Gmail can enable HIPAA compliance for its G Suite products — but if you want to make a Gmail account HIPAA compliant, it must be a part of G Suite and cannot be a free, personal account.
Just so you know
Gmail is the most widely used email service around, with 1.8 billion users worldwide. The ubiquity and familiarity of Gmail make it an appealing option for healthcare companies.
HIPAA sets strict standards for protecting patient confidentiality and health information. Sending HIPAA-friendly emails requires training staff to use technological safeguards. Your email provider may follow HIPAA regulations, but that doesn’t automatically make your emails secure. Every employee must understand how HIPAA applies to their email. Training in everything from encrypting sensitive emails to ensuring they’re sent to authorized recipients can help.
Healthcare workers are sometimes targeted by phishing and other email attacks. Recent breaches have compromised sensitive personal data, such as Social Security numbers and financial account information, as well as the PHI of hundreds of patients. Continuous training improves the chances that your employees won’t fall prey to phishing scams.
Your business needs a straightforward, step-by-step process to help staff comply with both applicable laws, which can include HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act, among others. Now that we’ve considered the importance of strong training and policies, it’s time to take a look at the technical side of things.
If you’re a covered entity, or a business associate of a covered entity, you should have a signed business associate agreement (BAA) with every third party that could access the PHI in your custody. Using an email provider is no different. A BAA ensures that your business associate understands how they can use PHI and what security measures are required.
The fundamental risk of transmitting PHI via email is that unauthorized people could gain access to that data. Email services that enable HIPAA compliance should have strong security features or allow third-party plug-ins that provide the needed security.
Access must be restricted to only those who need the information. Never print emails that contain PHI. These emails should be visible only to the sender and the recipient. Using end-to-end encryption and access controls ensures that ePHI doesn’t fall into the wrong hands.