Is Gmail HIPAA compliant?
- Raffi Bilek
- Mar 9, 2022
- 8 min read
Updated: Aug 19
This is a question that has befuddled many. Let’s take it one step at a time.

First of all, let’s recall that “HIPAA compliant” is a term that applies to you, not your tools. Secure tools can help you to work in a compliant way, but none of them are HIPAA-compliant. (You can use pretty much any tool to do something foolish. Trust me, I know. I once cut myself with a safety razor.) So Gmail is not “compliant.”
Gmail is a secure service, and you can be HIPAA-compliant when you use a paid Workspace account.
Note that this means that using the free Gmail service is not in compliance with HIPAA. That’s because for any service to work with you in a HIPAA-compliant fashion, the vendor needs to sign a Business Associate Agreement (BAA) with you, which basically says they’ll take really, really good care of your confidential information. Google will only provide one of these if you’re paying for Workspace, and signing it is not automatic: a Workspace administrator has to accept the BAA in the Admin console before it is in effect.
So let me give you the bottom line here, then we’ll unpack it a bit:
Gmail provided through Google Workspace is a HIPAA-secure tool. You need to sign a BAA with Google, but (in my opinion) you don’t need anything further to make it HIPAA-compliant.
That said, I actually do use an extra encryption service on top of my Gmail (it’s pretty cheap). Why?

Why do I need encryption at all?
Glad you asked! Encryption makes it so that your messages cannot be read if they are intercepted as they travel on their merry way across the internet from your device to your client’s device (we call this “in transit”).
Gmail actually does automatically encrypt messages that are sitting in your inbox or that you’re preparing to send (“at rest”) as well as those in transit, assuming the recipient’s email can accept those encrypted messages. (This last point is actually a very important asterisk we’ll circle back to shortly.)
Encryption is necessary because without it, Bad People could peek into that message as it flies through cyberspace, and that would not be Secure or Confidential. HIPAA requires us to take reasonable precautions to safeguard the protected health information (PHI) of our clients. Fortunately, at this stage in the game, encryption is the norm; in fact, it's hard to find an email service that doesn't encrypt its emails.
(Note that while PHI is on your actual computer, there are other measures you need to be taking to secure it, including encrypting your entire hard drive. More on this in a future post.)
On the flip side, TLS only protects the message while it is moving between mail servers. Once it arrives, your client’s mail provider decrypts it and stores it however that provider sees fit, and anyone who can get into your client’s inbox can read it. Couldn’t Bad People gain access to it there?
Yes. They could.
But your HIPAA responsibility only covers that which is under your control. Once your client is holding onto it, the security thereof is no longer on your head. (You do, however, need to make sure your clients have informed consent about this point.)
Note that this doesn’t mean that sending even encrypted email is always a good idea. It is always wise to discuss it with your clients first. One good example of a thorny situation is working with victims of domestic violence. An abusive partner getting into your client’s inbox and discovering that your client has sought out a therapist could have consequences that are not pretty. Which is why discussing it with the client beforehand is always wise.
So then my emails are already encrypted, right?
Well, yes. But there’s a small catch.

Remember that asterisk I mentioned above? That this all assumes the recipient’s email can accept encrypted emails? Yeah, that. Well, what if they can’t?
Gmail uses something called TLS (Transport Layer Security) to encrypt the connection over which your email is delivered. But it uses it opportunistically: when Gmail’s server connects to the recipient’s mail server, it asks (via the STARTTLS command) whether that server supports TLS. If the answer is yes, the message travels encrypted. If the answer is no, Gmail delivers it anyway, in the clear. That would be bad. That would be a HIPAA no-no. (A related wrinkle: because opportunistic TLS is negotiated in plaintext, an attacker sitting in the network path could strip the STARTTLS offer and force a plaintext delivery. A recipient domain can close that hole by publishing an MTA-STS policy, which tells Gmail to refuse delivery rather than fall back, but not every provider does.)
To avoid this problem, there are services (namely, LuxSci and Paubox) that check whether the receiving mail server accepts TLS, and if it does not, they deliver the message through a secure web portal instead (an “escrow” message, in other words). That’s when you get one of those emails from your doctor’s office telling you to click through to a portal to read the message. For LuxSci it looks like this:
[Screenshot of a LuxSci secure-message notification, not reproduced here.]
When a client gives me their email address and it’s not one of the normal ones like Gmail or Yahoo or Hotmail, I just notify them that if they receive an email from LuxSci, that’s actually me. This happens close to never, so I don’t find it a major obstacle (but to each his own).
So if you use one of these services, your email will never get sent without encryption. And that is good.
(BTW, note that LuxSci and Paubox don’t offer any “stronger” encryption in transit than what Gmail already does for you: it’s the same TLS. They just make sure you can’t send an email without it.)
So... I should get an extra encryption service?
I think so. I do.
But I also believe you don’t have to use such a service. (I should probably note that in this I am in disagreement with many HIPAA-savvy people out there. But I will explain myself, and you can make your own decision.)

Here’s a relevant point about all of this encryption talk:
Nearly every email provider today accepts TLS. It is hard to find ones that don’t – especially in the US.
I asked ChatGPT what the most common ones are and here’s what I got:
- sohu.com (large Chinese webmail provider)
- sinanode.com (also based in China)
- yahoo.co.jp (Yahoo Japan)
- frontiernet.net (regional U.S. ISP)
- bol.com.br (Brazilian free email provider)
- tiscali.it (Italian ISP)
- tin.it (also Italian ISP, part of Tiscali)
- untd.com (United Online – includes Juno/NetZero ISPs in the U.S.)
- alice.it (part of Tiscali)
HIPAA compliance probably doesn't even apply to clients sitting outside the US (but I am not a lawyer, so don't take my word for that.)
I then asked for domains specifically used in the US and it said "Finding U.S.-based email domains that don’t support STARTTLS (and therefore don’t accept TLS encryption in transit) is quite challenging — especially since virtually all major providers in the U.S. do support TLS nowadays. Most known holdouts are either international, highly specialized, legacy, or very small-scale."
What this means is that it is extremely likely that every email you send already is encrypted with TLS. LuxSci and Paubox just add an extra guarantee that that will happen. I am not convinced it’s necessary.
The reason some people say it is necessary is because you can’t just rely on it working most of the time – you need to make sure your emails are encrypted all of the time. And I agree with this point.
I think where those folks and I disagree is on whether the risk of emailing one of these crazy backwoods email services is significant enough to warrant extra protection or not. (If the chance of sending an unencrypted message were, say, 10%, I would definitely agree that you need the guaranteed encryption service. That doesn’t seem to be the case here.)
The truth is you could always just check whether an email provider accepts TLS by putting in the domain name (the part after the @) at CheckTLS, which looks up the domain’s mail servers and reports whether each one offers STARTTLS. Obviously it’s not super efficient to do that all the time, but if you ever encountered an email address you weren’t sure about, you could check it there and avoid the problem of potentially sending unencrypted email.
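If you would rather run that check yourself than paste domains into a website, here is an added example of my own (it is not code from the original post, nor from CheckTLS, LuxSci or Paubox). It does what CheckTLS does for the STARTTLS question: looks up the domain’s MX hosts, opens an SMTP session to each and checks whether STARTTLS is advertised, then fetches the domain’s MTA-STS policy to tell you whether a sender like Gmail is merely allowed to use TLS or is required to. The EHLO replies and policy file in the block are constructed samples, not captured from any real server; the live probe assumes dnspython is installed and that your network allows outbound port 25.

```python
"""Check whether a recipient domain's mail servers will accept TLS.

Added example, not code from the original post, LuxSci, Paubox or CheckTLS.
It automates the manual CheckTLS step: look up the domain's MX hosts, open an
SMTP session to each one and see whether the server advertises STARTTLS, then
fetch the domain's MTA-STS policy, which is what tells a sender that honours it
(Gmail does) to refuse plaintext delivery instead of falling back to it.
The parsing and classification helpers run offline on the constructed samples
below; probe_domain() needs network access.

Assumptions: dnspython is installed for the MX lookup, and outbound port 25 is
not blocked by your ISP (home connections frequently block it).
"""
import smtplib
import ssl
import sys
import urllib.request
from typing import Dict, Optional

# Constructed samples (not captured from any real server).
EHLO_WITH_TLS = b"mx.example.com at your service\nSIZE 35882577\n8BITMIME\nSTARTTLS\nENHANCEDSTATUSCODES"
EHLO_WITHOUT_TLS = b"mail.legacy-isp.example\nSIZE 10240000\n8BITMIME"
POLICY_EXAMPLE = "version: STSv1\nmode: enforce\nmx: mx1.example.com\nmx: *.mail.example.net\nmax_age: 604800\n"


def starttls_advertised(ehlo_reply: bytes) -> bool:
    """True if an EHLO reply lists the STARTTLS extension (RFC 3207).

    smtplib hands back the reply as newline-separated lines; the first line is
    the server's greeting, and each following line is one extension keyword
    (case-insensitive) optionally followed by parameters.
    """
    lines = ehlo_reply.decode("ascii", errors="replace").splitlines()
    keywords = (line.split()[0].upper() for line in lines[1:] if line.strip())
    return "STARTTLS" in keywords


def parse_mta_sts_policy(text: str) -> dict:
    """Parse an RFC 8461 policy file (key: value lines; 'mx' may repeat)."""
    policy: dict = {"mx": []}
    for raw in text.splitlines():
        key, sep, value = raw.partition(":")
        if not sep:
            continue  # blank or malformed line
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key == "max_age":
            policy[key] = int(value)
        else:
            policy[key] = value
    return policy


def delivery_class(starttls_by_mx: Dict[str, bool], policy: Optional[dict]) -> str:
    """What a sender like Gmail will do with mail for this domain.

    enforced      - MTA-STS mode=enforce: a policy-honouring sender never sends
                    plaintext; an MX that cannot do TLS causes a bounce, not a leak.
    opportunistic - every MX offers STARTTLS, but nothing forbids a downgrade, so
                    an on-path attacker who strips the STARTTLS offer gets plaintext.
    plaintext     - at least one MX does not offer STARTTLS, so mail may be sent
                    in the clear whenever that MX is chosen.
    """
    if policy and policy.get("mode") == "enforce":
        return "enforced"
    if starttls_by_mx and all(starttls_by_mx.values()):
        return "opportunistic"
    return "plaintext"


def probe_domain(domain: str, timeout: float = 10.0) -> dict:
    """Live check of a domain (network required): MX lookup, EHLO, MTA-STS fetch."""
    import dns.resolver  # dnspython, assumed installed: pip install dnspython

    mx_hosts = sorted((r.preference, str(r.exchange).rstrip("."))
                      for r in dns.resolver.resolve(domain, "MX"))
    results: Dict[str, bool] = {}
    for _, host in mx_hosts:
        try:
            with smtplib.SMTP(host, 25, timeout=timeout) as smtp:
                code, reply = smtp.ehlo()
                results[host] = code == 250 and starttls_advertised(reply)
                if results[host]:
                    try:  # negotiate for real and validate the certificate chain
                        smtp.starttls(context=ssl.create_default_context())
                    except ssl.SSLError as exc:
                        print(f"{host}: STARTTLS offered but certificate check failed: {exc}")
        except (OSError, smtplib.SMTPException) as exc:
            results.setdefault(host, False)
            print(f"{host}: EHLO failed: {exc}")
    policy = None
    try:
        url = f"https://mta-sts.{domain}/.well-known/mta-sts.txt"
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            policy = parse_mta_sts_policy(resp.read().decode("utf-8"))
    except (OSError, ValueError):
        pass  # no policy published: opportunistic TLS at best
    return {"mx": results, "policy": policy, "class": delivery_class(results, policy)}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe_domain(sys.argv[1]))
    else:  # offline demonstration on the constructed samples
        print("with TLS   :", starttls_advertised(EHLO_WITH_TLS))
        print("without TLS:", starttls_advertised(EHLO_WITHOUT_TLS))
        print(delivery_class({"mx1.example.com": True}, parse_mta_sts_policy(POLICY_EXAMPLE)))
```

Run it as `python check_tls.py example.com`. A result of “plaintext” is exactly the situation in which Gmail would fall back to an unencrypted delivery and LuxSci or Paubox would divert to a portal instead; “opportunistic” is what you will see for the vast majority of providers; “enforced” is the only result that also rules out a STARTTLS-stripping attacker. Note that the EHLO check only tells you about the servers as they are today, and that a certificate warning from the probe means TLS is offered but the server’s identity could not be verified.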
So if I don’t think it’s necessary, then why did I tell you that I use such a service myself (LuxSci, in my case)? Well, it’s an easy way to up my compliance and security. And it’s really quite cheap (if you know where to look – see below).
Also, I have a group practice – so while I know not to email a weirdo email service from Timbuktu, I don’t want to rely on my employees knowing this too. So to cover the very rare possibility that somebody might send such an email, I feel better having LuxSci covering me.
But like I said, I do believe you can be HIPAA-compliant without it.
So I don’t need to get extra encryption on top of Gmail, but I should probably do so anyway?
You got it.

Okay, how do I do that?
Well, I like LuxSci because you set it up once on your Gmail and you never have to think about it again; and recipients don’t notice any difference either. (Paubox is pretty much the same thing, but more expensive.)
You can get LuxSci for just $6/month. But for that, you need Eric.
Eric runs PMI Pros, and he can set you up with a single LuxSci license for your Gmail (if you go through LuxSci proper you need to buy a chunk of them); it will cost you all of $6 per month (per user). It’s by far the best and most affordable option out there, in my semi-humble opinion.
Eric also has a whole suite of useful services like website building, marketing, social media, etc. (I do not use those services because by the time I found him I already had that kind of stuff set up, but if the service he provides me for my LuxSci needs is any indication, I imagine he does great with those as well.)
You can reach out to Eric here and get yourself signed up. Tell him I say hi! Also, please mention account #289 so I can get a very small kickback from the referral. To make the purchase, click here.
The other option for getting super-duper secure email is to use a portal-based escrow system like Hushmail, where the recipient has to sign in to read the message. I go nuts having to sign into user portals when I get an email from a doctor, and I don’t want to inflict that on my clients, so I don’t want to go that route, but that is a perfectly fine way to go about sending secure, HIPAA-compliant emails.
(Another Gmail-compatible option is Virtru, but it is a big pain to use – verifying identity, inputting passwords – I wouldn’t bother.)

One more nontechnical note
After all this technical security stuff is said and done, your responsibilities for using email in a HIPAA-compliant way aren’t quite over.
Recall that we’d said above that Gmail will encrypt your emails at rest (in your account) and in transit (on the way to the recipient’s). Once the message arrives, it is the recipient’s provider that decides how it is stored and what is done with it. Meaning, if your client is using free Gmail (for example), then Google’s army of bots can and will scan the contents of that e-mail (for spam filtering, malware detection and the like), as they do with all mail on the free service.
(The odds of it ever being seen by a human being though is pretty much nil; it’s not like Google employees are reading juicy gossip on Gmail users. Over 100 billion emails are sent on Gmail every day! I promise you Sundar Pichai isn't reading your personal emails.)
Thus, it is HIPAAppropriate to make sure your client is informed of that so they can give informed consent to using email to communicate with you. (I have a little section in my consent forms that lets them know what they need to know about using email and texting to communicate with me. You can purchase my documentation packet here.)
Bottom line: in order to be HIPAA compliant you need informed consent + Gmail through a paid Workspace account + a signed BAA. And it doesn’t hurt to have LuxSci as a cherry on top.

Many thanks to the late Roy Huggins and his team, who taught me virtually everything I know about HIPAA.