Is Gmail HIPAA compliant? Many health care providers are required to adhere to the Health Insurance Portability and Accountability Act (HIPAA).
This article explains how you can send HIPAA compliant email. HIPAA was designed to protect a patient’s personally-identifying information from being accessible to the general public. As more clinicians electronically transmit patient records and other personal information to specialists and medical facilities, it is imperative that we ensure that those emails are secure.
Feature Download: FREE checklist about Gmail and Google Workspace HIPAA Compliance (Download Now)
Isn’t All Email Secure? No way!
Email in general is not secure. Most people don’t realize there really is no way to know that the person receiving the email you sent is who you intended. This is especially so in companies whose messaging system is controlled through an IT department. Oftentimes companies have an email policy in place informing employees that they should expect no privacy as it relates to using the company’s email or Internet systems. So, those people handling sensitive information, including discussing diagnoses and treatments for patients, need to be aware that general email has no guarantee of privacy.
What does HIPAA Say about Email?
I’m summarizing here, but generally HIPAA requires three things when it comes to email:
- Strong security: According to Section 164.314(a) of HIPAA, it is the responsibility of the health care provider to ensure that everyone involved in handling such confidential and personally-identifying information complies with the safeguards established by the HIPAA laws. Most providers meet this requirement by adding extra security around email like secure email, scanning outbound emails for sensitive data, and having a good handle on who is allowed to access email.
- Consent: The HIPAA Omnibus Final Rule released March 18, 2013 states that clients are allowed to authorize communications via email, but to do so the client must be informed of the risks relating to sending protected health information via email before they sign the authorization. Most firms have a consent form that clients must fill out before email can be used.
- Business Associate Agreement: Many health care providers use a third party (like Gmail, Microsoft, or their IT company) for email. These firms are referred to by HIPAA as “Business Associates.” These Business Associates are required to sign an agreement that states they will protect a patient’s confidential information with the same high standards required of the health care provider.
How does Gmail measure up with HIPAA compliance?
In case you don’t know, Gmail is a service used for email by hundreds of millions of people worldwide. Many small businesses use it for email because it’s inexpensive, convenient, and offers some very nice security features. While most people feel secure sending and receiving personal and confidential information via their Gmail accounts, let’s see how Gmail does against our three criteria. Is Gmail HIPAA compliant?
- Strong Security: Google arguably has some of the best security available in a hosted web service. Companies that take advantage of Google’s free two factor authentication have strong assurance that their email accounts aren’t hacked, plus Google offers some nice user logging and other security features that are much stronger than many competitors. Also, third party services (reviewed in another article) are available to add secure email and outbound email scanning which really make Gmail’s security top notch.
- Consent: Since this is something that you’ll need to manage in your own office, this has no bearing on which email provider you choose.
- Business Associate Agreement: As of September 2013, Google has stepped up and will agree to sign a Business Associate Agreement stating that they will “implement physical, technical and administrative safeguards” to hold the information secure. The company states publicly that Gmail is already HIPAA compliant in its security and privacy practices.
So is Gmail HIPAA Compliant?
The answer is yes! Gmail can be used as part of a HIPAA-compliant organization.
However, only the paid version (Google Workspace Gmail, not @gmail.com email addresses) provides the features you need for HIPAA compliant email. You also probably will need to add some extra services to be able to send and receive email safely.
Want to learn how to make Gmail HIPAA compliant? Get the free checklist.
You also need to consider how you plan to handle PHI. If you want to send PHI via email, then you either need to sign up for an additional secure email service (we found the best one in this article), or you need to get written consent from your patients.
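The outbound scanning mentioned above, as an added example that is not the article's, Google's, or any vendor's code: a small Python policy check that parses an outgoing message, flags PHI indicators, and routes flagged mail that is leaving the practice's own domain to a secure channel instead of plain email. The indicator patterns, the `example-practice.test` domain, and the sample messages are all assumptions constructed for this example, not an authoritative definition of PHI.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Patterns are an assumption for this example, not an authoritative PHI definition.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:\s#]*\d{6,10}\b", re.IGNORECASE),
    "icd10": re.compile(r"\b[A-TV-Z]\d{2}\.\d{1,4}\b"),  # decimal required: fewer false hits
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]+\d{1,2}/\d{1,2}/\d{2,4}\b", re.IGNORECASE),
}
CLINICAL_TERMS = ("diagnosis", "lab results", "prescription", "treatment plan")

def message_text(msg) -> str:
    """Collect the subject plus every text/plain part of a parsed message."""
    parts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload:
                parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)

def find_phi(raw_message: str) -> list:
    """Return the sorted names of PHI indicators found (empty list if clean)."""
    text = message_text(message_from_string(raw_message))
    hits = {name for name, pat in PHI_PATTERNS.items() if pat.search(text)}
    lowered = text.lower()
    hits.update("term:" + t for t in CLINICAL_TERMS if t in lowered)
    return sorted(hits)

def route_outbound(raw_message: str, practice_domain: str) -> str:
    """'send' for clean mail or mail staying inside the practice's own Workspace
    domain; 'secure-channel' when PHI indicators are about to leave that domain."""
    recipient = parseaddr(message_from_string(raw_message).get("To", ""))[1]
    if recipient.lower().endswith("@" + practice_domain.lower()):
        return "send"
    return "secure-channel" if find_phi(raw_message) else "send"

# Constructed sample messages (not real patients or practices).
SAMPLE_APPOINTMENT = (
    "To: Pat Patient <pat@example.test>\n"
    "Subject: Appointment reminder\n\n"
    "Your appointment is Tuesday at 10:00. Reply to reschedule.\n"
)
SAMPLE_LAB = (
    "To: pat@example.test\n"
    "Subject: Your lab results\n\n"
    "MRN 00123456, DOB 04/12/1980. Diagnosis: J45.20 (asthma).\n"
)
```

An appointment reminder passes through unchanged, while the lab result addressed to an outside mailbox is held for the secure channel; the same lab result sent to a colleague inside the practice domain is allowed.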
Are there alternatives?
- Microsoft365: Google’s competitor, Microsoft, has also stated that they would be willing to sign a Business Associate Agreement stating that their Microsoft365 program will maintain the standards of HIPAA compliance. We’ve experimented with their service and find it comparable to Google in many respects, though slightly more complex.
- Other Secure Email Providers: Lots of lesser-known companies offer email services that they claim are HIPAA compliant. A simple Google search for “hipaa email provider” will pull up lots of ads. A note of caution here — simply using an email provider that claims to be “HIPAA compliant” does not suddenly make your practice HIPAA compliant. HIPAA compliance comes from holistic protection of sensitive data, not just secure email.
- Use two email services: some companies still use Gmail for their main email service, but then use a secondary, secure email service for communicating about lab results, diagnoses, or treatments. While we wouldn’t recommend that as a long term solution (it’s much easier to accidentally email PHI/PII when bouncing back and forth), this is something that could be implemented quickly as a short-term fix.
What About Mobile?
iPhones, Android devices, and tablets use various programs such as Google Apps to download their email messages while they are out of the office. Gmail is pre-programmed into most of those devices for the convenience of users. However, this convenience can create a breach of security according to HIPAA, and such breaches are required to be reported, causing further liability issues and potential fines for violation. Be especially careful about giving employees access to email via mobile, especially if it may contain PHI/PII.
Don't miss this part: BAA does not mean HIPAA compliance
But here’s a disclaimer that many private practice “influencers” miss: signing a BAA with Google does not make your Gmail HIPAA compliant.
Seriously – Google CLEARLY says
“Customers are responsible for … ensuring that they use Google services in compliance with HIPAA.”
“PHI is allowed only in a subset of Google services.”
“These Google covered services … must be configured by IT administrators to help ensure that PHI is properly protected.”
So yes, you CAN make Gmail HIPAA compliant, but it’s not compliant right out of the box.
You need to make sure your account is secure.
What should you do next?
- Get our Checklist to make Gmail HIPAA compliant.
- Know someone who might like this article? Share it!
- Have questions or something to add? Let us know in the comments below!
I searched and searched for a truly helpful security website related to HIPAA and medical offices, well, mental health practice in my case. I'm a Quality & Compliance Specialist full-time and have a private practice part-time.
Simply, thank you for your hard and valuable work. I look forward to following your website.
One question: Are there any particularly important articles or even products you offer for mental health practices?
Heather Nelson MA, LPC, NCC
Hi Heather - great question. Mental health practices really aren't any different from any other medical practices from a cyber security perspective, so all of the information on this site (and on others) should be equally relevant! Thanks, Josh
One question - in order to be HIPAA compliant, don't the patient and the provider have to be on a HIPAA compliant system?
Hi Vijayeta - thanks for asking this! Unfortunately, HIPAA compliance isn't that simple. The "system" doesn't matter as much as the steps you take to make sure healthcare data isn't seen by anyone else. In the case of email, you shouldn't send any medical information via email unless you're using a secure email system. If you limit your emails to topics like appointments and calendars, you should be fine.
I just found this in the Google business user agreement. The last line says the customer is solely responsible for HIPAA compliance. Please clarify this?
2.6 Restrictions on Use. Unless Google specifically agrees in writing, Customer will not, and will use commercially reasonable efforts to make sure a third party does not: (a) sell, resell, lease or the functional equivalent, the Services to a third party (unless expressly authorized in this Agreement); (b) attempt to reverse engineer the Services or any component; (c) attempt to create a substitute or similar service through use of, or access to, the Services; (d) use the Services for High Risk Activities; or (e) use the Services to store or transfer any Customer Data that is controlled for export under Export Control Laws. Customer is solely responsible for any applicable compliance with HIPAA.
Hi Hina -- that's 100% true! Google isn't going to indemnify you against all of the things you might do to compromise HIPAA, like email diagnoses to the wrong person, have your email password compromised, or have your laptop stolen. That's on you, not them. All they'll do is make sure their email service is secure against attackers. HIPAA compliance is 100% your responsibility. Hope that helps, might be good to contact an attorney if you have questions about where your liability starts and ends.
how do we buy the paid version so our email can become secured?
Hi Aminah - great question! We can help you set it up.
How do I obtain a Google BAA for Gmail, video chatting, etc.?
Hi Rebecca - here's the link! https://support.google.com/a/answer/3407074
How can we be sure Google is not data mining diagnosis and patient info? Is there any guarantee beyond their promise not to mine that data? This is a curiosity question. I am a systems admin and will be helping put together an office for a local physician.
Hi Steve - that's a great question. I'm going to answer from the perspective of Google Workspace (their paid, HIPAA compliant product), not free Gmail (which is never HIPAA compliant).
Also, responding as a cybersecurity expert, #notalawyer.
Firms like Google can't just say "hey, we're HIPAA compliant." By accepting responsibility to house so much data, they know that their reputation could be seriously damaged if they had a breach that was their fault.
As a result, Google hires independent security auditors to regularly come in and confirm that they're doing everything that they say they're doing to keep data safe. You can read more about it on this page (https://gsuite.google.com/security/), under “COMPLIANCE, EDISCOVERY & ANALYTICS”.
You might be particularly interested in their SOC3 report, which you can download in the section referenced above. Google hired audit firm EY to audit their security, and without going into specifics, they clearly say "Strong authentication and access controls are implemented to restrict administrative access to Google Workspace, Other Google Services and Supporting Services System production systems, internal support tools, and customer data."
So the short answer -- you don't have to just take their word for it. If Google were getting access to your data, they'd have to be tricking not just their own internal security team, but also the independent auditors who regularly come in to review their practices.