Sending Protected Health Information (PHI) via a free Gmail account is not HIPAA compliant. However, Gmail can be configured for HIPAA compliance using Google Workspace and Paubox. This allows for secure transmission of PHI while meeting regulatory requirements.
HIPAA and PHI security
PHI encompasses a broad spectrum of personal health data, including but not limited to medical records, test results, and patient demographics. HIPAA sets forth the standards and requirements to ensure the confidentiality, integrity, and availability of PHI.
Go deeper: What are the 18 PHI identifiers?
Gmail: Free vs. Google Workspace
When evaluating Gmail as a platform for handling PHI, you must distinguish between a free Gmail account and Google Workspace (formerly G Suite). Free Gmail accounts are designed for personal use, lack the administrative security and compliance controls required for HIPAA compliant email, and are not covered by a business associate agreement from Google.
Conversely, Google Workspace, a comprehensive suite of productivity and collaboration tools offered by Google, can be configured to align with HIPAA requirements.
HIPAA compliance with Google Workspace
Healthcare organizations must establish a business associate agreement (BAA) with Google to ensure HIPAA compliance when using Google Workspace. This agreement outlines Google's responsibilities in protecting PHI and provides the legal framework for compliance. Google Workspace offers security and privacy features, including encryption, access controls, and audit logs, which can be customized to meet HIPAA stipulations.
HIPAA compliance issues with Google Workspace
Even after configuring Google Workspace for HIPAA compliance, healthcare organizations may still face encryption gaps caused by the recipient's email setup. Email is encrypted in transit only hop by hop: the sending server and the receiving server must both support Transport Layer Security (TLS), and by default Gmail uses TLS opportunistically, falling back to an unencrypted connection when the receiving server does not offer it. A message containing PHI that crosses such a hop in cleartext is a potential HIPAA violation.
According to Google, "If the receiving server doesn't use TLS, Gmail still delivers messages, but the connection isn't secure." Google Workspace does provide an admin setting to require TLS for mail sent to specified domains, but with it enabled the email bounces if the recipient's server is not configured to accept an encrypted connection. Google publishes figures on how much of its mail traffic is unencrypted in its Transparency Report; the unencrypted share generally ranges from 2% to 15%.
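The TLS gap above is easy to check before you rely on an enforce-TLS rule: EHLO the recipient's mail exchanger and see whether it advertises STARTTLS, because that is what decides whether an enforced-TLS message is delivered or bounced. The following Python script is an added example written for this article; it is not code from Paubox or Google. The two EHLO replies embedded in it are constructed, not captured from real servers, and the `probe_starttls` function performs a live check that needs outbound port 25 and an MX hostname you have already resolved (MX lookup is left out because the standard library has no resolver for it).

```python
"""Check whether a recipient mail server offers STARTTLS, i.e. whether an
enforce-TLS rule in Google Workspace would deliver to it or bounce."""
import re
import smtplib
import ssl
import sys

# Constructed EHLO replies for offline use (not captured from any real host):
# one server advertising STARTTLS, one that does not.
EHLO_WITH_TLS = (
    b"250-mx.hospital.example.test Hello\r\n"
    b"250-SIZE 52428800\r\n"
    b"250-STARTTLS\r\n"
    b"250 8BITMIME\r\n"
)
EHLO_WITHOUT_TLS = (
    b"250-mx.oldclinic.example.test Hello\r\n"
    b"250-SIZE 10485760\r\n"
    b"250 8BITMIME\r\n"
)

# "250-KEYWORD ..." is a continuation line, "250 KEYWORD ..." the last line.
CAP_RE = re.compile(rb"^250[ -]([A-Za-z0-9]+)")


def parse_ehlo_capabilities(reply: bytes) -> set[str]:
    """Return the SMTP extension keywords advertised in a raw EHLO reply.
    The first line is the server greeting and carries no capability."""
    caps = set()
    for line in reply.splitlines()[1:]:
        m = CAP_RE.match(line)
        if m:
            caps.add(m.group(1).decode("ascii").upper())
    return caps


def delivery_outcome(caps: set[str], enforce_tls: bool) -> str:
    """What Gmail does with a message to a server advertising `caps`,
    with or without the require-TLS compliance setting turned on."""
    if "STARTTLS" in caps:
        return "delivered over TLS"
    if enforce_tls:
        return "bounced (TLS required)"
    return "delivered in cleartext"


def probe_starttls(mx_host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Live check: connect to the MX, EHLO it, and if STARTTLS is offered,
    negotiate TLS with certificate and hostname verification so the result
    also tells you whether a strict (CA-validated) TLS rule would pass."""
    result = {"starttls": False, "tls_version": None, "cert_valid": False}
    with smtplib.SMTP(mx_host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return result
        result["starttls"] = True
        ctx = ssl.create_default_context()  # verifies chain and hostname
        try:
            smtp.starttls(context=ctx)
        except ssl.SSLCertVerificationError:
            # STARTTLS works but the certificate would not satisfy a rule
            # that requires a valid CA-signed certificate.
            return result
        result["cert_valid"] = True
        result["tls_version"] = smtp.sock.version()  # e.g. "TLSv1.3"
    return result


if __name__ == "__main__":
    # Usage: python check_starttls.py mx.recipient.example
    host = sys.argv[1]
    info = probe_starttls(host)
    print(host, info)
    print("enforce-TLS outcome:",
          delivery_outcome({"STARTTLS"} if info["starttls"] else set(), True))
```

Run the probe against each MX host of a partner domain before adding that domain to a require-TLS rule; a server that advertises STARTTLS but fails certificate verification will still bounce if the rule also demands a valid CA-signed certificate, so check `cert_valid` as well as `starttls`.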
The best practices for sending PHI via Google Workspace
For those using Google Workspace with a signed BAA and tasked with sending PHI via Gmail, the following practices help maintain HIPAA compliance:
- Encryption and secure transmission: Require TLS for mail containing PHI rather than relying on Gmail's default opportunistic TLS, and confirm in advance that the recipient's mail servers support it so the message is neither sent in cleartext nor bounced.
- Access controls and authorization: Limit access to PHI within the email to authorized personnel with a legitimate need to access the information.
- Maintaining audit trails and records: Establish a system for tracking sent PHI emails, including details such as sender, recipient, and timestamps, to meet compliance and auditing prerequisites.
- Layered encryption: Use Google Workspace in conjunction with Paubox Email Suite so that PHI remains encrypted even when the recipient's server cannot negotiate TLS.
Risks and consequences
The transmission of PHI via unsecured email, whether Gmail or any other service, poses substantial risks. HIPAA violations can lead to severe repercussions, including fines and reputational damage to healthcare organizations.
Related: How can I make my existing Gmail account HIPAA compliant?