If you wish to use Gmail in a HIPAA fashion then you must ensure that the email platform is 100% secure and adheres to the minimum standards for security laid down in the HIPAA Security Rule.
A covered entity would be required to enter into a business associate agreement with Google covering Gmail, as Google would be thought of as a business associate under HIPAA. While encryption for email is not a mandatory requirement under HIPAA. However it must be in place if emails containing protected health information are to be sent outside the protection of a firewall. If emails are sent outside the organization, they would need to be safeguarded with end-to-end encryption in place.
Google has added excellent security features and its email service has in place all of the requirements for the HIPAA Security Rule. Google is amenable to completing a business associate agreements with HIPAA-covered entities that includes its email service, so once a BAA is obtained, that HIPAA compliance box is also ticked. Encryption for email can be put in place, so Google does provide an email service that can be made HIPAA compliant. However, while you can make Gmail HIPAA compliant, it is not compliant out of the box.
Gmail is provided for free by Google and this email service is not HIPAA compliant. The standard free email service, which includes an @gmail.com email address, is only intended for personal use and not for professional reasons.
If you wish to be compliant with HIPAA you need to use Google’s G Suite, previously known as Google Apps, email service, for which a subscription must be handed over. This paid email service is intended mainly for use with a company-owned domain. @hipaajournal.com for example. Google provides a business associate agreement for G Suite, but the BAA does not cover its free to [email protected] email service.
However, if you pay for G Suite and obtain a BAA, your email is still not yet compliant with HIPAA. You must see to it that your emails are encrypted. Google only encrypts emails at rest, not in transit. To share PHI via Gmail-powered G Suite, you will need to purchase an end-to-end email encryption service.
There are a number of different encryption services that can be used with Gmail. You can use Google Apps Message Encryption (GAME) or a third-party email encryption solution such as those provided by Identillect, LuxSci, Paubox, RMail, Virtru, or Zix.
You must then see to it that your staff are trained on the proper use of email, are aware of the internal and federal rules covering sending PHI using email, and they must take care to ensure the emails are sent to the correct recipient. You must also obtain consent from patients to sharing their PHI using email.