From the Fall 2018 Journal of the Colorado Dental Association
Over 1 billion people use Gmail for countless personal and business messages. However, healthcare providers may be putting themselves at risk by using Gmail for any message that contains PHI. This can include even the smallest bits of health information, such as patient names and appointment times.
You may have read that Gmail—and other large services for everyday email—have HIPAA-compliant servers. Unfortunately, this is only one small part of the entire set of requirements for your use of Gmail to be HIPAA compliant and secure. Before you press “send” on that next Gmail containing electronic PHI (ePHI), make sure you can confidently answer the following five questions:
- Do you have a HIPAA Business Associate Agreement (BAA) signed by Google? It’s your responsibility as a customer to acquire BAAs from your vendors. Google offers BAAs only to those people paying to use G Suite. The BAA itself does not ensure HIPAA compliance, but it is one necessary component.
- Will Google verify the identity of other healthcare provider recipients before sending ePHI? To be compliant with HIPAA regulation §164.312(d), fully HIPAA-compliant email exchanges verify a recipient provider’s identity through professional credentials and other information sources. They employ safeguards such as the federal government’s recommended DIRECT protocol. Gmail does not employ the DIRECT protocol.
- Have you increased message encryption to the highest level? Google provides varying encryption levels. However, Google states that the encryption actually applied depends on each customer’s software configuration. Some HIPAA email exchanges for health professionals provide end-to-end (person-to-person) security and 2048-bit encryption without the need to perform custom configurations. If Google hasn’t asked you, and you haven’t asked Google, about your encryption needs, then you can’t assume you’re HIPAA compliant.
- Has Gmail definitively stated in writing that it will not search, scan or record the body of your email or its attachments? Fully HIPAA-compliant email exchanges do not read, scan or access the content of your emails for data gathering, marketing or advertising functions. HIPAA regulation §164.312(a)(1) requires that there be no unauthorized access to ePHI.
- If you are audited, will Google provide a comprehensive audit trail of all access to ePHI? If so, how? In order to be fully HIPAA-compliant with regard to regulation §164.312(b), an email exchange must be able to produce a highly detailed audit trail of every exchange of ePHI so you can provide this audit trail when it’s needed. Some HIPAA email exchanges for health professionals provide a phone number that allows you to speak with an actual healthcare support specialist who can provide exactly the audit trail you need in a matter of minutes.