Is Gmail HIPAA compliant?

Gmail is the most widely used email service around, with 1.5 billion users worldwide, an increase of 500 million users just since 2016. The ubiquity and familiarity of Gmail make it an appealing option for healthcare companies.

However, using Gmail in your healthcare company raises questions. Does sending protected health information (PHI) through Gmail comply with the Health Insurance Portability and Accountability Act (HIPAA)? What does it take to protect ePHI in emails?

Pro Tip

HIPAA compliance begins with collecting PHI in a secure manner and includes every BAA you sign with all of the healthcare companies you share information with. JotForm offers HIPAA-compliant BAAs and forms for collecting patient information.

What it takes to keep emails HIPAA compliant

HIPAA sets strict standards for protecting patient confidentiality and health information. Sending HIPAA-compliant emails requires training staff to use technological safeguards. Your email provider may follow HIPAA regulations, but that doesn’t automatically make your emails secure.

Every employee must understand how HIPAA applies to their email. Your staff needs training in everything from encrypting sensitive emails to ensuring they’re sent to authorized recipients.

Ongoing training is necessary because healthcare workers are frequent targets of phishing and other email attacks. Recent breaches have compromised sensitive personal data, such as Social Security numbers and financial account information, as well as the PHI of hundreds of thousands of patients. Continuous training improves the chances that your employees will recognize phishing attempts before they cause any damage.

Your business needs a straightforward, step-by-step process to help staff comply with both HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act. Now that we’ve considered the importance of strong training and policies, it’s time to take a look at the technical side of things.

You need a signed business associate agreement (BAA) with every third party that could access the PHI in your custody. Using an email provider is no different. A BAA ensures that your business associate understands how they can use PHI and what security measures are required.

The fundamental risk of transmitting PHI via email is that unauthorized people could gain access to that data. HIPAA-compliant email services should have strong security features or allow third-party plugins that provide the needed security.

Access must be restricted to only those who need the information. Never print emails that contain PHI. These emails should be visible only to the sender and the recipient. Using end-to-end encryption and access controls ensures that ePHI doesn’t fall into the wrong hands.


Does Gmail meet HIPAA compliance requirements?

Is Gmail HIPAA compliant? The answer is both no and yes. The free version of Gmail that most people and many businesses use is not HIPAA compliant, but Google’s G Suite can be HIPAA compliant. G Suite includes Gmail, Google Calendar, and Google Drive just like the free version, but it also has a suite of security features that, once configured, make G Suite HIPAA compliant.

Google will sign a BAA with healthcare companies that use G Suite but not until all security protocols are in place. Using G Suite to transmit or store PHI before you have the BAA is a HIPAA violation.

Healthcare companies have embraced G Suite because of its robust security features and low cost.

Setting up a HIPAA-compliant Gmail account

Simply purchasing G Suite doesn’t make your email HIPAA compliant. To use Gmail, even with G Suite, you must configure your account correctly. Here are the steps to ensure Gmail is HIPAA compliant:

  • Sign up for G Suite and set up your business’s Gmail account.
  • Sign a BAA with Google, following these instructions.
  • Have each patient sign a consent form that explains the risks involved in using email. Patients are legally entitled to revoke this consent at any time. Never send PHI to a patient who hasn’t signed a consent form.
  • Use G Suite security tools to restrict PHI access to authorized employees. Remember, it’s a HIPAA violation if PHI is ever accessible to unauthorized people, regardless of whether anyone actually accesses it.
  • Install end-to-end encryption to prevent any unauthorized access to PHI contained in emails.

Just so you know

If your organization is fighting against COVID-19, you can apply for a free, unlimited, HIPAA-compliant JotForm account with our Coronavirus Responder Program.

A single mistake emailing PHI can lead to hefty fines, a damaged reputation, and lost sales. Configuring your email correctly protects you and your patients. Following HIPAA regulations keeps patient data secure and protects you from legal trouble.

This article was originally published on Nov 06, 2019, and updated on May 28, 2020.

Firm believer in personal data privacy in the age of information. Close follower of the new regulations concerning patient confidentiality & HIPAA. You can reach George through his contact form.
