From the Spring 2018 Journal of the Colorado Dental Association
By the end of 2017, Google estimated that 1.2 billion people used Gmail for countless personal and business uses. However, healthcare providers may be putting themselves at risk by using Gmail for any message that contains Protected Health Information (PHI). This can include even the smallest bits of health information, such as patient names and appointment times.
You may have read that Gmail—and other large services for everyday email—have HIPAA-compliant servers. Unfortunately, this is only a very small part of the entire picture required for your use of Gmail to be HIPAA compliant and secure. Before you press “send” on that next email, you should be sure you can confidently answer the following five questions:
- Do you have a HIPAA Business Associate Agreement (BAA) signed by Google? It’s your responsibility as a customer to acquire BAAs from your vendors. Google offers BAAs only to those people paying to use G Suite. The BAA itself does not ensure HIPAA compliance, but it is one necessary component.
- Will Google verify the identity of other healthcare provider recipients before sending Electronic Protected Health Information (ePHI)? In order to be compliant with HIPAA regulation §164.312(d), fully HIPAA-compliant email exchanges verify a recipient provider’s identity through professional credentials and other information sources. They employ safeguards such as the federal government’s recommended DIRECT protocol. Gmail does not employ the DIRECT protocol.
- Have you increased message encryption to the highest level? Google provides varying encryption levels; however, Google states that how its encryption works depends on each customer’s software configuration. Some HIPAA email exchanges for health professionals provide end-to-end (person-to-person) security and 2048-bit encryption without requiring any custom configuration.
- Has Google definitively stated in writing that it will not search or scan the body of your email or its attachments? Fully HIPAA-compliant email exchanges do not read, scan or access the content of your emails for data gathering, marketing or advertising purposes. HIPAA regulation §164.312(a)(1) requires that there be no unauthorized access to ePHI.
- If you are audited, will Google provide a comprehensive audit trail of all access to ePHI? How? In order to be fully HIPAA-compliant with regard to regulation §164.312(b), an email exchange must be able to produce a highly detailed audit trail of every exchange of ePHI. It’s also important that you be able to receive this audit trail when it’s needed. Some HIPAA email exchanges for health professionals provide a phone number that allows you to speak with an actual healthcare support specialist who can provide exactly the audit trail you need in a matter of minutes.
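To make the audit-trail requirement in the last point concrete, here is an added illustration (not code from Gmail, G Suite, or iCoreConnect) of what "a detailed audit trail of every exchange of ePHI" looks like in practice: an append-only log in which every send, read, or forward of a secure message is recorded, each record is hash-chained to the one before it so that after-the-fact alteration is detectable, and records can be pulled by patient reference or message identifier when an auditor asks. The log stores identifiers only, never the PHI itself. All field names, account names, and sample events are constructed for this example.

```python
"""Tamper-evident audit trail for ePHI message exchanges.

Hypothetical example code illustrating 45 CFR 164.312(b) (audit controls).
Not part of any product named in the article; all data is constructed.
"""
import hashlib
import json
from dataclasses import dataclass, asdict, replace
from typing import List, Optional

GENESIS_HASH = "0" * 64  # chain anchor for the very first record


@dataclass(frozen=True)
class AuditEvent:
    """One access to ePHI. The log holds references, never the PHI itself."""
    timestamp: str    # ISO-8601 UTC, e.g. "2018-03-01T14:02:11Z"
    actor: str        # account that performed the action
    action: str       # "send", "read", "forward", "download", "export"
    message_id: str   # identifier of the secure message
    patient_ref: str  # opaque internal patient reference
    prev_hash: str    # hash of the previous record (the chain link)
    record_hash: str  # SHA-256 over all other fields of this record


def _digest(fields: dict) -> str:
    """Canonical JSON then SHA-256, so any change to any field alters the hash."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class AuditTrail:
    """Append-only, hash-chained log of every exchange of or access to ePHI."""

    def __init__(self) -> None:
        self._events: List[AuditEvent] = []

    def record(self, timestamp: str, actor: str, action: str,
               message_id: str, patient_ref: str) -> AuditEvent:
        """Append one event, linking it to the hash of the previous record."""
        prev = self._events[-1].record_hash if self._events else GENESIS_HASH
        fields = {
            "timestamp": timestamp, "actor": actor, "action": action,
            "message_id": message_id, "patient_ref": patient_ref,
            "prev_hash": prev,
        }
        event = AuditEvent(**fields, record_hash=_digest(fields))
        self._events.append(event)
        return event

    def verify(self) -> Optional[int]:
        """Index of the first altered or re-ordered record, or None if intact."""
        prev = GENESIS_HASH
        for i, event in enumerate(self._events):
            fields = asdict(event)
            stored = fields.pop("record_hash")
            if event.prev_hash != prev or _digest(fields) != stored:
                return i
            prev = stored
        return None

    def export(self, patient_ref: Optional[str] = None,
               message_id: Optional[str] = None) -> List[dict]:
        """Records matching an auditor's request, in the order they were written."""
        return [
            asdict(e) for e in self._events
            if (patient_ref is None or e.patient_ref == patient_ref)
            and (message_id is None or e.message_id == message_id)
        ]

    def tamper_for_demo(self, index: int, **changes) -> None:
        """Simulate after-the-fact alteration of a stored record (demo only)."""
        self._events[index] = replace(self._events[index], **changes)


def build_sample_trail() -> AuditTrail:
    """Constructed sample: one referral sent, read and forwarded, plus a second message."""
    trail = AuditTrail()
    trail.record("2018-03-01T14:02:11Z", "dr.smith@example-dental.test",
                 "send", "msg-1001", "pt-4471")
    trail.record("2018-03-01T14:05:40Z", "dr.jones@example-ortho.test",
                 "read", "msg-1001", "pt-4471")
    trail.record("2018-03-01T15:10:02Z", "dr.jones@example-ortho.test",
                 "forward", "msg-1001", "pt-4471")
    trail.record("2018-03-02T09:00:00Z", "dr.smith@example-dental.test",
                 "send", "msg-1002", "pt-9902")
    return trail


if __name__ == "__main__":
    trail = build_sample_trail()
    print("chain intact:", trail.verify() is None)
    print("records for pt-4471:", len(trail.export(patient_ref="pt-4471")))
    trail.tamper_for_demo(1, actor="someone.else@example.test")
    print("first broken record:", trail.verify())
```

The chain only proves something if the latest record hash is periodically copied somewhere the log's administrators cannot silently change (a separate system, a printed report, a vendor's signed attestation); otherwise an attacker who edits a record can simply rehash the rest of the chain. That external anchor, and the ability to get the export on demand, is what the "comprehensive audit trail" question in the checklist is really asking a vendor to commit to.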
The CDA endorses and uses iCoreConnect for HIPAA-compliant email and secure messaging in dental practices. CDA members receive substantial discounts off normal monthly pricing. Contact iCoreConnect at 888-810-7706 or iCoreConnect.com/cda.