Sending Protected Health Information (PHI) via a free Gmail account is not HIPAA compliant. However, Gmail can be configured for HIPAA compliance using Google Workspace and Paubox. This allows for secure transmission of PHI while meeting regulatory requirements.
PHI encompasses a broad spectrum of personal health data, including but not limited to medical records, test results, and patient demographics. HIPAA sets forth the standards and requirements to ensure the confidentiality, integrity, and availability of PHI.
Go deeper: What are the 18 PHI identifiers?
When evaluating Gmail as a platform for handling PHI, you must distinguish between a free Gmail account and Google Workspace (formerly G Suite). Free Gmail accounts are primarily designed for personal use and lack the robust security and compliance features required to ensure HIPAA compliant email.
Conversely, Google Workspace, a comprehensive suite of productivity and collaboration tools offered by Google, can be configured to align with HIPAA requirements.
Healthcare organizations must establish a business associate agreement (BAA) with Google to ensure HIPAA compliance when using Google Workspace. This agreement outlines Google's responsibilities in protecting PHI and provides the legal framework for compliance. Google Workspace offers security and privacy features, including encryption, access controls, and audit logs, which can be customized to meet HIPAA stipulations.
Even with Google Workspace configured for HIPAA compliance, healthcare organizations can still face an encryption gap caused by the recipient's email setup. Gmail protects a message in transit with Transport Layer Security (TLS), but TLS is negotiated hop by hop between mail servers, so it only takes effect when both the sending and the receiving server support it. If the recipient's server does not offer TLS, the message travels in the clear, and PHI sent that way is a potential HIPAA violation.
According to Google, "If the receiving server doesn't use TLS, Gmail still delivers messages, but the connection isn't secure." Google Workspace administrators can add a compliance setting that requires TLS for outbound mail, but with that setting in place a message to a recipient whose server is not configured for TLS bounces back to the sender instead of being delivered. Google publishes the share of its mail that is sent unencrypted in transit in its Transparency Report; the figure generally ranges from 2% to 15%.
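The check a practitioner would want before relying on TLS is whether the recipient's mail server actually advertises STARTTLS. The script below, an added example that is not Google's or Paubox's code, parses an SMTP EHLO reply for the STARTTLS capability and models the two behaviours described above: the opportunistic default (deliver anyway, unencrypted) and an enforced-TLS rule (bounce). The two EHLO replies and the hostnames in them are constructed for the example; the `probe_mx_host` helper is an assumed live check that needs network access and is not run here.

```python
"""Check whether a recipient SMTP server offers STARTTLS, and show what an
opportunistic-TLS policy versus an enforce-TLS policy does with the message.

Added example, not code from Google or Paubox. Parsing follows the RFC 5321
EHLO reply syntax; the sample replies below are constructed."""

import smtplib
from typing import Set

# Constructed EHLO replies as a receiving server sends them: "250-" on
# continuation lines, "250 " on the final line. Hostnames are hypothetical.
EHLO_WITH_STARTTLS = (
    b"250-mx.clinic-a.example Hello\r\n"
    b"250-SIZE 35882577\r\n"
    b"250-8BITMIME\r\n"
    b"250-STARTTLS\r\n"
    b"250 SMTPUTF8\r\n"
)
EHLO_WITHOUT_STARTTLS = (
    b"250-mail.legacy-practice.example Hello\r\n"
    b"250-SIZE 10240000\r\n"
    b"250 8BITMIME\r\n"
)


def parse_ehlo_capabilities(reply: bytes) -> Set[str]:
    """Return the upper-cased ESMTP keywords from a raw EHLO reply.

    The first line is the server greeting, not a capability, so it is skipped.
    Each later line is '250-KEYWORD [params]' or '250 KEYWORD [params]'.
    """
    caps = set()
    lines = reply.decode("latin-1").splitlines()
    for line in lines[1:]:
        if len(line) < 4 or not line.startswith("250"):
            continue
        body = line[4:].strip()
        if body:
            caps.add(body.split()[0].upper())
    return caps


def offers_starttls(caps: Set[str]) -> bool:
    return "STARTTLS" in caps


def delivery_decision(caps: Set[str], enforce_tls: bool) -> str:
    """Model the two Gmail behaviours the text describes.

    enforce_tls=False: opportunistic TLS, the default. Encrypt when the peer
    offers STARTTLS, otherwise deliver anyway over a plaintext connection.
    enforce_tls=True: a require-TLS rule. Nothing is sent in the clear; a
    recipient without STARTTLS causes the message to bounce.
    """
    if offers_starttls(caps):
        return "deliver-encrypted"
    return "bounce" if enforce_tls else "deliver-plaintext"


def probe_mx_host(host: str, port: int = 25, timeout: float = 10.0) -> Set[str]:
    """Live check (needs network): connect to an MX host and read its EHLO
    capabilities. smtplib parses the reply into esmtp_features (lower-cased
    keys), so the keywords are taken from there. Resolving the recipient
    domain's MX records is assumed to happen before calling this."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo("probe.example")  # hypothetical client hostname
        return {k.upper() for k in smtp.esmtp_features}


if __name__ == "__main__":
    for name, reply in (("with STARTTLS", EHLO_WITH_STARTTLS),
                        ("without STARTTLS", EHLO_WITHOUT_STARTTLS)):
        caps = parse_ehlo_capabilities(reply)
        print(f"{name}: opportunistic={delivery_decision(caps, False)}, "
              f"enforced={delivery_decision(caps, True)}")
```

Note that "deliver-encrypted" only means the hop to the recipient's server was protected; opportunistic TLS does not by itself verify the server's certificate, and the message is stored unencrypted once it arrives, which is why the page treats transport encryption alone as insufficient for PHI.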
For those using Google Workspace with a signed BAA and tasked with sending PHI via Gmail, adherence to best practices ensures HIPAA compliance:
The transmission of PHI via unsecured email, whether Gmail or any other service, poses substantial risks. HIPAA violations can lead to severe repercussions, including fines and reputational damage to healthcare organizations.
Related: How can I make my existing Gmail account HIPAA compliant?