthorized access. Google offers a two-factor authentication app for added security, requiring a password plus an additional code or physical token that only the user possesses.

Microsoft’s Office 365 is another popular suite of tools that offers email, chat, and more to business users. (Additional versions of Office 365 are available for the US Government as well.) Like Gmail, Microsoft Office 365 requires a third party to configure encryption for inbox-to-inbox transmission, and the covered entity must sign a BAA with Microsoft. Office 365 is also easily used on a smartphone or tablet, and offers a two-factor authentication app for added security.

Protecting sensitive data from hackers, viruses, and other threats is essential in today’s world, especially for those who require a secure, HIPAA-compliant solution for email.

HIPAA Vault meets this need by offering a cost-effective, fully secure, HIPAA-compliant email solution with advanced encryption technology that integrates seamlessly with existing email infrastructure – including Gmail and Office 365. Transport Layer Security (TLS) secures the connection over which PHI is transmitted, while data loss prevention (DLP) capabilities help maintain HIPAA compliance and keep your sensitive data from falling into the wrong hands.