Four key points on HIPAA compliant emails
- The messages you send to others need to be encrypted during transit/transport
- Correspondents on non-compliant hosts must still have a way to send secure messages to you
- You must validate that you are only communicating with the intended party (part of the Privacy Rule)
- You need to confirm that email cannot be intercepted (confidentiality aspect), and this is where encryption plays a key role
Gmail supports opportunistic TLS
Encryption at rest is a default setting in Gmail. If you use the free email service, your email is already encrypted at rest. However, once your email leaves Google’s servers, encryption may no longer be applied.
In one of its blog posts, Google says: "Gmail has always supported encryption in transit using TLS, and will automatically encrypt your incoming and outgoing emails if it can." It goes on to say: "[...] it's really important that other services take similar measures to protect your messages, not just Gmail."
Gmail supports opportunistic TLS. The sending server attempts to deliver the message over an encrypted connection, but if the receiving server does not offer encryption, the message is transmitted in plaintext.
Opportunistic TLS is a reasonable choice for personal Gmail use. For business communication and messages of a sensitive nature it is insufficient: you have no control over your email once it has been handed to the recipient's server, and you have no way to be sure that any particular message was sent securely.
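The difference between opportunistic and enforced TLS comes down to one decision the sending server makes after reading the receiving server's EHLO reply. The example below is added here and is not Google's, Gmail's or LuxSci's code; it parses constructed EHLO replies (the hostnames `mx.example.net` and `mx.legacy.example` are made up) and shows that an opportunistic sender delivers in plaintext when STARTTLS is absent, while an enforced policy refuses delivery instead. The optional `starttls_offered` helper uses the standard library `smtplib` to run the same check against a real host you operate.

```python
"""Opportunistic vs. enforced TLS for outbound SMTP (added example, runs offline)."""
import smtplib
from dataclasses import dataclass

# Constructed EHLO replies, as a receiving server would send them (not captured traffic).
TLS_CAPABLE = (
    "250-mx.example.net Hello\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME"
)
PLAINTEXT_ONLY = (
    "250-mx.legacy.example Hello\r\n"
    "250-SIZE 10485760\r\n"
    "250 8BITMIME"
)


@dataclass
class Outcome:
    delivered: bool   # was the message handed to the receiving server?
    encrypted: bool   # was the session upgraded with STARTTLS first?
    reason: str


def parse_ehlo(response: str) -> set:
    """Return the capability keywords advertised in a multi-line EHLO reply.

    Every line starts with '250-' (more to follow) or '250 ' (last line); the
    first line carries the server's hostname rather than a capability.
    """
    caps = set()
    for index, line in enumerate(response.splitlines()):
        if not line.startswith("250") or index == 0:
            continue
        body = line[4:].strip()
        if body:
            caps.add(body.split()[0].upper())
    return caps


def decide(response: str, policy: str) -> Outcome:
    """Apply the sending server's TLS policy to what the receiver advertised.

    'opportunistic' is the Gmail behaviour described above: encrypt if offered,
    otherwise send anyway. 'enforced' never falls back to plaintext.
    """
    if "STARTTLS" in parse_ehlo(response):
        return Outcome(True, True, "STARTTLS offered; session encrypted before DATA")
    if policy == "opportunistic":
        return Outcome(True, False, "no STARTTLS offered; message sent in plaintext")
    if policy == "enforced":
        return Outcome(False, False, "no STARTTLS offered; delivery refused")
    raise ValueError(f"unknown policy: {policy}")


def starttls_offered(host: str, port: int = 25, timeout: float = 10.0) -> bool:
    """Live check of your own MX: does its EHLO reply advertise STARTTLS?

    Not exercised by the offline demo; run it only against servers you operate.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        conn.ehlo()
        return conn.has_extn("starttls")


if __name__ == "__main__":
    for name, reply in (("tls-capable", TLS_CAPABLE), ("plaintext-only", PLAINTEXT_ONLY)):
        for policy in ("opportunistic", "enforced"):
            print(name, policy, decide(reply, policy))
```

Note that the opportunistic branch cannot tell a receiving server that genuinely lacks TLS from one whose advertised capabilities were altered somewhere on the path, which is exactly why the sender "has no way to be sure" a given message went out encrypted; only an enforced policy (or an end-to-end scheme such as S/MIME) removes that uncertainty. Advertised STARTTLS also says nothing about whether the certificate was verified, which the example deliberately leaves out.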
Gmail is secure up to a point, but it does not offer a native email encryption solution. It is certainly not HIPAA compliant, nor can it be made HIPAA compliant, because Google will not sign a Business Associate Agreement (BAA) with free Gmail users.
Gmail does offer some add-ons, but for advanced features you have no choice but to purchase G Suite.
Is G Suite the solution to HIPAA compliance?
The paid service G Suite – formerly known as Google Apps – is a collection of popular Google apps for business, including Google Calendar, Gmail and Google Drive.
G Suite users can sign a BAA with Google. But there is a catch: you bear all responsibilities related to the contract, and managing every step to compliance can be confusing. Importantly, to be compliant you must ensure that all messages you send are encrypted in transit and that anyone on a non-compliant host can still send you secure messages.
G Suite administrators can set up rules requiring outgoing messages to be sent with S/MIME encryption. But that feature is available only with G Suite Enterprise, which costs $25/user/month, and most recipients are not set up to use S/MIME. G Suite does not include any native email encryption solution that lets you email anyone in a compliant manner. G Suite users who require HIPAA compliance for email must use a third-party solution to encrypt their outbound email (this is often called "smart hosting"). G Suite also offers no option that would enable people to send HIPAA-compliant messages to you.
And even though you can be HIPAA compliant with G Suite, you will most probably need expert technical guidance to make your G Suite account compliant.
Google scans emails
Google automatically scans email for purposes such as spam filtering and security, and this is true whether you are a Gmail or a G Suite user. Although the company gives assurance that the content is never read by a person, the risk that arises from scanning email remains.
Although Google no longer scans email for keyword research, the company helps email marketers (some of whom are spammers) by showing images in email messages by default. Images matter to marketers because they carry tracking codes that reveal who has viewed the email. Details such as which recipients opened the email, and when, help marketers measure the success of their campaigns. Suffice it to say, numerous software products make light work of tracking email users' behavior.
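Tracking images of the kind described above are usually remote, one pixel in size or hidden, and carry a per-recipient token in their URL. The example below is added here and is not Google's or LuxSci's code; it scans a constructed HTML email (the domains `cdn.example`, `track.example` and the token `u=abc123` are made up) with the standard library HTML parser and reports which images fit the tracking-pixel pattern, which is the check a mail gateway or client applies before deciding to block remote image loads.

```python
"""Flag tracking pixels in an HTML email body (added example, runs offline)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body: one ordinary logo, one inline attachment, one tracking pixel.
SAMPLE_EMAIL = """
<html><body>
  <img src="https://cdn.example/logo.png" width="200" height="60" alt="logo">
  <p>Your appointment is confirmed.</p>
  <img src="cid:signature-image" width="120" height="40">
  <img src="https://track.example/o.gif?u=abc123" width="1" height="1" style="display:none">
</body></html>
"""


class ImageCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): v for k, v in attrs})


def _tiny(value):
    """True for width/height values of 0 or 1 (with or without a 'px' suffix)."""
    if value is None:
        return False
    return value.strip().lower().removesuffix("px") in ("0", "1")


def find_tracking_images(html: str) -> list:
    """Return (src, reasons) for each remote image that looks like a tracker.

    Inline 'cid:' and data: images never leave the mailbox, so they cannot
    report an open and are skipped. A remote image is flagged when it is tiny
    or hidden; a query string in its URL is recorded as a further indicator.
    """
    collector = ImageCollector()
    collector.feed(html)
    flagged = []
    for img in collector.images:
        src = img.get("src") or ""
        url = urlparse(src)
        if url.scheme not in ("http", "https"):
            continue
        reasons = []
        if _tiny(img.get("width")) and _tiny(img.get("height")):
            reasons.append("1x1 or zero-size image")
        style = (img.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        if reasons and url.query:
            reasons.append("per-recipient token in URL")
        if reasons:
            flagged.append((src, reasons))
    return flagged


def remote_image_count(html: str) -> int:
    """How many images would trigger a network request if loaded by default."""
    collector = ImageCollector()
    collector.feed(html)
    return sum(
        1 for img in collector.images
        if urlparse(img.get("src") or "").scheme in ("http", "https")
    )


if __name__ == "__main__":
    for src, reasons in find_tracking_images(SAMPLE_EMAIL):
        print(src, "->", ", ".join(reasons))
    print("remote images:", remote_image_count(SAMPLE_EMAIL))
```

Every remote image, not only the flagged ones, reveals the reader's IP address and the time of opening when it is fetched, so the practical mitigation is the one the passage implies: do not load remote images by default, and treat the flagged ones as confirmation that a message was built to track its recipients.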
Third-party encryption is essential
If you decide to go with G Suite, you still need a third party to configure it so that outbound email is encrypted before it is transmitted to recipients. LuxSci's smart hosting solves this problem and meets HIPAA rules by encrypting email with SecureLine. You do not have to change any settings and can continue sending and receiving email as you normally do. Smart hosting is also a recommended encryption solution if you use Office 365 or an in-house Exchange server.
In this case you will be paying for both G Suite and our encryption service. An email service purpose-designed for HIPAA compliance is a smarter solution: LuxSci's Secure Email comes with features that protect ePHI and adhere to HIPAA's privacy and confidentiality requirements. Note that under no circumstances, even with a partner like LuxSci encrypting your outbound email, is regular free Gmail HIPAA compliant.