Is Gmail HIPAA-compliant? A healthcare providers’ FAQ

Healthcare practices often use email to send a patient’s records to another provider, email a patient their medical records, circulate internal messages, and engage in other forms of communications. In all these activities, the privacy rules imposed by the Health Insurance Portability and Accountability Act of 1996 or HIPAA must be followed.

Gmail is the most commonly used email platform because it’s low-cost, convenient, and secure. The question on many healthcare providers’ minds is: Is Gmail compliant with HIPAA?

The popular email service encrypts connections with Transport Layer Security (TLS), which prevents hackers and other malicious parties from snooping on messages while they travel over the internet. However, TLS only protects mail in transit; to remain HIPAA-compliant, healthcare organizations must also meet a host of other security requirements governing the use of email, and of Gmail in particular.

HIPAA email rules

HIPAA requires that protected health information (PHI) such as diagnoses, test results, treatment information, and other similar data must be protected at all times. Patients’ personal information such as name, address, date of birth, Social Security number, and other data that can identify them are also classified as PHI under HIPAA, and are therefore subject to its privacy rules.

To keep email secure, hospitals, family clinics, mid-sized treatment centers, and similar practices must implement security measures, including restricting access to an email containing PHI and scanning outbound emails for sensitive information. Patients and healthcare business partners must also be made aware of the risks of transmitting PHI via email. Lastly, healthcare providers should ensure that the business associates they work with sign an agreement regarding the protection of patients’ sensitive data.
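The outbound-scanning control mentioned above, as an added example that is not from the original article: it parses a message, flags the identifier types the article classifies as PHI, and holds mail bound for another domain. The organization domain, the MRN format and the sample message are constructed assumptions.

```python
import email
import re
from email.utils import getaddresses

ORG_DOMAIN = "example-clinic.test"  # assumption: the practice's own mail domain

# Identifiers the article lists as PHI. The SSN check skips never-issued
# ranges (area 000/666/9xx, group 00, serial 0000) to cut false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Hypothetical MRN format; adapt it to the format your EHR actually emits.
MRN_RE = re.compile(r"\bMRN[:#]?\s*\d{6,8}\b", re.IGNORECASE)
DOB_RE = re.compile(r"\b(?:DOB|date of birth)\s*[:=]?\s*\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE)
PATTERNS = (("ssn", SSN_RE), ("mrn", MRN_RE), ("dob", DOB_RE))


def find_phi(raw_message: str) -> list:
    """Return (label, match) pairs found in the text parts of an RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    hits = []
    for part in msg.walk():
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue  # attachments need their own extractors (PDF, DOCX, ...)
        payload = part.get_payload(decode=True) or b""
        text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        for label, pattern in PATTERNS:
            hits.extend((label, m.group(0)) for m in pattern.finditer(text))
    return hits


def leaves_org(raw_message: str) -> bool:
    """True if any To/Cc/Bcc recipient is outside ORG_DOMAIN."""
    msg = email.message_from_string(raw_message)
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return any(addr.rsplit("@", 1)[-1].lower() != ORG_DOMAIN
               for _, addr in getaddresses(headers))


def outbound_action(raw_message: str) -> str:
    """Policy: external mail with PHI is held for encryption/review; internal hits are logged."""
    if not find_phi(raw_message):
        return "allow"
    return "hold-for-encryption" if leaves_org(raw_message) else "log-internal"


# Constructed sample message with fake identifiers, for demonstration only.
SAMPLE = """From: nurse@example-clinic.test
To: billing@example-insurer.test
Subject: Claim follow-up
Content-Type: text/plain; charset=utf-8

Patient Jane Doe, MRN 00123456, SSN 123-45-6789, DOB: 04/02/1971.
"""
```

A real deployment would run this at the mail gateway and extract attachment text as well; the regexes here only cover the body parts.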

What healthcare providers need to know about HIPAA-compliant email encryption

Encrypting an email that contains a patient’s PHI ensures that only the intended recipient, i.e., the patient, can read it. In other words, encryption renders the message unreadable to anyone who doesn't have the decryption key.

Although many healthcare businesses understand the importance of encryption, many are also unsure whether it’s mandatory for HIPAA compliance. Encrypting emails is, in fact, not mandatory under HIPAA rules. Rather, the HIPAA Security Rule requires organizations to assess whether they need to encrypt emails. For instance, in some organizations, most types of internal emails do not need to be encrypted, as they already have specific systems for handling sensitive information.

Fines for email-related HIPAA violations

HIPAA violations are categorized into four tiers based on the violators' level of culpability and come with corresponding fines.

  • No knowledge – This applies to instances when staff wouldn’t have known that a violation was committed despite exercising diligence.
  • Reasonable cause – In these cases, staff violated HIPAA due to reasonable cause, but not out of willful neglect.
  • Willful neglect, corrected – Here, a staff member committed a violation but corrected it promptly.
  • Willful neglect, uncorrected – In this instance, a staff member committed a violation and was not able to correct it.

Under the Obama administration, fines were capped at $1.5 million annually. That changed under the Trump administration, which interpreted fines differently — annual caps for violations were set under their respective tiers, generally resulting in lower caps per calendar year.

How to make your Gmail account HIPAA-compliant

Although many individuals and organizations use Gmail for security features that are perceived to be advanced, Gmail — and, by extension, the Google Workspace platform — is not innately HIPAA-compliant. Here are a few key steps to make Gmail accounts HIPAA-compliant.

1. Get a paid Gmail account

If a healthcare practice is using or is planning to switch to Gmail and/or Google Workspace, they need to use the paid version. Having a paid Google account is the only way to ensure HIPAA compliance if you prefer Google’s productivity tools. A healthcare practice must also obtain additional paid services to boost email security, especially concerning PHI transmission.

Google only agrees to sign a HIPAA Business Associate Agreement (BAA) for customers on paid accounts. However, for healthcare organizations that have set rules to never use Gmail, Google Drive, or any Google Workspace program to transmit or handle PHI, the free version of Gmail will suffice. But without any solid measures in place, employees may easily commit mistakes such as accidentally storing PHI on a Gmail draft.

For more information on HIPAA compliance with Google Workspace, you may refer to Google’s HIPAA Implementation Guide.

2. Obtain patient consent

HIPAA rules set boundaries that restrict what healthcare professionals — including researchers, healthcare insurance firms, and other entities that gather healthcare-related information — can do with patients’ protected data. Consent forms are vital to ensuring that these boundaries are always maintained.

Healthcare businesses, therefore, must issue consent forms to their patients to allow them to decide whether they authorize the ways their private information will be used. Agreeing to the terms indicated in the form means the patient consents to the ways their information will be shared with relevant entities (e.g., healthcare researchers).

Healthcare practices must also obtain consent for email correspondence to ensure that patients know the risks involved in sending sensitive information via email. Moreover, they must offer guidelines on how to keep information safe, emphasize key points regarding the devices and email addresses used, and include a privacy statement addressing patients’ security concerns.

3. Carefully plan the use of PHI in email

The only time it’s acceptable for healthcare practitioners to use the free version of Gmail is when their organization has clear rules in place about not storing PHI within the Google Workspace ecosystem. That entails not sending or receiving any PHI that could be linked to a patient.

If your practice intends to use Gmail to email patients or insurance companies, you need HIPAA-compliant email hosting. For this and other HIPAA compliance solutions for healthcare businesses, a managed IT services provider (MSP) like Solution Partner, which specializes in healthcare IT, will prove invaluable. We will ensure that all safeguards regarding HIPAA-compliant email are incorporated into your systems and see to it that you’re using a generally secure email service that offers high-level security for inbound and outbound emails.

Note that even a highly secure email service won’t be enough on its own to satisfy HIPAA requirements. Staff must be adequately trained in security awareness so that they can identify a variety of threats and vulnerabilities and respond to them appropriately. Systems must also be hardened against common attacks such as phishing scams.

Healthcare organizations in and around the Phoenix, Scottsdale, and Tempe areas trust Solution Partner to handle their practice’s technology needs. Our team of IT professionals can help with every aspect of HIPAA compliance and other healthcare IT support. Call us at 623-584-6993 or fill out this form so we can reach out to you.
