For Gmail to be deemed HIPAA compliant, Google would have to ensure that the email service is 100% safe and satisfies the basic security standards set out in the HIPAA Security Rule.
A covered entity would also be obligated to sign a business associate agreement (BAA) with Google that covers Gmail, since Google would be deemed a business associate under HIPAA. While HIPAA does not strictly require email encryption, it becomes a requirement if emails containing protected health information (PHI) are to be sent outside the company, beyond the protection of its firewall. Emails sent in this way must be secured with end-to-end encryption.
Google has established excellent security, and its email service meets the obligations of the HIPAA Security Rule. Google will sign business associate agreements with HIPAA-covered entities that cover its email service, so once a BAA is obtained, that HIPAA compliance requirement is also fulfilled. Email encryption can be configured, so Google does provide an email service that can be made HIPAA compliant. However, while you can make Gmail HIPAA compliant, it is not compliant until you complete a few steps.
Google supplies Gmail for free, but this email service is not HIPAA compliant as it comes, because it is intended only for personal use.
To comply with HIPAA you need a subscription to Google's G Suite (formerly Google Apps) email service. This email service was designed for use with a company-owned domain. Google will provide a business associate agreement for G Suite, but its BAA does not cover the free @gmail.com email service.
If you register for G Suite and obtain a BAA, there are still a few steps to complete to make it HIPAA compliant, as you still need to add encryption. Google only encrypts emails at rest, not in transit. If you wish to send PHI via Gmail-powered G Suite, you will need to register for an end-to-end email encryption service.
There are multiple encryption services that can be used in conjunction with Gmail, such as Google Apps Message Encryption (GAME) or a third-party email encryption solution like those provided by Identillect, LuxSci, Paubox, RMail, Virtru, or Zix.
Once encryption is in place, steps must be taken to train your staff on the correct use of email, to ensure they are aware of the internal and federal rules that govern the transmission of PHI via email, and to ensure they take care that emails are sent to the appropriate recipient. Once this is up and running, consent must also be obtained from patients before their PHI is sent through email.