Gmail is HIPAA compliant when an organization subscribes to a Google Workspace plan that supports HIPAA compliance and enters into a Business Associate Amendment with Google. However, it is not always necessary for Gmail to be HIPAA compliant in order to communicate PHI with a patient – or even between workplace colleagues.
If an organization uses any email service to collect, receive, store, or transmit PHI, it is a best practice to ensure the email service has capabilities to support compliance with the Security Rule, that the capabilities are configured to mitigate threats to the confidentiality, integrity, and availability of PHI, and that a Business Associate Agreement (BAA) is signed with the service vendor.
On the question of whether Gmail is HIPAA compliant, it is important to be aware that the free Gmail service lacks the capabilities to support HIPAA compliance and Google will not sign a BAA unless an organization subscribes to a Google Workspace plan. There are four Google Workspace plans to choose from, with the capabilities and features increasing with each step up in price.
Making Gmail HIPAA Compliant
There is not a lot of configuration required to make Gmail HIPAA compliant as most of the controls manage where shared files can be obtained from and who they can be shared with. It is also possible for system administrators to apply Data Loss Prevention policies to accounts in order to prevent PHI being disclosed accidentally or maliciously (i.e., if a user steals PHI and sends it to a private account).
The problem with subscribing to a Google Workspace plan to access a HIPAA compliant Gmail service is that the plan gives you access to a further fifteen services that also have to be configured to be HIPAA compliant if they are going to be used to create, receive, store, or transmit PHI without a patient’s consent (for provider-patient communications) or a patient’s authorization (for provider-provider communications). It is possible to disable them all, but then you will be wasting money on services you are unable to use.
Google’s Business Associate Agreement
If you are able to utilize more services in a Google Workspace plan than just Gmail and will use any service to create, receive, store, or transmit PHI without a patient’s consent/authorization, you will need to accept Google’s Business Associate Agreement. Due to the way in which Google provides a standard service for all customers, Google has one standard Business Associate Agreement for all customers and will not enter into a covered entity’s or business associate’s own BAA.
To review and accept Google’s Business Associate Agreement (also called an “Amendment” or “Addendum” in some Google documents), an administrator must sign in to the Google Admin Console and navigate to the “Security and Privacy Additional” terms section via the “Account Settings” and “Legal and Compliance” screens. Click on the “BAA” button to review the Agreement, click the “Review and Accept” button to accept the Agreement, and answer three questions to confirm the user’s HIPAA status. Finally, click “OK”.
The Difference Patient Consent/Authorization Makes
Under §164.522 of the Privacy Rule, patients have the right to request communications of PHI via a channel of their choice. Healthcare providers are required to accommodate “reasonable requests” (which imply consent); so, to deny a request to communicate PHI via an unsecure email service (i.e., a free Gmail service) would be a violation of HIPAA and the patient would be justified in making a complaint to HHS’ Office for Civil Rights.
With regard to the unsecure communication of PHI by free Gmail between workplace colleagues, if a scenario existed in which one member of a care team did not have access to a secure channel of communication (i.e., a frontline caregiver), it is possible for a healthcare provider to obtain an authorization from a patient to transmit their PHI for this single purpose via a non-compliant version of Gmail.
Conclusion – Using Gmail in Healthcare
Using Gmail in healthcare is a good idea if there are other services in a Workspace plan you are able to take advantage of. Furthermore, if you subscribe to a business plan, you are also able to use your domain name with the Gmail account to add credibility to email communications (i.e., healthcare@ABChospital.com rather than firstname.lastname@example.org).
If you are unable to use any of the other Workspace services (because they duplicate existing productivity and communication services), it can be a waste of money to subscribe to a business plan to make Gmail HIPAA compliant. It is far better to prohibit PHI in Gmail communications unless a patient requests or authorizes an unsecure email communication.
Organizations unsure about whether or not to make Gmail HIPAA compliant should assess the number of times Gmail – and other Workspace services – might be used to communicate PHI, analyze the risk of not making Gmail HIPAA compliant, and seek professional compliance advice if doubts persist.