It is possible to have HIPAA compliant Gmail if you subscribe to a Google Workspace account that supports HIPAA compliance, if the products included in the Workspace account are configured to support HIPAA compliance, and if the Gmail service is used in compliance with the Privacy Rule standards relating to permissible uses and disclosures.
When an individual or organization qualifies as a HIPAA covered entity or business associate, they are required to comply with regulations that protect individually identifiable health information from impermissible uses and disclosures. When “Protected Health Information” is communicated electronically, additional regulations apply to the channel of communication.
If the channel of communication can be configured to comply with the regulations for electronic communications, it is considered to be “HIPAA compliant”. However, it is often the case that, for a channel of communication to be considered HIPAA compliant, customers must subscribe to a certain type of account or level of account that contains the tools to support HIPAA compliance.
Such is the case with Gmail, where the free Gmail service lacks the tools to support HIPAA compliance. For Gmail to be considered HIPAA compliant, customers must subscribe to a Google Workspace account, configure the controls to comply with the regulations for electronic communications, and agree to the terms of Google’s Business Associate Addendum.
What is Google Workspace?
Google Workspace (formerly known as G Suite) is a collection of products that can be used individually or together to accelerate communications, enhance collaboration, and improve productivity. There are four types of Workspace account with the same products available in each type of account. The difference between accounts is the capabilities of each product.
In the context of whether it is possible to have HIPAA compliant Gmail, all four Workspace accounts have the “included functionalities” required for HIPAA compliant Gmail. However, larger organizations may have to opt for an account with advanced endpoint management capabilities if alternative security solutions for remote workforces are not already in place.
In addition to subscribing to a Workspace account, it is also necessary for covered entities and business associates to agree to Google’s Business Associate Addendum to the Workspace Terms of Service. Although a standard HIPAA Agreement, customers are advised to carefully review clause #4 (“Customer Obligations”) before digitally signing the Agreement.
How to Make Gmail HIPAA Compliant
To help customers make Gmail HIPAA compliant, Google provides a HIPAA Implementation Guide. The Guide outlines how the controls of each product should be configured to support HIPAA compliance, explains which products in the Workspace portfolio should be disabled, and describes the process for setting up administrator notifications for potential security incidents.
With regard to HIPAA compliant Gmail, the only controls that require configuration are those that manage file sharing from Google Drive and those that manage Data Loss Prevention policies. The only other advice provided for HIPAA compliant Gmail is to use the BCC function when copying an email to multiple recipients, so that email recipients are hidden from each other.
One item not covered in the HIPAA Implementation Guide is encryption. This is because Google encrypts all Workspace emails at rest and in transit. Emails in transit are encrypted using TLS, which encrypts the connection rather than the content of the email. Customers wanting more robust encryption may want to look at S/MIME or proprietary encryption options.
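As an added illustration (not Google's code and not part of the Implementation Guide), the following Python pre-send check enforces the two Gmail-specific points above on a plain-text draft: multiple external recipients are expected in Bcc rather than To/Cc, and a simple DLP pattern rule flags identifiers in the body. The addresses, domain and patterns are constructed for the example.

```python
import re
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed DLP patterns: a US SSN and a made-up medical record number format.
DLP_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[-: ]?\d{6,10}\b", re.IGNORECASE),
}


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses every recipient can see (To and Cc); Bcc is stripped on send."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(headers)]


def dlp_findings(msg: EmailMessage) -> dict[str, int]:
    """Count DLP pattern matches in a plain-text body, keyed by pattern name."""
    text = msg.get_content()
    return {name: len(p.findall(text)) for name, p in DLP_PATTERNS.items() if p.search(text)}


def check_draft(msg: EmailMessage, internal_domain: str) -> list[str]:
    """Return policy violations; an empty list means the draft may be sent."""
    problems = []
    external = [a for a in visible_recipients(msg)
                if not a.lower().endswith("@" + internal_domain.lower())]
    if len(external) > 1:
        problems.append(f"{len(external)} external recipients visible to each other; move them to Bcc")
    for name, count in dlp_findings(msg).items():
        problems.append(f"DLP: {count} {name} match(es) in body")
    return problems


def build_draft(to: list[str], bcc: list[str], body: str) -> EmailMessage:
    """Assemble a plain-text draft; sender and recipients are constructed values."""
    msg = EmailMessage()
    msg["From"] = "clinic@example.com"
    if to:
        msg["To"] = ", ".join(to)
    if bcc:
        msg["Bcc"] = ", ".join(bcc)
    msg.set_content(body)
    return msg


PATIENTS = ["a@patient.example", "b@patient.example"]
BAD_DRAFT = build_draft(to=PATIENTS, bcc=[], body="Your MRN 12345678 results are attached.")
GOOD_DRAFT = build_draft(to=[], bcc=PATIENTS, body="Your results are ready in the portal.")
```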
Using HIPAA Compliant Gmail Compliantly
Even with an appropriate Workspace subscription, a signed Business Associate Addendum, and the right configuration, it is still important to use a HIPAA compliant Gmail service in compliance with the Privacy Rule standards relating to permissible uses and disclosures of Protected Health Information (45 CFR §§164.506 to 164.512).
These standards can be complicated by times when the minimum necessary standard applies, times when patients can request confidential communications by insecure channels of communication, and times when patients can authorize disclosures of Protected Health Information by Gmail even when it is not HIPAA compliant Gmail.
Covered entities and business associates are advised to study the applicable standards carefully, develop HIPAA email policies, and provide training to members of the workforce likely to use Gmail to send or receive emails containing Protected Health Information. Individuals and organizations that encounter challenges with using HIPAA compliant Gmail compliantly are advised to seek independent compliance advice.