Andrew Kroninger, Total HIPAA’s Director of Customer Success, recently interviewed Gil Vidal, founder and CEO of VM Racks, a HIPAA compliant cloud managing solution. The two discussed Gmail’s potential for HIPAA compliant email messaging. You can listen to this episode of our podcast HIPAA Talk! here or on your mobile device via Apple Podcasts. Or, read our summary.
Can I email PHI?
HIPAA mandates that you protect PHI (Protected Health Information) in transit, in storage, and at rest. There is a common misconception that email is a secure way to send and receive PHI. On its own, email is not a secure platform to transmit PHI. In fact, using Google’s email service, Gmail, to send PHI without encryption is against Google’s Terms of Service.1
Emailing PHI without encryption could very easily lead to a breach if the email ended up in the hands of the wrong party.
Is Gmail HIPAA compliant? What about G Suite?
Gmail is not automatically HIPAA compliant, however, you can implement security measures to ensure the safety of sensitive information you send via Gmail. When it comes to protecting emailed information, email encryption is the name of the game. You need to use a third party email encryption service to protect any PHI you send over Gmail.
End-to-end email encryption configures the data so that only the sender and intended recipient can read the email’s content. It assigns a unique “key” for unlocking the contents of the email that only the intended recipient gets. This way, if you send the email to the wrong address, the information is still safe.2 There are several services you can use to make Gmail HIPAA compliant, including but not limited to: Virtru, RMail, LuxSci, Identillect, and Zix. You can learn more about those here.
G Suite is the paid version of Gmail. You can make Gmail HIPAA compliant without purchasing G Suite, but it is more difficult.
There are several security benefits to purchasing this program, like administrator controls on users. For example, administrators can mandate the use of two-factor authentication for all employees. Additionally, admins can limit employees’ email usage on mobile devices. Most notably, in order to be effective, you must implement these security measures on all employee accounts.
Do I need a Business Associates Agreement with Google to make Gmail HIPAA Compliant?
To make Gmail HIPAA compliant, you must enter into a Business Associates Agreement with Google.
Because Google is such a large company, the process of signing a Business Associates Agreement is different. Unlike your other Business Associates, Google will not send you a signed document. Instead, you will virtually enter into the agreement when you set up the administrator account on your company’s G Suite profile. When you click on the tab “Privacy Additional Terms” there is an option to accept Google’s Business Associates Agreement.
Does sending HIPAA compliant emails mean I am fully compliant with HIPAA law?
So you’ve made Gmail HIPAA compliant with email encryption and secure email practices.
Does this mean your company is now fully compliant with HIPAA law?
No. Sending HIPAA compliant emails does not ensure HIPAA compliance.
For example, imagine an employee is drafting an encrypted email containing PHI, and she gets up to go to lunch, leaving her computer unlocked. Now, the PHI is exposed to everyone who walks by, putting her company at risk of a breach.
HIPAA requires organizations to protect PHI they come into contact with at all times. Safe email practices are just one piece of the puzzle. Therefore, making Gmail HIPAA compliant requires constant mindfulness and effort.
As with every HIPAA compliance security measure, organizations must train their employees how to correctly use programs like Gmail. Employers must include email practices for making Gmail HIPAA compliant in their policies and procedures.
Additionally, entities should assign an administrator who is knowledgeable and readily available to help with all matters concerning email security. Penalties for violating HIPAA via email are just a severe as any other punishments, with fines ranging from $100 – $50,000 per violation (with an annual cap at $1.5 million per incident). Your company can make Gmail HIPAA compliant with a little concentrated effort.
If you have any questions about our business or anything you read in the blog, please email email@example.com or get in touch with us on Twitter @TotalHIPAA.