Does HIPAA-compliant Gmail exist? The answer is YES, if you set it up properly. Read on to learn how!
Google’s email, calendar, and productivity tools (recently renamed from G Suite to “Google Workspace”) are absolutely fantastic. They’re easy to use and very affordable.
Google Workspace is also highly secure, but there are very specific things that you need to do to make Gmail HIPAA compliant. Here are some big ones...
Disclaimer: we are not lawyers. You should seek your own legal advice in interpreting regulations like HIPAA. We are sharing lessons that we've learned from our work with other practices for informational purposes only.
Unfortunately, only the paid version of Gmail can be used for handling PHI, and only if it's set up the right way. Why? Here are a few reasons:
Google’s own HIPAA implementation guide makes the same point: the Business Associate Agreement, and with it permission to handle PHI in Google services, is only available to paying Google Workspace customers, not to free @gmail.com accounts.
However, it’s very easy to make a mistake when you’re busy and dealing with patients and insurance companies. There is also a chance that an unhappy patient will file a complaint if they’re worried about your use of insecure email. Read on for other options.
Once you’re a customer, Google has a very simple process for executing a HIPAA Business Associate Agreement (BAA). You can do it right online, with no forms to fill out. It’d be nice if every vendor made it this simple!
Here’s an article that explains how to do it: https://support.google.com/a/answer/3407074
But here’s a disclaimer that many private practice “influencers” miss: signing a BAA with Google does not make your Google Workspace HIPAA compliant.
Seriously – Google CLEARLY says
“Customers are responsible for … ensuring that they use Google services in compliance with HIPAA.”
“PHI is allowed only in a subset of Google services.”
“These Google covered services … must be configured by IT administrators to help ensure that PHI is properly protected."
So yes, Google Workspace CAN be HIPAA compliant, but it’s not compliant right out of the box.
You need to make sure your account is secure.
Patient consent is highly recommended. If you’re in a healthcare practice, get written consent from your patients before you communicate with them via email or text messages. It’ll save you a world of pain down the line if you get a complaint.
Here’s a great article that explains how and why.
Add an automatic email signature that reminds people that email is insecure, and to delete email not meant for them.
Here are some great examples that you can edit.
Once you’re on paid Google Workspace, your administrator can add a signature automatically to all outbound emails. The feature is called “Appending a Footer.” Here’s an article that describes how to do this:
https://support.google.com/a/answer/2364576?hl=en
If you are absolutely, completely, 100% certain that you will never have PHI anywhere in Google (not in Gmail, not in Google Drive, not in video conference, or any other service), then you shouldn’t have any issues continuing to use your free @gmail.com account.
This means you will never send an email that could tie a patient to healthcare data (like insurance numbers, social security numbers, etc.) or medical info (like diagnoses, lab results, prescriptions, etc.).
If you do want to email patients, insurance companies, and other providers (or if you just don’t want to have to worry about it), you have options.
We recommend an excellent secure email service to our clients. It also provides advanced security for both inbound and outbound emails.
While we were researching secure email, we also wrote an article about this called “HIPAA Compliant Email: 7 of the Best Ways to Email PHI.” We tested seven different services, ranging from free to premium, to figure out which ones worked best.
Here’s a way you can email patients using a free account, but it will take time and a lot of attention.
In fact, even if you use secure email, it’s a good idea to do this anyway.
Check out this sentence from the Dept. of Health and Human Services site:
The way many practices interpret this is that it is OK to communicate with patients via insecure email IF you know that the patients understand the risk. Some practices have patients sign an insecure email consent form to get their permission to communicate via unsecured email.
There are a couple of downsides to this approach. First, you’re going to need an ironclad way to make sure you don’t accidentally email with a patient who hasn’t signed this form. It’s a bit of a hassle. Second, this wouldn’t apply to your emails with insurance companies, partners, or other medical providers.
If you access Gmail in your browser (using Chrome, Edge, Safari, Firefox, etc.), then you already have this covered. Google serves Gmail only over an encrypted HTTPS connection.
If you’re curious, here’s how you can tell. Look for the lock icon in the address bar and “https://” at the start of the address (modern browsers no longer color the lock green, and some hide the “https://” until you click into the address bar).
However, lots of people use other programs to check their email. For example, you might be using:
You need to make sure that the connection between Gmail and every single device you own is encrypted. For Gmail that means IMAP on imap.gmail.com port 993 (SSL/TLS) for incoming mail, and SMTP on smtp.gmail.com port 465 (SSL/TLS) or port 587 (STARTTLS) for outgoing mail. A mail program set to port 143 or port 25 without TLS sends your messages and your password across the internet in the clear.
This isn’t hard to do, but you need to carefully follow the instructions for your specific program. Try searching for “how to set up secure Gmail on” followed by the name of your device or mail app.
For our clients, we’ll help make sure it’s set up the right way. Even if you already have Google Workspace, we'll thoroughly check it over and make sure everything is set up properly.
If you have any employees (even one), you need to have a clear policy and train them on your expectations of using email and SMS.
Specifically, train them thoroughly on how to identify PHI, and your expectations of how they should handle PHI in email and SMS.
You should also train them on how to identify and handle:
More on these coming up.
Ultimately, HIPAA is about keeping medical data from being stolen.
These days, you need to be worried about getting hacked. Hackers are going after small businesses and medical records are highly valuable on the black market.
Hackers are using phishing messages (fake emails) to try to trick you. How?
Gmail does a pretty good job here. In fact, it’s definitely the best free service that we’ve found (and it’s what we use for our personal email accounts).
The basic spam and malware filtering is the same on free Gmail and on paid Google Workspace. What the paid edition adds is the Admin console, where an administrator can turn on extra attachment, link, and spoofing protections for the whole organization.
Honestly, that’s not enough.
Our service includes an additional layer of security to all of our clients. We layer on advanced email antivirus, to protect computers against ransomware, viruses, and phishing.
No matter how good your email scanner is, highly targeted attacks can still get through. That’s why it’s super important to train your staff about phishing.
Here are three completely free websites that can both teach users how to spot a phishing attack AND test whether they would get fooled or not:
Most companies we meet have good intentions, but quickly get too busy and forget to do these phishing trainings. That’s why we put it on autopilot as part of our service and send every user a fun monthly video and quiz to teach them about phishing and cyber security.
To be HIPAA compliant, it’s not enough to just worry about email. Every computer, mobile phone, and tablet you use must also be secure.
Making you “fully secure” is a complex topic, definitely outside the scope of this short checklist.
However, to get you started, we’ve put together a couple of guides that you might find helpful.
Here are 5 tips to get you started.
Here’s a great review of antivirus programs for Mac users (yes, Mac users need antivirus too).
We also wrote an article “5 Free Cyber Security Tips for Windows Users.”
Antivirus MUST be installed on every computer that receives emails. Here’s a review of Windows antivirus programs.
According to the Identity Theft Resource Center, almost 900 million records have been involved in security breaches. That’s almost three times the population of the US.
Popular breach-tracking site HaveIBeenPwned has a list of 3.8 billion usernames and passwords that have been breached. And those are only the ones we know about.
Hackers know that most people reuse the same password over and over. When they get a password, the first thing they do is to go to other sites and try the username and password to see if they can get in.
If someone gets ahold of your email, they own you.
They can send emails to patients on your behalf.
They can reset the password on your EMR system.
They can email your bank.
Make sure your email password is completely unique.
Here’s a fun trick (the “correct horse battery staple” method) for making up strong passwords that are easy to remember: https://xkcd.com/936/
If you find passwords confusing, do what we do -- use a password manager like Dashlane or 1Password to manage your passwords.
Then you only need to remember one password, ever.
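As an added example (ours, not part of the original article), here is the xkcd method in code, plus a check for whether a password already appears in a breach corpus. The breach check uses the Pwned Passwords range API from HaveIBeenPwned, which is queried with only the first five characters of the password’s SHA-1 hash, so the password itself never leaves your machine. The word list and the sample API response are constructed for the example; `check_password_online` is the only part that touches the network.

```python
import hashlib
import math
import secrets

# Constructed toy word list for the example. A real list (e.g. the EFF long
# word list) has thousands of words; strength comes from list size and word count.
WORDS = ["correct", "horse", "battery", "staple", "orange", "window",
         "pencil", "garden", "rocket", "silver", "marble", "forest"]


def passphrase_entropy_bits(wordlist_size, n_words):
    """Entropy of n_words picked uniformly and independently from the list.
    xkcd 936's four words from ~2048 candidates gives 4 * 11 = 44 bits."""
    return n_words * math.log2(wordlist_size)


def generate_passphrase(wordlist, n_words=4, sep="-"):
    """Pick words with the CSPRNG in `secrets`, never with `random`."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def hibp_prefix_and_suffix(password):
    """Split the upper-case SHA-1 hex digest the way the range API expects:
    only the 5-char prefix is sent, the 35-char suffix stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix, response_text):
    """Parse 'SUFFIX:COUNT' lines returned for a prefix and return how many
    times our full hash has been seen in breaches (0 means not found)."""
    for line in response_text.splitlines():
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.strip().upper() == suffix:
            return int(count.strip())
    return 0


def check_password_offline(password, response_text):
    """Same logic as the online check, fed a pre-fetched range response."""
    _, suffix = hibp_prefix_and_suffix(password)
    return count_in_range_response(suffix, response_text)


def check_password_online(password, timeout=10):
    """Query https://api.pwnedpasswords.com/range/<prefix> (needs network)."""
    import urllib.request
    prefix, suffix = hibp_prefix_and_suffix(password)
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "hipaa-gmail-checklist-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return count_in_range_response(suffix, resp.read().decode("utf-8"))


# Constructed sample of a range response for prefix 5BAA6 (the prefix of
# SHA-1("password")). Real responses contain several hundred lines.
SAMPLE_RANGE_RESPONSE = """\
1E2B5CD6AD6E5C9FC2E2D5C0A72A4F7A6A1:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F0A1A3C4B44C9E5D3B67A04C8B2E5B8C7D:1
"""

if __name__ == "__main__":
    phrase = generate_passphrase(WORDS)
    print("passphrase:", phrase,
          f"({passphrase_entropy_bits(len(WORDS), 4):.1f} bits with this toy list)")
    print("'password' seen in breaches:",
          check_password_offline("password", SAMPLE_RANGE_RESPONSE), "times")
```

Anything with a non-zero count has been in a breach and belongs on the “never use again” list; a password manager does this kind of check for you automatically.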
You know those codes that get sent to your phone when you try to log on to some sites?
That’s called “two-factor authentication,” and it’s incredibly important to keep your data safe and your Gmail HIPAA compliant.
Google makes it easy to turn on, and it’s available on free and paid accounts alike.
All you have to do is follow these instructions: https://support.google.com/accounts/answer/185839?hl=en
It’s critical to turn this on (go do it now!). Even if a hacker steals your password, they can’t get into your email or your PHI without the second factor. One caveat: codes sent by SMS can be intercepted through SIM-swap fraud or phished along with the password, so for accounts that touch PHI, prefer an authenticator app, a Google prompt on your phone, or a hardware security key.
Fair warning -- this one is important but fairly technical.
It is super easy to send an email and make it look like it came from someone else.
Don’t believe me? Try it yourself: http://deadfake.com/Send.aspx
If it’s this easy for you and me, a hacker can make it appear like an email is coming from anyone.
Even from someone inside your company.
That’s how “CEO fraud” (a form of business email compromise, often lumped in with “whaling”) works -- the attacker sends emails that appear to come from your CEO. Businesses have lost $5.2 billion to this kind of attack.
There are three main technologies that work together to stop hackers from “spoofing” your email address. SPF publishes in DNS which servers are allowed to send mail for your domain; DKIM adds a cryptographic signature to each message so receivers can tell it really came from your domain and wasn’t altered in transit; and DMARC tells receiving servers what to do with mail that fails those checks (monitor, quarantine, or reject) and where to send reports. Google’s Workspace help has setup articles for each:
(a) DKIM support, (b) SPF records, and (c) DMARC support
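As an added example (ours, not from Google’s articles), here is a small linter for the two records you publish yourself, SPF and DMARC, showing a weak record beside the corrected one. `GOOGLE_SPF` is the SPF record Google documents for Workspace; the DMARC records and the domain clinic.example are constructed for the example. DKIM is not linted here because Google generates and publishes that key for you from the Admin console.

```python
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists"}  # each costs a DNS lookup


def parse_spf(record):
    """Return the lower-cased terms after 'v=spf1', or None if not SPF."""
    parts = record.strip().split()
    if not parts or parts[0].lower() != "v=spf1":
        return None
    return [p.lower() for p in parts[1:]]


def spf_findings(record, expected_include="_spf.google.com"):
    terms = parse_spf(record)
    if terms is None:
        return ["not an SPF record (must start with v=spf1)"]
    findings = []
    if f"include:{expected_include}" not in terms:
        findings.append(f"missing include:{expected_include}, so mail sent via Gmail fails SPF")
    last = terms[-1] if terms else ""
    if last in ("all", "+all"):
        findings.append("'+all' lets any host on the internet send as your domain")
    elif last == "?all":
        findings.append("'?all' is neutral; end the record with ~all or -all")
    elif last not in ("~all", "-all"):
        findings.append("no terminating 'all' mechanism; unlisted senders get no verdict")
    lookups = sum(
        1 for t in terms
        if t.lstrip("+-~?").split(":", 1)[0].split("/", 1)[0] in SPF_LOOKUP_TERMS
        or t.startswith("redirect=")
    )
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed RFC 7208's limit of 10 (permerror)")
    return findings


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(record):
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required p= tag")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofs to spam; move to p=reject once reports are clean")
    elif policy != "reject":
        findings.append(f"unknown policy p={policy}")
    if "rua" not in tags:
        findings.append("no rua= address, so you get no reports of who is spoofing you")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']} applies the policy to only part of your mail")
    if tags.get("sp") == "none" and policy in ("quarantine", "reject"):
        findings.append("sp=none leaves subdomains unprotected")
    return findings


# GOOGLE_SPF is what Google documents for Workspace; the rest are constructed.
GOOGLE_SPF = "v=spf1 include:_spf.google.com ~all"
WEAK_SPF = "v=spf1 include:_spf.google.com +all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@clinic.example"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@clinic.example; adkim=s; aspf=s"

if __name__ == "__main__":
    for label, rec, lint in [("SPF ok", GOOGLE_SPF, spf_findings),
                             ("SPF weak", WEAK_SPF, spf_findings),
                             ("DMARC weak", WEAK_DMARC, dmarc_findings),
                             ("DMARC ok", STRONG_DMARC, dmarc_findings)]:
        print(label, "->", lint(rec) or "no findings")
```

To lint your live records, pull them with `dig TXT yourdomain.example` and `dig TXT _dmarc.yourdomain.example` and pass the quoted strings in. Start DMARC at p=none to collect reports, then move to p=reject once the reports show only legitimate senders.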
You can use Google Drive (the document system that comes with Google Workspace) to store and edit files that contain PHI. However, you are still very much responsible for making sure that nobody accesses PHI that isn’t needed for their job.
The other thing you need to manage is to make sure that your users don’t accidentally share PHI with the public.
The stakes are very high. Here’s a practice that was fined $218,000 because they messed this up:
This is the area where we most commonly see companies making big mistakes when we first help them get set up.
We recommend that you set pretty stringent file-sharing permissions. Google makes this very easy. Here are the instructions:
https://support.google.com/a/answer/60781
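Tightening the admin setting stops new over-sharing, but it doesn’t find files that were already shared too widely. As an added example (ours, not Google’s code), here is an audit that walks Drive file permissions and flags anything shared with “anyone with the link”, with your whole domain, or with an address outside your domain. The file list below is constructed in the shape the Drive API v3 returns; `fetch_files_with_permissions` expects a googleapiclient Drive service object that you build and authorize elsewhere, and the names, domain, and addresses are made up.

```python
def fetch_files_with_permissions(service, page_size=100):
    """Page through Drive API v3 files.list for the authorized account,
    asking for the permissions of each file. `service` is a googleapiclient
    Drive v3 service object built elsewhere (assumed, not shown here)."""
    files, token = [], None
    while True:
        resp = service.files().list(
            pageSize=page_size,
            pageToken=token,
            fields="nextPageToken, files(id, name, permissions(type, role, "
                   "emailAddress, domain, allowFileDiscovery))",
        ).execute()
        files.extend(resp.get("files", []))
        token = resp.get("nextPageToken")
        if not token:
            return files


def audit_sharing(files, org_domain):
    """Return one finding per permission that exposes a file beyond the
    people in your organization who were deliberately given access."""
    org_domain = org_domain.lower()
    findings = []
    for f in files:
        for perm in f.get("permissions", []):
            ptype, role = perm.get("type"), perm.get("role")
            if ptype == "anyone":
                how = "public link"
                if perm.get("allowFileDiscovery"):
                    how += " (and discoverable by search)"
                findings.append({"id": f["id"], "name": f["name"], "role": role,
                                 "severity": "high", "exposure": how})
            elif ptype == "domain":
                findings.append({"id": f["id"], "name": f["name"], "role": role,
                                 "severity": "medium",
                                 "exposure": f"everyone in {perm.get('domain')}"})
            elif ptype in ("user", "group"):
                email = perm.get("emailAddress", "").lower()
                if email and not email.endswith("@" + org_domain):
                    findings.append({"id": f["id"], "name": f["name"], "role": role,
                                     "severity": "high",
                                     "exposure": f"external {ptype} {email}"})
    return findings


# Constructed sample in the shape of Drive API v3 file resources.
SAMPLE_FILES = [
    {"id": "f1", "name": "2024-03 lab results - J. Doe.pdf",
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "dr.lee@clinic.example"},
         {"type": "anyone", "role": "reader", "allowFileDiscovery": False}]},
    {"id": "f2", "name": "Staff schedule.xlsx",
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "office@clinic.example"},
         {"type": "domain", "role": "reader", "domain": "clinic.example"}]},
    {"id": "f3", "name": "Referral - patient 4471.docx",
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "dr.lee@clinic.example"},
         {"type": "user", "role": "writer", "emailAddress": "billing@clinic.example"},
         {"type": "user", "role": "reader", "emailAddress": "someone@gmail.com"}]},
]

if __name__ == "__main__":
    for finding in audit_sharing(SAMPLE_FILES, "clinic.example"):
        print(f"[{finding['severity']}] {finding['name']}: {finding['exposure']} ({finding['role']})")
```

Run this as each user (or through domain-wide delegation as an administrator) and review every “high” finding; a lab result shared by public link is exactly the kind of mistake that leads to the fines mentioned above.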
It’s incredibly important to monitor the usage of your Gmail system to watch for any indicators of hacking or breaches.
Thankfully, Google offers some incredibly robust capabilities for this. The most helpful reports that they offer are:
If you’re a paid Gmail user, log in at least once a month and check these reports for weird or unusual behavior.
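To show what “check the reports for weird behavior” can look like when you automate it, here is an added example (ours, not Google’s code) that runs a few simple detection rules over login audit events in the shape the Admin SDK Reports API returns for its “login” application: a burst of failed logins for one account from one IP address, a successful login from that same IP right after the burst, and any of Google’s own suspicious-login event types. The events are constructed; `fetch_login_events` expects a googleapiclient Reports service object built elsewhere with the reports.audit.readonly scope, and the account names and IPs are made up.

```python
from collections import Counter

# Login audit event names Google raises itself that always deserve a look.
HIGH_RISK_EVENTS = {"suspicious_login", "suspicious_login_less_secure_app",
                    "account_disabled_password_leak", "account_disabled_hijacked"}


def fetch_login_events(reports_service, start_time_rfc3339):
    """Page through Admin SDK Reports API v1 activities.list for the login
    application. `reports_service` is assumed to be a googleapiclient
    service object authorized elsewhere (not shown)."""
    items, token = [], None
    while True:
        resp = reports_service.activities().list(
            userKey="all", applicationName="login",
            startTime=start_time_rfc3339, pageToken=token).execute()
        items.extend(resp.get("items", []))
        token = resp.get("nextPageToken")
        if not token:
            return items


def analyse_login_events(activities, failure_threshold=5):
    """Return alerts; each has a 'kind' of high_risk, failure_burst or
    success_after_failures. Events are processed in time order."""
    failures = Counter()  # (account, ip) -> consecutive failed attempts
    alerts = []
    for act in sorted(activities, key=lambda a: a.get("id", {}).get("time", "")):
        actor = act.get("actor", {}).get("email", "?")
        ip = act.get("ipAddress", "?")
        when = act.get("id", {}).get("time", "?")
        for ev in act.get("events", []):
            name = ev.get("name")
            if name in HIGH_RISK_EVENTS:
                alerts.append({"kind": "high_risk", "time": when, "actor": actor,
                               "ip": ip, "detail": name})
            elif name == "login_failure":
                failures[(actor, ip)] += 1
                if failures[(actor, ip)] == failure_threshold:
                    alerts.append({"kind": "failure_burst", "time": when, "actor": actor,
                                   "ip": ip, "detail": f"{failure_threshold} failed logins"})
            elif name == "login_success":
                if failures[(actor, ip)] >= failure_threshold:
                    alerts.append({"kind": "success_after_failures", "time": when,
                                   "actor": actor, "ip": ip,
                                   "detail": f"success after {failures[(actor, ip)]} failures"})
                failures[(actor, ip)] = 0
    return alerts


def evt(time, email, ip, name):
    """Build one activity in the shape the Reports API returns (constructed)."""
    return {"id": {"time": time, "applicationName": "login"},
            "actor": {"email": email}, "ipAddress": ip,
            "events": [{"type": "login", "name": name}]}


# Constructed sample: a normal login, a password-guessing burst that succeeds,
# and a suspicious-login event raised by Google.
SAMPLE_EVENTS = [
    evt("2024-05-02T08:01:11.000Z", "dr.lee@clinic.example", "203.0.113.5", "login_success"),
    *[evt(f"2024-05-02T02:13:{s:02d}.000Z", "dr.lee@clinic.example", "198.51.100.7",
          "login_failure") for s in range(5)],
    evt("2024-05-02T02:14:02.000Z", "dr.lee@clinic.example", "198.51.100.7", "login_success"),
    evt("2024-05-02T03:40:00.000Z", "nurse.kim@clinic.example", "192.0.2.44", "suspicious_login"),
]

if __name__ == "__main__":
    for a in analyse_login_events(SAMPLE_EVENTS):
        print(f"{a['time']} {a['kind']:<24} {a['actor']} from {a['ip']}: {a['detail']}")
```

A “success_after_failures” alert is the one to act on immediately: reset the password, revoke the account’s active sessions from the Admin console, and check whether the account has two-factor authentication turned on.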
“RTFM” is a highly technical term that means “Read the Freaking Manual.” Your choice of gerund may vary.
These 17 tips should be enough to get you started, but there’s way more to making Gmail and Google Workspace HIPAA compliant than what we’ve reviewed here.
Thankfully, Google has put together a site to help paying customers fully and completely use Gmail and Google Workspace in a HIPAA-compliant fashion.
It’s called “HIPAA Compliance & Data Protection with Google Workspace.”
Specifically, you want to click on the link that says “Google Workspace HIPAA Implementation Guide.”
That will bring you to a 19-page PDF that is chock full of things you need to do to make Google Workspace HIPAA compliant.
If you’re good with computers and have 4-8 hours to spend reviewing all of your Google Workspace and Gmail settings, then you can totally tackle it on your own.
Due to the COVID-19 response, we’ve heard from practices across the country looking for help with telemedicine options. The good news is that Google Meet can be HIPAA compliant! Google Meet is a great option for HIPAA-compliant telehealth and is thankfully very easy to use.
There are two ways to place video calls in a Google Workspace account:
Check out our article Is Google Meet HIPAA Compliant? for answers to common questions.
The Google Workspace Learning Center has excellent tutorials and explanations on how to use Google Meet, including if you need to switch from using Zoom, WebEx, or Skype.