Some health care providers are in need of HIPAA-compliant email

Many of them currently use Gmail or one of the other free public webmail services, and they would, of course, like to add HIPAA compliance without changing any of their business processes or habits.

HIPAA-Compliant Email - Just About Impossible

For example, some businesses may want to set up an internal HIPAA-compliant email system and have those secure messages forwarded to Gmail, where they can read them in their “usual way”.

In general, this is a bad idea: it will almost always end up non-compliant and leave them at significant risk of breaches, disclosure, and HIPAA liability.

No one who must comply with the HIPAA law should be accessing a patient’s personal health information through Gmail.

Many commodity email services support SSL for access to their web site and TLS for encrypting inbound email in transit. These are good things and help make the Internet a more secure place.

However, while these technologies provide the HIPAA-required transport encryption when you access email through Gmail’s web interface, and support optional transport encryption for inbound email, many required features are missing, and most will probably never be added to Gmail.

These include:

HIPAA HITECH requires that you have a signed Business Associate Agreement with a vendor (like Gmail or LuxSci) that acknowledges that you are using email with Personal Health Information. Gmail does not sign contracts — you can’t even talk to them on the phone (without paying lots of money, at least).

If you send an email with Personal Health Information to someone using your Gmail account, it will almost certainly go over the Internet to the recipient’s mail servers and folders in an insecure and unencrypted fashion, automatically violating HIPAA.

Gmail provides little or no auditing of connections and accesses to accounts.
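As an added illustration of the transport problem just described (this is not code from the original post or from LuxSci), the script below reads the Received: headers of a delivered message and reports which hops were protected by STARTTLS, using the “with” protocol keywords registered by RFC 3848 and RFC 6531; the sample message, hostnames and addresses are constructed.

```python
"""Audit the transport hops recorded in a message's Received: headers.

Per RFC 3848 (and RFC 6531 for the UTF8 variants) a hop stamped
"with ESMTPS"/"ESMTPSA" used TLS; "with ESMTP"/"SMTP" did not.
The sample message and all hostnames below are constructed.
"""
import re
from email import message_from_string

# Constructed sample: three hops, the middle one relayed in the clear.
SAMPLE_MESSAGE = """\
Received: from mx.clinic.example (mx.clinic.example [198.51.100.7])
\tby mail.provider.example with ESMTPS id abc123
\tfor <doctor@clinic.example>; Mon, 1 Jan 2024 10:00:00 +0000
Received: from relay.isp.example (relay.isp.example [203.0.113.9])
\tby mx.clinic.example with ESMTP id def456;
\tMon, 1 Jan 2024 09:59:58 +0000
Received: from [192.0.2.5] (user-laptop.example [192.0.2.5])
\tby relay.isp.example with ESMTPSA id ghi789;
\tMon, 1 Jan 2024 09:59:55 +0000
From: nurse@clinic.example
To: doctor@clinic.example
Subject: Appointment follow-up

Body omitted.
"""

# Registered "with" keywords that imply a TLS-protected hop.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

# Pull the from/by/with clauses out of one (possibly folded) header value.
_HOP_RE = re.compile(
    r"from\s+(?P<src>\S+).*?by\s+(?P<dst>\S+).*?with\s+(?P<proto>[A-Za-z0-9]+)",
    re.IGNORECASE | re.DOTALL,
)

def audit_hops(raw_message):
    """Return one (source, destination, protocol, used_tls) tuple per hop."""
    msg = message_from_string(raw_message)
    hops = []
    for header in msg.get_all("Received", []):
        m = _HOP_RE.search(header)
        if not m:
            continue  # malformed or unusual header: cannot be assessed
        proto = m.group("proto").upper()
        hops.append((m.group("src"), m.group("dst"), proto, proto in TLS_PROTOCOLS))
    return hops

def cleartext_hops(raw_message):
    """Hops on which the message travelled without TLS."""
    return [hop for hop in audit_hops(raw_message) if not hop[3]]
```

Received: headers are written by each relay and can be omitted or forged, so a clean result only shows that the recorded hops claimed TLS, not that the path was protected end to end.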

HIPAA requires that you will:

  • Ensure secure tracking of stored data
  • Ensure secure disposal of used hard drives and other media
  • Ensure secure access to facilities
  • Ensure all employees with access to any data are trained in and abide by HIPAA privacy standards.

Gmail engineers have complete access to user data and do look at it. See Google worker fired for stalking teens. Google would need to follow all of the steps in the HIPAA Compliance checklist and more.

Who owns your data, and where is it? Google scans all your mail (ePHI included?) to serve ads and other information to you. This data may be stored anywhere and in any format. While the data might not be easily traced back to you, the data itself is the problem: the privacy of the personal health information cannot be ensured within the Google infrastructure.

What happens to deleted data? Google doesn’t like you to delete data, ever; they would prefer it stick around. Personal Health Information, such as ePHI, cannot be guaranteed to be removed from their servers even if you delete it from your account. Google doesn’t appear to implement anything in the HIPAA law checklist in a way that would be fully compliant.

Informational Source: LuxSci FYI Blog
