If you are not using Google Workspace (formerly known as "G Suite" and "Google Apps") or are looking to change to provider that specializes in security and compliance, see the HIPAA-compliant email hosting services provided by LuxSci.
Free Gmail is not HIPAA compliant and cannot be made HIPAA compliant. It should never be used in any context where HIPAA compliance is required. However, Google Apps (now called Google Workspace) can be HIPAA compliant if you sign a HIPAA Business Associate agreement with Google (see how). However, Google does not actually include email encryption with Google Workspace; they do not even sell email encryption.
If you want to stick with Google and not migrate to an email provider that specializes in HIPAA-compliant email, the only solution is to purchase outbound HIPAA-compliant email encryption through a specialized third-party, such as LuxSci, and configure Google such that all of your outbound email messages are relayed (smart hosted) through LuxSci for encryption before being sent off to their recipients.
With "smart hosting" you will keep using your Google email as you do now. You'll receive emails in your inbox just as you currently do; you'll send email just as you currently do; and you won't need to change settings on any of your devices or email clients. What changes is that the messages will be relayed to LuxSci email servers to deliver to the recipients. In so doing the emails will be encrypted with SecureLineTM and made HIPAA compliant.
To use LuxSci or smart host encryption of your your Google Workspace outbound email, you would:
While you may be accustomed to Google's email services, using them and staying HIPAA-compliant is not that simple.
HIPAA regulations are purposely vague to give businesses flexibility in how they protect patient information. This allows them to use the technology and processes that suit their unique situations.
This lack of clarity can make the regulations confusing, but it serves a purpose, because the appropriate protections for one company may be completely different to those of another. There are certain practices that may not be necessary for compliance, but they can make some aspects of the regulation easier to meet.
HIPAA regulations state that PHI should be encrypted "whenever deemed appropriate." The requirements will vary depending on each company's size, complexity, software, hardware, technical infrastructure, the risks that it faces and the costs of various security measures.
The Department of Health and Human Services states that when PHI is transmitted from one point to another it must be protected in a manner commensurate with the associated risk. Risk analyses should be undertaken, and communications should be encrypted where ever there is a significant risk of unauthorized access.
At the very least, emails containing PHI need to be encrypted once they leave the company firewall. While doing this can make some businesses compliant, it is far from the best approach. Many companies find it more beneficial to go beyond the bare-bones expectations of HIPAA and implement National Institute of Standards and Technology (NIST) compliant encryption instead.
NIST guidelines recommend using the TLS protocol to protect PHI and prevent unauthorized access. For complete end-to-end email encryption, S/MIME and OpenPGP enable both encryption and digital signatures, which can authenticate the contents and provide confidentiality.
Following the NIST guidelines can be more beneficial than just complying with the HIPAA minimums. If PHI is accessed in an unauthorized manner, you may be obliged to report it to the relevant parties. If the information is encrypted to NIST standards, it is generally not considered insecure PHI, meaning that it does not need to be reported or the consequences of a breach are significantly diminished.
HIPAA's Privacy Rule includes provisions for how companies can work alongside other businesses. If ePHI will be involved in the collaboration between the two businesses, they must sign a business associate agreement (BAA) beforehand.
These agreements are contracts that stipulate the terms under which PHI can be processed by the other company, the business associate. They require the business associate to have adequate safeguards in place to protect the PHI, specify how the business associate may use the PHI, stipulate that they must not disclose the information, as well as placing several other conditions.
If you use an external email provider to send ePHI, you will need to sign a BAA with them to be HIPAA compliant. This agreement will legally bind them to treat the PHI of your customers appropriately.
When asking whether Gmail is HIPAA compliant, we need to be certain of which Google service we are talking about. Gmail is Google's personal email option that many people have used at some stage of their lives.
It is not possible to make "Gmail" HIPAA compliant, because Google will not sign a BAA for Gmail users. Another issue is Google's automated processing -- they essentially scan every email and use the data for marketing purposes -- which obviously goes against HIPAA requirements.
Google also offers "Workspace", formerly known as Google Apps and G Suite. It is a paid service which is targeted towards businesses rather than individuals. It is possible to be HIPAA-compliant with Google Workspace, but the process isn't particularly straight-forward or cheap.
The minimum monthly Google Workspace plan currently goes for $5 per user, but it is not automatically configured to be HIPAA compliant. Once you sign your BAA, you still need to set it up properly to meet the regulations. The BAA leaves most of the responsibility up to the users, and the necessary steps towards compliance can be confusing.
To make Google Workspace HIPAA compliant, you need to make sure that all of your messages are encrypted during transit, and that those using non-compliant hosts can also send secure messages to you. Google does not provide any native email encryption solution. Everyone using Google for HIPAA-compliant email must purchase email encryption through a third party and configure Google to relay their outbound email through that encryption gateway provider.
These factors make Google a complicated and expensive option for HIPAA-compliant email. You may find that an email service that is tailored towards HIPAA-compliance is an easier and cheaper option. LuxSci's Secure Email safeguards your ePHI and offers a number of extra security features.
While it can be inconvenient and expensive to become HIPAA-compliant with Google, some users may be too accustomed to the interface to make the switch. One option that enables users to keep the Google email client and also makes it easier to meet the regulations is to use LuxSci's Secure Connector service. This allows you to route your Google Workspace email through LuxSci's email servers.
It's easy to integrate LuxSci with Google. You just need a LuxSci email account with users that correspond to your Google users. Once LuxSci and Google are configured, your outbound email flows though our servers, without the need to configure each user.
Using LuxSci's Secure Connector gives you outbound email encryption and other email processing and content scanning features, and a potentially better IP sending reputation. It also enables you to archive your emails, helping you keep the necessary records to comply with HIPAA.
LuxSci's Secure Connector offers its users TLS security, authentication, and outbound email encryption.
Although regular Gmail cannot be HIPAA compliant, it is certainly possible to meet the regulations while using Google's paid service, Google Workspace. Unfortunately, it can be complicated and relatively expensive to run, so many users may want to look at a dedicated HIPAA-compliant email service, such as LuxSci.
If you are committed to making your Google compliant with HIPAA regulations, you may find that it is best to use our third party solution, LuxSci Secure Connector. It's easy to integrate and makes HIPAA-compliant email much less stressful.
Created by Erik Kangas, PhDGet the White Paper