You probably know that email is not secure or confidential, unless it’s an “encrypted” email service, like Hushmail. You may have also heard, however, that Gmail uses encryption. Occasionally someone may even use this as reasoning for the argument that Gmail is HIPAA-safe for mental health practitioners.
Unfortunately, that’s not the case.
Here’s the deal: you use Gmail through a website. That website is a tool for reading and writing emails. The Gmail website uses encryption to secure your connection to it. In fact, pretty much all Google websites do that. Those emails that Gmail manages, however, do not enjoy this same security. Here’s what that looks like in diagram form:
So from your computer to the “gates” of the Gmail website, your transmission is secured (encrypted and authenticated) using SSL, the protocol of web page encryption. Gmail doesn’t secure the emails that it transmits and receives behind the scenes, however. This is not necessarily Google being lazy or irresponsible. This is just how standard email works — it’s an old messaging system that wasn’t designed with security in mind.
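The point above is that email's transport security is decided hop by hop: your browser-to-Gmail connection can be encrypted while a later server-to-server hop is not. One way to see this for a delivered message is to read its `Received:` headers, where each receiving server records the protocol it used; the registered names `ESMTPS` / `ESMTPSA` (RFC 3848) indicate that the hop ran over TLS, plain `ESMTP` / `SMTP` does not. The following Python script is an added example, not code from the original article; the message, hostnames and addresses in it are constructed for illustration, and the `.invalid` domains are placeholders.

```python
import re
from email import message_from_string

# Constructed sample message with three Received: headers (most recent first,
# as in a real message). The middle hop was relayed without TLS, which is the
# kind of gap the article describes: encryption at the edge, none in the middle.
SAMPLE_MESSAGE = """\
Received: from mx.example-practice.invalid (mx.example-practice.invalid [192.0.2.10])
        by inbox.example-client.invalid with ESMTPS id abc123
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256);
        Mon, 1 Jan 2024 10:00:02 +0000
Received: from relay.example-practice.invalid (relay.example-practice.invalid [192.0.2.5])
        by mx.example-practice.invalid with ESMTP id def456;
        Mon, 1 Jan 2024 10:00:01 +0000
Received: from [10.0.0.7] (webmail.example-practice.invalid [192.0.2.1])
        by relay.example-practice.invalid with ESMTPSA id ghi789;
        Mon, 1 Jan 2024 10:00:00 +0000
From: therapist@example-practice.invalid
To: client@example-client.invalid
Subject: Appointment reminder

See you Tuesday.
"""

# RFC 3848 "with" protocol names whose trailing S means the hop used TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}


def hop_report(raw_message):
    """Return one dict per transport hop, oldest hop first.

    Each dict records the sending host, the receiving host, the protocol the
    receiving server logged, and whether that protocol name implies TLS.
    """
    msg = message_from_string(raw_message)
    hops = []
    # Received: headers are prepended as the message travels, so the last
    # header in the list is the first hop.
    for received in reversed(msg.get_all("Received", [])):
        flat = " ".join(received.split())  # unfold continuation lines
        frm = re.search(r"\bfrom\s+(\S+)", flat)
        by = re.search(r"\bby\s+(\S+)", flat)
        with_ = re.search(r"\bwith\s+(\S+)", flat)
        proto = with_.group(1).upper() if with_ else "UNKNOWN"
        hops.append({
            "from": frm.group(1) if frm else "?",
            "by": by.group(1) if by else "?",
            "protocol": proto,
            "tls": proto in TLS_PROTOCOLS,
        })
    return hops


def all_hops_encrypted(raw_message):
    """True only if every recorded hop used a TLS-marked protocol."""
    hops = hop_report(raw_message)
    return bool(hops) and all(h["tls"] for h in hops)


if __name__ == "__main__":
    for i, hop in enumerate(hop_report(SAMPLE_MESSAGE), 1):
        status = "TLS" if hop["tls"] else "PLAINTEXT"
        print(f"hop {i}: {hop['from']} -> {hop['by']} ({hop['protocol']}, {status})")
    print("every hop encrypted:", all_hops_encrypted(SAMPLE_MESSAGE))
```

Two caveats a practitioner should keep in mind: the `with` clause is written by each receiving server and is only as trustworthy as that server, so this is a diagnostic, not proof; and even when every hop reports TLS, the message is still readable in plaintext on each server along the way, which is why hop-by-hop transport encryption is not the same thing as the end-to-end protection the article is asking for.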
HIPAA (and general good security sense) requires us to secure any electronic transmissions that contain protected health information*. Standard emails are neither encrypted (their contents are not hidden by any secret code) nor authenticated (there is no way to be sure exactly who is sending or receiving them). Thus they don’t make the grade for HIPAA security.
Hushmail is a popular secured email service and is used by many e-therapists for communication with clients. Other healthcare-oriented secure email services exist, as well. The problem with secured email is that it relies on encryption. And as I like to say, encrypted communications are a two-way collaboration. You and your client both have to engage in the secured email process, and most people find that too onerous or technical to do. Thus, the major email providers, such as Gmail and Yahoo! Mail, still do not provide secure email services.
Wait, I Saw a Video On Google That Says They Encrypt My Emails
Yep, I saw it, too! Google says they encrypt the email messages stored in their data centers. This is very good for privacy and certainly improves security. However, those ads you see in Gmail and other Google services still have an uncanny ability to match themselves to the contents of your emails. This is because although Google takes steps to protect your emails from unauthorized employees and intruders, the Google computers, at least, still read them. This is one of the ways in which the business model of most Internet companies doesn’t match well with our ethical mandates.
The intersection of email and HIPAA security can get complex, but it’s clear that Gmail’s security, while helpful, doesn’t cut the mustard for our needs under HIPAA or our ethics codes when it comes to transmitting confidential information. I think it’s a great email service, and Google does a fair amount to protect privacy, but the business model of Google and the technical model of email just don’t play well with our ethical and legal needs.
How can I learn more about Gmail and email in practice?
The topics in this article are covered in our online CE courses: Digital Ethics, Security & Privacy in Psychotherapy Practice Management (4 CE hrs, $39) at the Zur Institute; and HIPAA Security and Privacy in Psychotherapy, Counseling and Mental Health Practices (10 CE hrs, $99), also at the Zur Institute.
*: Here’s a relevant snippet from the HIPAA Security Rule specifically about transmissions of confidential electronic information:
Standard: Transmission security. [Covered entities must] Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
(45 CFR, 2006, §164.312 (e)(1))
The Security Rule also defines “encryption” and “authentication” and requires us to use both as part of security measures where necessary:
[A covered entity must] Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
(45 CFR, 2006, §164.312 (e)(2)(ii))
[A covered entity must] Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
(45 CFR, 2006, §164.312 (d))