This question comes up a lot to us when we begin discussing HIPAA and risk to patient data. Is Gmail HIPAA compliant? How can a Covered Entity or Business Associate communicate with patients via email? We will cover all of these and how email works so that you can make an informed decision about your own business situation.
Each organization needs to have a policy and procedure in place for using email. Items that need to be addressed in these policies should include:
- What type of information will be sent?
- What methods to transmit will be used? SMS, fax, email, etc.
- What will be done to ensure the confidentiality and integrity of the ePHI?
- Who is allowed to transmit ePHI?
- Can the transmissions be audited? In other words, can we know who sent what and when?
All of these should be documented in your own manual. And then your staff needs to be trained to use these policies. Its not enough to just have policies in place. Staff must be trained to follow them. You should also document the fact that they have been trained.
How does email work?
Whether email is sent from an online service like Gmail, Yahoo Mail, Hotmail, etc or via a client like Outlook, it works in much the same way. The email is created on the client and then sent across the internet until it reaches the destination server. Along the way, it will pass through many other servers. Each of these servers is able to make a copy of the email. This means that there are many potential breaches of ePHI by just sending one email.
And Gmail is a special case on its own. Google scans each incoming email for content so that is may better show you advertisements. this means that anything you send via to or from Gmail is scanned and read by Google. In 2017, Google revised this policy to say they would no longer scan personal emails but it didn't distinguish for business emails. This part seems to be left undefined. Regardless, your email is setting on Google's servers when you send or receive using Gmail. When you send, a copy is stored in your Sent Items. This means that the Gmail server will have direct access to the ePHI in this email.
In addition, sending ePHI using Gmail violates Gmail's own terms of service. Google doesn't want the liability so they make it a violation of their terms for you to even use Gmail for sending ePHI.
Protecting email using encryption
When discussing email security, the first term you will often hear is encryption. The problem is that there are two basic ways to use encryption to protect email and they are not the same or equal. We need to have a good understanding of this so we can ensure we are protecting email in a HIPAA compliant way.
The two basic methods of protecting email with encryption are transport encryption and content, or file, encryption. I'll break down both quickly to give you and overview.
Transport encryption creates a secure tunnel between your device (computer, phone, tablet, etc) to your email server (Gmail, hosted email, etc). This means that as the email moves from your device to the server, it is protected. However, once it reaches your email server, it is no longer encrypted. Once the email is sent from your email server to its destination server, the tunnel is no longer used. In some cases, services like Gmail will create a tunnel to other services like Hotmail. But this is the exception and not the rule. Regardless, every server the email passes through can read the email's content. Transport encryption is good for situations when you are using public WiFi or other public internet access. Your email wouldn't be visible to anyone that might me trying to listen to the internet traffic at that level.
At content, or file, encryption is more like wrapping the email in an unbreakable envelope as it moves along its path. Regardless of where it goes, it is encrypted. It is encrypted in your Sent Items and in your recipient's Inbox. This is a big difference to transport encryption because it protects the email when its at rest. At rest is when the email is stored or copied somewhere such as a Sent items box or Inbox. Transport encryption cannot protect information once it has been moved to its destination.
Why is this an issue? You will see many email providers offering "HIPAA compliant email". But many times all they are offering is transport encryption. If you were to send an email to the wrong person using transport encryption, the person would still be able to read it and a HIPAA breach would occur. The other reason this is an issue is that email security is hard and takes time and effort. Most people just don't want to put that effort into protecting their email. Security is often hard. Be skeptical when someone tells you that HIPAA or security can be made easy. If its secure, it isn't easy or convenient and if its easy, it isn't secure.
So, is Gmail HIPAA compliant?
Gmail, or any other standard email service, is not HIPAA compliant in their default configuration.Gmail uses transport encryption only and this is not sufficient to protect ePHI from breach. In addition, its against Google's own terms of service to use Gmail to send ePHI. Gmail should never be used to send ePHI to patients.
How can we make Gmail HIPAA compliant?
To make Gmail HIPAA compliant we have to make use of file level encryption such as PGP or GPG or a third party service. To be fair, this isn't specific to only Gmail and is for all standard email services such as Hotmail, Yahoo Mail. Its also not enough to use an encrypted email provider such as Proton Mail or Hushmail. These services will protect the email from your device to their server and while its on their server. But once it leaves their server, it loses protection. Both the sender and the recipient would need to be using these same provider and this isn't practical.
Google does offer its G Suite service that does include a HIPAA compliant version of Gmail. It is not free but it is very reasonably priced.By using G Suite, you will be able to keep using your familiar email format. In addition, Google will supply you with the necessary Business Associate Agreement. This is a requirement for any entity to be in compliance themselves.
You can learn more about G Suite here.
Hushmail also offers a HIPAA version of its service. It is also reasonably priced and will also supply a Business Associate Agreement. If you are a little more paranoid about your privacy, then Hushmail is a good choice for you.
You can learn more about Hushmail's HIPAA compliant mail service here.
This post should give you a good overview about how email works and why standard email services like Gmail are not HIPAA compliant. You don't need to spend a lot to be compliant for email and we gave some well known examples of services that can help entities of all sizes.
If you need any help with setting up your own HIPAA compliant email, please contact us at [email protected] or call us at 770-506-4383.
