We've recently discussed whether or not Gmail is HIPAA Compliant. In short, it depends. Gmail is HIPAA compliant when set up correctly. But what about Gmail encryption? Is Gmail encryption HIPAA compliant? Once again, it depends. Gmail encryption also has the potential to be a HIPAA compliant email option depending on how you set it up.
Health care providers must adhere to the Health Insurance Portability and Accountability Act (HIPAA). HIPAA compliance means that the transmission of a patient’s personally-identifying information must be completely secured.
In this article, we'll answer the question, "Is Gmail encryption HIPAA compliant?" We'll also discuss Gmail encryption as it relates to HIPAA compliance. And we'll cover how you can ensure your Gmail encryption is HIPAA compliant.
Before we get into Gmail encryption, let's talk about Gmail and HIPAA compliance. You’ve probably heard this before -- whether or not your use of Gmail is HIPAA compliant depends on how you’re using Google mail.
Are you using the free version of Gmail or Google Workspace? Asked another way, do you have an email address that ends with @gmail.com? If so, then no— your Gmail is NOT HIPAA compliant.
Google Workspace (their paid product) does have the potential to be HIPAA compliant. Are you using a paid Google Workspace account? Yes? Great, you’re on the way to HIPAA compliance! But be sure that you’ve set it up the right way. Find out the right way to set up your Google Workspace account.
If your Google Workspace account is set up properly, then your Gmail account is HIPAA compliant. If not, then you may have some work to do. You can learn more about Google Workspace here.
Something else you may be wondering about is whether or not Google offers a business associate agreement to make Gmail HIPAA compliant.
More and more health care providers use third party email providers such as Gmail or Microsoft for their daily work. In this case, these firms are referred to as “Business Associates” by HIPAA. As business associates, the firms need to sign an agreement that states they will protect a patient’s confidential information with the same high standards required of the health care provider.
So how does Gmail measure up? As of September 2013, Google does sign Business Associate Agreements that state that they will “implement physical, technical and administrative safeguards” to keep the emails and information secure. Google has also gone so far as to publicly state that Gmail is HIPAA compliant in its security and privacy practices.
Also, Google only signs HIPAA Business Associates Agreements with paid customers. Like we mentioned above— you must be a Google Workspace user for any of this to work (not free gmail.com email addresses).
Also, we want to tell you about a common misconception. Google used to scan your emails to find opportunities to show you ads. They no longer do that, and for their paid accounts, they have very strong controls in place to be sure that their employees never see your emails or PHI.
If anything is still fuzzy, then we invite you to head on over to our comprehensive “17-Step Guide on Gmail and HIPAA Compliance”.
Now we know that yes, Gmail is able to be HIPAA compliant. Next, let's talk about how Gmail encryption works.
By default, Gmail has TLS encryption turned on.
Is Gmail’s TLS encryption enough to ensure full HIPAA compliance?
It is, but ONLY emails you send inside your own company will be encrypted. If you never plan to email PHI to anyone outside of your company, you don’t need to use a third party encryption or “secure email” tool.
What if you're emailing outside of your company? Then is end-to-end encryption necessary for HIPAA compliant Gmail? Yes, it is — unless you get written consent from your patients (more below on that).
If you are emailing people outside of your company and need end-to-end encryption to ensure HIPAA compliance, the easiest way to achieve this is through a secure email add-on.
Any email you send that contains information that can identify someone or provide information about their healthcare is considered PHI.
If you want to send PHI via email, then you have 2 main options:
Please note that you need to be 100% sure that you ONLY email patients who have signed an agreement. You must never (even accidentally!) email PHI to a patient who has not signed a consent form. If you did, that would be a breach of HIPAA.
Okay, so you've ticked off all the boxes on Gmail encryption. NOW is Gmail HIPAA compliant? Almost. We're still not 100% there just yet, though.
You see, it’s not just about encryption in Gmail. You also need to encrypt any device you use to access Gmail. This includes any and all computers, phones, and tablets you use.
For phones and tablets, you need to make sure that they’re encrypted as well. You also need a way to wipe your data off of them if they are lost or stolen (which you can do using Google’s mobile device management feature – we help our clients set this up).
Where are you or your staff accessing your Gmail? If you're connecting to Gmail through Safari, Chrome, Firefox, or another browser, then your connection is secured by default.
How do you know it's secured? Just look for a green lock and make sure your URL starts with “https” instead of "http". That extra S right there is for SECURE.
So what if you or your staff isn't checking your Gmail through a browser? If you're checking Gmail through any third party applications such as Apple Mail, Microsoft Outlook, Mozilla Thunderbird, Windows Mail, or any other mobile device, then you should do a quick Google search for how to set up a secure, encrypted connection to Gmail through your specific application.