You probably know that email is not secure or confidential, unless it’s an “encrypted” email service, like Hushmail. You may have also heard, however, that Gmail uses encryption. Occasionally someone may even use this as reasoning for the argument that Gmail is HIPAA-safe for mental health practitioners.
Unfortunately, that’s not the case.
Here’s the deal: you use Gmail through a website. That website is a tool for reading and writing emails. The Gmail website uses encryption to secure your connection to it. In fact, pretty much all Google websites do that. Those emails that Gmail manages, however, do not enjoy this same security. Here’s what that looks like in diagram form:
So from your computer to the “gates” of the Gmail website, your transmission is secured (encrypted and authenticated) using SSL, the protocol of web page encryption. Gmail doesn’t secure the emails that it transmits and receives behind the scenes, however. This is not necessarily Google being lazy or irresponsible. This is just how standard email works — it’s an old messaging system that wasn’t designed with security in mind.
HIPAA (and general good security sense) requires us to secure any electronic transmissions that contain protected health information*. Standard emails are not encrypted (they don’t use secret codes to hide their contents) or authenticated (there is no way to be sure of exactly who is sending or receiving them.) Thus they don’t make the grade for HIPAA security.
Hushmail is a popular secured email service and is used by many e-therapists for communication with clients. Other healthcare-oriented secure email services exist, as well. The problem with secured email is that it relies on encryption. And as I like to say, encrypted communications are a two-way collaboration. You and your client both have to engage in the secured email process, and most people find that too onerous or technical to do. Thus, the major email providers, such as Gmail and Yahoo! Mail, still do not provide secure email services.
Wait, I Saw a Video On Google That Says They Encrypt My Emails
Yep, I saw it, too! Google says they encrypt the email messages stored in their data centers. This is very good for privacy and certainly improves security. However, those ads you see in Gmail and other Google services still have an uncanny ability to match themselves to the contents of your emails. This is because although Google takes steps to protect your emails from unauthorized employees and intruders, the Google computers, at least, still read them. This is one of the ways in which the business model of most Internet companies doesn’t match well with our ethical mandates.
The intersection of email and HIPAA security can get complex, but it’s clear that Gmail’s security, while helpful, doesn’t cut the mustard for our needs under HIPAA or our ethics codes when it comes to transmitting confidential information. I think it’s a great email service, and Google does a fair amount to protect privacy, but the business model of Google and the technical model of email just don’t play well with our ethical and legal needs.
How can I learn more about Gmail and email in practice?
The topics in this article are covered in our online CE courses: Smooth and Secure Use of Phone, Text, Email, and Video to Meet Modern Clients Where They Are: Legal-Ethical and Real-World Considerations (3 CE hours) ; and HIPAA Security and Privacy in Psychotherapy, Counseling and Mental Health Practices (10 CE hrs) at the Zur Institute.
FOOTNOTES
*: Here’s a relevant snippet from the HIPAA Security Rule specifically about transmissions of confidential electronic information:
Standard: Transmission security. [Covered entities must] Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
(45 CFR, 2006, §164.312 (e)(1))
The Security Rule also defines “encryption” and “authentication” and requires us to use both as part of security measures where necessary:
[A covered entity must] Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
(45 CFR, 2006, §164.312 (e)(2)(ii))
[A covered entity must] Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
(45 CFR, 2006, §164.312 (d))
Learn more about the services and tools we recommend in your practice:
This is Step 1: Service Selection of the PCT Way.
Build your tech stack without fear. Learn More.
I was reading your post here and i went right away to Hushmail… i created tree accounts, i was very happy… when i went back to my Thunderbird services to open all these… i realized that it was impossible (?) Thunderbird do not allow me to move these account into… m’i doing some thing wrong?
Thanks for your comment, Alfonso. You should contact the support staff at Hushmail to ask about this. Remember that Hushmail is a web-based secure email service.
If I email from a gmail account TO a gmail account, is it more secure than lets say if I emailed to hotmail or yahoo? Is it within the encypted and secure Google server? Thank you.
Hi Heather,
There’s a danger in this question, which is assuming that the Google server is “secure.” For clinician purposes, and especially under HIPAA, the Google servers are not secure because Google employees and systems are not authorized to view our clients’ protected information, but they can see the contents of emails on those servers. But to answer your question: Gmail-to-Gmail emails might not have to be transmitted over the Internet (I don’t know the details. Google does have data centers all over the world, of course.) Not having to transmit the email over the Internet and then into yet another company’s information systems would mean not having to add even more risk to the email transmission. However, if you use Gmail to send protected health information, Gmail by itself already introduces enough vulnerabilities to make your risk of harm (through liability, if nothing else) significant enough to worry about.
I just paid for getting on google apps for business and they said it was hippa compliant for e-mail, google drive, calendar…not contacts. They are sending me a BAA. when I found out it wasn’t encryped i was offered Macaffee? encryption for e-mail for a cost. Do you think that will work? I am so far in now. can i have them back up my computer on google drive?
Hi Mary,
I feel like there must be a misunderstanding around contacts. My understanding is that contacts are part of Gmail.
Gmail is not an encrypted service. The advantage of Google Apps for Business is that they will give you the BAA. That makes it legal for you to store client emails and info in those accounts. You’ll still need client informed consent to actually send them ordinary emails, however.
Hushmail can offer actual encrypted email. Encrypted email through Gmail is very expensive.
I wouldn’t use Google Drive for computer backups — it probably doesn’t offer enough space, anyways. If you want to back up to an online service, consider Carbonite, SOS Backup, Crashplan, or any other company that specifically does online backup and offers a BAA.
It may help to make an overall plan regarding which services you’ll use before purchasing services. That way you can make sure your needs are all covered before committing to purchases.
BTW, here are articles that explain some of my convo with Mary:
Google Apps for Business and HIPAA: https://personcenteredtech.com/google
Clients’ Rights to Receive Emails: https://personcenteredtech.com/emailrights