For organizations that need their communications to be HIPAA compliant, there are some key details you should know to ensure HIPAA compliance when using Gmail.
For HIPAA compliance, email containing personal health information, or PHI, must be end-to-end encrypted. This is not a standard feature of Gmail or Google Workspace (formerly known as G Suite). Depending on your business’s individual requirements, there are a few other options available to find the sweet spot where Gmail functionality and HIPAA compliance intersect.
Email communications containing protected health information (PHI) need to meet certain HIPAA security standards to satisfy compliance guidelines. These standards are left purposely flexible, which in turn can lead many businesses to wonder whether they’re transmitting PHI according to HIPAA’s Security and Privacy rules. The “reasonable safeguards” for email include precautions like encrypting patient-bound email and verifying recipients’ identities prior to disclosing personal information.
While HIPAA email rules don’t directly require encryption at all times (inter-agency emails, for instance, don’t have mandatory encryption rules), encrypted email by nature fulfills all requirements of HIPAA: sender and recipient are both verified, PHI is protected coming and going, and the extra effort taken by all parties involved constitutes a reasonable safeguard.
Penalties can add up quickly because they are assessed “per violation,” which means every single email that violates a HIPAA requirement constitutes a fineable event. Penalties are broken down into four tiers:
The maximum annual fine is $1.5 million for each covered entity.
Gmail is not innately HIPAA compliant, at least in the way that most businesses use the service. Like the vast majority of email services, Gmail does not end-to-end encrypt emails by default. Protecting sensitive data in transit and at the recipient’s end falls to you, the user.
Google specifically states that individual users are responsible for determining whether their business needs to maintain HIPAA compliance, and adds that any customers who have not entered into a BAA shouldn’t share PHI via any Google services.
However, Google can support HIPAA compliance for those Google Apps customers who are willing to sign a HIPAA Business Associate Agreement (BAA) with Google. The BAA commits Google to certain measures that protect data stored on Google’s servers, but it does not include end-to-end email encryption.
Fortunately, there are other options.
With Virtru, users can send HIPAA compliant emails and attachments seamlessly from Gmail (including on mobile devices). Virtru fits within your current infrastructure so that you can take control of your PHI within minutes and ensure HIPAA email compliance.