Is Gmail HIPAA Compliant?
Gmail is HIPAA compliant, and can be used to receive, store, or send Protected Health Information (PHI) when Google’s email service is used as part of an Enterprise Workspace Plan supported by a Business Associate Addendum to the Workspace Terms of Service.
To ensure Gmail is used compliantly, it is necessary to configure Workspace controls correctly, apply user policies, and train members of the workforce on how to use Gmail in compliance with HIPAA. In small medical practices without a dedicated HIPAA compliance officer to determine the appropriate procedures for using Gmail and an IT manager to configure Gmail in a HIPAA compliant way, the best option is to use a HIPAA-compliant email provider like Paubox.
Gmail is the most popular personal email service in the world; and, because most employees are accustomed to how Gmail works, Google’s email service is widely used in business behind customized domain names (i.e., [email protected], rather than [email protected]). Although several methods exist to operate a Gmail account behind a customized domain name, the simplest method for larger businesses is to subscribe to a Google Workspace account.
There are several levels of Workspace subscription ranging from the “Business Starter” package – which includes Gmail for Business, Drive Storage, Meet Videoconferencing, and Shared Calendars – to the feature-rich Enterprise package. Businesses can often pick the most suitable subscription level based on the number of users, types of services, and features required. This is not the case for all businesses in, or providing services to, the healthcare industry.
Using Email Services in the Healthcare Industry
Because most healthcare providers are required to comply with the HIPAA Administrative Simplification Requirements (which include the HIPAA Privacy, Security, and Breach Notification Rules), there are two ways to use email services in the healthcare industry. You can either prohibit uses and disclosures of PHI in emails (except when patients exercise their right to request confidential communications by email), or ensure the email service is HIPAA compliant.
Prohibiting uses and disclosures of PHI in emails is impractical unless email is replaced with an equally compliant communication system that integrates with other productivity and collaboration services in the same way as Gmail integrates with other Workspace services. Even then, although an alternative communication system might be suitable for inhouse operations, it could create HIPAA compliance challenges for payers and business associates who do not have a compatible communication system.
Realistically, the only viable option for businesses covered by HIPAA and their business associates is to implement a HIPAA complaint email service. In order for an email service to be HIPAA compliant, it has to support compliance with the Administrative, Physical, and Technical Safeguards of the Security Rule via series of controls and monitoring capabilities. The vendor of the service also has to be willing to enter into a Business Associate Agreement. So, is Gmail HIPAA compliant?
Is Gmail HIPAA Compliant? It Depends!
Gmail’s compliance with HIPAA depends on the type of Workspace subscription and what other security mechanisms a business already has in place. For example, if a business already has account access and monitoring software from another vendor, it may be possible to get away with subscribing to a Business Starter, Standard, or Plus Plan depending on the size of the workforce and the amount of storage space required by each user or pooled group.
If, however, no other security mechanisms are in place, it will be necessary to subscribe to a Workspace Enterprise or Cloud Identity Plan in order for Gmail to be HIPAA compliant. However, in addition to having the necessary access controls and monitoring capabilities, the Enterprise Plan includes a Vault feature for securely archiving and retrieving emails, endpoint management for emails sent and received remotely, and DLP capabilities to prevent data breaches by internal bad actors.
In the context of email security, possibly the most useful tool in the Workspace Enterprise Plan is the Security Center. The unified security dashboard can be configured to alert system administrators and security teams to email borne malware attacks, phishing, and spam. It can also help identify, triage, and take action on privacy and security issues, and examine file sharing activities to prevent data exfiltration from both internal and external bad actors.
The Google BAA and Workspace Terms of Service
Before any emails containing PHI are sent or received via Gmail, it is necessary for a Business Associate Agreement to be in place between Google and the covered entity or business associate. Google has a standard one-size-fits-all Business Associate Agreement (BAA) for core services with “covered functionality”; which, rather than being a separate BAA is a Business Associate Addendum to the Workspace Terms of Service.
For businesses familiar with BAAs, the Google Business Associate Agreement holds no surprises and complies with the BAA requirements of the Privacy Rule (45 CFR §164.504(e)) and the Security Rule (45 CFR §164.314(a)). However, before digitally signing the Business Associate Addendum, system administrators are advised to review the Workspace Terms of Service – particularly clause #3 relating to Customer Obligations.
This clause requires businesses to assume responsibility for user behavior when using Workspace services, requires businesses to prevent and terminate unauthorized access to accounts, and stipulates businesses must notify Google when passwords have been compromised or when Workspace services are used or accessed without authorization. The failure to comply with the Terms of Service can result in a loss of service and the removal of content – including PHI.
How to Make Gmail HIPAA Compliant
To help businesses make Gmail HIPAA compliant, Google has produced a HIPAA Implementation Guide for all Workspace services with covered functionality. The Guide explains the controls available to ensure (for example) messages are only opened by their intended recipients and that messages containing PHI are not forwarded to third party recipients (which will be useful for complying with the recent HIPAA changes relating to attestation).
In addition to configuring the controls to make Gmail HIPAA compliant, it is also necessary to train members of the workforce on how to use Gmail in compliance with HIPAA. As mentioned previously, most employees are accustomed to how Gmail works; but they are unlikely to be as conscious of privacy and security when emailing friends and family members. HIPAA training on how to use Gmail in compliance with HIPAA will help prevent bad personal habits being carried over into the workplace.
Finally, if you are unsure about whether Gmail is a suitable email solution for your business, or have concerns about the technical knowledge you will need to make Gmail HIPAA compliant, Google offers all businesses a 14 day free trial of Workspace for up to ten users. The free trial will give your business an opportunity to test Gmail for Business in your own environment with on-call support from Google’s technical team should you require it.
