Gmail has amassed a vast user base due to its versatility and ease of use, becoming the world’s most widely used email platform, responsible for more than one-third of global email opens. Consequently, when Google introduced a new “confidential mode” feature in 2019, it garnered significant attention.
This feature immediately piqued the interest of healthcare providers and other entities governed by HIPAA (Health Insurance Portability and Accountability Act), sparking questions about its privacy and security capabilities.
For HIPAA-covered entities, the critical question revolves around whether confidential mode sufficiently safeguards patients’ “protected health information” (PHI). If medical records are shared via Gmail with patients, providers, and business associates, can these organizations remain compliant with HIPAA regulations? How does Gmail’s confidential mode compare to the tried-and-true secure cloud fax services regarding HIPAA compliance? Let’s delve deeper into Gmail’s confidential mode and compare it to secure cloud fax alternatives.
What is Gmail Confidential Mode?
Confidential mode introduces a technology called “Information Rights Management” (IRM) into Google’s popular email platform. In essence, it prevents recipients from forwarding, copying, downloading, or printing messages, significantly reducing the risk of unauthorized sharing of confidential information.
Additionally, confidential mode enables senders to set expiration dates for messages, revoke access to a message after it is sent, or require text message authentication before viewing an email. This last feature adds a robust layer of protection, ensuring that even if an unauthorized party gains access to the recipient’s email account, they cannot access the message’s contents.
However, it’s worth noting that if a recipient is determined to share information, confidential mode cannot prevent them from taking screenshots or photos and forwarding them to unauthorized parties.
Is Gmail Confidential Mode HIPAA Compliant?
The question of whether Gmail’s confidential mode is HIPAA compliant is of paramount importance. HIPAA violations carry significant financial penalties and reputational damage, making it crucial for providers, insurers, and business associates to assess whether Gmail’s confidential mode meets HIPAA compliance standards.
To be HIPAA compliant for sending and receiving electronic protected health information (ePHI), information must remain secure “in transit” and “at rest,” and all messages must be encrypted. Gmail cannot guarantee encryption at the recipient’s end, and a signed business associate agreement (BAA) with Google is necessary whenever third parties have access to PHI or ePHI entrusted to you.
According to TotalHIPAA, Google’s confidential mode, while a valuable step towards stronger data privacy, is not strictly HIPAA compliant. It should not be considered a replacement for other safeguards that organizations may already have to protect their data.
Ensuring HIPAA Compliant Communications
Due to inherent gaps in email security, many medical offices still rely on fax technology to exchange information with other providers, insurers, and covered entities. Fax has a proven track record of resisting unauthorized access, provided that best practices, such as using appropriate cover pages with printed HIPAA disclaimers, are followed.
The most secure option is a cloud-based HIPAA compliant fax service. Such services combine the security of fax technology with flexibility, allowing users to send and receive faxes from various devices. They also automate the addition of HIPAA disclaimers, maintain an audit trail, and offer BAAs to ensure compliance with HIPAA regulations.
When choosing a HIPAA-compliant fax service, ask about the provider’s security measures, such as access-restricted data centers, surveillance, and biometric access control. This diligence helps protect patients’ confidential information and ensures compliance with HIPAA standards.