Thursday, November 7, 2013

Why do Gmail and Google Apps not meet HIPAA standards and what is punishment for not being HIPAA compliant?

When the Health Insurance Portability and Accountability Act (HIPAA) of 1996 was passed, it established regulations protecting the privacy and security of certain health information. The Privacy Rule set the standards for the privacy of individually identifiable health care information. The Security Rule set the standards for protecting electronic health information. Since then, the HITECH Act of 2010 has added new provisions to the Security Rule, called the Omnibus Rule, to further strengthen security protections. Companies that send e-PHI, like , know these new rules and have taken the steps to follow them.
Gmail and Google Apps are NOT HIPAA compliant. Even forwarding a HIPAA compliant electronic message containing electronic protected health information (e-PHI) to Gmail or Google Apps is almost always not compliant. Gmail and Google Apps are not compliant because features HIPAA requires are missing. Despite not being HIPAA compliant, many doctors use Gmail or Google Apps when sending e-PHI. is HIPAA compliant and also provides a better way to receive and track referrals. Below is a list of the missing features that make Gmail and Google Apps non-HIPAA compliant.

• A signed Business Associate Agreement is required, and Google does not sign such contracts
• Gmail outbound servers are insecure and unencrypted, which is an automatic violation of HIPAA
• Google provides very limited auditing of connections to and access of accounts
• Google rarely follows the steps for HIPAA Secured Business Policies, which require that you:
  o Ensure secure tracking of stored data
  o Ensure secure disposal of hard drives and other media
  o Ensure secure access to facilities
  o Ensure employees with access to any data are trained in HIPAA standards
• Google says users “have no real expectation of privacy” and owns the data in messages, which is used to provide ads and other information; this is not HIPAA compliant
• Deleted data is not guaranteed to be removed from servers
• There is no guarantee where your data goes after your account is closed
• There is no HIPAA penalty for Google if data is used or disclosed improperly

Punishment for not being HIPAA compliant can range from civil money penalties to criminal prosecution. The Omnibus Rules strengthen the government’s ability to enforce the law and have introduced harsher penalties for not being HIPAA compliant. If a covered entity fails to comply, civil penalties can range from $100 to $50,000 per violation, with a maximum fine of $1,500,000 in a calendar year. Factors that vary the civil penalties include whether the covered entity knew of its failure to comply and whether the failure was due to willful neglect. Criminal penalties apply when a person knowingly obtains or discloses e-PHI; this can result in a $50,000 fine and 1 year of imprisonment. If the wrongful conduct involves false pretenses, it can result in a $100,000 fine and 5 years of imprisonment. If the wrongful conduct involves intent to sell or transfer e-PHI for commercial or personal gain or malicious harm, it can result in a $250,000 fine and 10 years of imprisonment.
With services like , you know your e-PHI is HIPAA compliant. Referring a patient is something almost all doctors do. Many don’t know to follow the Omnibus Rules for e-PHI, or know how severe the punishments can be. Use HIPAA compliant services like , and let us make sure you are HIPAA compliant.