Google’s e-mail, calendar, and productiveness tools (just lately renamed to “G Suite”) are completely incredible. They’re straightforward to use and really reasonably priced.
G Suite can also be extremely safe, but there are very particular things that you simply need to do to make G Suite / Gmail HIPAA-compliant. Listed here are some huge ones…
Disclaimer: we aren’t legal professionals. It is best to seek your personal legal advice in deciphering laws like HIPAA. We are sharing lessons that we’ve discovered from our work with different practices for informational purposes solely.
- 1 1) Turn out to be a Google Buyer
- 2 2) Sign a HIPAA Business Associate Settlement
- 3 3) Get Affected person Consent
- 4 Four) Use your e mail signature.
- 5 5) Rigorously plan how you’ll use PHI in e-mail
- 6 6) Warn your sufferers about insecure e mail
- 7 7) Safe connection between Gmail and your pc
- 8 8) Practice Your Employees
- 9 9) Phishing and Hackers
- 10 10) Practice your employees about phishing
- 11 11) Ensure each pc and system is safe
- 12 12) Be sure your Gmail password is totally distinctive
- 13 13) ALWAYS use two-factor authentication in your e-mail
- 14 14) Configure enterprise sender id administration
- 15 15) Restrict file sharing permissions.
- 16 16) Monitor consumer exercise.
- 17 17) Finally, RTFM
- 18 What do you have to do next?
1) Turn out to be a Google Buyer
Sadly, solely the paid model of Gmail can be utilized for handling PHI, and provided that it’s set up the fitting method. Why? Listed here are a couple of reasons:
- Google will solely signal a HIPAA BAA with paid clients
- Google’s computers scan emails for advertising
- Google’s staff can (although often don’t) see your emails
- A affected person may discover you’re using insecure e mail and complain
Right here’s what Google says of their HIPAA implementation information:
In case you are absolutely, utterly, 100% sure that you will never have PHI anyplace in Google (not in Gmail, not in Google Drive, not in video convention, or some other service), you then shouldn’t have any points continuing to use your free @gmail.com account.
Nevertheless, it’s very straightforward to make a mistake if you’re busy and coping with sufferers and insurance corporations. There’s additionally a chance that a vexed buyer will file a grievance in the event that they’re fearful about your use of insecure e-mail. Learn on for other choices.
2) Sign a HIPAA Business Associate Settlement
When you’re a buyer, Google has a quite simple course of for executing a HIPAA BAA. You are able to do it proper online, with no varieties to fill out. It’d be nice if every vendor made it this easy!
Right here’s an article that explains how to do it: https://support.google.com/a/answer/3407074
3) Get Affected person Consent
Affected person consent is very really helpful. In case you’re in a healthcare follow, get written consent out of your sufferers earlier than you talk with them by way of e mail or text messages. It’ll save you a world of pain down the road in the event you get a grievance.
Here’s an incredible article that explains how and why.
Four) Use your e mail signature.
Add an automated e mail signature that reminds those that e-mail is insecure, and to delete e mail not meant for them.
Listed here are some nice examples you can edit.
Once you sign up for Gmail, they’ve a function where your administrator can add a signature routinely to all outbound emails. It’s referred to as “Appending a Footer.” Right here’s an article that describes how to do that:
5) Rigorously plan how you’ll use PHI in e-mail
In case you are completely, utterly, 100% sure that you’ll never have PHI anyplace in Google (not in Gmail, not in Google Drive, not in video convention, or another service), you then shouldn’t have any issues continuing to use your free @gmail.com account.
This implies you’ll never ship an e mail that would tie a patient to healthcare knowledge (like insurance numbers, social safety numbers, and so on.) or medical information (like diagnoses, lab results, prescriptions, and so forth.).
In case you do need to e-mail patients, insurance corporations, and other providers (or in case you just don’t need to have to worry about it), you’ve got choices.
We advocate a superb secure e-mail service to our shoppers. It additionally offers advanced safety for both inbound and outbound emails.
Whereas we have been researching secure e-mail, we additionally wrote an article about this referred to as “HIPAA Compliant Email: 7 of the Best Ways to Email PHI.” We examined seven totally different providers, ranging from free to premium, to work out which of them worked greatest.
6) Warn your sufferers about insecure e mail
Right here’s a method you’ll be able to e mail with patients using a free account, but it’s going to take time and a number of attention.
In truth, even in the event you use safe e-mail (ours or a service from another provider), it’s a good idea to do that anyway.
Take a look at this sentence from the Dept. of Well being and Human Providers website:
The best way many practices interpret this is that it’s OK to talk with sufferers by way of insecure e mail IF you recognize that the sufferers perceive the danger. Some practices have sufferers sign an insecure e mail consent type to get their permission to communicate by way of unsecured e-mail.
There are a few downsides of this strategy. First, you’re going to need an ironclad method to make positive you don’t by chance e-mail with a patient who hasn’t signed this kind. It’s a little bit of a problem. Second, this wouldn’t apply to your emails with insurance corporations, companions, or other medical suppliers.
7) Safe connection between Gmail and your pc
Should you access Gmail in your browser (using Chrome, Internet Explorer, Safari, Firefox, and so forth.), then you have already got this coated. A safe connection is all the time on by default.
In the event you’re curious, right here’s how you can inform. Search for the green lock and the “https.”
Nevertheless, numerous individuals use different packages to verify their e mail. For example, you could be using:
- Apple Mail
- Microsoft Outlook
- Mozilla Thunderbird
- Home windows Mail
- Your iPhone or Android telephone
- Your iPad or Android tablet
You want to make positive that the connection between Gmail and every single system you own is secure.
This isn’t onerous to do, however you need to rigorously comply with directions. Attempt looking for “how to set up secure Gmail on ” for instructions.
For our shoppers, we’ll assist make positive it’s set up the suitable approach. Even if you already have G Suite, we’ll completely examine it over and make positive every part is about up correctly.
8) Practice Your Employees
In case you have any staff (even one), you want to have a clear policy and practice them on your expectations of utilizing e-mail and SMS.
Particularly, practice them completely on how to determine PHI, and your expectations of how they should deal with PHI in e mail and SMS.
You also needs to practice them on how to determine and handle:
- Emails with viruses
- Emails with tough links
- Emails with uncommon attachments
- Emails from individuals they don’t acknowledge
Extra on these arising.
9) Phishing and Hackers
Finally, HIPAA is about preserving medical knowledge from being stolen.
Nowadays, you want to be fearful about getting hacked. Hackers are going after small companies, and medical data are extremely useful on the black market.
Hackers are utilizing phishing messages (pretend emails) to attempt to trick you. How?
Gmail does a reasonably good job here. Actually, it’s undoubtedly the most effective free service that we’ve discovered (and it’s what we use for our personal e mail accounts).
You don’t get any further protection between the free model and the paid G Suite buyer with Google.
Truthfully, that’s not enough.
Our service consists of a further layer of security to all of our shoppers. We layer on superior e mail antivirus, to shield computers towards ransomware, viruses, and phishing.
10) Practice your employees about phishing
Regardless of how good your e mail scanner is, extremely focused attacks can nonetheless get via. That’s why it’s tremendous essential to practice your employees about phishing.
Listed here are three utterly free web sites that can each train customers how to spot a phishing assault AND check whether or not they would get fooled or not:
Most corporations we meet have good intentions, however shortly get too busy and overlook to do these phishing trainings. That’s why we put it on autopilot as part of our service and ship each consumer a enjoyable monthly video and quiz to train them about phishing and cyber security.
11) Ensure each pc and system is safe
To be HIPAA compliant, it’s not sufficient to just worry about e-mail. Each pc, mobile phone, and tablet you employ must even be secure.
Making you “fully secure” is a posh matter, undoubtedly outdoors the scope of this brief checklist.
Nevertheless, to get you started, we’ve put collectively a few guides that you simply may find helpful.
Should you’re a Mac consumer:
Listed here are 5 ideas to get you began.
Here’s a terrific evaluate of antivirus packages for Mac customers (yes, Mac customers need antivirus too).
When you’re a Home windows consumer
We also wrote an article “5 Free Cyber Security Tips for Windows Users.”
Antivirus MUST be put in on every pc that receives emails. Right here’s a evaluation of Home windows antivirus packages.
12) Be sure your Gmail password is totally distinctive
According to the Id Theft Useful resource Middle, virtually 900 million data have been concerned in safety breaches. That’s virtually 3 times the population of the US.
Fashionable breach-tracking website HaveIBeenPwned has an inventory of three.Eight billion usernames and passwords which were breached. And people are only those we find out about.
Hackers know that most individuals reuse the identical password time and again. Once they get a password, the very first thing they do is to go to other websites and check out the username and password to see if they will get in.
If someone gets ahold of your e mail, they own you.
They will send emails to sufferers in your behalf.
They will reset the password on your EMR system.
They will e-mail your financial institution.
Ensure that your e mail password is completely distinctive.
Here’s a enjoyable trick (the “correct horse battery staple” technique) for making up robust passwords which might be straightforward to keep in mind: https://xkcd.com/936/
In the event you discover passwords confusing, do what we do — use a password manager like Dashlane or LastPass to manage your passwords.
Then you definitely solely want to keep in mind one password, ever.
13) ALWAYS use two-factor authentication in your e-mail
You recognize these codes that get despatched to your telephone once you attempt to go online to some sites?
That’s referred to as “two factor authentication,” and it’s incredibly necessary to hold your knowledge protected and your organization HIPAA compliant.
Gmail makes it tremendous straightforward to use and turn on, and it’s obtainable to everybody
All you’ve gotten to do is comply with these directions: https://support.google.com/accounts/answer/185839?hl=en
It’s important to turn this on (go do it now!). Even when a hacker steals your password, they gained’t have the ability to get to your e mail or your PHI until they steal your telephone too.
14) Configure enterprise sender id administration
Truthful warning — this one is essential, but pretty technical.
It is super straightforward to send an e-mail and make it seem like it got here from another person.
Don’t consider me? Attempt it yourself: http://deadfake.com/Send.aspx
If it’s this straightforward for you and me, a hacker can make it appear as if an e-mail is coming from anybody.
Even from someone inside your company.
That’s truly how “whaling” assaults happen — they send emails that seem to come from your CEO. Companies have lost $5.2 billion to this type of attack.
There are a couple of totally different technologies to be sure that hackers can’t “spoof” your e mail tackle. The three principal technologies are referred to as SPF, DKIM, and DMARC. Listed here are articles on how they work:
(a) DKIM help, (b) SPF Data, and (c) DMARC help
15) Restrict file sharing permissions.
You need to use Google Drive (the doc system that comes with G Suite) to retailer and edit information that include PHI. Nevertheless, you’re still very much answerable for ensuring that no one accesses PHI that isn’t needed for his or her job.
The opposite factor you want to handle is to make positive that your users don’t by accident share PHI with the public.
The stakes are very high. Right here’s a follow that was fined $218,000 as a result of they messed this up:
That is the world where we most commonly see corporations making huge errors once we first assist them get arrange.
We advocate that you simply set pretty stringent file sharing permissions. Google makes this very straightforward. Listed here are instructions:
16) Monitor consumer exercise.
It’s incredibly essential to monitor the usage of your Gmail system to watch for any indicators of hacking or breaches.
Fortunately, Google gives some extremely strong capabilities for this. Probably the most helpful reviews that they provide are:
- Exterior Hyperlink Shared Information — any information which are publicly accessible
- Exterior Apps – any externally linked apps, which may pose a danger
- Verification in 2 Step Enrollment – making sure users are on 2FA
- Full e mail audit log – a full audit log of all emails despatched
When you’re a paid Gmail consumer, log in at the very least once a month and verify these reviews for weird or uncommon conduct.
17) Finally, RTFM
“RTFM” is a extremely technical term meaning “Read the Freaking Manual.” Your selection of gerund might differ.
These 17 ideas ought to be enough to get you began, but there’s way more to making Gmail and G Suite HIPAA compliant than what we’ve reviewed here.
Thankfully, Google has put together a website to assist paying clients absolutely and utterly use Gmail and G Suite in a HIPAA-compliant trend.
It’s referred to as “HIPAA Compliance & Data Protection with G Suite.”
Particularly, you need to click on the link that says “G Suite HIPAA Implementation Guide.”
That may deliver you to a 19-page PDF (pictured at proper) that’s chock filled with belongings you need to do to make G Suite HIPAA compliant.
For those who’re good with computer systems and have Four-Eight hours to spend reviewing your whole G Suite and Gmail settings, then you possibly can completely deal with it by yourself.
If you would like assist, we might help you.
What do you have to do next?
- Get our free “17-Step Guide on Gmail and HIPAA Compliance” to study more about retaining your e mail protected.
- Know someone who may like this article? Share it!
- Have questions or one thing to add? Let us know in the comments under!