If Gmail is to be deemed HIPAA compliant, Google would have to ensure that the service is appropriately secured and adheres to the minimum security requirements laid down in the HIPAA Security Rule.
A business associate agreement (BAA) covering Gmail must be signed between the covered entity and Google, since Google would be regarded as a business associate under HIPAA. Encryption of email is not an absolute legal requirement under HIPAA (it is an addressable implementation specification of the Security Rule), but it is effectively required whenever emails containing protected health information (PHI) are sent externally, outside the protection of the organization's firewall. Emails sent outside that boundary need to be safeguarded with end-to-end encryption.
Google has built strong security provisions and its email service meets the obligations of the HIPAA Security Rule. Google is willing to enter into business associate agreements with HIPAA-covered entities that incorporate its email service, so once a BAA is in place that HIPAA requirement is met. Email encryption can be added, so Google does offer an email service that can be made HIPAA compliant. However, while you can make Gmail HIPAA compliant, it is not compliant out of the box.
Google provides Gmail at no cost, and this free email service is not HIPAA compliant. The standard free service, which comes with an @gmail.com email address, is intended for personal use, not business use.
If you are to comply with HIPAA you need to use Google's G Suite (formerly Google Apps) email service, for which a subscription is charged. This paid email service is intended for use with a company-level domain, @hipaajournal.com for example. Google will sign a business associate agreement covering G Suite, but the BAA does not cover its free @gmail.com email service.
Should you decide to pay for G Suite and obtain a BAA, your email is still not compliant. For it to be so, you must ensure that your emails are encrypted. Google encrypts Gmail data at rest, and in transit it uses TLS only when the recipient's mail server also supports it, so a message to a server that does not negotiate TLS can cross the internet in plaintext; neither protection is end-to-end. If you want to share PHI via Gmail-powered G Suite, you will therefore need to pay for an end-to-end email encryption service.
There are many encryption services that can be used with Gmail. You can implement Google Apps Message Encryption (GAME) or a third-party email encryption solution such as those provided by Identillect, LuxSci, Paubox, RMail, Virtru, or Zix.
You must then ensure that your employees are trained in the proper use of email, are aware of the internal and federal rules governing the transmission of PHI via email, and take care that emails are sent to the correct recipient. You must also obtain consent from patients before sharing their PHI via email.