Is Gmail HIPAA Compliant: Security Features
Does Gmail offer HIPAA compliant safeguards to ensure the confidentiality, integrity, and availability of PHI? End-to-end encryption is the best way to ensure that PHI sent through email is secure.
Although Gmail does not have encryption enabled by default, it can be enabled on the platform. However, it is important to note that Google does not offer end-to-end encryption. Google only encrypts emails "at rest" (stored emails), and HIPAA requires emails to also be encrypted in transmission. As such, users who send emails containing PHI externally must contract an email encryption service. End-to-end email encryption services include Google Apps Message Encryption (GAME), Paubox, Identillect, LuxSci, RMail, Virtru, and Zix.
Is Gmail HIPAA Compliant: Business Associate Agreements
Since Google is considered a business associate when used with PHI, users are required to sign a business associate agreement (BAA) with Google before they can use Gmail to send PHI. Google is willing to sign a BAA for users with paid accounts; however, it does not sign BAAs with users of the free version of its service. Since Google only offers BAAs for paid accounts, users with the free version of Gmail cannot send emails containing PHI.
Other G Suite services covered under Google’s BAA include:
Gmail, Calendar, Drive (including Docs, Sheets, Slides, and Forms), Apps Script, Keep, Sites, Jamboard, Hangouts (chat messaging feature only), Google Chat, Google Meet, Google Voice (managed users only), Google Cloud Search, Cloud Identity Management, Google Groups, Google Tasks and Vault (if applicable).
Is Gmail HIPAA Compliant?
Is Google email HIPAA compliant? Yes, it can be made to be HIPAA compliant. To make Gmail secure and HIPAA compliant, users must have a paid Gmail account, utilize end-to-end email encryption services, and have a signed BAA with Google.