Virtru Security Insights

HIPAA Compliant Gmail — What You Need to Know

January 29, 2015

Last year, Gmail celebrated its 10th birthday — and with more than 500 million users, the email service is only getting better with age. Yet, for organizations that need their communications to be HIPAA compliant, there are some key details you should know to ensure HIPAA compliance when using Gmail.

For HIPAA compliance, email containing personal health information, or PHI, must be encrypted. This is not a standard feature of Gmail or Google Apps for Work (now known as G Suite), but Google does offer email encryption for paid users of G Suite. Depending on your business’s individual requirements, there are a few other options available to find the sweet spot where Gmail functionality and HIPAA compliance intersect.

Why HIPAA Compliant Gmail Matters

Email communications containing protected health information (PHI) need to meet certain HIPAA security standards to satisfy compliance guidelines. These standards are left purposely flexible, which in turn can lead many businesses to wonder whether they’re transmitting PHI according to HIPAA’s Security and Privacy rules. The “reasonable safeguards” for email include precautions like encrypting patient-bound email and verifying recipients’ identities prior to disclosing personal information.

While HIPAA email rules don’t directly require encryption at all times (inter-agency emails, for instance, don’t have mandatory encryption rules), encrypted email by nature fulfills all requirements of HIPAA: sender and recipient are both verified, PHI is protected coming and going, and the extra effort taken by all parties involved constitutes a reasonable safeguard.

What happens if a covered entity (that is, a healthcare provider, health plan or healthcare clearinghouse) uses Gmail, but neglects HIPAA compliance? Penalties can add up quickly because they are “per violation,” which means every single email that violates a HIPAA requirement constitutes a fineable event. Penalties are broken down into four tiers:

  • Did not know: Some organizations may honestly be unaware that their email communications are non-compliant. This tier carries a $100 to $50,000 penalty per incident (again, that is per individual email).
  • Reasonable cause: Penalties range from $1,000 to $50,000 for organizations that know email needs to be compliant, but aren’t making an effort in that direction.
  • Willful neglect (corrected): If you have access to HIPAA compliant Gmail or another compliant email server and still don’t follow the requirements for compliance, penalties between $10,000 and $50,000 can be issued.
  • Willful neglect (not corrected): A flat $50,000 penalty can be imposed upon users who have already been warned about being in non-compliance, yet have made no effort to change policies or actions.

The maximum annual fine is $1.5 million for each covered entity.

HIPAA Compliant Gmail – What You Need to Know

Gmail is not innately HIPAA compliant, at least in the way that most businesses use the service. Like the vast majority of email services, Gmail does not encrypt emails by default. Protecting sensitive data communication falls to you, the user.

Google specifically states that individual users are responsible for determining whether their business needs to maintain HIPAA compliance, and adds that any customers who have not entered into a BAA shouldn’t share PHI via any Google services.

However, Google can support HIPAA compliance for those Google Apps customers who are willing to sign a HIPAA Business Associate Agreement (BAA) with Google. The BAA ensures certain measures to protect data stored on Google’s servers, but it does not come with email encryption built in. For that, you would need to purchase a separate email encryption service such as Google Apps Message Encryption (GAME), at additional cost.

While GAME helps ensure HIPAA compliance, it does so at the expense of user experience. To access an encrypted message, the recipient must sign in to an online portal. This carries the same frustrations as any web-based email portal solution: it takes added time and clicks just to read each email, users must remember an additional login and password, and secure emails are accessed separately from their normal email.

Fortunately, there are other options.

Streamlining Encryption for Gmail: A Win-Win

Designed to work seamlessly with Gmail’s native features and familiar interface, Virtru Pro is an easy-to-use email add-on that provides client-side email encryption for HIPAA compliant Gmail. By delivering HIPAA-compliant messages directly to the recipient’s inbox, Virtru Pro removes the complexity of traditional portal solutions.

Virtru Pro also enhances email with a few other HIPAA-friendly features, like the ability to revoke messages secured with Virtru at any time and to control forwarding.

To learn more, download our HIPAA guide today.