(800) 441-6612    |    +1 (339) 368-5641
Secure Email,
Web and Form Solutions
Phone: 800-441-6612

Gmail and Google Apps: Not Really HIPAA Compliant Email

Share Post:

We are frequently approached by customers in need of HIPAA compliant email who are currently using Gmail or Google Apps, or who have users that are familiar with and like these services.   They would, of course, like to add HIPAA compliance without changing any of their business processes or habits.

For example, some customers may want to setup HIPAA compliant email with LuxSci and have those secure messages forwarded to Gmail, where they can access them in their “usual way”.  In general, this is a bad idea — this will almost always be non-compliant and leave them at significant risk for breaches, disclosure, and HIPAA liability.

No one who must abide by HIPAA should be accessing ePHI though Gmail or Google Apps.

Revision Note: This is not strictly true anymore (as of September, 2013)  as Google Apps now can afford customers some level of HIPAA compliance.  We have a new post on this topic that is more relevant than this older one.  See: Google Apps HIPAA Compliance Gotchas: Email encryption not included and higher price.

The remainder of this blog post is still has some relevance, so read it in the context that it was written before Google started offering Business Associate Agreements to paid Google Apps accounts.


Gmail Supports TLS and SSL … so why isn’t it Compliant?

Many commodity email services support SSL for access to their web site and TLS for inbound email transport encryption.  These are good things and help the Internet become a more secure place. However, while these technologies provide the HIPAA-required transport encryption when you access email using Gmail’s web interface and support optional inbound email transport encryption, many features are missing and most will probably never be added to Gmail.  These include:

Business Associate Agreement – #1 Biggest Reason

HIPAA Omnibusrequires that you have a signed Business Associate Agreement with any vendor (like Gmail or LuxSci) that may come into contact with your PHI. This includes email providers like LuxSci and Google, cloud providers like Amazon and Rackspace, and a whole host of other services provides.  Google does not sign contracts — you can’t even talk to them on the phone (without paying lots of money, at least).  No signed BAA means non-compliance, by definition, no matter what features you are using.

Enforced Outbound Email Encryption

Gmail – none. If you send email with ePHI to someone using your free Gmail account, it will usually go over the Internet to the recipient’s mail servers and folders in an insecure and unencrypted fashion, automatically violating HIPAA.  While Gmail supports opportunistic TLS for transmission encryption of outbound email, it will happily send that email without encryption if (a) the recipient’s servers do not support encryption, or (b) the encryption setup fails.

Google Apps – some: Google Apps users do have the option of using Google Message Encryption for enforcing encrypted outbound email.  This is a simple encryption system like the “Escrow” component of LuxSci’s more robust SecureLine encryption system — it will use a web-based email pickup service for recipients to get their secure messages.  It does not support enforced TLS delivery for TLS-supporting recipients and does not support PGP or S/MIME either.  Be wary of using policies that allow messages to be encrypted if they match certain policies or rules … as these leave the door open for PHI accidentally slipping out — Opt In Encryption is risky under Omnibus.

Calendars, Contacts, and More

Google does not ensure encryption for data stored in calendars, contacts, and other Apps.  Emailed calendar notices of appoints will be send without security, information can be easily shared with anyone without consideration for compliance and auditing.  The level of privacy and security obtainable under Gmail and Google Apps, at least with respect to HIPAA,  is minor when you start considering these other applications.  Certainly they should not be used for PHI at all — e.g. no Google Calendars for Doctor’s office appointments.


Google provides very limited auditing of connections and accesses to accounts.

Secure Business Policies

HIPAA requires that you will:

  1. Ensure secure tracking of stored data
  2. Ensure secure disposal of used hard drives and other media
  3. Ensure secure access to facilities
  4. Ensure all employees with access to any data are trained in and abide by HIPAA privacy standards. Gmail engineers have complete access to user data and do look at it.  See Google worker fired for stalking teens.

Google would need to follow all of the steps in the HIPAA Compliance checklist, and more.

Who owns and where is your data?

Google scans all your mail (and ePHI?) to provide ads and other information to you if you have a free account.  This data may be stored anywhere and in any format.

Some user data, such as documents and email messages, are scanned and indexed so your users can privately search for information in their own Google Apps accounts (free and paid).

While the data might not be tracked back to you easily, the data itself is the problem … HIPAA-compliant privacy of the data cannot be ensured within the Google infrastructure.

Furthermore, Gmail believes and has stated that you have no real expectation of email data privacy when using their services.

What happens to deleted data?

Unless you subscribe to Google’s email archival services, they do not provide any backups that can be used to recover data if it is deleted.

Google doesn’t like for you to delete data, ever.  They would prefer it stick around.  Private data, like ePHI, cannot be guaranteed to be removed from their servers even if you delete it from your account.  They state that “When you ask us to delete messages and content, we make reasonable efforts to remove deleted information from our systems within a commercially reasonable amount of time” … e.g. there is no expectation of when that could happen or where that data is after your account is closed.  Also, since they do not sign a HIPAA BAA, there is no penalty to Google if that data is used or disclosed improperly.

Google doesn’t appear to implement much in the HIPAA checklist in a way that would be fully compliant under Omnibus.  In the future, they may extend their security (as they have added SSL and TLS support and two-factor authentication) to give the appearance of more security.  However, it may never be cost effective for them to offer fully HIPAA- compliant email and to police their huge workforce to ensure that proper policies are obeyed.

Can Gmail be used for ePHI, ever?

We said above that use of Gmail will “almost always be non-compliant”.  Can Gmail be compliant, ever? This used to be a real a grey area before Ombibus was released.  It used to be argued that if the following conditions are present…

  1. All of the email that contains ePHI arrives at Gmail encrypted using an end-to-end encryption mechanism like PGP or S/MIME,
  2. You access that email from an email program, like Thunderbird, that allows you to decrypt the message once it is downloaded to your computer, and
  3. You never send outbound email though Gmail or use Google Apps with ePHI in Calendars or any other tools
  4. You use third party “add ons” to Google that ensure encryption of the email.

Then you might be OK.  Why? Because the ePHI would never be in an unencrypted form during its time at Google and none of Google’s servers or staff would be able to access the private data.

Why only “might” and why is this no longer a grey area?  Well, it was “might” because you could accidentally configure your program to send out though Google insecurely or have poor policies that allow PHI to be not encrypted. Or, you could have ePHI arrive that is not encrypted using PGP or S/MIME. Your HIPAA auditors would not like having Google in the loop because your data is there in your own account, encrypted or not, and thus should be protected by all of the other HIPAA checklist items…  This was a grey area and we recommended that you consult your lawyer to be sure — as you should do with regards to all HIPAA questions. It is not really a grey area anymore as the Omnibus rule requires that vendors like Google sign Business Associate Agreements even in cases like these, and Google does not do that. E.g., you can no longer be HIPAA compliant just by “configuring” a service provider appropriately.

What about sending email to recipients who use Gmail or Google apps?

Individuals (i.e. patients) who receive ePHI in their Gmail account are OK.  Why?

  1. Individuals are not required to comply with HIPAA, so they do not have to worry about the privacy of their personal health information (or that of their friends and family) — as least with regards to the law.  They should worry about it and not give it out nonetheless.  So, use of Gmail for reading that information and even forwarding it on to others is “OK”.
  2. Organizations that send ePHI email TO them at Gmail are required to comply with HIPAA.  That just means sending ePHI messages to Gmail users in a way that ensures the messages are delivered to these recipients securely.  That could be done by using forced TLS for delivery, or by other means like a secure message pickup solution.  Once the message is delivered securely and in the user’s “hands”, the responsibility of the sending organization is complete.

A Note of Caution: If your organization must be HIPAA compliant and you have staff who forward ePHI to their own Gmail or Google Apps accounts (or other accounts at non-compliant email providers), then they are making your organization non-complaint and setting your organization up for possible liability if there should be a breach in the privacy of that information.  This is why, for example, LuxSci’s HIPAA agreements state (see section 4.1) that customers must only forward their own email to other accounts of theirs that are also compliant.  This should be a part of your organizations internal HIPAA policies as well.


Leave a Comment

You must be logged in to post a comment.

Security Certifications TRUSTe EU Safe Harbor Thawte Extended Validation SSL Certificate McAfee Secure Authorize.net Merchant
• Access Anywhere
• Fast and Robust
• Super Secure
• Tons of Features
• Customizable
• Mobile Friendly

Send and receive email from your favorite programs, including:

 Microsoft Outlook
 Mozilla Thunderbird
 Apple Mail
 Windows Mail

... Virtually any program that supports POP, IMAP, or SMTP

Keep your email, contacts, and calendars in sync:

 Apple iPhone and iPad
 Android Devices
 Windows Phone

... Any device with Exchange ActiveSync (EAS) support

Relay your server's mail through LuxSci via smarthost:

• Resolve issues with ISP sending limits and restrictions
• Improve deliverability with better IP reputation and IP masking
• Take advantage of Email Archival and HIPAA Compliance
• Even setup smarthosting from Google Apps!

Free web site hosting with any email account:

• Start with up to 10 web sites and MySQL databases
• DNS services for one domain included
• Tons of features and fully HIPAA capable

LuxSci's focus on security and privacy:

• Read The Case for Email Security
• Read Mitigating Security & Privacy Threats
• Review our Privacy Policy

The most accurate, flexible, and trusted filters in the business:

• Premium protection with Intel Security Saas
• Realtime virus database guards against the latest threats
• Seven-day quarantine lets you put eyes on every filtered email
• Supplement with our Basic Spam Filter for even more features

End-to-end secure email encryption — to anyone, from anyone:

• No setup required — encryption is automatic and easy to use
• Secure outbound email with TLS, PGP, S/MIME, or Escrow
• Free inbound encryption via our SecureSend portal
• Independent of your recipient's level of email security
• Widely compatible and fully HIPAA Compliant

Add an extra layer of security with an SSL Certificate:

• Secure your web site
• Debrand LuxSci WebMail with your own secure domain
• Access secure email services via your own secure domain

Encrypt your service traffic via secure tunnel:

• Add another layer of security to your SSL connections
• WebMail, POP, IMAP, SMTP, web/database access
• SecureForm posts, SecureLine Escrow, SecureSend access
• Restrict your account to VPN access only

Secure long-term message archival:

• Immutable, tamperproof email retention with audit trails
• No system requirements — minimal setup, even less upkeep
• Realtime archival of all inbound and outbound messages
• Works anywhere — even with non-LuxSci email hosting

Free data backups included with all email hosting accounts:

• Automatic backups of all email, WebAides, web/database data
• Seven daily backups and up to four weekly backups
• Unlimited restores included at no additional cost
• Custom backup schedules for dedicated servers

Automate your email management:

• Save messages to specific folders or to LuxSci WebAides
• Advanced text scanning with regular expressions
• Tag messages, alter subject lines, or add custom headers
• Filter by message charset, type, TLS status, DKIM status
• Chain filters together for even more complex actions

• Bulk add and edit users, aliases and more
• Control sharing and access globally or on a granular level
• Delegate user roles through permissions
• Configure account-wide taglines, sending restrictions, and more
• Remotely administer account via SOAP API

Share, collaborate, organize, synchronize:

• Calendars, Contacts, Documents, Notes, Widgets, Workspaces
• Fine-grained access control and security
• Access anywhere via secure web portal or smartphone
• Save over solutions like Microsoft Exchange

Free folder sharing for all email hosting accounts:

• Share mail folders with other users in your account
• Subscribe to only the folders you want to see
• Set read-only or read-write access control
• View all personal and shared folders via unified web interface

Color code and label your email messages:

• Define and assign multiple IMAP keywords to each message
• Filter, search, and sort by tags
• Compatible and synchronizes with any IMAP email client
• Also usable with WebAide entries