The Gmail Shocker-It is Not HIPAA Email Compliant!!
Gmail has established itself as the most preferred individual and organizational email service. While individual Gmail accounts are free, the organizational accounts are very well packaged, providing efficient and affordable, bundled emailing services with a wide array of features. Many covered entities are not clear whether their Gmail accounts are HIPAA compliant. Many of them have simply assumed that Gmail being such a comprehensive provider of email services would obviously meet the privacy guidelines set by HIPAA. However, it would be slightly shocking for such individuals and healthcare organizations to realize that Gmail is not a HIPAA-compliant emailing medium.
Many practitioners and business associates who are on the move and need instant access into their email accounts via smartphones and PC tablets get their emails from HIPAA compliant email systems forwarded into their Gmail accounts. With Gmail being pre-configured in most devices, this seems like the natural thing to do. However, this can have serious consequences as accessing patient health information via Gmail amounts to non-compliance and puts such users at risk of being held responsible for breach or patient data privacy setting. This can lead to HIPAA liability issues and penalties.
Thus, any form of electronic PHI or ePHI should not be accessed via Gmail. Some people might argue that Gmail supports SSL and TLS and thus, it meets the compliance guidelines. It should be noted that many commodity e-mail service providers support SSL. This is done to ensure easier access to their portals. Similarly, using TLS for encryption of inbound emails is a recommended security measure but they don’t guarantee HIPAA compliance. These are ways of securing access and transmission of data via the Internet but they don't have all the features that are required to fully adhere to HIPAA guidelines. This includes lack of critical features like:
No Agreement with Business Associates
HIPAA regulations require that a healthcare facility should have a signed contract with its Business Associate in the form of a detailed agreement. This agreement should clearly state the circumstances under which ePHI will be shared/accessed by the business associate (like vendors) and what precautions are being taken by the associate to ensure privacy of PHI being maintained. Gmail isn't obligated to sign such agreements.
Issues of Outbound Email Encryption
Encryption for emails in Gmail accounts is sorely missing, in direct violation of HIPAA guidelines. If mails containing ePHI are sent via a Gmail account, it will be transmitted via the web. Though Gmail’s security measures are impressive, there are no guarantees that before reaching the recipient's servers the patient data won’t be accessed in an unauthorized manner since there is no encryption.
No Auditing Authority & Data Surveillance
Gmail doesn’t provide any kind of auditing facility and neither this can be requested as a part of availing Gmail's services. Auditing of ePHI being shared among business associates and healthcare facilities is a vital HIPAA mandate. Gmail does provide any facilities that can help the user track his saved data. HIPAA requires PHI-handling entities to be aware about where and how their data is stored. Gmail doesn’t put forth any sort of training facility for gaining familiarity with HIPAA privacy standards.
Issues Related to Deleted Data
Even if data is deleted from a Gmail account, Google's technologies are such that data is often not permanently removed, i.e. it can be retrieved later. Thus, there is chance of patient data being retained on Gmail servers even after being deleted, raising security issues.