


Why Medical Practices Can’t Use GMail

Much of the new regulatory information coming out of Washington is increasingly difficult to translate into plain English. I was recently asked whether a medical practice could use Google’s free email service, GMail, instead of spending money on a mail server and its associated server software. After checking with our own head of IT, I discovered it is a bit more complicated than just picking where you want to store your emails.

Buried deep within the HITECH (Health Information Technology for Clinical and Health) Act’s Sub-Title D is the language on privacy directly related to HIPAA (Health Insurance Portability and Accountability Act). Since most of us (health care providers) are considered “covered entities”, we must ensure that not only our employees and staff abide by these rules but our “associates” do as well.

If we started using GMail for our practice’s communication, there would be patient information located on Google’s mail servers and Google would, in fact, be considered one of our associates. This would require entering into a Business Associate Contract with Google, Inc. What do you think the chances are of Google, or a similar technology firm, signing a confidentiality agreement with perhaps thousands of medical practices across the country? I thought so.

Digital Business Law Group has an analysis of the language found in HITECH’s Sub-Title D – Privacy section that makes it a bit easier to comprehend.


Leave a Reply
  1. While true that GMail will not guarantee any form of HIPAA compliance, there is a bigger issue here….

    Email by its very nature is NOT secure. Even if you utilize an “in-house” email server, any transmission of email outside the company will be “in the open” and insecure.

    I think the better practice would be for all medical professionals to NEVER send patient information through any email account (internal or hosted provider).

    Just a thought…

    • Jack, that is an excellent point. It is unlikely that the typical medical practice would have the expertise or resources to use encryption, so it would be best not to have any patient information on any email, in the event that it gets out into the public domain. A good EMR system should have an internal messaging feature for this type of communication. Thanks for your comment.
