Is Gmail HIPAA Compliant?

HIPAA Basics

HIPAA regulation demands safeguards be put in place to keep PHI secure when it is transmitted electronically (also known as electronic protected health information, or ePHI). 

Before answering the question “Is Gmail HIPAA compliant?” here are a few key HIPAA definitions you should be familiar with to understand your regulatory obligations.

• Covered Entity (CE): A health plan or a healthcare provider who stores or transmits any health information in electronic form in connection with a HIPAA transaction.
• Business Associate (BA): Any entity that uses or discloses protected health information (PHI) on behalf of a covered entity. Furthermore, it is any person or organization who, on behalf of a covered entity, performs (or assists in the performance of) a function or activity involving the use or disclosure of PHI. Examples include storage services, MSPs, IT providers, lawyers, billing services, shredding services, and cloud storage providers.
• Business Associate Agreement (BAA): A contract entered into between two HIPAA-beholden entities (either between a CE and BA or between two BAs). A good BAA defines liability in the event of a PHI breach. It acknowledges that both entities entering the agreement will handle PHI per HIPAA regulation. BAAs must be executed before any PHI can be legally shared.
• Protected Health Information (PHI): Any information collected by a CE that can be used to identify a patient or their health records is considered PHI. This includes name, address, date of birth, phone number, email address, Social Security number, medical record number, health insurance ID number, or full facial photograph, among others. Electronic PHI (ePHI) is any PHI maintained in an electronic format, including electronic health records (EHR).

Is Gmail HIPAA Compliant: Security Features

Does Gmail offer HIPAA compliant safeguards to ensure the confidentiality, integrity, and availability of PHI? End-to-end encryption is the best way to ensure that PHI sent through email is secure. 

Although Gmail does not have encryption enabled by default, it can be enabled on the platform. However, it is important to not that Google does not offer end-to-end encryption.  Google only encrypts emails “at rest” (stored emails), and HIPAA requires emails to also be encrypted in transmission. As such, users that send emails containing PHI externally must contract an email encryption service. End-to-end email encryption services include Google Apps Message Encryption (GAME), Paubox, Identillect, LuxSci, RMail, Virtru, and Zix.

Is Gmail HIPAA Compliant: Business Associate Agreements

Since Google is considered a business associate when used with PHI, users are required to sign a business associate agreement with Google before they can use Gmail to send PHI. Google is willing to sign a business associate agreement (BAA) for users with paid accounts, however they do not sign BAAs with users using the free version of their service. Since Google only offers BAAs for paid accounts, users with the free version of Gmail cannot send emails containing PHI.

Other G Suite services covered under Google’s BAA include:

Gmail, Calendar, Drive (including Docs, Sheets, Slides, and Forms), Apps Script, Keep, Sites, Jamboard, Hangouts (chat messaging feature only), Google Chat, Google Meet, Google Voice (managed users only), Google Cloud Search, Cloud Identity Management, Google Groups, Google Tasks and Vault (if applicable).

For more information on Google and HIPAA, please click here.

Is Gmail HIPAA Compliant?

Is Google email HIPAA compliant? Yes, it can be made to be HIPAA compliant. To make Gmail secure and HIPAA compliant, users must have a paid Gmail account, utilize end-to-end email encryption services, and have a signed BAA with Google.