
How to Make Gmail HIPAA Compliant



Google’s email, calendar, and productivity tools (recently renamed to “G Suite”) are absolutely fantastic.  They’re easy to use and very affordable.

G Suite is also highly secure, but there are very specific things that you need to do to make G Suite / Gmail HIPAA-compliant.  Here are some big ones…

Disclaimer: we are not lawyers.  You should seek your own legal advice in interpreting regulations like HIPAA.  We are sharing lessons that we’ve learned from our work with other practices for informational purposes only.

1) Become a Google Customer

Unfortunately, only the paid version of Gmail can be used for handling PHI, and only if it’s set up the right way.  Why?  Here are a few reasons:

  • Google will only sign a HIPAA BAA with paid customers
  • Google’s computers scan emails for advertising
  • Google’s employees can (though usually don’t) see your emails
  • A patient might notice you’re using insecure email and complain

Here’s what Google says in their HIPAA implementation guide:

[Screenshot: excerpt from Google's G Suite HIPAA implementation guide]

If you are absolutely, completely, 100% certain that you will never have PHI anywhere in Google (not in Gmail, not in Google Drive, not in video conference, or any other service), then you shouldn’t have any issues continuing to use your free @gmail.com account.

However, it’s very easy to make a mistake when you’re busy and dealing with patients and insurance companies.  There is also a chance that a vexed customer will file a complaint if they’re worried about your use of insecure email.  Read on for other options.

2) Sign a HIPAA Business Associate Agreement

Once you’re a customer, Google has a very simple process for executing a HIPAA BAA.  You can do it right online, with no forms to fill out.  It’d be nice if every vendor made it this simple!

[Screenshot: accepting the HIPAA BAA in the G Suite admin console]

Here’s an article that explains how to do it: https://support.google.com/a/answer/3407074

3) Get Patient Consent

Patient consent is highly recommended.  If you’re in a healthcare practice, get written consent from your patients before you communicate with them via email or text messages.  It’ll save you a world of pain down the line if you get a complaint.

Here’s a great article that explains how and why.

4) Use your email signature

Add an automatic email signature that reminds people that email is insecure, and to delete email not meant for them.

Here are some great examples that you can edit.

[Image: sample email signature disclaimer]

Once you sign up for Gmail, they have a feature where your administrator can add a signature automatically to all outbound emails.  It’s called “Appending a Footer.” Here’s an article that describes how to do this:
https://support.google.com/a/answer/2364576?hl=en

[Screenshot: the "Append footer" setting in the G Suite admin console]

5) Carefully plan how you will use PHI in email

One option is to never have PHI anywhere in Google at all (not in Gmail, not in Google Drive, not in video conference, or any other service).  If you are absolutely, completely, 100% certain of that, you can keep using your free @gmail.com account.

This means you will never send an email that could tie a patient to healthcare data (like insurance numbers, social security numbers, etc.) or medical info (like diagnoses, lab results, prescriptions, etc.).

If you do want to email patients, insurance companies, and other providers (or if you just don’t want to have to worry about it), you have options.

We recommend an excellent secure email service to our clients.  It also provides advanced security for both inbound and outbound emails.

While we were researching secure email, we also wrote an article about this called “HIPAA Compliant Email: 7 of the Best Ways to Email PHI.” We tested seven different services, ranging from free to premium, to figure out which ones worked best.

6) Warn your patients about insecure email

Here’s a way you can email with patients using a free account, but it will take time and a lot of attention.

In fact, even if you use secure email (ours or a service from another provider), it’s a good idea to do this anyway.

Check out this sentence from the Dept. of Health and Human Services site:

[Screenshot: excerpt from the HHS site]

The way many practices interpret this is that it is OK to communicate with patients via insecure email IF you know that the patients understand the risk.  Some practices have patients sign an insecure email consent form (like the example here) to get their permission to communicate via unsecured email.

[Image: example insecure email consent form]

There are a couple of downsides of this approach.  First, you’re going to need an ironclad way to make sure you don’t accidentally email with a patient who hasn’t signed this form.  It’s a bit of a hassle.  Second, this wouldn’t apply to your emails with insurance companies, partners, or other medical providers.

7) Secure connection between Gmail and your computer

If you access Gmail in your browser (using Chrome, Internet Explorer, Safari, Firefox, etc.), then you already have this covered.  A secure connection is always on by default.

If you’re curious, here’s how you can tell.  Look for the green lock and the “https.”

[Screenshot: the lock icon and "https" in the browser address bar]

However, lots of people use other programs to check their email.  For example, you might be using:

  • Apple Mail
  • Microsoft Outlook
  • Mozilla Thunderbird
  • Windows Mail
  • Your iPhone or Android phone
  • Your iPad or Android tablet

You need to make sure that the connection between Gmail and every single device you own is secure.

This isn’t hard to do, but you need to carefully follow instructions.  Try searching for “how to set up secure Gmail on <your mail program>” for instructions.

For our clients, we’ll help make sure it’s set up the right way.  Even if you already have G Suite, we’ll thoroughly check it over and make sure everything is set up properly.

8) Train Your Staff

If you have any employees (even one), you need to have a clear policy and train them on your expectations of using email and SMS.

Specifically, train them thoroughly on how to identify PHI, and your expectations of how they should handle PHI in email and SMS.

You should also train them on how to identify and handle:

  • Emails with viruses
  • Emails with tricky links
  • Emails with unusual attachments
  • Emails from people they don’t recognize

More on these coming up.

9) Phishing and Hackers

Ultimately, HIPAA is about keeping medical data from being stolen.

These days, you need to be worried about getting hacked.  Hackers are going after small businesses, and medical records are highly valuable on the black market.


Hackers are using phishing messages (fake emails) to try to trick you.  How?

Gmail does a pretty good job here.  In fact, it’s definitely the best free service that we’ve found (and it’s what we use for our personal email accounts).

Google's phishing protection is the same for free accounts and for paid G Suite customers; paying doesn't buy you anything extra here.

Honestly, that’s not enough.

Our service includes an additional layer of security to all of our clients. We layer on advanced email antivirus, to protect computers against ransomware, viruses, and phishing.

10) Train your staff about phishing

No matter how good your email scanner is, highly targeted attacks can still get through.  That’s why it’s super important to train your staff about phishing.

Here are three completely free websites that can both teach users how to spot a phishing attack AND test whether they would get fooled or not:

Most companies we meet have good intentions, but quickly get too busy and forget to do these phishing trainings.  That’s why we put it on autopilot as part of our service and send every user a fun monthly video and quiz to teach them about phishing and cyber security.

11) Make sure every computer and device is secure

To be HIPAA compliant, it’s not enough to just worry about email.  Every computer, mobile phone, and tablet you use must also be secure.

Making you “fully secure” is a complex topic, definitely outside the scope of this short checklist.

However, to get you started, we’ve put together a couple of guides that you might find helpful.

If you’re a Mac user:

Here are 5 tips to get you started.

Here’s a great review of antivirus programs for Mac users (yes, Mac users need antivirus too).

If you’re a Windows user

We also wrote an article “5 Free Cyber Security Tips for Windows Users.”

Antivirus MUST be installed on every computer that receives emails.  Here’s a review of Windows antivirus programs.

12) Make sure your Gmail password is completely unique

According to the Identity Theft Resource Center, almost 900 million records have been involved in security breaches.  That’s almost three times the population of the US.

Popular breach-tracking site HaveIBeenPwned has a list of 3.8 billion usernames and passwords that have been breached.  And those are only the ones we know about.

Hackers know that most people reuse the same password over and over.  When they get a password, the first thing they do is to go to other sites and try the username and password to see if they can get in.

If someone gets ahold of your email, they own you.

They can send emails to patients on your behalf.

They can reset the password on your EMR system.

They can email your bank.

Make sure your email password is completely unique.

Here’s a fun trick (the “correct horse battery staple” method) for making up strong passwords that are easy to remember: https://xkcd.com/936/

If you find passwords confusing, do what we do — use a password manager like Dashlane or LastPass to manage your passwords.

Then you only need to remember one password, ever.
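As an added example (not from the original article), here is how the xkcd passphrase method and a breach check like HaveIBeenPwned's work in code. The word list, the range response and the breach count are constructed stand-ins; the Pwned Passwords range API shape (a 5-character SHA-1 prefix sent, "SUFFIX:COUNT" lines returned) is the real one, but the block runs offline and never contacts it.

```python
import hashlib
import math
import secrets

# Constructed mini word list. A real generator uses a list of thousands of
# words (for example the EFF Diceware list); 16 words is only for the demo.
WORD_LIST = [
    "correct", "horse", "battery", "staple", "orbit", "velvet", "cactus",
    "lantern", "meadow", "pixel", "quartz", "ribbon", "saddle", "tundra",
    "walnut", "yonder",
]

# Constructed stand-in for the range API response for prefix 5BAA6 (the
# prefix of SHA-1("password")); counts and other suffixes are made up.
SAMPLE_RANGE_RESPONSE = """\
00A1B2C3D4E5F60718293A4B5C6D7E8F9A0:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
FFEEDDCCBBAA99887766554433221100FFE:7
"""


def make_passphrase(words=4, word_list=WORD_LIST, separator="-"):
    """Pick `words` random words with the CSPRNG in `secrets` (the xkcd 936 method)."""
    return separator.join(secrets.choice(word_list) for _ in range(words))


def passphrase_entropy_bits(words, list_size):
    """Entropy of a passphrase drawn uniformly from list_size ** words possibilities."""
    return words * math.log2(list_size)


def hibp_range_query(password):
    """Split the uppercase SHA-1 hex digest into (5-char prefix, 35-char suffix).

    Only the prefix is sent to https://api.pwnedpasswords.com/range/<prefix>;
    the suffix, and therefore the password, never leaves the machine.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password, range_response):
    """Match the local suffix against a range response of 'SUFFIX:COUNT' lines.

    Returns how many times the password appeared in known breaches, 0 if never.
    """
    _, suffix = hibp_range_query(password)
    for line in range_response.splitlines():
        line = line.strip()
        if not line:
            continue
        found_suffix, _, count = line.partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    phrase = make_passphrase()
    print(phrase, "entropy bits:", passphrase_entropy_bits(4, len(WORD_LIST)))
    print("'password' seen in breaches:", breach_count("password", SAMPLE_RANGE_RESPONSE))
```

Four words from a 7776-word Diceware list give about 51.7 bits, which is why the method works with a large list and a secure random source; four words from this toy list give only 16 bits.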

13) ALWAYS use two-factor authentication for your email

You know those codes that get sent to your phone when you try to log on to some sites?

That’s called “two factor authentication,” and it’s incredibly important to keep your data safe and your company HIPAA compliant.

Gmail makes it super easy to turn on and use, and it's available to everyone.

All you have to do is follow these instructions: https://support.google.com/accounts/answer/185839?hl=en

It’s critical to turn this on (go do it now!).  Even if a hacker steals your password, they won’t be able to get to your email or your PHI unless they steal your phone too.

14) Configure enterprise sender identity management

Fair warning — this one is important, but fairly technical.

It is super easy to send an email and make it look like it came from someone else.

Don’t believe me?  Try it yourself: http://deadfake.com/Send.aspx

If it’s this easy for you and me, a hacker can make it appear like an email is coming from anyone.

Even from someone inside your company.

That’s actually how “whaling” attacks happen — they send emails that appear to come from your CEO.  Businesses have lost $5.2 billion to this kind of attack.

There are a few different technologies to ensure that hackers can’t “spoof” your email address.  The three main technologies are called SPF, DKIM, and DMARC. Here are articles on how they work:
(a) DKIM support, (b) SPF Records, and (c) DMARC support
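As an added example (not from the article or the linked guides), here is a small checker that parses a DMARC record and evaluates an SPF record against a sending IP address, then lists the weaknesses a practice would want to fix. It supports only the ip4/ip6 mechanisms and the "all" terminator, because include:, a, mx and redirect= need DNS lookups; all records and addresses below are constructed using documentation ranges.

```python
import ipaddress


def parse_tag_value(record):
    """Parse 'k=v; k2=v2' text; DMARC TXT records and DKIM-Signature headers share this shape."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip()] = value.strip()
    return tags


def dmarc_policy(record):
    """Return (policy, percentage) from a DMARC record, or None if it isn't one."""
    tags = parse_tag_value(record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags["p"], int(tags.get("pct", "100"))


def spf_check(record, sender_ip):
    """Minimal SPF evaluation: ip4/ip6 mechanisms with qualifiers, and the 'all' terminator.

    Mechanisms that need DNS (include:, a, mx, exists:, redirect=) are reported
    as 'unsupported'; a full evaluator such as the pyspf library handles them.
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in qualifiers:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return qualifiers[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                # Address/network version mismatch simply doesn't match.
                if ip in ipaddress.ip_network(arg, strict=False):
                    return qualifiers[qualifier]
            except ValueError:
                return "permerror"
            continue
        return "unsupported"
    return "neutral"  # no 'all' term: the RFC 7208 default result


def domain_findings(spf_record, dmarc_record):
    """Summarize the settings that leave a domain open to spoofing."""
    findings = []
    if not spf_record or not spf_record.lower().startswith("v=spf1"):
        findings.append("no SPF record")
    elif spf_record.split()[-1].lower() in ("+all", "all"):
        findings.append("SPF ends in +all: any host may send as this domain")
    policy = dmarc_policy(dmarc_record) if dmarc_record else None
    if policy is None:
        findings.append("no DMARC record")
    elif policy[0] == "none":
        findings.append("DMARC p=none: spoofed mail is reported but still delivered")
    return findings


if __name__ == "__main__":
    # Constructed records for a fictional domain, using documentation IP ranges.
    spf = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"
    dmarc = "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.com"
    print("mail from 192.0.2.10:", spf_check(spf, "192.0.2.10"))
    print("mail from 198.51.100.7:", spf_check(spf, "198.51.100.7"))
    print("DMARC policy:", dmarc_policy(dmarc))
    print("findings:", domain_findings("v=spf1 +all", "v=DMARC1; p=none"))
```

A receiving server that sees "fail" from SPF and a DMARC policy of reject is what actually stops the spoofed "CEO" email; a record that ends in +all or a DMARC policy of none lets it through.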

15) Limit file sharing permissions

You can use Google Drive (the document system that comes with G Suite) to store and edit files that contain PHI.  However, you are still very much responsible for making sure that nobody accesses PHI that isn’t needed for their job.

The other thing you need to manage is to make sure that your users don’t accidentally share PHI with the public.

The stakes are very high.  Here’s a practice that was fined $218,000 because they messed this up:

[Screenshot: report of the $218,000 fine]

This is the area where we most commonly see companies making big mistakes when we first help them get set up.

We recommend that you set pretty stringent file sharing permissions.  Google makes this very easy.  Here are instructions:
https://support.google.com/a/answer/60781

16) Monitor user activity

It’s incredibly important to monitor the usage of your Gmail system to watch for any indicators of hacking or breaches.

Thankfully, Google offers some incredibly robust capabilities for this.  The most helpful reports that they offer are:

  • External Link Shared Files – any files that are publicly accessible
  • External Apps – any externally linked apps, which can pose a risk
  • Verification in 2 Step Enrollment – making sure users are on 2FA
  • Full email audit log – a full audit log of all emails sent

If you’re a paid Gmail user, log in at least once a month and check these reports for weird or unusual behavior.
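Sections 15 and 16 both come down to finding files that are shared outside your organization. As an added example that is neither Google's code nor the article's, here is an audit over a constructed sample shaped like the Drive API v3 files.list response (id, name, and a permissions list with type, role, emailAddress, domain and allowFileDiscovery); a real run would fetch that list through the API, which this block assumes but does not do.

```python
# Constructed sample, shaped like Drive API v3 file resources returned by
# files.list(fields="files(id,name,permissions)"). Names and addresses are made up.
SAMPLE_FILES = [
    {"id": "f1", "name": "intake-form-template.docx",
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "frontdesk@example-clinic.com"}]},
    {"id": "f2", "name": "lab-results-2018-11.xlsx",
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "np@example-clinic.com"},
         {"type": "anyone", "role": "reader", "allowFileDiscovery": False}]},
    {"id": "f3", "name": "billing-codes.xlsx",
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "billing@example-clinic.com"},
         {"type": "user", "role": "writer", "emailAddress": "cousin@gmail.com"}]},
    {"id": "f4", "name": "staff-handbook.pdf",
     "permissions": [
         {"type": "domain", "role": "reader", "domain": "example-clinic.com"}]},
]

ORG_DOMAIN = "example-clinic.com"  # assumed primary G Suite domain


def classify_permission(perm, org_domain):
    """Map one permission to an exposure class relative to the organization's domain."""
    ptype = perm.get("type")
    if ptype == "anyone":
        # allowFileDiscovery=True means the file is findable in search, not just by link.
        return "public" if perm.get("allowFileDiscovery") else "anyone-with-link"
    if ptype == "domain":
        return "internal" if perm.get("domain") == org_domain else "external-domain"
    if ptype in ("user", "group"):
        email = perm.get("emailAddress", "").lower()
        return "internal" if email.endswith("@" + org_domain) else "external"
    return "unknown"


def audit_sharing(files, org_domain):
    """Return one finding per permission that grants access outside the organization."""
    findings = []
    for f in files:
        for perm in f.get("permissions", []):
            exposure = classify_permission(perm, org_domain)
            if exposure == "internal":
                continue
            findings.append({
                "file": f["name"],
                "exposure": exposure,
                "role": perm.get("role"),
                "who": perm.get("emailAddress") or perm.get("domain") or "anyone",
            })
    return findings


if __name__ == "__main__":
    for finding in audit_sharing(SAMPLE_FILES, ORG_DOMAIN):
        print(f"{finding['file']}: {finding['exposure']} ({finding['role']}) -> {finding['who']}")
```

Run monthly, this gives the same answer as the External Link Shared Files report, plus the external individual accounts (the cousin@gmail.com case) that a "publicly accessible" report alone would not show.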

17) Finally, RTFM

“RTFM” is a highly technical term that means “Read the Freaking Manual.”  Your choice of gerund may vary.  

These 17 tips should be enough to get you started, but there’s way more to making Gmail and G Suite HIPAA compliant than what we’ve reviewed here.

Thankfully, Google has put together a site to help paying customers fully and completely use Gmail and G Suite in a HIPAA-compliant fashion.

It’s called “HIPAA Compliance & Data Protection with G Suite.”

[Screenshot: the "HIPAA Compliance & Data Protection with G Suite" page]

Specifically, you want to click on the link that says “G Suite HIPAA Implementation Guide.”

That will bring you to a 19-page PDF (pictured at right) that is chock full of things you need to do to make G Suite HIPAA compliant.

If you’re good with computers and have 4-8 hours to spend reviewing all of your G Suite and Gmail settings, then you can totally tackle it on your own.

If you want help, we can help you.

What should you do next?

  1. Get our free “17-Step Guide on Gmail and HIPAA Compliance” to learn more about keeping your email safe.
  2. Know someone who might like this article?  Share it!
  3. Have questions or something to add?  Let us know in the comments below!
Published December 20th, 2018 (last updated 2019-01-08) | Categories: Cloud Cyber Security, HIPAA
