Gmail and Google Apps: Not Really HIPAA Compliant Email
We are frequently approached by customers in need of HIPAA compliant email who are currently using Gmail or Google Apps, or who have users that are familiar with and like these services. They would, of course, like to add HIPAA compliance without changing any of their business processes or habits.
For example, some customers may want to set up HIPAA compliant email with LuxSci and have those secure messages forwarded to Gmail, where they can access them in their “usual way”. In general, this is a bad idea — it will almost always be non-compliant and leave them at significant risk for breaches, disclosure, and HIPAA liability.
No one who must abide by HIPAA should be accessing ePHI through Gmail or Google Apps.
Revision Note: This is not strictly true anymore (as of September, 2013) as Google Apps now can afford customers some level of HIPAA compliance. We have a new post on this topic that is more relevant than this older one. See: Google Apps HIPAA Compliance Gotchas: Email encryption not included and higher price.
The remainder of this blog post still has some relevance, so read it in the context that it was written before Google started offering Business Associate Agreements to paid Google Apps accounts.
Gmail Supports TLS and SSL … so why isn’t it Compliant?
Many commodity email services support SSL for access to their web site and TLS for inbound email transport encryption. These are good things and help the Internet become a more secure place. However, while these technologies provide the HIPAA-required transport encryption when you access email using Gmail’s web interface and support optional inbound email transport encryption, many features are missing and most will probably never be added to Gmail. These include:
Business Associate Agreement – #1 Biggest Reason
HIPAA Omnibus requires that you have a signed Business Associate Agreement with any vendor (like Gmail or LuxSci) that may come into contact with your PHI. This includes email providers like LuxSci and Google, cloud providers like Amazon and Rackspace, and a whole host of other service providers. Google does not sign contracts — you can’t even talk to them on the phone (without paying lots of money, at least). No signed BAA means non-compliance, by definition, no matter what features you are using.
Enforced Outbound Email Encryption
Gmail – none. If you send email with ePHI to someone using your free Gmail account, it will usually go over the Internet to the recipient’s mail servers and folders in an insecure and unencrypted fashion, automatically violating HIPAA. While Gmail supports opportunistic TLS for transmission encryption of outbound email, it will happily send that email without encryption if (a) the recipient’s servers do not support encryption, or (b) the encryption setup fails.
Google Apps – some: Google Apps users do have the option of using Google Message Encryption for enforcing encrypted outbound email. This is a simple encryption system like the “Escrow” component of LuxSci’s more robust SecureLine encryption system — it uses a web-based email pickup service for recipients to get their secure messages. It does not support enforced TLS delivery for TLS-supporting recipients and does not support PGP or S/MIME either. Be wary of configurations that only encrypt messages matching certain content policies or rules … these leave the door open for PHI accidentally slipping out — Opt In Encryption is risky under Omnibus.
Calendars, Contacts, and More
Google does not ensure encryption for data stored in calendars, contacts, and other Apps. Emailed calendar notices of appointments will be sent without security, and information can be easily shared with anyone without consideration for compliance and auditing. The level of privacy and security obtainable under Gmail and Google Apps, at least with respect to HIPAA, is minor when you start considering these other applications. Certainly they should not be used for PHI at all — e.g. no Google Calendars for Doctor’s office appointments.
Google provides very limited auditing of connections and accesses to accounts.
Secure Business Policies
HIPAA requires that you will:
- Ensure secure tracking of stored data
- Ensure secure disposal of used hard drives and other media
- Ensure secure access to facilities
- Ensure all employees with access to any data are trained in and abide by HIPAA privacy standards. Gmail engineers have complete access to user data and do look at it. See Google worker fired for stalking teens.
Google would need to follow all of the steps in the HIPAA Compliance checklist, and more.
Who owns and where is your data?
Google scans all your mail (and ePHI?) to provide ads and other information to you if you have a free account. This data may be stored anywhere and in any format.
Some user data, such as documents and email messages, are scanned and indexed so your users can privately search for information in their own Google Apps accounts (free and paid).
While the data might not be tracked back to you easily, the data itself is the problem … HIPAA-compliant privacy of the data cannot be ensured within the Google infrastructure.
Furthermore, Gmail believes and has stated that you have no real expectation of email data privacy when using their services.
What happens to deleted data?
Unless you subscribe to Google’s email archival services, they do not provide any backups that can be used to recover data if it is deleted.
Google doesn’t like for you to delete data, ever. They would prefer it stick around. Private data, like ePHI, cannot be guaranteed to be removed from their servers even if you delete it from your account. They state that “When you ask us to delete messages and content, we make reasonable efforts to remove deleted information from our systems within a commercially reasonable amount of time” … i.e. there is no expectation of when that could happen or where that data is after your account is closed. Also, since they do not sign a HIPAA BAA, there is no penalty to Google if that data is used or disclosed improperly.
Google doesn’t appear to implement much in the HIPAA checklist in a way that would be fully compliant under Omnibus. In the future, they may extend their security (as they have added SSL and TLS support and two-factor authentication) to give the appearance of more security. However, it may never be cost effective for them to offer fully HIPAA-compliant email and to police their huge workforce to ensure that proper policies are obeyed.
Can Gmail be used for ePHI, ever?
We said above that use of Gmail will “almost always be non-compliant”. Can Gmail be compliant, ever? This used to be a real grey area before Omnibus was released. It used to be argued that if the following conditions were present…
- All of the email that contains ePHI arrives at Gmail encrypted using an end-to-end encryption mechanism like PGP or S/MIME,
- You access that email from an email program, like Thunderbird, that allows you to decrypt the message once it is downloaded to your computer,
- You never send outbound email through Gmail or use Google Apps with ePHI in Calendars or any other tools, and
- You use third party “add ons” to Google that ensure encryption of the email.
Then you might be OK. Why? Because the ePHI would never be in an unencrypted form during its time at Google and none of Google’s servers or staff would be able to access the private data.
Why only “might” and why is this no longer a grey area? Well, it was “might” because you could accidentally configure your program to send out through Google insecurely or have poor policies that allow PHI to go unencrypted. Or, you could have ePHI arrive that is not encrypted using PGP or S/MIME. Your HIPAA auditors would not like having Google in the loop because your data is there in your own account, encrypted or not, and thus should be protected by all of the other HIPAA checklist items… This was a grey area and we recommended that you consult your lawyer to be sure — as you should do with regards to all HIPAA questions. It is not really a grey area anymore as the Omnibus rule requires that vendors like Google sign Business Associate Agreements even in cases like these, and Google does not do that. I.e., you can no longer be HIPAA compliant just by “configuring” a service provider appropriately.
What about sending email to recipients who use Gmail or Google apps?
Individuals (i.e. patients) who receive ePHI in their Gmail account are OK. Why?
- Individuals are not required to comply with HIPAA, so they do not have to worry about the privacy of their personal health information (or that of their friends and family) — at least with regards to the law. They should worry about it and not give it out nonetheless. So, use of Gmail for reading that information and even forwarding it on to others is “OK”.
- Organizations that send ePHI email TO them at Gmail are required to comply with HIPAA. That just means sending ePHI messages to Gmail users in a way that ensures the messages are delivered to these recipients securely. That could be done by using forced TLS for delivery, or by other means like a secure message pickup solution. Once the message is delivered securely and in the user’s “hands”, the responsibility of the sending organization is complete.
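The difference between opportunistic TLS (the Gmail behaviour described earlier) and the “forced TLS for delivery” mentioned above, shown as an added configuration example that is not part of the original post or of LuxSci’s own setup. It assumes Postfix is the sending MTA; the recipient domains and the CA bundle path are placeholders.

```ini
# /etc/postfix/main.cf  (WEAK: opportunistic TLS, the behaviour described above)
# "may" attempts STARTTLS but silently falls back to plaintext when the
# recipient offers no STARTTLS or the handshake fails, so ePHI can leave
# the organization unencrypted without anyone noticing.
smtp_tls_security_level = may
smtp_tls_loglevel = 1

# /etc/postfix/main.cf  (HARDENED: mandatory TLS for PHI-receiving domains)
# Keep "may" as the default for ordinary mail, but override it per
# destination through a policy table so PHI recipients never get plaintext.
smtp_tls_security_level = may
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
# Placeholder path: point this at your distribution's trusted CA bundle.
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_loglevel = 1

# /etc/postfix/tls_policy  (placeholder domains)
# Rebuild the lookup table after editing: postmap /etc/postfix/tls_policy
#
# "encrypt": STARTTLS is required. If it is not offered or the handshake
#            fails, the message is deferred and retried, never sent in clear.
# "secure":  as "encrypt", plus the server certificate must chain to a CA in
#            smtp_tls_CAfile and match the recipient domain (or a subdomain),
#            so a spoofed MX cannot terminate the TLS session.
partner-clinic.example              encrypt
records.example-hospital.example    secure
```

With the hardened policy in place, a recipient domain that stops offering STARTTLS shows up in the mail log as a deferred delivery (Postfix reports that TLS is required but was not offered) instead of a successful plaintext send, which is the condition a compliance review should be alerting on.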
A Note of Caution: If your organization must be HIPAA compliant and you have staff who forward ePHI to their own Gmail or Google Apps accounts (or other accounts at non-compliant email providers), then they are making your organization non-compliant and setting your organization up for possible liability if there should be a breach in the privacy of that information. This is why, for example, LuxSci’s HIPAA agreements state (see section 4.1) that customers must only forward their own email to other accounts of theirs that are also compliant. This should be a part of your organization’s internal HIPAA policies as well.