- Raffi Bilek
Is Gmail HIPAA compliant?
Updated: Jan 9
This is a question that has befuddled many. Let’s take it one step at a time.
First of all, let’s recall that “HIPAA compliant” is a term that applies to you, not your tools. Tools can help you to work in a secure way, but none of them are HIPAA-compliant. (You can use pretty much any tool to do something foolish. Trust me, I know. I once cut myself with a safety razor.) So Gmail is not “compliant.”
Gmail is a secure service, when you use a paid Workspace account, and you can be HIPAA-compliant if you use it.
Note that this means that the free Gmail service is not HIPAA-secure. In order for any service to work with you in a HIPAA-compliant fashion, they need to provide you with a Business Associate Agreement (BAA). Google will only provide you one if you’re paying for Workspace.
So let me give you the bottom line here, then we’ll unpack it a bit:
Gmail provided through Google Workspace is a HIPAA-secure tool. Encryption is a way to improve your compliance with HIPAA and your caretaking of client confidentiality, but it is not strictly necessary for HIPAA compliance; you can get a request for non-secure electronic communications instead.
Why do I need encryption?
Glad you asked! Encryption makes it so that your messages cannot be intercepted and read as they travel on their merry way across the internet from your device to your client’s device (we call this “in transit”). Google does automatically encrypt messages that are sitting in your inbox or that you’re preparing to send (“at rest”). Once you click send, however, it’s a different story.
Without encryption, Bad People could peek into that message as it flies through cyberspace, and that would not be Secure or Confidential. HIPAA requires us to take reasonable precautions to safeguard the protected health information (PHI) of our clients, and at this stage in the game, encryption is so accessible that it’s hard to claim that it’s not a “reasonable” precaution.
Note that while PHI is on your actual computer, there are other measures you need to be taking to secure it, including encrypting your entire hard drive. More on this in another post.
On the flip side, once it gets to your client’s inbox, it gets unencrypted. Couldn’t Bad People gain access to it there?
Yep. They could.
But your HIPAA responsibility only covers that which is under your control. Once your client is holding onto it, the security thereof is no longer on your head. (Note that this doesn’t mean that sending even encrypted email is always a good idea. It is always wise to discuss this with your clients. One good example of a thorny situation is if you work with victims of domestic violence. The possibility of an abusive partner invading your client’s inbox and thereby discovering that your client has sought out the help of a therapist portends consequences that are not pretty. Which is why discussing it with the client beforehand is always wise.)
So then I do need to encrypt my emails?
Well, no. Let’s keep going here.
Under HIPAA, clients have the right to request non-secure electronic communications. This is very relevant when it comes to, say, texting, which is not encrypted. (You can use services that offer secure texting, like Signal, but only if your client also has that same app, and then you only text through that app, and it’s really kind of a pain and nobody wants to do that.) Clients who want to text with you about scheduling and cancelling and all those good things have the right to do so. But they need to make a formal request for this. Let’s creatively call it the Request for Non-Secure Electronic Communications.
If clients do submit a Request for Non-Secure Electronic Communications, then you can use regular texting, and also regular email (with a service that offers a BAA; texting and BAAs is a different matter – we’ll circle back to that another time). So in this way, you’d be compliant with HIPAA, and you wouldn’t need to encrypt your emails.
Note that making non-secure communications the default with an opt-out option is not the same thing! Clients are supposed to make the request to opt in, not opt out. (You can see and purchase the forms I use here – but this is such an uncharted area of law that I strongly recommend doing your own due diligence on this one, even if starting from my form.)
So... I don’t need to encrypt my emails?
Strictly speaking, no.
BUT – it’s a good idea anyway. Why is that?
Well, first of all, it’s not a bad thing to provide extra security even if your clients do request regular old unencrypted email. If someone intercepted the email, sure, you wouldn’t be on the hook for that if that’s what the client requested – but wouldn’t we prefer to avoid that happening anyway?
Another point is that, say you didn’t receive a Request for Non-Secure Electronic Communications (they opted not to, or they forgot, or they filled it out wrong, or...) and now you really need to email them for some reason or other (let’s say their phone number has gone out of service). With encrypted email, you can do that without needing to ask their permission. (Generally speaking you should clear it with clients before emailing them in any case, but the point is that if you had to, you could.)
There’s one more important back-and-forth worth understanding. Let’s get a bit more into the weeds (but just a bit). Most modern email systems already do use TLS (Transport Layer Security) encryption, which is plenty secure enough for HIPAA. This leads some people to believe that the encryption problem is already solved!
But note that I said most modern email systems. Most – but not all. So if you are relying on the default encryption that is already in general use, most of the emails you send will likely be encrypted, but you are not guaranteeing that all of them will be. Would you be comfortable entering the password to your bank account if the bank told you that most of the time it would be kept secure?
So in order to demonstrate HIPAA-level encryption security (which, again, is not strictly necessary if you’re getting a request for non-secure electronic communications), you’d have to guarantee that you are always encrypting your emails. If you are at any point relying on encryption rather than the request for non-secure electronic communications, you want to have that guarantee.
(I should note that in my inexpert opinion the odds of anyone breaking in to see the contents of your email messages with clients is pretty low – but that doesn’t mean you don’t have to guard against it. You do – largely because it is so easy to do.)
Another useful point: you can actually determine if a client's email system uses TLS (it probably does) by having them send you an email and checking to see if the header says it's TLS-secured, which would mean your emails to them would also be secure. That would look like this:
Of course you'd need them to first have informed consent about sending you emails. Just pointing out another reason/way you would not NEED third-party encryption.
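To make the header check above concrete, here is an added example (not from the original post) that reads the Received headers of a message and reports, hop by hop, whether the receiving server recorded a TLS marker. The message, hostnames, addresses and IDs are constructed for illustration.

```python
import email
import re
from email import policy

# Constructed sample (not a real capture): the client's provider handed the message
# to our MX over STARTTLS (ESMTPS, RFC 3848); an internal relay then used plain SMTP.
SAMPLE_RAW = """\
Received: from mx-internal.example.net (mx-internal.example.net [192.0.2.20])
        by mailstore.example.net with ESMTP id 7F3A2B;
        Mon, 9 Jan 2023 10:00:02 +0000
Received: from mail.client-isp.example (mail.client-isp.example [192.0.2.10])
        by mx-internal.example.net with ESMTPS id 1A2B3C
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 9 Jan 2023 10:00:01 +0000
From: client@client-isp.example
To: therapist@example.net
Subject: Rescheduling

Can we move Thursday to Friday?
"""

# "with ESMTPS"/"ESMTPSA" is the protocol token a receiving server writes when the
# sender spoke STARTTLS; many servers also append version=TLS... or TLSv1.x details.
_TLS_MARK = re.compile(r"\bwith\s+(?:ESMTPSA?|UTF8SMTPSA?)\b|\b(?:version=TLS|TLSv1)", re.I)
_BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")

def tls_hops(raw: str):
    """[(receiving_host, used_tls)] per Received header, newest hop first."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(str(value).split())       # collapse header folding
        by = _BY_HOST.search(text)
        hops.append((by.group(1) if by else "?", bool(_TLS_MARK.search(text))))
    return hops

def all_hops_tls(raw: str) -> bool:
    """True only if every hop recorded in the headers carried a TLS marker."""
    hops = tls_hops(raw)
    return bool(hops) and all(tls for _, tls in hops)

if __name__ == "__main__":
    for host, tls in tls_hops(SAMPLE_RAW):
        print(f"{host}: {'TLS' if tls else 'PLAINTEXT'}")
    print("all hops TLS:", all_hops_tls(SAMPLE_RAW))
```

The result describes only the path that one inbound message took: an ESMTPS marker on the hop from the client's provider shows their server offered STARTTLS to yours, which is the evidence the paragraph above is after, and any hop without a marker is flagged.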
So I don’t need to encrypt my emails, but I should probably do so anyway?
You got it.
Okay, how do I do that?
There are several ways you can handle this.
You can use a service like ProtonMail, which at the time of this writing offers free, encrypted email, and you can request a BAA. You can also pay for Hushmail, which is a very robust, HIPAA-secure system (but it’s an escrow email system, meaning clients have to log into a portal to see their emails, and I am so not messing with that). However, both of these options mean you’re using e-mail that is not Google Workspace, which is already part of the $6/month package. (There are other options out there for encrypted email; no doubt I have not heard of them all.)
Then there are add-ons you can use with your Workspace Gmail. Paubox and LuxSci are two great options that basically get plugged into your Gmail and then nobody notices any difference at all – not you and not the recipient. I use LuxSci basically because the pricing worked out better for me there. (Paubox comes out financially advantageous for practices that have between 5 and 9 accounts; for less than that, LuxSci is cheaper; and once you go over 10 users in Paubox, the price quadruples.)
Another Gmail-compatible option is Virtru, but it is a big pain to use – verifying identity, inputting passwords – don’t bother.
A critical point about services like LuxSci and Paubox is that they will determine whether the recipient’s email will allow you to send the email with TLS, and if not, they will use a different encryption approach to keep things secure. You thereby guarantee encryption, and HIPAA is happy.
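The distinction the paragraph draws between TLS that happens to be available and TLS that is guaranteed comes down to what a sender does when the receiving server offers no STARTTLS. The following added example (my illustration, not LuxSci's or Paubox's code) enforces that guarantee with Python's smtplib: it sends only after a verified TLS upgrade and refuses otherwise, where a commercial gateway would instead fall back to another encrypted delivery method; FakeSMTP is a stand-in so the policy can be exercised without a mail server.

```python
import smtplib
import ssl
from email.message import EmailMessage

class TlsRequired(RuntimeError):
    """Raised when the receiving server does not offer STARTTLS."""

def send_tls_only(smtp, msg: EmailMessage) -> None:
    """Deliver msg only after a verified TLS upgrade; never fall back to plaintext.
    `smtp` is an smtplib.SMTP session (or an object with the same ehlo/has_extn/
    starttls/send_message methods, such as FakeSMTP below)."""
    smtp.ehlo()
    if not smtp.has_extn("starttls"):
        # Opportunistic TLS would silently continue in the clear here; we stop instead.
        raise TlsRequired("server does not advertise STARTTLS; message not sent")
    ctx = ssl.create_default_context()   # verifies certificate chain and hostname
    smtp.starttls(context=ctx)
    smtp.ehlo()                          # re-EHLO after the upgrade, per RFC 3207
    smtp.send_message(msg)

def try_deliver(smtp, msg: EmailMessage) -> str:
    """Return 'tls' if sent over TLS, 'refused' if the server offered none."""
    try:
        send_tls_only(smtp, msg)
        return "tls"
    except TlsRequired:
        return "refused"

def make_message(sender: str, to: str, subject: str, body: str) -> EmailMessage:
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, to, subject
    msg.set_content(body)
    return msg

class FakeSMTP:
    """Offline stand-in for smtplib.SMTP (constructed for this example, not a real server)."""
    def __init__(self, offers_starttls: bool):
        self.offers_starttls, self.tls_active, self.sent = offers_starttls, False, []
    def ehlo(self): return (250, b"ok")
    def has_extn(self, name): return self.offers_starttls and name.lower() == "starttls"
    def starttls(self, context=None): self.tls_active = True
    def send_message(self, msg): self.sent.append((self.tls_active, str(msg["Subject"])))

if __name__ == "__main__":
    # Real use: with smtplib.SMTP("mx.client-provider.example", 25) as s: send_tls_only(s, msg)
    msg = make_message("me@example.net", "client@example.org", "Appointment", "See you Thursday.")
    print(try_deliver(FakeSMTP(True), msg))    # tls
    print(try_deliver(FakeSMTP(False), msg))   # refused
```

Google Workspace's own "Secure transport (TLS) compliance" setting applies the same refuse-rather-than-downgrade rule for domains you list, which is the built-in counterpart to this check.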
This does lead to a small number of clients with backwater email services getting an email that looks like this, which prompts them to click on a link and sign up for a SecureLine account (for free):
(Admittedly, Paubox does this better – it’s a one-click process with no login needed; but this also means it’s less secure.)
September 2022 update: I just came across this infographic comparing various encryption services which I thought was helpful:
When a client gives me their email address and it’s not one of the normal ones like Gmail or Yahoo or Hotmail, I just notify them that if they receive an email from LuxSci, that’s actually me. This happens close to never, so I don’t find it a major obstacle (but to each his own).
Other than that, LuxSci is set-it-and-forget-it, which is exactly what we’re all looking for, amiright?
One more important technical point about all of this: with a service like LuxSci, only your outbound emails are encrypted. You need to make sure your clients understand this – if they email you, their messages may not be encrypted. As I mentioned above, I believe the likelihood of that actually causing a problem is low, and the truth is I think most people get that email is hackable (BTW, even with LuxSci or anything else, if a hacker really wants to get in, they’re getting in) and don’t care all that much. But if you don’t get informed consent on this point, you are not doing your HIPAA duty, so make sure to be explicit about this.
How do I get LuxSci?
The prevailing wisdom is that LuxSci requires a minimum number of users, which is true (as of this writing, it’s 5, but there’s also a $50/month minimum to use their services). Fortunately, there is an alternative. The alternative is Eric.
Eric runs PMI Pros, and he can set you up with even a single LuxSci license for your Gmail; it will cost you all of $6 per month (per user). It’s by far the best and most affordable option out there, in my semi-humble opinion.
Eric also has a whole suite of useful services like website building, marketing, social media, etc. (I do not use those services because by the time I found him I already had that kind of stuff set up, but if the service he provides me for my LuxSci needs is any indication, I imagine he does great with those as well.)
You can reach out to Eric here and get yourself signed up. Tell him I say hi! Also, please mention account #289 so I can get a very small kickback from the referral.
In short, I think it is wise to get encryption – it’s good policy, it shows your care for client confidentiality, and it’s very affordable. Have at it!
Many thanks to the late Roy Huggins and his team, who taught me virtually everything I know about HIPAA.
I've noticed the comment being thrown around that "Gmail is not HIPAA compliant without encryption." As explained above, this is not 100% correct. But I'd like to point out another problem with this comment, which is that it implies that once you add encryption (like Paubox or LuxSci), you are in compliance. This is also not correct!
The reason for this is that these systems encrypt the emails you send out, not the emails your clients send to you. So if you email them with an encrypted system and ask (or maybe even imply) that they email you back, without having gotten informed consent for non-secure communications, you are improperly leading them to send you unencrypted emails.
Meaning, even if you use an encrypted system, you need to make it clear to clients that their emails to you aren't covered by that encryption. (What suffices for that disclosure is something you need to clear with a lawyer. I have disclaimers in relevant places and one of those legalistic email signatures. I also have an important rule about all this stuff: never take legal advice from a social worker.)
The only systems that are encrypting emails that clients send to you are ones in which they have to log into a separate portal to send them (like Hushmail). So even if you have encryption (which, as we discussed, is a good idea), you need to be clear with clients about what that applies to.
January 2023 update: there has been a buzz going around about Google offering end-to-end encryption in the near future. As far as I can tell, this won't eliminate the need for third-party encryption services like LuxSci. It's not going to do what we wish it would do.