In 2022, 89% of the healthcare organizations experienced an average of 43 attacks in the past 12 months, which equates to almost one attack per week.

Considering that healthcare is one of the most targeted industries by threat actors, HIPAA compliance is critical for securing protected health information (PHI) — and that includes PHI sent via email. 

In this post, we’ll explain how you can use the popular email provider Gmail while staying in compliance with HIPAA.

Is Gmail HIPAA compliant?

Gmail is not HIPAA compliant by default, but it can support HIPAA compliance. Organizations must review and accept the Business Associate Agreement (BAA) before using Gmail or other covered services in connection with PHI. They also must implement appropriate safeguards designed to prevent unauthorized use or disclosure of PHI. 

While implementing these safeguards on the free version of Gmail is possible, it can be more difficult. A premium Google Workspace subscription, on the other hand, comes with built-in controls for data encryption, 2-step authentication, endpoint management, data-loss prevention, and zero-trust cybersecurity infrastructure. These security features can help simplify the process of making your email HIPAA compliant.

We’ll discuss this in more depth below.

How to make Gmail HIPAA compliant

Making Gmail HIPAA compliant requires several steps, including: 

Sign the business associate agreement.

To sign the business associate agreement with Google, you must have a super administrator account. Then follow these steps:

1. In the Admin console, go to Menu and then Account > Account settings > Legal and compliance.
2. Go to the Security and Privacy Additional Terms section.
3. Click Google Workspace/Cloud Identity HIPAA Business Associate Amendment to review the amendment.
4. Click Review and Accept and answer all three questions to confirm that you are a HIPAA covered entity.
5. Click OK to accept the HIPAA BAA.

Only customers who have signed a BAA with Google can use Google services, including Gmail, in connection with PHI.

Ensure your email is configured correctly.

Gmail must be configured properly to ensure that ePHI is protected. Here are some steps to follow:

• Enable email encryption settings to protect PHI during transit and at rest. 
• Allow external sharing with trusted domains only
• Configure notifications to get alerts when Google detects these activities: suspicious login attempts, user suspended by an administrator, new user added, suspended user made active, user deleted, user's password changed by an administrator, user granted admin privilege, and user's admin privilege revoked. 
• Override the default link sharing setting from “Anyone with the link” to “Private.”
• Implement a password policy to enforce length and complexity requirements and encourage users to set up robust, unique passwords for their Gmail accounts
• Ensure 2-Step Verification is deployed and set an enforcement date if any users aren’t enrolled

Follow guidance from Google.

In addition to configuring Gmail to help ensure that PHI is properly protected, users should use the built-in controls to ensure that emails and files that may contain PHI are only shared with the intended recipients. For example, if the file is not already shared with all email recipients, the Sender can choose to share the file with “Anyone with the link” within the Google Workspace domain. 

For admins, Google recommends

• Overriding the default link sharing setting from “Anyone with the link” to “Private.”
• Creating data loss prevention policies that inspect emails for evidence of certain PII/PHI identifiers and explain how that data should be shared

Use end-to-end encryption.

Gmail is capable of encrypting emails it sends and receives, but only when the other email provider supports TLS encryption. An end-to-end email encryption service can help provide additional security for your emails that include PHI, when they’re in transit and once they've reached their destination mail server.

End-to-end email encryption works by encrypting the contents of an email on the sender’s end and decrypting it on the recipient’s using a pair of cryptographic keys. This way, only the sender and intended recipient can read the email’s content, even if the email is accidentally sent to the wrong address.

The following solutions offer end-to-end encryption as well as other security features, like access and audit controls and secure file sharing, that can make Gmail HIPAA compliant:

• Aspida
• Barracuda
• Egress
• EnGuard
• HIPAA Vault
• Hushmail
• Identillect
• LuxSci
• MailHippo
• Mimecast
• NeoCertified
• Paubox
• Protected Trust
• RMail
• SecureMail
• Virtru

Create policies and train employees on proper email use.

To ensure employees understand how to handle PHI securely within Gmail and other Google Workspace services in which PHI is permitted, you must create policies on proper email usage, data handling, and reporting procedures for any suspected security incidents. You must also conduct regular training sessions to ensure that employees understand these policies as well as the importance of protecting PHI and that they can recognize potential risks.

Ensure all emails are retained.

HIPAA requires covered entities and business associates to archive and retain certain electronic communications for a minimum of six years. This includes emails containing HIPAA policies and procedures and other documents that pertain to the actual compliance efforts with HIPAA.

There are also state-level requirements for retaining electronic communications that include PHI for a fixed period of time. 

When retaining emails, organizations must follow encryption and backup requirements outlined by HIPAA. They must also properly store and dispose of ePHI. For many organizations, using an email archiving service can simplify the process. 

Obtain consent from patients before communicating via email.

If you are communicating ePHI to a patient or plan member, you must:

• warn the recipient of the risks of communicating ePHI by email
• obtain their consent to receive communications by email
• document both the warning and the recipient’s consent

Consult with a lawyer to ensure you’re fully compliant.

The steps above are intended as guidance only and are not a substitute for legal advice. Always consult with a lawyer to ensure your organization understands the requirements when using Gmail in connection with PHI and is fully compliant with HIPAA. 

Simplify HIPAA compliance with Secureframe

Secureframe makes it faster and easier to achieve and maintain HIPAA compliance by simplifying the process into a few key steps:

• Create HIPAA privacy and security policies
• Train employees on HIPAA requirements and best practices
• Manage vendors with access to PHI
• Ensure business associates protect PHI
• Monitor your HIPAA safeguards

To learn more about how you can automate HIPAA compliance, request a personalized demo.