Everyone Loves Gmail, but is it HIPAA Compliant?

As I talk to medical professionals, the question of Gmail and its compliance comes up. We all like Gmail because it just works and is easy to use. I personally use it outside of my business because it works so well. But is it HIPAA compliant for your practice? Let’s find out.

What is HIPAA compliant email?

Before we go into the unique case of Gmail, it is first important to understand what it means for email to be HIPAA compliant. The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive patient data. Two of its components matter here: the Privacy Rule, which limits how protected health information (PHI) may be used and disclosed, and the Security Rule, which requires safeguards for electronic PHI, including transmission security when that data is sent by email.

In most cases, making email HIPAA compliant means making sure the message is encrypted from inbox to inbox, in transit between mail servers and at rest in each mailbox, and is never delivered in clear text. Unencrypted email is both a security risk and a HIPAA fine risk for healthcare providers.

Just a quick clarification before I continue. You may be using Google Apps (the paid business suite, since renamed Google Workspace) for your practice. That is not the same as a free Gmail account. Google will sign a Business Associate Agreement (BAA) covering Google Apps. That’s great!

But Google does NOT offer a BAA for free consumer Gmail accounts. No BAA means that Gmail is NOT compliant and should NOT be used in your practice.

Another issue with Gmail is that its encryption is not end to end. Google encrypts the connection between your browser and its servers and stores your mail encrypted at rest, and when it hands a message to another provider it uses TLS only if the receiving server offers it. If the recipient’s mail server does not negotiate TLS, the message crosses the internet in plain text, and in every case Google itself can read the content. A message you send from Gmail to a patient or another practice can therefore be unprotected on the wire without you ever knowing.
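One way to see whether a message was actually encrypted on each hop is to read its Received: headers, which every relay prepends and which Gmail and Postfix annotate with the TLS version and cipher when TLS was used. The script below is an added example, not code from the original post; the three-hop message it parses is constructed for the demo (the hostnames and IDs are made up) but follows the header formats Gmail and Postfix really emit. The middle hop, a legacy relay handing off to the practice’s mail server with plain ESMTP, is the kind of silent cleartext leg the paragraph above describes.

```python
"""Audit each SMTP hop recorded in a message's Received: headers for TLS evidence.

Added example for illustration; the sample message below is constructed, not real.
"""
import email
import re

# Constructed sample: three hops, the middle one handed off over plain SMTP.
SAMPLE_MESSAGE = """\
Received: from mx.example-practice.test (mx.example-practice.test. [203.0.113.10])
        by mx.google.com with ESMTPS id x12-0020a05j
        for <doctor@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 07 Mar 2023 09:15:02 -0800 (PST)
Received: from relay.old-lab.test (relay.old-lab.test [198.51.100.7])
        by mx.example-practice.test (Postfix) with ESMTP id 4PW7kM1
        for <records@example-practice.test>; Tue, 07 Mar 2023 17:14:58 +0000 (UTC)
Received: from workstation.old-lab.test (workstation.old-lab.test [192.0.2.55])
        by relay.old-lab.test (Postfix) with ESMTPSA id 4PW7kL9
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        for <records@example-practice.test>; Tue, 07 Mar 2023 17:14:55 +0000 (UTC)
From: lab@old-lab.test
To: records@example-practice.test
Subject: Lab results
Message-ID: <constructed-1@old-lab.test>

Patient results attached.
"""

# Explicit TLS annotations used by Gmail ("version=TLS1_3 cipher=...") and
# Postfix/Exim ("using TLSv1.2 with cipher ...").
TLS_MARKER = re.compile(
    r"version=TLS|using\s+TLSv?\d|\bTLSv?1[._]\d|\bcipher[= ]", re.IGNORECASE
)
# The 'with' keyword names the protocol; a trailing S means TLS was used
# (ESMTPS, SMTPS, ESMTPSA), while ESMTPA is authenticated but not encrypted.
WITH_PROTOCOL = re.compile(r"\bwith\s+(UTF8SMTPS?A?|E?SMTPS?A?|LMTPS?A?|HTTPS?)\b")


def parse_hop(value: str) -> dict:
    """Classify one Received: header: sender, receiver, protocol and TLS evidence."""
    v = " ".join(value.split())  # unfold continuation lines
    m_from = re.search(r"\bfrom\s+(\S+)", v)
    m_by = re.search(r"\bby\s+(\S+)", v)
    m_with = WITH_PROTOCOL.search(v)
    proto = m_with.group(1) if m_with else ""
    proto_tls = proto.rstrip("A").endswith("S")
    return {
        "from": m_from.group(1) if m_from else "(local)",
        "by": m_by.group(1) if m_by else "?",
        "protocol": proto or "?",
        "tls": proto_tls or bool(TLS_MARKER.search(v)),
    }


def audit_received(raw_message: str) -> list[dict]:
    """Return the hops in delivery order (first hop first), each with a tls flag."""
    msg = email.message_from_string(raw_message)
    headers = msg.get_all("Received", [])
    # Each relay prepends its own Received: line, so the bottom one is the first hop.
    return [parse_hop(h) for h in reversed(headers)]


def cleartext_hops(raw_message: str) -> list[str]:
    """'sender -> receiver' for every hop that shows no evidence of TLS."""
    return [
        f"{h['from']} -> {h['by']}"
        for h in audit_received(raw_message)
        if not h["tls"]
    ]


if __name__ == "__main__":
    for n, hop in enumerate(audit_received(SAMPLE_MESSAGE), 1):
        status = "TLS" if hop["tls"] else "CLEARTEXT"
        print(f"hop {n}: {hop['from']} -> {hop['by']} ({hop['protocol']}) {status}")
```

Run it against a message exported from Gmail with “Show original”. A hop that reports only “with ESMTP” and no cipher is one where the sending server either did not try TLS or fell back to plain text. Loopback hops to a content filter on the same host will also show as cleartext; those never leave the machine, so judge them separately from hops between organizations.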

Automated Processing by Gmail

Did you know that Gmail is subject to automated processing? Yes. The content of your messages, including any patient data in them, is read by Google’s systems, and historically that scanning was used for targeted advertising. How do you think your patients would feel knowing that Google’s systems are reading their PHI with no BAA in place? This is why ad-supported Gmail is not a HIPAA compliant email platform.

So, what should you do?

Gmail is not HIPAA compliant and it likely never will be. This is due to the lack of guaranteed end-to-end encryption, no BAA, and automated processing of message content. It is definitely not advised to use Gmail for your practice. There are email providers that focus on HIPAA compliance that you should be using instead. Some compliant email platforms that I recommend are Office 365 and EmailDDS. There are a few other options that we can explore depending on your business need.

The best way for you to protect your legacy is to choose a trusted partner like ProHIPAA to complete a HIPAA Risk Assessment for you. Then we can determine the best solution for your practice and help to protect your legacy and your patients’ privacy.

Contact us today to start the conversation.
