Most industries rely on email to communicate, whether that is for status updates, meeting requests, or general information. The healthcare industry is no exception. Doctors, nurses, and specialists have to speak to one another about patient care just as regularly as the rest of us have to schedule that critical brunch meeting. What you might not have considered is that healthcare professionals must take an extra level of care to keep your private information safe.

Email within the healthcare industry must be HIPAA compliant, including any cloud storage it relies on, especially when patient-related issues are discussed. With over 281 billion e-mails sent worldwide every day, maintaining HIPAA compliance is vital for any organization in the medical industry.

As the largest email provider in the world, Google’s free service, Gmail, is available to everyone. But can it be used to maintain HIPAA compliance?

Let’s look at how e-mail works with Gmail, what HIPAA compliance requires, and whether Gmail can function as a modern and efficient system for managing healthcare correspondence.


HIPAA Compliant Email Defined

Being HIPAA compliant comes back to People, Process, and Technology. “People” need appropriate training to protect and handle Protected Health Information. “Processes” need to be supportive and simple to use, so people don’t circumvent them for more convenient alternatives. Finally, “Technology” should provide a platform that supports all of the above using current, auditable tools. In other words, you need to be able to capture usage logs, history, and so on into a long-term archive. We break it all down in our HIPAA Compliance Checklist.

Before determining whether an email service is HIPAA compliant or not, you should have a basic understanding of what HIPAA compliance in e-mail is. The Health Insurance Portability and Accountability Act (HIPAA) exists to protect the sensitive personal data of patients. HIPAA laws regulate how insurers and healthcare providers may use and disclose patients’ Protected Health Information (PHI).

In theory, this means that if you follow all HIPAA standards and procedures, e-mail can, in fact, be HIPAA compliant.

One of those standards is a robust level of encryption. The goal is to guarantee that communication between the provider and the patient is limited to those two parties and no one else. Therefore, even an encrypted email that is accessible to someone else (for example, a family member) who should not have seen it is, in principle, a HIPAA violation. Encryption turns the email text into a form that cannot be read without decrypting it, which happens on the end user’s side when the email is opened and the user’s password is entered.

Gmail Itself is Not HIPAA Compliant

It’s easy enough to get a Gmail account. With over a billion active users, Gmail is clearly the most widely used e-mail service in the world. Herein lies the issue: this type of personal email account is not compliant.

What makes email HIPAA compliant?

To be compliant, an email provider must sign a Business Associate Agreement (BAA). A BAA is a contract between the healthcare provider and anyone they do business with that will have access to protected health information.

Email, or more specifically an email server, is a perfect example of a third party that would have the opportunity to access patient information. Therefore, any email provider that wants to serve a healthcare institution must be willing to sign a BAA.

The issue with using an out-of-the-box Gmail account that you or I can sign up for is that Google is unable to sign a Business Associate Agreement (BAA) for it. Without a BAA, you’re not HIPAA compliant.


Introducing G Suite for Business Users

Fortunately, Google offers additional services to businesses. G Suite is a collection of the most-used Google apps for business, including Gmail, Google Drive, and Google Calendar, packaged for enterprises. G Suite is a paid service and must be associated with a domain that the user owns.

Although G Suite gives users access to Gmail, the most significant difference lies in Google’s ability to sign a BAA. This means that healthcare providers who wish to use Gmail as an email service for their company can purchase G Suite, link it to their company’s domain, and thereby handle the technology component of the People, Process, and Technology triad.

But not so fast: this alone does not create a HIPAA compliant solution. There’s more to do after a BAA is signed to ensure that all patient data shared over email is protected. Encryption is a critical component of ensuring that patient information is safe while being transmitted via email.

Think of it in terms of achieving two goals:

    1. Validate that you are only communicating with the intended party. This falls under the Privacy component. By using a public key infrastructure (PKI) and encrypting the email with the patient’s public key, you increase the level of confidence in the “privacy” of the communication.
    2. Confirm that the transmission cannot be intercepted. This component falls under Confidentiality, and this is where encryption plays its role. Because the communication is encrypted with the patient’s public key, only the patient can decode the message, using their private key.
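The two goals above describe the public-key model behind S/MIME- and PGP-style message encryption. The Go program below is an added example written for this page, not code from Google or from any encryption vendor. It assumes a hybrid design (a fresh AES-256-GCM key for the message body, wrapped with RSA-OAEP under the patient’s public key), which is how “encrypt with the recipient’s public key” is implemented in practice, since RSA alone cannot encrypt a message of arbitrary length. The key pairs and the lab-result text are generated or constructed inline; the "housemate" key stands in for the shared-mailbox case the article raises.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what travels over email: the body encrypted with a one-time
// AES key, and that AES key wrapped with the recipient's RSA public key.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP(recipient public key, aesKey)
	Nonce      []byte // AES-GCM nonce, unique per message
	Ciphertext []byte // AES-GCM(aesKey, plaintext), authentication tag included
}

// EncryptForRecipient seals plaintext so that only the holder of the private
// key matching pub can read it (assumed hybrid RSA-OAEP + AES-GCM design).
func EncryptForRecipient(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	aesKey := make([]byte, 32) // AES-256
	if _, err := rand.Read(aesKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, aesKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
	}, nil
}

// DecryptWithPrivateKey reverses EncryptForRecipient. With any key other than
// the one the envelope was addressed to, OAEP unwrapping fails, and even a
// guessed AES key would fail the GCM authentication tag.
func DecryptWithPrivateKey(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	aesKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("envelope is not addressed to this private key")
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// RoundTrip models the scenario in the text: the clinic encrypts a result for
// the patient; the patient's key opens it, a housemate's key on the same
// shared mailbox does not. It returns (patientCanRead, housemateBlocked).
func RoundTrip() (bool, bool, error) {
	patient, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	housemate, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	// Constructed sample text, not real PHI.
	msg := []byte("Lab result for appointment 2018-01-01: constructed sample")

	env, err := EncryptForRecipient(&patient.PublicKey, msg)
	if err != nil {
		return false, false, err
	}
	got, err := DecryptWithPrivateKey(patient, env)
	patientCanRead := err == nil && string(got) == string(msg)
	_, err = DecryptWithPrivateKey(housemate, env)
	housemateBlocked := err != nil
	return patientCanRead, housemateBlocked, nil
}

func main() {
	ok, blocked, err := RoundTrip()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("patient can read: %v, housemate blocked: %v\n", ok, blocked)
}
```

The design choice worth noting is that the two goals map onto two different keys: the wrapped AES key is what ties the envelope to one specific patient (goal 1), while the authenticated AES-GCM body is what stops anyone on the path from reading or silently altering the content (goal 2). Distributing the patient’s public key and proving it really belongs to that patient is the PKI part, which this example assumes has already happened.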

Third Party Encryption is Necessary for Full Compliance

While it is possible to encrypt emails using G Suite, this alone does not meet the encryption requirements for remaining HIPAA compliant. Google uses Transport Layer Security (TLS) to encrypt e-mails in transit, but by Google’s own published statistics, 10% of emails sent and received remain unprotected. That falls well short of any level acceptable under HIPAA standards.
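One check a practitioner can run on mail that has already been delivered is to read its Received: trace headers. Each relay prepends one, and the RFC 3848 keyword after "with" (ESMTPS versus plain ESMTP, for instance) records whether that hop used TLS. The Go program below is an added example written for this page, not Google’s code or a published tool. The message it audits is a constructed sample with example-style hostnames, and the keyword table and the regular expressions for the from/by/with clauses are this example’s own assumptions about typical trace-header wording.

```go
package main

import (
	"fmt"
	"net/mail"
	"regexp"
	"strings"
)

// Hop is one Received: header reduced to the fields an in-transit audit needs.
type Hop struct {
	From     string // sending host as written by the receiving relay
	By       string // receiving relay
	Protocol string // RFC 3848 "with" keyword, upper-cased ("" if absent)
	TLS      bool   // true when the keyword records a TLS-protected session
}

// tlsProtocols are the "with" keywords that record a TLS session. ESMTPA
// means authenticated, not encrypted, so it is deliberately not listed.
// (Assumed table for this example; extend it for your own relays' wording.)
var tlsProtocols = map[string]bool{
	"ESMTPS": true, "ESMTPSA": true, "SMTPS": true,
	"UTF8SMTPS": true, "UTF8SMTPSA": true,
}

var (
	reFrom = regexp.MustCompile(`(?i)\bfrom\s+([^\s(]+)`)
	reBy   = regexp.MustCompile(`(?i)\bby\s+([^\s(]+)`)
	reWith = regexp.MustCompile(`(?i)\bwith\s+([A-Za-z0-9]+)`)
)

// ParseHops returns the hops in delivery order (first relay first). Relays
// prepend Received: headers, so the header list is walked in reverse.
func ParseHops(rawMessage string) ([]Hop, error) {
	msg, err := mail.ReadMessage(strings.NewReader(rawMessage))
	if err != nil {
		return nil, err
	}
	received := msg.Header["Received"]
	hops := make([]Hop, 0, len(received))
	for i := len(received) - 1; i >= 0; i-- {
		var h Hop
		if m := reFrom.FindStringSubmatch(received[i]); m != nil {
			h.From = m[1]
		}
		if m := reBy.FindStringSubmatch(received[i]); m != nil {
			h.By = m[1]
		}
		if m := reWith.FindStringSubmatch(received[i]); m != nil {
			h.Protocol = strings.ToUpper(m[1])
			h.TLS = tlsProtocols[h.Protocol]
		}
		hops = append(hops, h)
	}
	return hops, nil
}

// UnprotectedHops lists hops whose trace line does not record TLS. A hop with
// no "with" keyword is reported too: "unknown" is not "protected".
func UnprotectedHops(hops []Hop) []Hop {
	var out []Hop
	for _, h := range hops {
		if !h.TLS {
			out = append(out, h)
		}
	}
	return out
}

// SampleMessage is a constructed message: the clinic's outbound relay took it
// from a workstation over plain ESMTP, then passed it to the patient's
// provider over TLS. Hostnames and ids are made up for this example.
const SampleMessage = `Received: from mx.clinic.example (mx.clinic.example [203.0.113.10])
        by mail.patient.example with ESMTPS id 7k3x9q
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);
        Mon, 1 Jan 2018 10:00:02 +0000
Received: from workstation.clinic.example (workstation.clinic.example [192.0.2.25])
        by mx.clinic.example with ESMTP id 2f8b1c;
        Mon, 1 Jan 2018 10:00:00 +0000
From: records@clinic.example
To: patient@patient.example
Subject: Appointment confirmation

Constructed body text; no real PHI.
`

func main() {
	hops, err := ParseHops(SampleMessage)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for _, h := range hops {
		fmt.Printf("%-32s -> %-24s %-10s tls=%v\n", h.From, h.By, h.Protocol, h.TLS)
	}
	for _, h := range UnprotectedHops(hops) {
		fmt.Printf("WARNING: hop into %s was not TLS-protected\n", h.By)
	}
}
```

Two caveats apply when reading the output. Each trace line is written by the relay that received the message, so the audit only reflects what your own servers and the other party’s servers chose to record, and a misconfigured or untrustworthy relay can omit or misstate it. And a clean result says nothing about encryption at rest or about who can open the mailbox at the far end, which is the gap the article’s point about inbox-to-inbox encryption addresses.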

Users should also be aware that even with G Suite, Google automatically scans emails for spam and other security threats. In 2017, Google stopped scanning consumer e-mail content for keywords.

For Gmail to be genuinely HIPAA compliant, you need to use third-party encryption. Such a service encrypts emails from inbox to inbox, allowing health providers to remain confident that their emails comply with HIPAA laws and that their patients’ data is as protected as possible.


Should You Also Obtain Consent from Patients?

You may want to consider having your patients fill out a consent form if you plan on communicating with them via email. Remember that households often still share e-mail addresses. A patient needs to sign off that it is acceptable to send such an email where others can potentially access the information. With today’s advances in technology and the busy lives that people lead, email is often preferred over other forms of communication when it comes to confirming appointments or sending lab test results. However, patients should be aware that despite extensive efforts on the part of the healthcare provider to protect sensitive information, no email is 100% safe.

When you obtain written consent from patients, you not only ensure that they are aware that their data could be compromised when sent over email, you also obtain their permission to send it.

While some people believe that written consent takes the place of purchasing a G Suite account and working with a third-party encryption service, this is not recommended. Even if your healthcare facility obtains approval from patients to send their data over secure email, you should still make every effort to ensure that the data is encrypted and protected.

Sending HIPAA Compliant Email With a Signature

In the past, an email signature was used to remind the recipient that the email might contain Protected Health Information, and to prompt them to delete it if they believed it was not intended for them.

While this in no way guarantees that an email received in error will be removed, it is one more step to show patients and lawmakers that as a healthcare provider, you are making every reasonable attempt to protect patients’ private data.

However, today, if the e-mail is encrypted appropriately, a recipient who cannot decrypt it would never see the footer to begin with. These types of “security rules” are not considered an acceptable control and would never make an email compliant on their own.

You should use an email signature to remind patients how they can contact you and have their email address removed if they decide they are no longer comfortable sending and receiving emails that may contain their PHI. Making it easy for patients to opt out is another way to make sure that the only patients who receive emails are those who want to and have accepted the potential risks.


Compliant Email—It’s A Requirement In 2018

With the technology available today, there are very few legitimate reasons for a healthcare provider not to use it to ensure that patient data is safe over email and that all reasonable efforts have been made to make Gmail HIPAA compliant.

Not only are HIPAA violations costly, but they can also be detrimental to the reputation of a practice. A healthcare provider that has been saddled with one or more fines due to violating HIPAA laws may find it more challenging to grow their patient base once word gets out.

Simply put, all healthcare providers who plan to use Gmail as an email service to communicate with insurance companies, patients, and other professionals should use every available resource to protect their patients’ personal health information. Google makes signing up for G Suite and obtaining a business associate agreement simple; you can even complete the agreement online. Working with a third-party encryption service is also a fast and straightforward process.

On the one hand, there would appear to be little to fear regarding sensitive patient data being compromised when the proper steps are taken to make emails as secure as possible.

However, most security assessment professionals would not agree that using Google services for HIPAA is ideal. It will always be a shared platform that the user does not control, and, among other things, it does not provide the metadata and logging that would be expected.

That said, it is better than nothing. When it comes to your data and your healthcare information, it’s always worth taking extra steps to remain private, secure, and compliant.