Making Google Apps / G Suite HIPAA Compliant

Free Gmail is not HIPAA compliant and cannot be made HIPAA compliant. It should never be used in any context where HIPAA compliance is required. However, Google Apps (now called G Suite) can be HIPAA compliant if you sign a HIPAA Business Associate agreement with Google (see how). However, Google does not actually include email encryption with G Suite; they do not even sell email encryption.

If you want to stick with G Suite and not migrate to an email provider that specializes in HIPAA-compliant email, the only solution is to purchase outbound HIPAA-compliant email encryption through a specialized third-party, such as LuxSci, and configure G Suite such that all of your outbound email messages are relayed through LuxSci for encryption before being sent off to their recipients.

To use LuxSci or smart host encryption of your your G Suite outbound email, you would:

  1. Sign up for a HIPAA-compliant Email Smart Hosting Account with LuxSci.
  2. Order services for the domain(s) you have set up in G Suite and for the same number of users that you have in G Suite
  3. Setup your LuxSci account so that all of your users and domains are created. There needs to be a one-to-one relationship between users in LuxSci and users in G Suite, for tracking, auditing, and authentication purposes.
  4. Flip a switch enabling your LuxSci account to accept email relayed from G Suite
  5. Flip a switch in G Suite to send your outbound email to LuxSci.
  6. Done!

Try LuxSci: 30-day money-back guarantee.

How Does HIPAA Apply to Email?

While you may be accustomed to Google's email services, using them and staying HIPAA-compliant is not that simple.

HIPAA regulations are purposely vague to give businesses flexibility in how they protect patient information. This allows them to use the technology and processes that suit their unique situations.

This lack of clarity can make the regulations confusing, but it serves a purpose, because the appropriate protections for one company may be completely different to those of another. There are certain practices that may not be necessary for compliance, but they can make some aspects of the regulation easier to meet.

Encryption

HIPAA regulations state that PHI should be encrypted "whenever deemed appropriate." The requirements will vary depending on each company's size, complexity, software, hardware, technical infrastructure, the risks that it faces and the costs of various security measures.

The Department of Health and Human Services states that when PHI is transmitted from one point to another it must be protected in a manner commensurate with the associated risk. Risk analyses should be undertaken, and communications should be encrypted where ever there is a significant risk of unauthorized access.

At the very least, emails containing PHI need to be encrypted once they leave the company firewall. While doing this can make some businesses compliant, it is far from the best approach. Many companies find it more beneficial to go beyond the bare-bones expectations of HIPAA and implement National Institute of Standards and Technology (NIST) compliant encryption instead.

NIST guidelines recommend using the TLS protocol to protect PHI and prevent unauthorized access. For complete end-to-end email encryption, S/MIME and OpenPGP enable both encryption and digital signatures, which can authenticate the contents and provide confidentiality.

Following the NIST guidelines can be more beneficial than just complying with the HIPAA minimums. If PHI is accessed in an unauthorized manner, you may be obliged to report it to the relevant parties. If the information is encrypted to NIST standards, it is generally not considered insecure PHI, meaning that it does not need to be reported or the consequences of a breach are significantly diminished.

Business Associate Agreement

HIPAA's Privacy Rule includes provisions for how companies can work alongside other businesses. If ePHI will be involved in the collaboration between the two businesses, they must sign a business associate agreement (BAA) beforehand.

These agreements are contracts that stipulate the terms under which PHI can be processed by the other company, the business associate. They require the business associate to have adequate safeguards in place to protect the PHI, specify how the business associate may use the PHI, stipulate that they must not disclose the information, as well as placing several other conditions.

If you use an external email provider to send ePHI, you will need to sign a BAA with them to be HIPAA compliant. This agreement will legally bind them to treat the PHI of your customers appropriately.

Gmail vs G Suite

When asking whether Gmail is HIPAA compliant, we need to be certain of which Google service we are talking about. Gmail is Google's personal email option that many people have used at some stage of their lives.

It is not possible to make Gmail HIPAA compliant, because Google will not sign a BAA for Gmail users. Another issue is Google's automated processing -- they essentially scan every email and use the data for marketing purposes -- which obviously goes against HIPAA requirements.

Google also offer G Suite, formerly known as Google Apps. It is a paid service which is targeted towards businesses rather than individuals. It is possible to be HIPAA-compliant with G Suite, but the process isn't particularly straight-forward or cheap.

The minimum monthly G Suite plan currently goes for $5 per user, but it is not automatically configured to be HIPAA-compliant. Once you sign your BAA, you still need to set it up properly to meet the regulations. The BAA leaves most of the responsibility up to the users, and the necessary steps towards compliance can be confusing.

To make G Suite HIPAA-compliant, you need to make sure that all of your messages are encrypted during transit, and that those using non-compliant hosts can also send secure messages to you. Google does not provide any native email encryption solution. Everyone using G Suite for HIPAA-compliant email must purchase email encryption through a third party and configure G Suite to relay their outbound email through that encryption gateway provider.

These factors make G Suite a complicated and expensive option for HIPAA-compliant email. You may find that an email service that is tailored towards HIPAA-compliance is an easier and cheaper option. LuxSci's Secure Email safeguards your ePHI and offers a number of extra security features.

Combining G Suite with Third Party Smart Hosting

While it can be inconvenient and expensive to become HIPAA-compliant with G Suite, some users may be too accustomed to the interface to make the switch. One option that enables users to keep the Google email client and also makes it easier to meet the regulations is to use LuxSci's Smarthost service. This allows you to route your G Suite email through our email servers.

It's easy to integrate LuxSci's Smart Hosting with G Suite. You just need a LuxSci email account with users that correspond to your G Suite users. Once smart hosting is enabled in LuxSci, your outbound email flows though our servers, without the need to configure each user.

Using LuxSci's Smart Hosting gives you outbound email encryption and other email processing and content scanning features, and a potentially better IP reputation. It also enables you to archive your emails, helping you keep the necessary records to comply with HIPAA.

LuxSci's Smart Hosting offers its users TLS security as well as authentication. Our advanced plan also offers outbound email encryption, support for HIPAA-compliant sending, and WebMail.

Making Gmail HIPAA-Compliant

Although regular Gmail cannot be HIPAA compliant, it is certainly possible to meet the regulations while using Google's paid service, G Suite. Unfortunately, it can be complicated and relatively expensive to run, so many users may want to look at a dedicated HIPAA-compliant email service, such as LuxSci.

If you are committed to making your G Suite compliant with HIPAA regulations, you may find that it is best to use our third party solution, LuxSci Smart Host. It's easy to integrate and makes HIPAA-compliant email much less stressful.

Read more: Google Apps HIPAA Compliance Gotchas: Email encryption not included and higher price.


Got it all figured out?

New accounts ready in 1 hour*

Account term is month-to-month

Free 30-minute training call included

Welcome to LuxSci!

*for non-dedicated-server orders placed between 9am and 10pm Eastern Time, USA. Provisioning can be delayed due to issues validating orders.

eBook — HIPAA-compliant Email Basics

Safeguarding your healthcare practice and protecting patient privacy

Book 1 in the LuxSci Internet Security Series.

Created by Erik Kangas, PhD

Get the HIPAA eBook

What People Say About LuxSci