Stay Compliant: Exclusively for Healthcare Practice CEOs in San Antonio & Helotes

Is Gmail or Yahoo email HIPAA Compliant?
What do you think?
This is about the free Gmail account, not the paid version of Google Workspace.

What is HIPAA compliant email?

Before we address the particular case of Gmail, it is essential to understand what HIPAA compliant email is.

In essence, the Health Insurance Portability and Accountability Act (HIPAA) establishes the standard for safeguarding sensitive patient data.

More specifically, two components of HIPAA matter here: the Privacy Rule and the Security Rule.

The Privacy Rule created, for the first time, a set of national standards for safeguarding protected health information in any form. The Security Rule adds specific safeguards for electronic PHI, including a transmission security standard that applies whenever patient data is sent over a network, and email is exactly that kind of transmission.

This is why the standard approach to outgoing HIPAA email security is end-to-end encryption of every message that contains protected health information (PHI).

Unfortunately, email was designed to connect people, not to protect what they send; security was bolted on later.

Delivery still takes priority over security. Transport encryption between mail servers (STARTTLS) is opportunistic: if the receiving server does not offer it, the sending server typically falls back to plaintext. That is why a message that left your server over an encrypted connection can still cross the Internet and arrive in cleartext.

Email is essentially an open book, which is not acceptable for organizations bound by regulations like HIPAA.
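The only evidence a recipient has of whether each server-to-server hop was encrypted is the Received: trail in the message headers: RFC 3848 registers the "with ESMTPS" / "ESMTPSA" keywords for hops protected by STARTTLS, while "SMTP" / "ESMTP" / "ESMTPA" mean the hop was cleartext. The check below is an added example written for this page, not code from the original article or from Google; the message it inspects is constructed sample data with reserved example hostnames and addresses. It also covers the Google Workspace discussion further down, since the same header check shows where Google's opportunistic TLS stopped protecting a message.

```python
"""Flag SMTP hops in a message's Received: trail that were not TLS-protected.

Added example for this page (not the article's or Google's code). The sample
message below is constructed; all hosts and addresses are documentation
examples, not real systems.
"""
import email
import re

# "with" keywords that indicate a STARTTLS-protected hop (RFC 3848; Google
# also emits "with SMTPS" for some hops). Anything else is treated as cleartext.
TLS_PROTOCOLS = {"SMTPS", "ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)")
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)")


def parse_received(value):
    """Return (from_host, by_host, protocol) for one Received: header value.

    Folded continuation lines are collapsed first; fields that are absent
    (e.g. a hop with no "from" clause) come back as None.
    """
    flat = " ".join(value.split())
    from_m = FROM_RE.match(flat)
    by_m = BY_RE.search(flat)
    with_m = WITH_RE.search(flat)
    return (
        from_m.group(1) if from_m else None,
        by_m.group(1) if by_m else None,
        with_m.group(1).upper() if with_m else None,
    )


def cleartext_hops(raw_message):
    """List (from_host, by_host, protocol) for every hop not protected by TLS.

    Received: headers are prepended by each relay, so the first header in the
    message is the most recent hop and the last one is closest to the sender.
    """
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        frm, by, proto = parse_received(value)
        if proto not in TLS_PROTOCOLS:
            hops.append((frm, by, proto))
    return hops


# Constructed sample: three hops, the middle one (partner relay -> clinic MX)
# fell back to plain ESMTP, so PHI in the body crossed that link in cleartext.
SAMPLE_MESSAGE = """\
Received: from mx.clinic.example (mx.clinic.example. [203.0.113.10])
        by mx.recipient.example with ESMTPS id abc123
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);
        Mon, 01 Jan 2024 09:00:00 -0600
Received: from relay.partner.example (relay.partner.example [198.51.100.5])
        by mx.clinic.example with ESMTP id def456;
        Mon, 01 Jan 2024 08:59:58 -0600
Received: from workstation.clinic.internal ([192.0.2.7])
        by relay.partner.example with ESMTPSA id ghi789;
        Mon, 01 Jan 2024 08:59:55 -0600
From: frontdesk@clinic.example
To: patient@recipient.example
Subject: Appointment reminder

Your appointment is confirmed.
"""

if __name__ == "__main__":
    for frm, by, proto in cleartext_hops(SAMPLE_MESSAGE):
        print(f"cleartext hop: {frm} -> {by} (with {proto})")
```

Run against a real message by pasting its full source (with headers) in place of the sample. A clean result only proves transport encryption on each hop; it says nothing about who can read the message once it is stored at the receiving provider, which is why the article's recommendation is end-to-end encryption rather than relying on TLS.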


What makes an email compliant?

In most cases, making an email service HIPAA compliant means ensuring that the message is encrypted from inbox to inbox and is never delivered in cleartext. Unencrypted email is both a security risk and an invitation to HIPAA fines for healthcare providers.

For Gmail to be HIPAA compliant, Google would have to ensure that the platform meets the minimum safeguards laid down in the HIPAA Security Rule. A covered entity would also need to enter into a business associate agreement (BAA) with Google covering Gmail, because Google would be a business associate under HIPAA. Encryption is an "addressable" rather than "required" specification in the Security Rule: a covered entity must either implement it or document why an equivalent alternative is reasonable. For PHI sent outside the organization's own network, beyond the protection of its firewall, there is no realistic alternative, so emails containing PHI that are sent externally need to be secured with end-to-end encryption.


Automated processing by Gmail breaks HIPAA compliance.

Another reason providers are wary of free Gmail is the little-known practice of automated processing.

Google has acknowledged in court documents that Gmail users' emails are "subject to automated processing." In other words, Google scans Gmail accounts for keywords and then uses those keywords to target advertisements at you and your contacts.

How would your patients feel if they realized your Gmail account is exposing their health data to Google?

The good news is that Google has finally decided to stop this practice, though there is still no date set for when the change will take effect.

Even Google Workspace email needs to be configured to be HIPAA compliant.

If you pay for Google Workspace (formerly known as G Suite) and obtain a BAA, your email is still not automatically compliant. You must ensure that your emails are encrypted. Google encrypts stored mail at rest and uses TLS for mail in transit, but that transport encryption is opportunistic and only protects the connection between mail servers; once a message reaches a recipient's mail system it is outside your control, and nothing about it is end-to-end. To send PHI via Gmail-powered Google Workspace, you will need to pay for an end-to-end email encryption service.

Many encryption services are compatible with Gmail. For example, you can use Google Apps Message Encryption (GAME) or a third-party email encryption solution such as those offered by Identillect, LuxSci, Paubox, RMail, Virtru, or Zix.


So is Gmail HIPAA compliant?

Google does not sign a business associate agreement with free Gmail users.
Therefore, Gmail is not a HIPAA-compliant solution.
To make matters worse, Google also scans emails stored in Gmail accounts for advertising purposes.



Is Yahoo! HIPAA compliant?

As you may have guessed by now, Yahoo is not HIPAA compliant. Its encryption technology is inadequate and poorly documented, and Yahoo does not offer to sign Business Associate Agreements. In conclusion, if you are a covered entity bound by HIPAA, you should stay away from Yahoo! Small Business for email.


Limited-Time Offer Exclusively For San Antonio & Helotes Businesses
Get a FREE HIPAA Compliance Assessment


Important! We hate spam as much as (or more than!) you do and promise to NEVER rent, share, or abuse your e-mail address and contact information in any way.

What Our Customers Are Saying

Dr. Nathan Ortiz, Audiologist

0IT.US makes sure our servers are always safe and provides services with honesty and best IT practices. 0IT.US will make sure you do not get a generic one-size-fits-all "IT package"; they take the time to know your business and the technology you need. The team is always honest and will never try to sell you unnecessary services. You will not regret it. 0IT.US will go the extra mile to make sure you and your business are taken care of. Pablo will cater to you by providing the best customer service.