Is Gmail's Confidential Mode HIPAA Compliant?

Let's take a closer look at Gmail's confidential mode and compare it to tried and true secure cloud fax service alternatives.

Gmail has built up an enormous user base, largely on account of its flexibility and ease of access. In fact, it’s the most widely-used e-mail platform on the planet, accounting for over one-third of all e-mail opens globally. Consequently, when Google announced a new feature called “confidential mode” back in 2019, it garnered quite a bit of attention.

For healthcare providers and other covered entities governed by HIPAA, confidential mode attracted interest right away, naturally prompting questions about the level of privacy and security it affords.

For covered entities affected by HIPAA, it all comes down to the question of whether the technology adequately safeguards patients’ “protected health information” (PHI). If medical records are shared with patients, providers, and business associates using Gmail, will companies remain HIPAA compliant? And how does it stack up relative to HIPAA Compliant fax?

What is Gmail Confidential Mode?

Confidential mode adds a technology called “Information Rights Management” (IRM) to Google’s popular e-mail product. In a nutshell, confidential mode blocks the recipient from forwarding, copying, downloading, or printing a message. This dramatically reduces the risk that your e-mail recipient might accidentally forward the confidential information you send to an unauthorized third party.

Confidential mode also allows senders to add an expiration date to a message, revoke access to a message after it is sent, or require the reader to enter a passcode sent by text message before viewing an e-mail. This latter feature adds a powerful layer of protection: even if your recipient’s e-mail account is accessed by an unauthorized party, that person will be unable to see the information contained in your message.

If a recipient is determined to share information, there are still ways to accomplish that. Confidential mode has no way to prevent a user from taking a screenshot or a photo of the screen and forwarding that to an unauthorized party.
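To make the access controls described above concrete, here is a small added model of an IRM-style confidential message; it is example code written for this article, not Google's implementation. It assumes the mechanism that IRM products rely on: the protected body is never delivered to the recipient's mailbox, only a link carrying a random token is, and the body is served on each view by the sender's system, which enforces expiry, revocation, and an optional text-message passcode. The viewer address, passcode format and sample message are constructed placeholders.

```python
# Added example, not Google's code or the article's: a simplified model of an
# IRM-style "confidential mode" message. Assumption modelled: the protected body
# never lands in the recipient's mailbox; the mailbox receives only a link with a
# random token, and the sender's system serves the body on each view, enforcing
# expiry, revocation, and an optional one-time passcode.
from dataclasses import dataclass
import hmac
import secrets
from typing import Optional, Tuple

VIEWER_URL = "https://viewer.example.invalid/view/"  # placeholder, not a real endpoint


@dataclass
class ConfidentialMessage:
    body: str                        # the protected content (e.g. PHI)
    expires_at: float                # seconds since epoch
    passcode: Optional[str] = None   # SMS passcode the viewer must present
    revoked: bool = False


class ConfidentialMailServer:
    """Holds message bodies server-side and gates every view."""

    def __init__(self) -> None:
        self._store: dict[str, ConfidentialMessage] = {}

    def send(self, body: str, expires_at: float, require_passcode: bool = False
             ) -> Tuple[str, Optional[str], str]:
        token = secrets.token_urlsafe(16)
        passcode = f"{secrets.randbelow(10**6):06d}" if require_passcode else None
        self._store[token] = ConfidentialMessage(body, expires_at, passcode)
        # This envelope is all the recipient's mailbox ever stores; forwarding
        # it forwards a link that is still subject to the checks in view().
        envelope = f"You have received a confidential message. Open it at {VIEWER_URL}{token}"
        return token, passcode, envelope

    def revoke(self, token: str) -> bool:
        msg = self._store.get(token)
        if msg is None:
            return False
        msg.revoked = True
        return True

    def view(self, token: str, now: float, passcode: Optional[str] = None
             ) -> Tuple[Optional[str], str]:
        msg = self._store.get(token)
        if msg is None:
            return None, "unknown"
        if msg.revoked:
            return None, "revoked"
        if now >= msg.expires_at:
            return None, "expired"
        if msg.passcode is not None:
            if passcode is None or not hmac.compare_digest(msg.passcode, passcode):
                return None, "passcode required"
        # Once served, the body is plaintext on the viewer's screen; nothing on
        # the server side can stop a screenshot or photo of it.
        return msg.body, "ok"


def envelope_leaks_body(envelope: str, body: str) -> bool:
    """True if forwarding the raw e-mail would expose the protected body."""
    return body in envelope


def demo() -> dict:
    """Walk through send, gated views, expiry and revocation; returns outcomes."""
    server = ConfidentialMailServer()
    phi = "Patient 12345: lab results attached"   # constructed sample, not real PHI
    token, passcode, envelope = server.send(phi, expires_at=1_000, require_passcode=True)
    out = {"envelope_leaks_body": envelope_leaks_body(envelope, phi)}
    out["no_passcode"] = server.view(token, now=10)[1]
    wrong = "000000" if passcode != "000000" else "999999"
    out["wrong_passcode"] = server.view(token, now=10, passcode=wrong)[1]
    out["correct"] = server.view(token, now=10, passcode=passcode)[1]
    out["after_expiry"] = server.view(token, now=2_000, passcode=passcode)[1]
    server.revoke(token)
    out["after_revoke"] = server.view(token, now=10, passcode=passcode)[1]
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the model is the asymmetry the article describes: the server can deny a view (wrong passcode, past expiry, revoked), and a forwarded e-mail carries only the link, but whatever it does serve is plaintext on the recipient's screen, which is why screenshots sit outside its control.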

Is Gmail Confidential Mode HIPAA Compliant?

Is Gmail’s confidential mode enough to protect you from falling afoul of HIPAA, though? As most covered entities know, HIPAA violations are a very serious matter. Financial penalties can be quite high, and reputational damage can also be severe. In 2020, a large health insurance carrier in the Pacific Northwest agreed to pay $6.85 million to settle potential HIPAA violations related to a cybersecurity breach. Although most penalties for HIPAA violations are not as high as that, they nevertheless pose a serious financial risk to covered entities.

Consequently, the question of HIPAA compliance and Gmail confidential mode is critically important. Providers, insurers, and business associates must therefore perform careful due diligence to determine whether Gmail’s new confidential mode really meets HIPAA compliance standards.

In order for any technology to be HIPAA compliant for sending and receiving electronic protected health information (ePHI), the information must be secured at all times, whether it is “in transit” or “at rest”. All messages must be encrypted. As a sender, you can’t guarantee that your Gmail messages are encrypted at the receiving end of the transmission.

Furthermore, you would need to have a signed business associate agreement (BAA) with Google. This is true of any third party who might potentially have access to PHI or ePHI that has been entrusted to you.

According to TotalHIPAA:

Google's confidential mode, while a great step toward a stronger data privacy system, is not strictly HIPAA compliant. It should not be viewed as a replacement for other safeguards that your organization may already be implementing to ensure that organization data remains safe.

How to Ensure HIPAA Compliant Communications, Every Time

The inherent gaps in e-mail security are precisely why most medical offices still trust fax technology to exchange information with other providers, as well as with insurance carriers, business associates, and other covered entities.

Fax is proven to be safe from unauthorized access, provided that covered entities adhere to best practices such as using an appropriate cover page with a printed HIPAA disclaimer. If a fax is inadvertently made available to an unauthorized person in the receiving office, the cover page will protect you from liability. A good HIPAA Compliant cloud fax provider will make it easy to attach a cover page as part of its standard workflow for outgoing faxes.

For incoming faxes, many medical offices try to make do with a dedicated phone connected to a multifunction fax/printer/scanner kept in a secure location. Even that poses some risks, though. If an incoming fax is not retrieved right away, or if printed documents are disposed of improperly, a HIPAA violation could occur. It also results in a lot of trips back and forth to that dedicated fax machine, wasting time and money.

The safest option by far is to go with a cloud-based HIPAA Compliant fax. A secure cloud fax service combines the proven rock-solid security of fax technology with ultimate flexibility. Users can send and receive faxes from their desktop computer, or potentially even from a mobile phone. As noted previously, the best HIPAA Compliant fax services also automate the process of adding a cover page with a HIPAA disclaimer. Secure cloud fax also maintains a record of every document you send or receive, giving you a clear audit trail that’s safe from unauthorized access.

Secure cloud fax continues to be a reliable solution for covered entities of all sizes. Barry Clark, President and Founder of WestFax comments:

“Over the years we’ve seen various seemingly secure document transport platforms, but our customers appreciate the tried-and-true method of HIPAA Compliant Secure Cloud Fax to ensure HIPAA compliance.”

Look for a HIPAA Compliant fax service that offers a BAA for fax. A business associate agreement (BAA) protects you in the event that a third party whom you entrust with PHI fails to safeguard it properly. By signing a BAA for fax, your cloud service provider assumes responsibility for protecting your patients’ confidential information in accordance with HIPAA.

Ask potential fax vendors about their own security. WestFax, for example, maintains its servers in access-restricted data centers that offer 24/7 security, video surveillance, and biometric access control. Not all cloud fax providers offer that. WestFax’s servers are monitored and protected 24/7 by a dedicated security team.

Are you ready to make the switch to HIPAA-Compliant Secure Cloud Fax Service?

Contact WestFax today to discuss your needs.
