Is Gmail HIPAA Compliant? (mistakes to avoid)

Are you a healthcare professional? You should know that anyone handling Protected Health Information (PHI) must take extra care to ensure that their methods of communication are HIPAA compliant. Have you thought about using email for communicating with patients or others in your industry? If so, you’ve got to ask: is Gmail HIPAA compliant?

Gmail can comply with all HIPAA requirements (and is therefore considered a HIPAA-compliant email service) when you accept Google’s BAA in your Google Workspace settings. This means that as long as you have put in place all the necessary security measures for your account, you can use Gmail to send PHI, but you must use professional Gmail under an active Google Workspace license and update settings to accept Google’s BAA. You cannot use a free Gmail account.

Although it is relatively easy to set up, some mistakes people make when using Gmail can jeopardize the security of PHI.

To avoid jeopardizing security and ensure you maintain your HIPAA compliance, you must understand the features that Gmail offers that can help keep PHI secure. I’ll cover everything you need to know about Gmail HIPAA compliance in this article.

SuiteGuides.com is reader supported. If you make a purchase after clicking a link, we may earn a commission at no additional cost to you.

What is Gmail, And What Are Its Features?

Gmail is a free email service that Google offers, and professional users can enjoy enhanced professional Gmail with a Google Workspace license.

According to Statista, Gmail currently has over 1.8 billion users and is available in over 72 languages. Gmail offers 15GB of storage per user and has spam filtering, conversation threading, and labels.

In addition to these standard features, professional Gmail offers several features that you should use to make it more secure email service. I’ll list these below:

• 2-Step Verification – This feature adds an extra layer of security to your account by requiring you to enter a private code sent to your phone to log in.
• Encryption – Gmail automatically encrypts emails that you send between Google accounts. Encrypting an email makes sure that only the sender and recipient can read it.
• Labels – Gmail allows personalized labels for your emails. As well as being a tool for inbox organization, you can also use it to create a system for tagging emails with PHI.
• Filters – With Gmail, you can set up filters that mean certain kinds of emails get automatic tags or routing to a specific label. With this system, it’s easier for you to make sure that all your PHI emails get the appropriate label.

As long as you use all these features under a Google Workspace license, and accept Google’s BAA in your Workspace admin settings, Gmail is a secure way of sending and receiving PHI.

Again, you must set up your account correctly to ensure PHI remains secure and to comply with the Health Insurance Portability and Accountability Act of 1996.

Your Obligations In Gmail When Handling PHI

When you send PHI information through Gmail or any other digital app or service, you must adhere by the same HIPAA rules you would when using any other form of communication. This means that you must take steps to ensure that the email is private and secure.

A strong password is the first step in establishing the security of your Gmail account. Your password should be 8- characters long and include a combination of upper and lowercase letters, numbers, and symbols.

You should never use a name, phrase, word, or anything else that someone could easily guess.

In addition to a strong password, you should enable 2-step verification for your account. This feature adds another layer of security by requiring you to link your phone to receive a code.

Creating an environment where PHI you handle and transmit is secure also requires you to know the potential risks of using Gmail. User error is the source of the most significant cybersecurity risks with Gmail.

What Are Some Common Mistakes To Avoid?

When using Gmail to send PHI, people make a few common mistakes that can jeopardize the security of the information.

Here is a list of common mistakes people make that compromises the security of their Gmail account and which could make them non-compliant with HIPAA, even if they’ve adopted Google’s BAA in Google Workspace.

• Not Encrypting Emails – Gmail emails get automatic encryption as long as you’re sending them to another Gmail account. However, you will need to manually encrypt the message and PHI if you send an email to a non-Gmail account.
• Failing to Use Labels – Gmail allows you to label emails containing PHI. This is a great way to track which emails contain sensitive information. However, if you do not label these emails, it can be easy to forget which ones contain PHI.
• Sending PHI to the Wrong Person – One of the most common mistakes people make when using email is sending PHI to the wrong person. This can happen if you have an extensive contact list and accidentally select the wrong person when composing an email.
• Not Using Filters – Another common mistake people make is failing to set up filters for their Gmail accounts. Filters allow you to automatically label or route emails containing PHI to a specific location. This is a great way of keeping all PHI appropriately labeled and stored. Although this mistake can be easily remedied by recalling the email, it is still a good idea to double-check the recipient before hitting send.

How Can You Ensure You Are HIPAA-Compliant In Gmail?

There are things you must do to ensure you’re using Gmail in a HIPAA-compliant way. Here they are below.

• Only Send PHI that is Encrypted – Make sure that all PHI (personal health information) that you sent through Gmail is encrypted. All PHI that you receive through your account should also be encrypted.
• Never Share Your Gmail Password – Never share your Gmail password with anyone, not even your boss or IT department.
• Enable Two-Factor Authentication (2FA) – You should enable two-factor authentication for your Gmail account. As mentioned previously, this will help protect your account if anyone ever steals or guesses your password.
• Be Aware of the Dangers of Public Wi-Fi Networks – You should be aware of the dangers of using public Wi-Fi networks to access PHI in Gmail. If you are in a situation where you absolutely have to use public Wi-Fi, always ensure that you connect to a Virtual Private Network (VPN) first to encrypt your connection.
• Log Out of Gmail After Use – You should always log out of Gmail at the end of each session. This will help prevent someone from gaining unauthorized access to your account.

Although Gmail has some extraordinary security measures in place for its users, there are still some risks associated with using the service for PHI.

However, if you take the basic steps I’ve outlined above to protect your account, you can help to mitigate those risks and stay HIPAA compliant.

External Risks To PHI When Using Gmail

Although it is less likely that you will make a mistake when using Gmail for PHI if you follow the steps outlined above, there are still some external risks to consider.

Phishing

Gmail phishing scams are one of the most significant risks to PHI in Gmail. Phishing is a cyber attack in which attackers try to trick victims into giving them sensitive information by impersonating a trusted entity.

These scams can take many forms, but one of the most common is an email that deceives you by pretending to be from a trusted source (like Gmail).

Under this false alias, they will email you a link or attachment that will install malware on your computer if you click it. In Google Workspace, Gmail is really good at spotting potentially harmful emails/links and alerting you clearly so you can avoid phishing scams.

Accidental Disclosure

Another risk to PHI in Gmail is accidental disclosure. This can happen if you accidentally share your account password with someone or leave your Gmail session open and unattended.

To avoid accidental disclosure, it is important to never share your Gmail password with anyone and to always ensure that you log out of your account when you are finished using it.

Server Security

Finally, there is always the risk that Gmail itself could be hacked. Although this is unlikely, it is still a possibility. If Gmail were to be hacked, the attackers would gain access to all the PHI stored in the account.

To protect against this, always ensure you follow security protocols to protect your account and never store more PHI in Gmail than is necessary.

Whether in the medical field or dealing with any type of Protected Health Information, it’s essential to understand the risks associated with emailing PHI. By taking some simple precautions, you can help to ensure that your Gmail account is used in a HIPAA-compliant way.

Gmail Can Be HIPAA Compliant if You Do This

As I’ve explained here, you can use professional Gmail through Google Workspace in a HIPAA-complaint way. If you use Gmail to send or receive protected health information (PHI), make sure you’re taking all the steps I talked about earlier, and accept Google’s BAA.

Gmail can only be compliant with HIPAA laws through a BAA or a Business Associate Agreement. By having an active Google Workspace license, the Gmail app works under the existing privacy agreements set up for the platform.

Google has many communication apps under Google Workspace, including Meet, and Voice which can also be HIPAA compliant as they (like Gmail) are covered under a single BAA that covers the entire Google Workspace suite of productivity and communication apps.

The BAA agreement is not in place automatically with Google Workspace. Organizations must sign the agreement themselves when they start using Google Workspace (and Gmail) for their medical practice.

Doing this is easy:

That’s all there is to it – but if you do not have a Google Workspace license, and do not follow the steps above, Gmail will not be HIPAA compliant. And again – the free version of Gmail will not comply with HIPAA guidelines.