Being HIPAA Compliant with Gmail

As a continuation of exploring Gmail and HIPAA Compliance, this blog post will focus on using Gmail in a HIPAA Compliant way.

To read the previous blog post on this, click here for “Is Gmail HIPAA Compliant?”

To reiterate the core ideas from previous posts: first, email is inherently insecure, so do not send PHI (Patient Health Information) through email.

Second, Gmail can be used in a HIPAA Compliant way, as mentioned in “Is Gmail HIPAA Compliant?”

Now, we’re going to talk in detail about how to be HIPAA Compliant with Gmail.

Google Services covered by BAA

At the time of this post, only a subset of the Google Core Services are covered by the G Suite BAA.

This means that only the apps in this first box are permitted to be used with PHI.

The following Core Services are not supported for PHI.

Signing the BAA

After signing up for Google’s G Suite, you’ll want to sign their BAA. The following steps show you how.

  1. Sign in to the Google Admin Console. Go to
  2. Click on Company Profile
  3. Click on Profile
  4. Scroll down to Security and Privacy Additional Terms
  5. Next, click Review and Accept
  6. Answer all three questions and click “Ok”
  7. Review the HIPAA Business Associate Agreement and click “I Accept”

How to send PHI through Gmail

As we’ve said before, email is inherently insecure. So, you don’t want to directly include or attach PHI to your emails, even with Gmail.

The way to send PHI through email is to use Google Drive.

At a high level, you’ll upload the PHI to Google Drive and follow the steps below to share it with your patient.

  1. Right click on the file or folder to share to bring up the file menu
  2. Click on the Share menu item
  3. Click the Advanced link
  4. Ensure the sharing settings are set to “Specific people can access”
  5. Invite people by entering their email address and setting the correct permission for the file
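Steps 4 and 5 above are the ones that actually protect the PHI, and they are easy to undo later (link sharing or a domain-wide grant can be switched on by anyone with edit rights). The following is an added example, not code from the original post: a small audit function that takes a Drive file's permission list and reports anything broader than “Specific people can access”. The input is constructed sample data shaped like Google Drive API v3 permission resources; the field names used (type, role, emailAddress, domain, allowFileDiscovery) and the view-only policy for patients are assumptions.

```python
"""Added example (not from the original post): audit the sharing settings of a
Google Drive file that holds PHI and flag anything broader than
"Specific people can access". The input is CONSTRUCTED sample data shaped
like Google Drive API v3 permission resources; the field names used here
(type, role, emailAddress, domain, allowFileDiscovery) are assumed."""

SPECIFIC_PEOPLE = {"user", "group"}        # named accounts only, nothing broader
VIEW_ONLY_ROLES = {"reader", "commenter"}  # assumption: a patient only needs to view

def audit_phi_sharing(permissions, approved_recipients):
    """Return a list of findings; an empty list means the file is shared only
    with approved, specific people (steps 4 and 5 in the post)."""
    approved = {a.lower() for a in approved_recipients}
    findings = []
    for perm in permissions:
        ptype, role = perm.get("type"), perm.get("role")
        if ptype == "anyone":
            # "Anyone with the link" is link sharing: no control over recipients at all
            scope = "discoverable by search" if perm.get("allowFileDiscovery") else "anyone with the link"
            findings.append(f"link sharing enabled ({scope}, {role})")
        elif ptype == "domain":
            findings.append(f"shared with entire domain {perm.get('domain')} ({role})")
        elif ptype in SPECIFIC_PEOPLE:
            who = (perm.get("emailAddress") or "").lower()
            if role == "owner":
                continue                   # the practice's own account
            if who not in approved:
                findings.append(f"unapproved recipient {who} ({role})")
            elif role not in VIEW_ONLY_ROLES:
                findings.append(f"{who} has role {role}; view-only is enough for a patient")
        else:
            findings.append(f"unrecognised permission type {ptype!r}")
    return findings

# Constructed sample: a PHI file shared with one patient, but link sharing and a
# domain-wide grant were left on (exactly the settings the post tells you to avoid).
SAMPLE_PERMISSIONS = [
    {"type": "user", "role": "owner", "emailAddress": "frontdesk@clinic.example"},
    {"type": "user", "role": "reader", "emailAddress": "Patient@mail.example"},
    {"type": "anyone", "role": "reader", "allowFileDiscovery": False},
    {"type": "domain", "role": "writer", "domain": "clinic.example"},
]
APPROVED_RECIPIENTS = {"patient@mail.example"}

if __name__ == "__main__":
    for finding in audit_phi_sharing(SAMPLE_PERMISSIONS, APPROVED_RECIPIENTS):
        print("FINDING:", finding)
```

Run it periodically over the permission lists of every file in your PHI folder; any finding means step 4 no longer holds for that file.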

Ask for Permission

As we mentioned in the post “Is Gmail HIPAA Compliant?”, you’ll want to ask your patients for permission before sending HIPAA-sensitive information through email.

Don’t forget to get it in writing!

Further Reading

HIPAA Compliance with G Suite
G Suite HIPAA Implementation Guide
Opt in to the HIPAA Business Associate Amendment

Do you use Gmail in your practice? Post a comment below!

Minto Tsai

P.S. If this helped you, please Like, Share, email… all the social network love you can give!