Is Gmail HIPAA Compliant?

Do you use Gmail? Gmail is one of the best email services available. Almost everyone has a Gmail account.

I know many acupuncturists who use Gmail, so it seems like something worth digging into. Is Gmail HIPAA Compliant?

First, some housekeeping…

As we all know, HIPAA is the Health Insurance Portability and Accountability Act, passed by Congress to regulate different aspects of healthcare.

As part of HIPAA, the Privacy Rule regulates the handling of PHI (Patient Health Information) by “covered entities” (i.e. you, the acupuncturist).

And Gmail is a popular email service provided by Google.

Is email secure?

I say this all the time, and I’ll say this again. EMAIL IS NOT INHERENTLY SECURE!

You do not want to be sending HIPAA sensitive information or PHI through email.

In the following blog post, I explained why email is insecure. Click on the link to learn why.

What makes email HIPAA Compliant?

We know email is inherently INSECURE. But can email be HIPAA Compliant?

There are a few requirements that must be satisfied for email to be compliant.

  1. You must inform patients that email is insecure and obtain their consent before sending PHI through email.

    Below is guidance from the HIPAA Omnibus Final Rule:

    We clarify that covered entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email… If individuals are notified of the risks and still prefer unencrypted email, the individual has the right to receive protected health information in that way, and covered entities are not responsible for unauthorized access of protected health information while in transmission to the individual based on the individual’s request. Further, covered entities are not responsible for safeguarding information once delivered to the individual.

  2. The email service must have proper safeguards in place for handling HIPAA sensitive information.

    See the HIPAA Security Rule, 45 CFR § 164.312(a)(2)(iv) and (e)(2)(ii), which cover encryption of PHI at rest and in transit.

  3. You must sign a BAA (Business Associate Agreement) with the email provider.

Is Gmail HIPAA Compliant?

As you might know, Google offers two versions of Gmail. One is free. The other is a paid version included with G-Suite.

ONLY the G-Suite version of Gmail is HIPAA Compliant.

The reason is that only the G-Suite version of Gmail allows you to sign a BAA with Google.

Do you use Gmail in your practice? Post a comment below!

Minto Tsai

P.S. If this helped you, please Like, Share, email… all the social network love you can give!