
Is Gmail HIPAA Compliant?

September 25, 2025

Complying with HIPAA privacy and security rules requires strict access control policies for protected health information. HIPAA applies to the tools you use on the job, not just your personnel. Gmail has more than 2.5 billion active users, likely including some or all of your team. Does Gmail meet HIPAA requirements, or is it a HIPAA violation waiting to happen?

Is Your Organization’s Gmail HIPAA Compliant?


Some versions of Gmail are HIPAA compliant, but not all. Healthcare organizations must use Gmail with a Google Workspace subscription to enable the necessary administrative controls and security safeguards to meet HIPAA standards.

“Regular” Gmail Isn’t HIPAA Compliant

The free Gmail accounts that many doctors use for personal communications do not meet HIPAA requirements. Here’s why:

  • Google doesn’t provide a Business Associate Agreement for this version of Gmail.
  • The default settings don’t support encryption.
  • The basic version doesn’t create account access logs.
  • Gmail’s default security is vulnerable to phishing because, without multifactor authentication enforced, anyone who obtains the password can log into the account.

This type of account can’t be used to transmit patient data at all, even for consulting with medical colleagues.

Google Meets HIPAA Privacy and Security Standards

Google performs regular independent security audits, and Workspace products hold leading security and privacy certifications:

  • HITRUST CSF
  • ISO 27001
  • ISO 27017
  • ISO 27018
  • SOC 2 Type 2 and SOC 3 Reports

Keep in mind that Gmail must be properly configured to be HIPAA compliant.

The Right Workspace Plan

Your organization must also select the correct Workspace subscription. Unless you have additional tools for endpoint protection and secure archiving, only Enterprise Plus versions of Gmail are HIPAA compliant.

Only this tier includes Google’s Security Center, a hub that allows admins to monitor access and configure settings for messages and file attachments. Enterprise Plus plans also include data loss prevention safeguards.

How Can You Make Gmail HIPAA Compliant?

Google Workspace provides a version of Gmail that is HIPAA compliant.

Google helps onboard healthcare organizations to the Workspace platform. It provides a detailed HIPAA implementation guide for integrating Google Meet, Gmail, Drive, and other administrative apps. Here are a few takeaways:

Follow a checklist: Having a HIPAA checklist helps you avoid errors when configuring Gmail’s settings for email attachments and logging.

Request a BAA: You must accept Google’s BAA to use the service and remain HIPAA compliant.

Set up MFA: Your admin can enable multifactor authentication in Gmail by default and restrict access to patient data based on roles.

Train your workforce: Employees can still unintentionally violate HIPAA if they send PHI to unauthorized third parties or use the CC field for group emails to patients, which exposes every recipient’s address to the others (unlike BCC, which keeps recipients’ identities private).
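The CC-versus-BCC mistake above is one that a simple outbound check can catch before a message leaves the organization. The following Python snippet is an added example, not Compyl’s or Google’s code: it parses a message’s visible recipient headers (To and Cc) and flags any message in which two or more addresses outside the organization’s own domain can see each other. The domain `clinic.example` and the two sample messages are constructed placeholders.

```python
"""Flag outgoing mail that exposes external (e.g. patient) addresses to one another.

Added example, not part of the original article. Assumes the covered entity's
own mail domain is 'clinic.example' (placeholder); every other domain is treated
as external. Bcc is delivered but not shown to recipients, so it is not counted.
"""
from email import message_from_string
from email.utils import getaddresses

INTERNAL_DOMAIN = "clinic.example"  # placeholder for the organization's domain

# Constructed sample: two patients placed in To, visible to each other.
BAD_MESSAGE = """\
From: nurse@clinic.example
To: alice.patient@mail.example, bob.patient@mail.example
Cc: dr.lee@clinic.example
Subject: Appointment reminder

Please confirm your appointment.
"""

# Constructed sample: patients moved to Bcc, sender addresses itself in To.
GOOD_MESSAGE = """\
From: nurse@clinic.example
To: nurse@clinic.example
Bcc: alice.patient@mail.example, bob.patient@mail.example
Subject: Appointment reminder

Please confirm your appointment.
"""


def external_recipients(msg, field_names=("To", "Cc")):
    """Return external addresses found in the visible recipient fields.

    get_all() returns every instance of a header (a field may repeat);
    getaddresses() splits each value into (display name, address) pairs.
    """
    externals = []
    for name in field_names:
        for _display, addr in getaddresses(msg.get_all(name, [])):
            addr = addr.strip().lower()
            if addr and not addr.endswith("@" + INTERNAL_DOMAIN):
                externals.append(addr)
    return externals


def check_bcc_policy(raw_message):
    """Return (ok, externals).

    ok is False when two or more external addresses are visible to each
    other in To/Cc, which is the exposure the CC-for-group-mail mistake causes.
    """
    msg = message_from_string(raw_message)
    externals = external_recipients(msg)
    return len(externals) < 2, externals


if __name__ == "__main__":
    for label, raw in (("bad", BAD_MESSAGE), ("good", GOOD_MESSAGE)):
        ok, externals = check_bcc_policy(raw)
        verdict = "allow" if ok else "block: external addresses visible to each other"
        print(f"{label}: {verdict} {externals}")
```

Run as a pre-send hook or against a sent-mail export; a single external recipient in To is allowed, since that address is exposed only to the sender.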

Email Communications Can Still Violate HIPAA

Google Workspace encrypts internal emails, making it acceptable for communications with PHI, but only within your network. Outbound emails are not encrypted once they leave Workspace, so you need a third-party HIPAA-compliant solution for TLS-enabled or password-protected communications with patients. Many healthcare organizations require patients to log into an EHR platform instead.

Make Sure Your Gmail Is HIPAA Compliant


Gmail can be HIPAA compliant, but only if your personnel follow through on your organization’s efforts. Tracking internal adoption rates is essential. Compyl’s centralized integration, oversight, and auditing controls streamline compliance in healthcare. Discover how Compyl’s HIPAA compliance solutions can make your program more effective and efficient.
