Is Gmail or Yahoo email HIPAA compliant? What do you think? This is about the free email account, not the paid version of Google Workspace.

Stay Compliant: Exclusively for CEOs of Healthcare Practices in San Antonio & Helotes

What is HIPAA compliant email?

Before we address the particular case of Gmail, it’s first essential to recognize what HIPAA compliant email is.

In essence, the Health Insurance Portability and Accountability Act (HIPAA) establishes the standard for safeguarding sensitive patient data.

More specifically, the HIPAA Privacy Rule is a crucial component to be familiar with.

For the first time, this rule created a set of national standards for safeguarding certain health information, including protecting patient data when it’s transmitted in email.

This is why a standard approach to outgoing HIPAA email security is to implement end-to-end encryption on all emails sent with protected health information (PHI).

Unfortunately, email was initially designed to connect people without security in mind.

As a result, the email protocols prioritize delivery over security: even if a message leaves your system encrypted, it can still be relayed and arrive at its destination in cleartext.

Email is essentially an open book that is certainly not ideal for companies and individuals working with regulations like HIPAA.
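As an added illustration of the point above (this is example code, not part of the original post): a Python check that walks a message's Received headers from the oldest hop to the newest and flags every relay that accepted the message without a TLS annotation. The sample message, host names and addresses are constructed for the example.

```python
import re
from email import message_from_string

# Constructed sample message: three hops, the middle one relayed without TLS.
# The annotations mimic common Postfix/Exim "Received:" styles.
RAW_MESSAGE = """Received: from mx.clinic.example (mx.clinic.example [192.0.2.10])
\tby inbox.example.net with ESMTPS id abc123
\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384);
\tMon, 1 Jan 2024 10:00:03 +0000
Received: from relay.thirdparty.example (relay.thirdparty.example [198.51.100.7])
\tby mx.clinic.example with ESMTP id def456;
\tMon, 1 Jan 2024 10:00:02 +0000
Received: from workstation.clinic.example ([203.0.113.5])
\tby relay.thirdparty.example with ESMTPSA id ghi789
\t(version=TLS1_2 cipher=ECDHE-RSA-AES256-GCM-SHA384);
\tMon, 1 Jan 2024 10:00:01 +0000
From: doctor@clinic.example
To: patient@example.net
Subject: Appointment

Body text.
"""

# Markers that receiving MTAs commonly write when the hop used TLS.
TLS_MARKERS = re.compile(r"\b(ESMTPSA?|using TLSv[\d.]+|version=TLS[\w.]+)\b")


def audit_hops(raw_message: str) -> list:
    """Return one record per Received hop, oldest first, with a 'tls' flag.

    Each relay prepends its own Received header, so the topmost header is the
    newest; the list is reversed to follow the path from sender to recipient.
    Received headers are written by the receiving servers and are only as
    trustworthy as those servers, so this is an audit aid, not proof.
    """
    msg = message_from_string(raw_message)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        flat = " ".join(header.split())  # unfold continuation lines
        m = re.match(r"from (\S+).*? by (\S+)", flat)
        hops.append({
            "from": m.group(1) if m else "?",
            "by": m.group(2) if m else "?",
            "tls": bool(TLS_MARKERS.search(flat)),
        })
    return hops


def cleartext_hops(raw_message: str) -> list:
    """Names of relays that accepted the message with no TLS annotation."""
    return [h["by"] for h in audit_hops(raw_message) if not h["tls"]]
```

Running `cleartext_hops(RAW_MESSAGE)` on the sample reports the one relay that accepted the message in cleartext, which is exactly the gap end-to-end encryption of the message body closes.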


Automated processing by Gmail breaks HIPAA compliance.

Another reason providers are wary of using free Gmail is the little-known practice of automated processing.

Google has admitted in court documents that Gmail users’ emails are “subject to automated processing.” In other words, Google scans Gmail accounts, looks for keywords, and then uses those keywords to target advertisements at you and your contacts.

How would your patients feel if they realized your Gmail account is exposing their health data to Google?

The good news is that Google has finally decided to stop this process, though there’s still no date set for when the change will occur.

Even Google Workspace email needs to be configured to be HIPAA compliant.

If you pay for Google Workspace (formerly known as G Suite) and obtain a BAA, your email is still not compliant on its own. You must ensure that your emails are encrypted. Google only encrypts emails at rest, not in transit. To send PHI via Gmail-powered Google Workspace, you will need to pay for an end-to-end email encryption service.

Many encryption services are compatible with Gmail. For example, you can use Google Apps Message Encryption (GAME) or a third-party email encryption solution such as those offered by Identillect, LuxSci, Paubox, RMail, Virtru, or Zix.

So is Gmail HIPAA compliant?

Google does not sign a business associate agreement with free Gmail users.

Therefore, Gmail is not a HIPAA-compliant solution.

To make matters worse, Google also scans emails stored in Gmail accounts for advertising purposes.

Is Yahoo! HIPAA compliant?
