Is Gmail HIPAA compliant? Potentially…

Let’s guess! You’re on the hunt for a HIPAA-compliant email service.

• You love the idea of using Gmail because you’re familiar with it 
• It’s useful to have Google’s other apps tightly integrated 
• And if you aren’t very tech-savvy, you feel it will be the easiest to use

But here’s the million-dollar question: Is Gmail HIPAA compliant? 

The short answer? You can make Gmail HIPAA compliant and this article will show you how.

But be warned, just because it’s possible, doesn’t mean it’s ideal. 

• You’ll need to pay for Google’s business plan, known as Google Workspace 
• You may also need to buy third-party encryption to help you secure your emails 
• Setup won’t be easy, and Google’s support options are limited in case you get stuck 

If this already sounds a bit scary, and you’d prefer a HIPAA-compliant email service with support that can hold your hand along the way, then check out Hushmail for Healthcare.

But if you still want to learn how to make Gmail HIPAA compliant, then let’s dive in!

How to make Gmail HIPAA compliant – A step-by-step guide

These are the 4 steps you’ll need to follow. While the process isn’t easy, we’ll guide you using screenshots and simple explanations.

Step 1: Sign up to Google Workspace

You’re probably used to Gmail – Google’s free version of email for personal use. 

However, regular Gmail isn’t HIPAA compliant.

Instead, you’ll need to sign up and pay for Google’s business plan called Google Workspace (previously known as G Suite).

Here’s how:

1. Click here to go to Google Workspace and click “Get started” in the top corner

2. Fill in your business name and number of employees (if any)

3. Enter your name and current email address

4. Now you’ll need to choose whether you own a “domain”

What is a domain? The domain is the part of your email address after the @ symbol.    Imagine you’re a social worker using the website: watsonsocialwork.com. If you own the domain, you can create a professional-looking email address and increase trust with clients.  So instead of matthew.watson.lcsw@gmail.com, you could be matthew@watsonsocialwork.com. The downside of having a custom domain is that you need to pay a few dollars extra for it every year. However, if you’re with Hushmail, you can use domains like @therapysecure.com, @counselingmail.com, and a few others for free.

4a. If you do have a domain name…

Then click “Yes, I have one I can use”.  Google will ask you to enter it and verify you own it later. Google provides instructions on how to link your domain to Google Workspace which you can follow here. 

However:

• Their instructions use technical language making it hard to follow if you’re unfamiliar with the terms
• Reaching the support team of such a large company could prove difficult if you need help

If you know a developer, you could ask them to assist you – but it may be expensive. 

Alternatively, if you decide to use Hushmail instead of Gmail, we have many walk-through videos and easy to understand guides to help. Plus, if you’re still unsure, or need us to hold your hand, our friendly team is one call away to help.

4b. If you don’t have a domain…

Then click “No, I need one” and Google will help you to search for and buy one. 

Most domain names will cost you between $12-$60/year.

Put your username as the email address you want to use. Then, create a password to go with it. 

To strengthen your password, we advise using a random set of memorable words. You might consider a phrase with a specific meaning to you, or about a family member, hobby, or personal belief. 

For example: “chess is very hard” or “anna goes to nursery.” 

After you’re done, you’ll be redirected to the login screen. Sign in using the username and password you just created, and get ready to choose a plan!

Which Google Workspace plan is HIPAA compliant?

Unlike personal Gmail accounts, any of Google’s Workspace plans have the potential to be HIPAA compliant. Most of the features on the higher-priced plans are aimed at large enterprises. So if you’re a small or medium-sized private practice, you can choose the Business Starter plan.

Step 2: Sign a BAA with Google for Gmail

As you will send and receive patient health information, you need to sign a legal document known as a Business Associate Agreement (BAA). This agreement asks your email provider to comply with HIPAA and ensure your patients’ information is held securely. The good news is:

• These agreements can usually be signed electronically in a few clicks
• The email provider should draft the agreement for you so there are no lawyer fees 

Here’s how you sign a BAA for Google Workspace:

1. Click here and log in to Google’s Admin Panel

2. On the menu bar, go to Account > Account settings

3. Scroll to the bottom of the page. Then click on the “Legal and compliance” box. 

4. Click on "Not accepted" under "Google Workspace/Cloud Identity HIPAA Business Associate Amendment

5. Then click on "Review and accept."

6. A pop-up should appear with 3 questions. Provide a yes/no answer to each of them.

Note: If you’re unsure what a “Covered Entity” is, or if you are one, then check our BAA guide first.

5. Review and accept the BAA agreement

After clicking “I Accept”, you’ve signed the BAA!

Step 3: Add third-party encryption to Gmail

Unfortunately, even after you’ve paid for a domain and Google Workspace, you may still need to buy one more thing… encryption.

Strictly speaking, encryption is not required by HIPAA in all circumstances. 

However, HIPAA considers it an “addressable” requirement which in layman terms means:

• If it’s reasonable to use encryption, you should do so or carefully document why you haven’t
• You should consider the risks of not using encryption, and how you would otherwise balance those risks

This is why nearly all healthcare professionals will conclude they need email encryption. 

Bear in mind that failing to manage risks and safeguard protected health information is a HIPAA violation. 

And falling foul of HIPAA could mean:

• Facing a HIPAA complaint with potential fines of up to $50,000 per violation
• Triggering a lengthy HIPAA audit 
• Having your practice become subject to oversight from Health & Human Services
• Losing your reputation and struggling to attract new clients

Now here’s the problem…

Gmail doesn’t always encrypt emails while they’re on the move from your inbox to your clients’ inbox. 

And it doesn’t always encrypt emails that are stored in your clients’ inbox, unless they also use Gmail.

Some email providers, like Hushmail, use a private message center to keep emails secure. (Don’t worry, we’ll explain more about what this is later).

For now, all you need to know is that without adding encryption to Gmail, your emails could fall into the wrong hands. 

How do you buy encryption for Gmail?

If you Google “Gmail encryption provider” you’ll find a few companies that offer encryption for Gmail. One of the biggest is called Virtru.

But as you may notice:

• Most encryption providers aim their services at large companies, not small-medium sized practices
• Their websites are technical and full of acronyms (HSM, DLP, SIEM, CJAS, ITAR – any idea what these are?)
• Even if you’re familiar with Gmail, you still have to learn how to use encryption software with it
• Pricing for Virtru starts at $119/mo – and that’s when it’s paid yearly!
• Their default support is online assistance only

Unfortunately, there’s no way around this for most healthcare practitioners that want to make Gmail HIPAA compliant.

Step 4: Follow Google’s HIPAA implementation guide

Once you have encryption, you’ll need to adjust a few settings within Gmail. Handily, Google has created a guide with all the details, which you can access below:

You’ll also want to:

• Set strong passwords – Remember when we said it’s important to create a strong password? Well, you can check if your colleagues in your practice are using strong passwords from within the password management section of Google’s admin panel. If Google thinks their passwords are weak, then ask them to change them.
  
  
• Use two-step verification – Gmail and most email providers can send you a code by text or email to verify it’s you every time you log in. Learn why you should turn on two-step verification.

What are the advantages and disadvantages of using Gmail as a HIPAA-compliant email service?

Now you know how to make Gmail HIPAA compliant, is it worth it? Or is there a better alternative for you? Let’s take a look.

Advantages of using Gmail as a HIPAA compliant email service

You’re familiar with it for personal email

Gmail has a simple interface that makes it easy to use. Better yet, most people have had a Gmail account for years which makes it less intimidating.

But remember that:

• It’s very important to keep your personal email separate from your healthcare email
• Adding encryption might make your Gmail inbox feel unfamiliar
• Most email services look and feel very similar so there shouldn’t be a learning curve

Other Google Workspace apps are nearby

Google has some great apps like Docs, Sheets, and Meet, which is a bonus when using Gmail. Just be aware that Google Contacts is not HIPAA compliant, and it integrates closely with Gmail.

Disadvantages of using Gmail as a HIPAA-compliant email service 

It’s difficult to set up

If you’re tech-savvy or run a large practice with a tech team, you should be OK. But for everyone else, it might be difficult, time-consuming, and expensive to set up.

Lack of personalized support

Google provides free standard support with their Business Starter plan. But as a large tech company, their support may struggle to understand the needs of a small healthcare practice.

Here at Hushmail, we have conversations with our healthcare customers about supporting HIPAA compliance every day. Our plans include full support at no extra cost. You can speak with real people on the phone or online and have unscripted conversations. 

We’ll hold your hand, help you get set up, and answer any questions for as long as you need.

Not built for healthcare users

Gmail was built as an email service for all companies, not just healthcare practices. While this makes it versatile, it does mean that any updates aren’t prioritized with healthcare users in mind. 

What if there’s a new regulation about HIPAA-compliant email? How long might it take them to respond?

No forms with healthcare templates

As a healthcare professional, you need to be able to email forms to your clients.

Google does have an app for creating forms. But unlike Hushmail, it:

• Doesn’t include pre-made healthcare templates such as client intake forms, diagnosis forms, health screenings, etc. 
• Doesn’t include specialist features like body charts (used by patients to indicate points of pain) 
•  Doesn’t give you the ability to electronically sign forms 

Need to buy a domain for professional email

If you don’t have a website domain but want an email address that’s more professional than @gmail.com, then you’ll need to pay for it. Via Google, this is normally an extra $12-$60 per year.

Hushmail includes some professional domains for free like @therapysecure.com, @therapyemail.com, @counselingmail.com, @counselingsecure.com, or yourname@yourpractice.hush.com. 

Need to add third-party encryption 

Gmail can encrypt emails stored in your inbox. However, they can’t control whether your recipient also encrypts the messages they receive in their inbox. This creates a potential security issue.

To get around it, most healthcare professionals buy a separate encryption service for Gmail. But these services are quite expensive, and can be a bit technical.

That’s why Hushmail developed a better solution to this problem: our Private Message Center.

What is a Private Message Center?  A private message center is a secure web page where recipients who don’t have a Hushmail account can read and reply to your emails. The first time they receive a secure email from you, they'll be asked to sign in with an account they already use, such as Google, Microsoft, or Apple. Or they can create a unique password. From then on, they can access your emails on a secure webpage. This prevents the email from getting into the wrong hands!  For more information, read about how the Private Message Center works.

Alternative to Gmail for HIPAA compliant email: Try Hushmail

For all these reasons, Hushmail is the perfect alternative to Gmail if you need HIPAA-compliant email.

¹Google has a feature called “confidential mode”, but it doesn’t support secure replies from recipients unless they also have Gmail.

Does using a HIPAA-compliant email service mean that you’re fully HIPAA compliant?

No! It’s still up to you to ensure you handle your emails in a compliant way. 

That’s why we put together 6 quick tips to ensure your emails are truly HIPAA compliant.

Enter your name and email and we’ll send them to you right away.

FAQ about using Gmail for HIPAA-compliant email

We’ll answer any common questions people ask about using Gmail as a HIPAA-compliant email provider. 

If we’re missing something, contact us.

Is Gmail’s confidential mode HIPAA compliant?

Gmail’s confidential mode has some useful security features. It allows you to set a message expiration date, require a code for recipients to open messages, and remove message access.

However, it has the same downsides as Gmail.  You would still need to follow our guide to sign a BAA with Google (which can only be done after paying for Google Workspace). Plus, you should still follow Google’s HIPAA implementation guide.

Conclusion: So is Gmail HIPAA compliant in 2023?

Gmail isn’t HIPAA compliant. But with a lot of effort, it is possible to make it HIPAA compliant.

Considering the costs, difficult setup, likely need to buy encryption, lack of healthcare forms, and other downsides, it becomes hard to justify.

For most healthcare professionals, it’s much easier and better to use a service like Hushmail instead.