How to Get Compliant Gmail for HIPAA


The way to get compliant Gmail for HIPAA is to subscribe to an appropriate Google Workspace account, agree to the terms of the Business Associate Addendum, and apply the controls recommended by Google’s HIPAA Implementation Guide. Once you have compliant Gmail for HIPAA, it is then important that Gmail is used in compliance with HIPAA.

Gmail is a popular email service that most individuals are familiar with and that many businesses choose to use with an existing domain name. However, when businesses in the health insurance and healthcare industries use Gmail – and their emails contain Protected Health Information (PHI) – they are required to comply with all applicable standards of HIPAA.

Because some standards require controls that the free version of Gmail does not support, it is necessary for HIPAA covered entities and business associates to subscribe to a Google Workspace account to access a version of Gmail that supports HIPAA compliance. There are four types of Workspace account which include compliant Gmail for HIPAA.

Choosing the Most Suitable Google Workspace Account

All four types of Workspace account include the same products. What sets each type of account apart is the increasing “functionalities” of each product. For example, the “Starter” and “Standard” business Workspace accounts provide a basic level of endpoint security for remote devices, while the “Business Plus” account includes advanced endpoint security, and the “Enterprise” account includes the highest level of endpoint security.

Because of the different levels of functionalities, the most suitable Google Workspace account to get compliant Gmail for HIPAA is the account which includes the functionalities to mitigate the threats identified in a HIPAA risk assessment, unless those threats are already mitigated by an existing software solution. For example, if a business is already a Proofpoint customer, it may not be necessary to take advantage of the Workspace DLP tools.

Google’s Business Associate Addendum

Google offers covered entities and business associates a one-size-fits-all Business Associate Addendum to the Workspace Terms of Service and will not enter into individual Business Associate Agreements with health insurance companies and healthcare providers. This is a normal practice for a large software provider because it would be impossible to comply with the terms of thousands of individual and unique Business Associate Agreements.

Covered entities and business associates must agree to the terms of Google’s Business Associate Addendum before disclosing PHI to any “covered service” (Gmail, Drive, Meet, etc.). In most cases this should not be a problem. However, it is important to note that the clause relating to “Customer Obligations” states the customer is solely responsible for ensuring end users’ use of the covered services complies with HIPAA.

How to Configure Compliant Gmail for HIPAA

To help covered entities and business associates configure compliant Gmail for HIPAA, Google has published a HIPAA Implementation Guide. As many of the Security Rule safeguards are already managed by Google or enforced by default, the few things remaining to do include assigning permissions for members of the workforce, setting up administrator alerts for security events, and managing file sharing policies if files are shared via Google Drive.

With regard to complying with the HIPAA encryption requirements, all PHI stored in an email at rest is protected automatically by 128-bit AES encryption, while PHI in transit is protected by TLS 1.2 encryption (which encrypts the connection between the sender of an email and its recipient). Enterprise Workspace customers have the option of protecting PHI in transit with S/MIME encryption, which encrypts the content of each email and any attachments.
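Because the transit protection described above is negotiated separately on each SMTP hop, an administrator can audit the Received headers of a delivered message to confirm that every hop actually recorded TLS 1.2 or later. The following Python is an added example, not Google's own code; it assumes the `(version=TLS1_x cipher=... bits=...)` annotation that Google's mail servers place in Received headers, and the sample message is constructed.

```python
import re
from email import message_from_string

# Constructed sample: the outer hop into Google negotiated TLS 1.2, but an
# internal relay accepted the message over plain ESMTP (no TLS annotation).
SAMPLE_MESSAGE = """\
Received: from relay.clinic.example (relay.clinic.example. [203.0.113.10])
        by mx.google.com with ESMTPS id a1b2c3d4
        for <staff@clinic.example>
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Mon, 1 Jan 2024 09:00:00 -0800 (PST)
Received: from desktop.clinic.example (desktop.clinic.example [10.0.0.5])
        by relay.clinic.example with ESMTP id 4Vx1y2z3;
        Mon, 1 Jan 2024 08:59:58 -0800 (PST)
From: staff@clinic.example
To: staff@clinic.example
Subject: Appointment reminder

See attached.
"""

# Assumed annotation format used by Google's mail servers, e.g.
# "(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128)".
TLS_NOTE = re.compile(r"version=TLS(?:v)?1[_.](?P<minor>\d)\s+cipher=(?P<cipher>\S+)")
BY_HOST = re.compile(r"\bby\s+(\S+)")


def audit_hops(raw_message):
    """Return one record per Received header, newest hop first."""
    msg = message_from_string(raw_message)
    hops = []
    for received in msg.get_all("Received", []):
        text = " ".join(received.split())  # unfold continuation lines
        by = BY_HOST.search(text)
        tls = TLS_NOTE.search(text)
        hops.append({
            "by": by.group(1) if by else "?",
            "tls_minor": int(tls.group("minor")) if tls else None,  # None = no TLS recorded
            "cipher": tls.group("cipher") if tls else None,
        })
    return hops


def weak_hops(hops, minimum_minor=2):
    """Hops that recorded no TLS at all or negotiated below TLS 1.<minimum_minor>."""
    return [h for h in hops if h["tls_minor"] is None or h["tls_minor"] < minimum_minor]


if __name__ == "__main__":
    for hop in weak_hops(audit_hops(SAMPLE_MESSAGE)):
        print(f"hop via {hop['by']} did not record TLS 1.2 or later")
```

A hop reported by `weak_hops` is outside the protection the TLS 1.2 claim provides, which is the case where S/MIME (encrypting the content rather than the connection) or a policy change on that relay is worth considering.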

Using Compliant Gmail for HIPAA Compliantly

It is not only a condition of Google’s Business Associate Addendum, but also of the HIPAA Privacy Rule, that HIPAA compliant Gmail is used compliantly. This means members of the workforce with access to PHI must receive HIPAA training on topics such as permissible uses and disclosures of PHI, when the minimum necessary standard applies, and when exceptions to the Privacy Rule exist due to (for example) patients’ requests not to be contacted by email.

Health insurance companies and healthcare providers are advised to review the applicable standards of the Privacy and Security Rules and develop a HIPAA email policy that explains how to use compliant Gmail for HIPAA compliantly. Covered entities and business associates that encounter challenges in developing and implementing a HIPAA email policy are advised to seek independent advice from a compliance specialist.