Outbound Email Encryption for Google Workspace

October 5th, 2021

Google Workspace is one of the world’s most popular email platforms. Although it is more than adequate for basic email correspondence, Gmail does not come configured to meet HIPAA email security requirements. To use Google Workspace in a HIPAA-compliant manner, you need to use a third-party connector to secure your communications.

outbound email encryption for google

Is Sending Email from Google HIPAA-Compliant?

At a glance, it seems like Google Workspace is HIPAA-compliant. They provide a Business Associate Agreement, but signing it is not enough to guarantee HIPAA compliance. When you read the BAA closely, it states (as of August 25, 2021):

“Customer acknowledges that this BAA does not apply to (a) any other Google product, service, or feature that is not a Covered Service; or (b) any PHI that Customer creates, receives, maintains, or transmits outside of the Covered Services.” (emphasis ours).

This means that although patient information may be safe inside Google’s covered services (like Gmail), transmitting PHI outside of Google is not secure. If you want to send emails that contain PHI, they are not covered under the terms of Google’s BAA. If you send insecure emails from Gmail, you will be responsible for the breach. However, Gmail can be compliant if you use a third-party HIPAA-compliant solution to encrypt your outbound emails.

How to encrypt outbound emails from Google Workspace

Google Workspace users can configure their accounts to use a third party “SMTP Relay.” Once set up, all email messages sent from configured addresses are routed from Google to the third party’s (i.e. LuxSci’s) email server. To LuxSci, it looks like you have connected securely from an email program to send outbound email. It just so happens that the “email program” is Google.

Once LuxSci authenticates the user and receives the message, it performs all of the usual outbound email processing tasks that have been setup for your LuxSci account. These could include:

  1. Encryption: HIPAA-compliant outbound email encryption.
  2. Capturing: Sending copies of outbound email to another address.
  3. Tag Lines: Adding custom tag lines and/or disclaimers to all outbound email.
  4. Content Monitoring: Scan outbound email for specific text or regular expressions and block or encrypt matching messages.
  5. Recipient Restrictions: Controlling to whom messages can be sent.
  6. Outbound Email Filtering: Combined with our Premium Email Filtering, you can have outbound email scanned for viruses, content, and other unwanted features.
  7. Archival: Archive copies of all outbound email for compliance and/or business purposes.
  8. Tracking: LuxSci tracks the delivery status and properties for each message to each recipient. Once your email is relayed through LuxSci you can view reports and/or have emailed digests sent to you to monitor your messages. This includes message sending failures and SPAM reports.

What to Look for When Choosing an Outbound Email Encryption Provider

There are many different providers who can secure your outbound emails. However, LuxSci’s SecureLine encryption technology provides the flexibility needed to meet any emailing use case while staying secure and compliant. LuxSci’s Secure Connector is different in two major ways.

First, for customers who need to comply with HIPAA, we automatically encrypt every email with TLS. This reduces the chance of employees accidentally sending PHI without the appropriate safeguards. Emails sent via TLS encryption appear like a normal email in the recipients’ inboxes. No passwords or logins are required to retrieve messages sent via TLS. Administrators can choose to allow users to “opt-out” of encryption by switching a toggle, but the default setting is to encrypt all emails.

Second, LuxSci’s SecureLine encryption allows the email sender to choose more secure types of encryption for emails that contain highly sensitive PHI. For example, it may be advisable to send medical records or test results via a portal pick-up method of encryption so that they are inaccessible if an unauthorized person gains access to the recipient’s inbox.

It’s important to find a balance between security and usability in whatever method of outbound email encryption you choose.

To Set Up Outbound Email Encryption for Gmail at LuxSci

Once your Google Workspace account has been set up, your administrator should be sure that “Outbound Relaying” is permitted for the account users.

Next, purchase a LuxSci Secure Connector account. Add any additional features and settings that you may need, such as:

  • HIPAA compliance
  • Email archival
  • A number of users equal to the number of people that will be relaying through LuxSci from Google.
  • Specify the domain name(s) for the email address(es) that these people will be using for relaying through LuxSci. You cannot use gmail.com as a domain name for Secure Connector.

Once your LuxSci account has been set up and the users created, your individual Google users can add this as a new account in their Gmail interface. We will provide step-by-step instructions to help you get set up quickly.

Once you’ve added and confirmed your LuxSci SMTP account, you will be able to select me@mydomain.com as the “From” address of messages you compose in Google. Any message sent using this From address will automatically be relayed through your LuxSci secure SMTP server.

Troubleshooting Issues with Outbound Email Encryption

SPF Records: Google likes you to add SPF records for your domain to validate which servers are allowed to send email for your domain. If you use LuxSci as described here, you will need to add LuxSci to your SPF record as well. Simply add “include:luxsci.com” inside of your existing SPF records, and you will be all set.

Google does not provide much assistance with compliance configuration. If you use outbound email encryption instead of HIPAA-compliant email hosting services, it’s essential to train employees. Also, institute some means of reviewing each user’s individual Google login to be sure that the settings meet your internal guidelines. This kind of review should be periodic, and even better, somewhat random (like a drug test).

If you need help configuring your Google Workspace account for HIPAA compliance, LuxSci is here to help.