In order for Gmail to be deemed HIPAA compliant, Google would have to ensure that the email service is 100% safe and satisfies the basic security standards set out in the HIPAA Security Rule.
A covered entity would also be obligated to obtain a signed business associate agreement from Google that incorporates Gmail, as Google would be deemed a business associate under the HIPAA Rules. While encryption for email is not an obligation of HIPAA, it is a requirement if emails that include protected health information are sent externally beyond the protection of a firewall. If emails are shared like this, it would be a requirement that they be secured with end-to-end encryption.
Google has established excellent security measures, and its email service meets its obligations under the HIPAA Security Rule. Google will commit to completing business associate agreements with HIPAA-covered entities that cover its email service, so once a BAA is obtained, that HIPAA compliance requirement is fulfilled. Encryption for email can be configured, so Google does provide an email service that can be made HIPAA compliant. However, while you can make Gmail HIPAA compliant, compliance is not guaranteed.
In order to comply with HIPAA you need to have a subscription for Google’s G Suite (formerly Google Apps) email service. This email service was designed for use with a company-owned domain. Google will provide a business associate agreement for G Suite, but its BAA does not cover the free @gmail.com email service.
If you register for G Suite and get a BAA, there are still a few steps to complete to make it HIPAA compliant, as you still need to add encryption. Encryption is only in place for Google emails at rest, not emails in transit. If you wish to send PHI via Gmail-powered G Suite, you will need to register for an end-to-end email encryption service.
There are multiple encryption services that can be used in conjunction with Gmail such as Google Apps Message Encryption (GAME) or a third-party email encryption solution like those provided by Identillect, LuxSci, Paubox, RMail, Virtru, or Zix.
Once encryption is in place, steps must be taken to train your staff on the correct use of email. Employees should be made aware of the internal and federal rules that govern the transmission of PHI via email, and they must take care to ensure that emails are sent to the appropriate recipient. Once the HIPAA-compliant email service has been established, healthcare organizations should obtain consent from patients before transmitting their PHI via email.