This week on the HIPAA Vault Show, we talk about the HIPAA compliance of Gmail.
To learn more, read our blog post on HIPAA-compliant Gmail!

Transcript:


Adam
Hello, and welcome to The HIPAA Vault Show, where we discuss all things HIPAA compliance in the cloud. My name is Adam Zeineddine, and I’m joined today by CTO and founder of HIPAA Vault, Gil Vidals. Hey, Gil. 


Gil
Hey, Adam. Looking forward to today’s episode. 


Adam
Last week we talked about cloud architecting for HIPAA, and this week we’re going to answer a frequently asked question, which is: is Gmail HIPAA compliant? To give a little bit of an intro to this: in today’s digital age, email has become a vital modern tool for communication. 


Adam
That goes without saying, but in the healthcare industry specifically, it plays a crucial role in sharing important information with patients and healthcare professional colleagues to improve overall healthcare outcomes. However, when it comes to choosing the right email platform, the question of HIPAA compliance often arises. As a HIPAA compliance service provider ourselves, we frequently receive inquiries about what’s the best platform to use for HIPAA compliance, and specifically, we get asked a lot, is Gmail HIPAA compliant? So let’s dive into that and explore it more. 


Adam
Gil, I guess a good place to start would be what are the key requirements for HIPAA compliance when it comes to yeah. 


Gil
Thanks, Adam. That’s a great place to start, because if you’re going to be evaluating different email platforms like Gmail, Outlook, and many others, then it’s important to know what is required of an email platform. So one of them is encryption of the email that goes out from the medical practitioner. Let’s say you want that message to be encrypted, including any attachments, because the attachment might have the information that’s vital for the patient, that has the patient information. So that’s one thing. The other consideration is the retention period of the data. So how long do you have to retain that patient information that you’re sending and receiving back and forth? And it’s multiple years; it depends on the state. So that’s another consideration. And of course, having a business associate agreement signed is another important consideration. 


Adam
Great. So that’s email in general, and when it comes to Gmail in particular, how does Gmail fulfill these requirements? 


Gil
Yeah, so Gmail has a couple of options you can use. One of them, that’s the least expensive, is to use confidential mode. But before we get into that, let’s clarify something. We do get a lot of calls that ask if their free Gmail account, in other words, their drsusie@gmail.com, that’s the free account, if they could make that HIPAA compliant. And the answer is no, that cannot be compliant. You have to buy a domain. And that confuses a lot of people to say, what do you mean by buy a domain? Well, let’s just give an example. So drsusie@gmail.com, no go. But if you said therapist@drsusie.com, so you buy the domain drsusie.com, and then you buy a Google Workspace. It used to be called G Suite. Now it’s called Workspace. 


Gil
If you buy a license for that now, you can enter the world of HIPAA compliant email, but don’t try to force the free one. I know everybody wants to get something like that. It’s not going to happen for free. You’re going to have to pay something for it. 


Adam
Okay, so make sure that it’s at a private domain, and then also there’s Google Workspace, right? And that includes Gmail as, like, an application that’s in there. I know that we typically recommend, so that the retention is covered, we typically recommend a higher license on the Google Workspace platform. So Business Plus, I believe it is, and that includes the retention and also the eDiscovery in case there needs to be discovery of documents within the Google Workspace account. So definitely go for the Google Workspace Business Plus. 


Gil
I would like to mention on that, Adam, that what you mentioned, the eDiscovery, I’ve heard it called the Vault before. Nothing to do with HIPAA Vault, but Google uses the term Vault or eDiscovery. And essentially that means that, let’s say you have a condition where some patient comes back years later and has some kind of a gripe or complaint, and you’re like, hey, I don’t remember this person in this situation. Once you have the eDiscovery or Vault enabled, you’re able to look up the person’s name. It’s just a search bar where you type in the person’s name or email, whatever you remember. And then it goes through all the emails, all the email interactions that you’ve had with that particular client, and then it’ll pull up emails that you had three years ago. 


Gil
Oh, now I remember this guy and the issue we had and so on and so forth. So that’s part of HIPAA compliance to retain that data and be able to access it. 


Adam
I believe it also gives functionality for, if you needed, for legal proceedings to kind of present that as evidence. It gives a nice way to output that versus manually trying to claw through all the different emails and threads. And then you also touched on the encryption in transit. So would that be TLS in this case? 


Gil
Yeah, and TLS, that’s Transport Layer Security, so for our audience, so they don’t get lazy eyes, like, what is all this technology stuff? Well, essentially when you send an email, you connect from one computer, one server, to another. You make this secure tunnel. That’s what TLS is; it’s just good information to have. So that tunnel is formed, the information flows through it, through this encrypted tunnel that goes from one end to the other, and that you can control from the sender side. Now what happens about the recipient? What if they don’t have something modern, what if they’re with some old junky email platform that doesn’t have that? Well, you can set it so it doesn’t try to deliver the message. It’ll say, oh, the endpoint, the recipient point, isn’t secure enough. So abandon ship, don’t try to deliver that email. 


Gil
That’s not very common, but it can happen. So it’s good that TLS functionality be present. 


Adam
Okay, are there any other considerations? 


Gil
Well, I think in terms of security, there’s also a consideration that is oftentimes overlooked, and that is two-factor authentication. When you have a Google Workspace account, you have the option to enable two-factor authentication, and that definitely should be enabled so that you can claim that you’re HIPAA compliant. So Google has a lot of different settings, and that’s where we come in. We help our customers set those things up, but there are lots of different settings that you can have, and that’s one of the more important ones that you want to make sure you get enabled. 


Adam
Okay, fantastic. 


Adam
And for our audience, let us know, reach out to us at podcast@hipaavault.com, and let us know what kind of email tools you use. And also if you have any questions about Gmail in particular, how to make sure that it’s secure, getting things set up in that way, also reach out to us at hipaavault.com; you can chat with us there. Until next time, thanks for stopping by.