For HIPAA compliance, email containing protected health information (PHI) must be safeguarded both in transit and at rest. The Security Rule lists encryption as an "addressable" implementation specification (transmission security, 45 CFR 164.312(e)(2)(ii)): a covered entity must either implement it or document why an equivalent alternative is reasonable, and in practice encryption is the control regulators expect for PHI that leaves the organization. End-to-end encryption is not a standard feature of Gmail or Google Workspace (formerly known as G Suite). Depending on your business's individual requirements, there are a few options for finding the sweet spot where Gmail functionality and HIPAA compliance intersect.
Why HIPAA Compliant Gmail Matters
Email communications containing protected health information (PHI) need to meet HIPAA security standards to satisfy compliance requirements. These standards are left purposely flexible, which leads many businesses to wonder whether they are transmitting PHI according to HIPAA's Security and Privacy Rules. The "reasonable safeguards" for email include precautions like encrypting patient-bound email and verifying recipients' identities before disclosing personal information.
While the HIPAA rules do not require encryption in every case (mail that never leaves a covered entity's own secured network is commonly treated as lower risk than mail crossing the public internet), end-to-end encrypting any email that contains PHI addresses the transmission-security standard directly: the content is protected in transit and in the recipient's mailbox, and the deliberate step taken to protect it is easy to document as a reasonable safeguard. Encryption alone does not satisfy every HIPAA obligation, however. Verifying the recipient, restricting access, keeping audit trails, maintaining a documented risk analysis and holding a Business Associate Agreement with any vendor that touches PHI are still required.
What Happens if a Covered Entity (a Healthcare Provider, Health Plan or Healthcare Clearinghouse) Uses Gmail but Neglects HIPAA Compliance?
Penalties can add up quickly because they are assessed per violation, and the HHS Office for Civil Rights can count each email that exposes PHI as a separate violation. The HITECH Act set four tiers based on the organization's level of culpability (the dollar amounts below are the original statutory figures, which HHS adjusts for inflation each year):
- Did not know: the organization did not know, and by exercising reasonable diligence would not have known, that its email handling violated HIPAA. $100 to $50,000 per violation (again, that can mean per individual email).
- Reasonable cause: the organization knew, or with reasonable diligence should have known, about the violation, but did not act with willful neglect. $1,000 to $50,000 per violation.
- Willful neglect (corrected): conscious or reckless disregard of the rules, for example having access to a compliant email setup and still not using it, but the violation was corrected within 30 days of the organization learning of it. $10,000 to $50,000 per violation.
- Willful neglect (not corrected): the same disregard, with no correction within 30 days of discovery. A minimum of $50,000 per violation.
The annual cap is $1.5 million per calendar year for all violations of an identical provision.
HIPAA Compliant Gmail – What You Need to Know
Gmail is not innately HIPAA compliant, at least in the way most businesses use the service. Gmail does encrypt mail in transit with TLS when the other mail server supports it, and encrypts stored mail at rest, but neither is end-to-end: Google holds the keys and can read message content, and delivery falls back to an unencrypted connection if the receiving server does not offer TLS. Protecting the PHI in a message body and its attachments falls to you, the customer.
Google specifically states that customers are responsible for determining whether they are subject to HIPAA, and that customers who have not entered into a BAA should not use any Google service to store or share PHI.
However, Google can support HIPAA compliance for Google Workspace customers who sign a HIPAA Business Associate Agreement (BAA) with Google. The BAA commits Google to safeguarding PHI stored and processed in the covered Workspace services, but it does not give you end-to-end email encryption: Google still holds the keys, and mail to recipients outside your domain is only as protected as the receiving server's TLS support allows.
Fortunately, there are other options.
The Easiest Way to Send and Receive HIPAA Compliant Gmail
With Virtru, users can send HIPAA compliant emails and attachments from Gmail, including on mobile devices. Virtru fits within your current infrastructure so that you can take control of your PHI within minutes and maintain HIPAA email compliance.
- End-to-end email encryption with one click.
- Persistent protection for PHI and medical records.
- Pre-built DLP rule pack to help reduce human error.
- No additional accounts or software needed for recipients.
- Get a signed Business Associate Agreement (BAA).
To learn more, download our HIPAA guide today.