At the end of 2017, Google estimated that 1.2 billion people use Gmail for countless personal and business uses.  However, healthcare providers may be putting themselves at risk by using Gmail for any message that contains Protected Health Information (PHI).  This can include even the smallest bits of health information, such as patient names and appointment times.

You may have read that Gmail - and other large services for everyday email - have HIPAA-compliant servers. Unfortunately, this is only one very small part of the entire picture required for your use of Gmail to be HIPAA compliant and secure.  Before you press “Send” on that next email, you should be sure you can confidently answer the following five questions:

1. Do you have a HIPAA Business Associate Agreement (BAA) signed by Google? It is your responsibility as a customer to acquire BAA’s from your vendors.^[1]Google offers BAA’s only to those people paying to use G Suite. The BAA itself does not ensure HIPAA compliance, but it is one necessary component.
2. Will Google verify the identity of other healthcare provider recipients before sending Electronic Protected Health Information (ePHI)?  In order to be compliant with HIPAA regulation §164.312(d), fully HIPAA-compliant email exchanges verify a recipient doctor’s identity through professional credentials and other information sources.  They employ safeguards such as the federal government’s recommended DIRECT protocol.^[2]  Gmail does not employ the DIRECT protocol.
3. Have you increased message encryption to the highest level? Google provides varying encryption levels.  However, they state that the functionality of their encryption depends on each customer’s software configuration.^[3]  Some HIPAA email exchanges for health professionals provide end-to-end (person-to-person) security and 2048-bit encryption without the need to perform custom configurations.
4. Has Gmail definitively stated in writing that it will not search or scan the body of your email or its attachments?  Fully HIPAA-compliant email exchanges do not read, scan or access the content of your emails for data gathering, marketing or advertising functions.  HIPAA regulation §164.312(a)(1) requires no unauthorized access of ePHI.
5. If you are audited, will Google provide a comprehensive audit trail of all access to ePHI?  How? In order to be fully HIPAA-compliant with regard to regulation §164.312(b), an email exchange must be able to produce a highly detailed audit trail of every exchange of ePHI.  It is also important that you be able to receive this audit trail when needed.  Some HIPAA email exchanges for health professionals provide a phone number that allows you to speak with an actual healthcare support specialist who can provide exactly the audit trail you need in a matter of minutes.

To learn more about HIPAA compliance requirements and options for dental professionals, visit www.iCoreConnect.com/vda.  iCoreConnect is endorsed by VDA Services for secure messaging in dental practices.  VDA members receive an exclusive discount off standard monthly pricing. iCoreConnect can be contacted at 888-810-7706.

Robert McDermott is Chief Executive Officer and President of iCoreConnect.  iCoreConnect creates communication and practice management software that allows professionals to share information at the highest levels of security, backed up with real customer service.