Gmail is exceedingly popular among email users for both personal and business purposes — and for good reason. It’s the second most widely used email platform, after Apple Mail. It’s well run, user friendly, and quick to address any issues that arise. So it’s no surprise that when this powerhouse email platform announced a new “confidential mode,” it created quite a buzz.
Covered Entities, and other organizations that are obligated by law to maintain HIPAA compliance, naturally have been curious as to whether they can use Gmail’s confidential mode to share sensitive data. How confidential is it, actually? And is it an effective, secure alternative to HIPAA compliant fax or efax protocols? Let’s get into it.
What exactly is Gmail Confidential Mode?
According to Google, Gmail confidential mode helps users protect sensitive information from unauthorized or accidental sharing. Recipients of a confidential mode message have no option to forward, copy, print, or download the message or its attachments.
Confidential mode lets you:
- Set a message expiration date
- Revoke message access at any time
- Require a verification code by text to open messages
Messages cannot be scheduled for sending in confidential mode. The mode prevents recipients from accidentally sharing a message, but it cannot stop them from taking screenshots or photos of the message or its attachments.
How confidential is it, really?
While it’s great to see major platforms like Gmail taking data privacy concerns seriously, covered entities would not be doing their due diligence if they did not dig deeper to ask questions about what Gmail’s new confidential mode means for HIPAA compliance.
Jason Halloran — who is a HITRUST Certified CSF Practitioner, HITRUST Quality Professional, and serves as a Senior Auditor for SOC 1 and SOC 2 audits — sheds light on this subject:
“In my opinion Google Confidential Mode does NOT satisfy HIPAA. The features in GCM add enhanced controls on what the recipient can do with the email (print, forward, copy, etc.). While these features enhance data loss prevention they do not ensure that the information being shared is kept secure through encryption at rest and in transit. CEs and BAs still need to ensure that messages are encrypted end-to-end. The only way to do this is with a validated encryption messaging platform. Some will argue that ALL email transmissions through major carriers are encrypted, but that isn’t satisfactory either. Those systems can fail back to unencrypted messaging if the remote host can’t negotiate a secure channel correctly at the time of message delivery.”
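The fallback the auditor describes is opportunistic TLS: an outbound mail server tries STARTTLS and, if the remote host does not offer it or the handshake fails, delivers in plaintext rather than failing. The example below is added here and is not code from the original post or from Google; it models that fail-open decision beside the fail-closed behaviour an enforced MTA-STS policy (RFC 8461) requires. The EHLO extension sets and the policy text are constructed sample data, and `tls_handshake_ok` stands in for "STARTTLS negotiated with a certificate valid for the MX host".

```python
"""Fail-open (opportunistic) vs fail-closed (enforced) outbound SMTP TLS.

Added example, not code from the original post. It models the fallback the
quoted auditor describes: an opportunistic sender delivers in plaintext when
STARTTLS cannot be negotiated, while a sender honouring an MTA-STS policy in
"enforce" mode defers the message instead. Policy syntax follows RFC 8461;
all sample data below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Constructed sample policy, as it would be served at
# https://mta-sts.<domain>/.well-known/mta-sts.txt (placeholder domain).
SAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: mx1.example.net
mx: *.example.net
max_age: 604800
"""


@dataclass(frozen=True)
class Outcome:
    action: str   # "send-tls", "send-plaintext", or "defer"
    reason: str


def parse_mta_sts_policy(text: str) -> Dict[str, object]:
    """Parse an RFC 8461 policy body into {version, mode, max_age, mx}.

    Raises ValueError for a malformed or unsupported policy, so a bad
    policy never silently downgrades the sender to opportunistic mode.
    """
    policy: Dict[str, object] = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value)          # type: ignore[union-attr]
        elif key == "max_age":
            policy[key] = int(value)
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported or missing policy version")
    if policy.get("mode") not in {"enforce", "testing", "none"}:
        raise ValueError("invalid policy mode")
    if not policy["mx"]:
        raise ValueError("policy lists no mx patterns")
    return policy


def mx_matches(pattern: str, mx_host: str) -> bool:
    """RFC 8461 mx matching: exact host, or '*.' matching exactly one label."""
    pattern, mx_host = pattern.lower(), mx_host.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]                    # ".example.net"
        return mx_host.endswith(suffix) and "." not in mx_host[: -len(suffix)]
    return pattern == mx_host


def decide_delivery(ehlo_extensions: FrozenSet[str], tls_handshake_ok: bool,
                    mx_host: str, policy: Optional[Dict[str, object]]) -> Outcome:
    """Decide what an outbound MTA does for one delivery attempt.

    With no policy (or a non-enforcing one) the sender is opportunistic and
    falls back to plaintext. With an "enforce" policy it fails closed: the MX
    must be listed in the policy and TLS must succeed, otherwise the message
    is deferred for retry rather than sent in the clear.
    """
    enforce = policy is not None and policy["mode"] == "enforce"
    if enforce:
        patterns: List[str] = policy["mx"]      # type: ignore[assignment]
        if not any(mx_matches(p, mx_host) for p in patterns):
            return Outcome("defer", f"{mx_host} not listed in MTA-STS policy")
    if "STARTTLS" not in ehlo_extensions:
        if enforce:
            return Outcome("defer", "STARTTLS not offered; policy forbids plaintext")
        return Outcome("send-plaintext", "opportunistic fallback: STARTTLS not offered")
    if not tls_handshake_ok:
        if enforce:
            return Outcome("defer", "TLS handshake/certificate check failed")
        return Outcome("send-plaintext", "opportunistic fallback: handshake failed")
    return Outcome("send-tls", "STARTTLS negotiated successfully")


if __name__ == "__main__":
    no_tls = frozenset({"SIZE", "8BITMIME"})          # constructed EHLO reply
    with_tls = frozenset({"SIZE", "8BITMIME", "STARTTLS"})
    policy = parse_mta_sts_policy(SAMPLE_POLICY)
    for ext, ok, pol in [(no_tls, False, None), (no_tls, False, policy),
                         (with_tls, False, policy), (with_tls, True, policy)]:
        print(decide_delivery(ext, ok, "mx1.example.net", pol))
```

The two `send-plaintext` outcomes are the fallback the quote warns about: nothing in the opportunistic path tells the sender that PHI just left in the clear. Publishing and honouring an `enforce` policy (or using a dedicated encrypted messaging platform, as the auditor recommends) changes those outcomes to `defer`, which is the behaviour a covered entity actually wants.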
What do we recommend?
Gmail’s confidential mode, while a great step toward a stronger data privacy system, is not strictly HIPAA compliant. It should not be viewed as a replacement for other safeguards that your organization may already be implementing to ensure that organization data remains safe.
PHI should still only be sent via secure methods, such as HIPAA compliant efax, messaging, or email encryption, or through whatever provider your organization has designated in its HIPAA Policies and Procedures and with which it has signed a Business Associate Agreement. If you don’t have proper procedures in place for securely transmitting PHI, we recommend getting in touch with our team to implement a more robust plan that will keep your organization compliant.
Have you performed a Risk Assessment in the past year? Do you have updated HIPAA Policies and Procedures in place? Our HIPAA Prime™ program does all this and more! We create customized compliance documents and provide your staff with easy online training, ensuring compliance for your business.
Want to know more about how you can become HIPAA compliant?
Email us at info@totalhipaa.com to learn more about how we can help your organization become (and stay!) HIPAA compliant. Or, get started here.
Our HIPAA compliance services help ensure that your business follows the basic HIPAA rules and guidelines to protect sensitive patient information. Our team of experts is dedicated to providing affordable rates and personalized solutions to help you become HIPAA compliant. We understand that navigating the complex requirements of HIPAA can be challenging, which is why we offer a comprehensive range of services to meet your unique needs. From risk assessments to employee training, we have the tools and expertise necessary to help your business achieve and maintain HIPAA compliance. Contact us today to learn more about how we can help you protect your patients, your employees, and your business.