This article talks about how you can send HIPAA compliant email. This act was designed to protect a patient’s personally-identifying information from being accessible to the general public. As more clinicians are electronically transmitting patient records and other personal information to specialists and medical facilities, it is imperative that we ensure that emails are secure.
Isn’t All Email Secure? No way!
Email in general is not secure. Most people don’t realize there really is no way to know that the person receiving the email you sent is who you intended. This is especially so in companies whose messaging system is controlled through an IT department. Oftentimes companies have an email policy in place informing employees that they should expect no privacy as it relates to using the company’s email or Internet systems. So, those people handling sensitive information, including discussing diagnoses and treatments for patients, need to be aware that general email has no guarantee of privacy.
What does HIPAA Say about Email?
I’m summarizing here, but generally HIPAA requires three things when it comes to email:
Strong security: According to Section 164.314(a) of HIPAA, it is the responsibility of the health care provider to ensure that everyone involved in handling such confidential and personally-identifying information complies with the safeguards established by the HIPAA laws. Most providers meet this requirement by adding extra security around email like secure email, scanning outbound emails for sensitive data, and having a good handle on who is allowed to access email.
Consent: The HIPAA Omnibus Final Rule released March 18, 2013 states that clients are allowed to authorize communications via email, but to do so the client must be informed of the risks relating to sending protected health information via email before they sign the authorization. Most firms have a consent form that clients must fill out before email can be used.
Business Associate Agreement: Many health care providers use a third party (like Gmail, Microsoft, or their IT company) for email. These firms are referred to by HIPAA as “Business Associates.” These Business Associates are required to sign an agreement that states they will protect a patient’s confidential information with the same high standards required of the health care provider.
How does Gmail measure up with HIPAA compliance?
In case you don’t know, Gmail is a service used for email by hundreds of millions of people worldwide. Many small businesses use it for email because it’s inexpensive, convenient, and offers some very nice security features. While most people feel secure sending and receiving personal and confidential information via their Gmail accounts, let’s see how Gmail does against our three criteria:
Strong Security: Google arguably has some of the best security available in a hosted web service. Companies that take advantage of Google’s free two factor authentication have strong assurance that their email accounts aren’t hacked, plus Google offers some nice user logging and other security features that are much stronger than many competitors. Also, third party services (reviewed in another article) are available to add secure email and outbound email scanning which really make Gmail’s security top notch.
Consent: Since this is something that you’ll need to manage in your own office, this has no bearing on which email provider you choose.
Business Associate Agreement: As of September 2013, Google has stepped up and will agree to sign a Business Associates Agreement stating that they will “implement physical, technical and administrative safeguards” to hold the information secure. The company states publicly that Gmail is already HIPAA compliant in its security and privacy practices.
So is Gmail HIPAA Compliant?
The answer is yes! Gmail can be used as part of a HIPAA-compliant organization.
However, only the paid version (Google Workspace Gmail, not @gmail.com email addresses) provides the features you need for HIPAA compliant email. You also probably will need to add some extra services to be able to send and receive email safely.
Microsoft365: Google’s competitor, Microsoft, has also stated that they would be willing to sign a Business Associates Agreement stating that their Microsoft365 program will maintain the standards of HIPAA compliance. We’ve experimented with their service and find it comparable to Google in many respects, though slightly more complex.
Other Secure Email Providers: lots of lesser known companies offer email services that they claim are HIPAA compliant. A simple Google search for “hipaa email provider” will pull up lots of ads. A note of caution here — simply using an email provider that claims to be “HIPAA compliant” does not suddenly make your practice HIPAA compliant. HIPAA compliance comes from holistic protection of sensitive data, not just secure email.
Use two email services: some companies still use Gmail for their main email service, but then use a secondary, secure email service for communicating about lab results, diagnoses, or treatments. While we wouldn’t recommend that as a long term solution (it’s much easier to accidentally email PHI/PII when bouncing back and forth), this is something that could be implemented quickly as a short-term fix.
What About Mobile?
iPhones, Android devices, and tablets use various programs such as Google Apps to download their email messages while they are out of the office. Gmail is pre-programmed into most of those devices for the convenience of users. However, this convenience can create a breach of security according to HIPAA, and such breaches are required to be reported, causing further liability issues and potential fines for violation. Be especially careful about giving employees access to email via mobile, especially if it may contain PHI/PII.