Many of you might be asking “Is Gmail HIPAA compliant?” Google applications such as Gmail and other G Suite Services have long been a standard resource for businesses. But when it comes to health care practices, how do you know if your sensitive patient data is being kept safe?
Google has safeguards in place that can successfully keep protected health information (PHI) secure during email transmission. HIPAA regulation demands that safeguards be put in place to keep PHI secure when it is transmitted electronically; PHI held or sent in electronic form is known as electronic protected health information, or ePHI.
These safeguards are outlined in the HIPAA Security Rule, which was first published in 2003, and went into effect in 2005. Since then, all transmissions of ePHI by HIPAA-beholden entities have been subject to federal regulatory standards.
Before we answer the question “Is Gmail HIPAA compliant?”, here are a few key HIPAA definitions you should be familiar with in order to understand your regulatory obligations.
- Covered Entity (CE): A health plan or a health care provider who stores or transmits any health information in electronic form in connection with a HIPAA transaction.
- Business Associate (BA): Any entity that uses or discloses protected health information (PHI) on behalf of a covered entity (e.g. a group health plan or a hospital). Furthermore, it is any person or organization who, on behalf of a covered entity, performs (or assists in the performance of) a function or activity involving the use or disclosure of PHI. Examples include storage services, MSPs, IT providers, lawyers, billing services, shredding services, and cloud storage providers, to name a few.
- Business Associate Agreement (BAA): A contract entered into between two HIPAA-beholden entities (either between a CE and BA or between two BAs). A good BAA defines liability in the event of a PHI breach. It acknowledges that both entities entering into the agreement will handle PHI in accordance with HIPAA regulation. BAAs must be executed before any PHI can be legally shared.
- Protected Health Information (PHI): Any information collected by a CE that can be used to identify a patient or their health records is considered PHI. This includes name, address, date of birth, phone number, email address, social security number, medical record number, health insurance ID number, or full facial photograph, among others. Electronic PHI (ePHI) is any PHI maintained in an electronic format, including electronic health records (EHR).