The Health Insurance Portability and Accountability Act (HIPAA) sets strict standards to protect patient privacy and confidentiality. Using HIPAA compliant email services is one way to keep your emails safe.
However, not all email services are HIPAA compliant. Here are some questions you should ask yourself before signing up for a service:
End-to-End Encryption
End-to-end encryption (E2EE) protects users’ data by encrypting it at every step of the communication process. This means that no one else — including Google — can decrypt it.
In contrast, in traditional email encryption, service providers like Google and Microsoft hold copies of the private keys to decrypt messages and files. When this happens, Big Tech can read your private communications and use them to target you with ads.
When Gmail supports E2EE, messages are encrypted by the user’s device before they are sent to a server. Therefore, even if hackers get access to a server, they cannot access the user’s personal information or attachments.
While Google claims that this is an effort to protect your privacy, it is still far from effective. If you want true security, you need to sign up for a fully encrypted Tutanota mailbox.
Business Associate Agreement (BAA) with Google
If you’re using Gmail to communicate with patients or healthcare professionals, you must first sign a Business Associate Agreement (BAA) with Google. This is a legally binding agreement that ensures you’re following HIPAA regulations when handling PHI.
You can request a BAA with Google by signing into an Administrator account for your Google Apps for Business, Education or Government domain. Non-Administrator users or users of the free version of Google Apps are not eligible for a BAA.
This BAA applies to all of the core Workspace services that include Gmail, Calendar and Drive (which includes Docs, Sheets, Slides, Forms and more). If you’re using additional Google products that may not be covered by this BAA, then you should disable them as soon as possible.
Training
HIPAA regulations are meant to keep healthcare professionals and their clients’ sensitive medical information secure. This is why therapists need to ensure that they’re using HIPAA-compliant email services when communicating with their clients and patients over the internet.
The first thing that a therapist or a practice needs to do to be HIPAA compliant is to sign a Business Associate Agreement (BAA) with Google. It’s a relatively simple step, but one that needs to be completed properly to avoid fines.
Another key piece of HIPAA compliance is end-to-end encryption for any email containing PHI sent outside of your organization’s firewall. If you send this information via Gmail, it should be encrypted in order to ensure that no unauthorized parties can see your sensitive data.
In addition, you need to make sure that your users are trained on how to use email and cloud storage appropriately. For example, don’t allow employees to leave their computers unattended while they’re composing or sending emails that contain PHI.
Privacy Policies
Privacy policies and in-product notifications are critical tools for developers to inform users about how their applications access, use, store, or share user data. These disclosures should be accurate, comprehensive, and easily accessible.
In addition, if you modify how your application uses Google user data or change how you disclose that use in your privacy policy, you must notify users and prompt them to consent to the change before you may access their Google user data.
While it’s true that third-party email applications need access to Gmail data to provide services, that doesn’t mean you’re giving them permission to read every single message you send. In fact, many people don’t even realize that they are doing so.
Conclusion
This is a serious problem that could have far-reaching implications for the entire tech industry. It could force companies to put into place safeguards on the types of personal data they can collect and use, according to researchers at George Mason University.