Why You Shouldn't Use a Free Gmail Account and What To Do If You Are
Why You Need to Care About Your Emails
Are you an International Board Certified Lactation Consultant (IBCLC) working in the United States? Then you are obligated to comply with the Health Insurance Portability and Accessibility Act. This basically means that you must be very, very careful in how you store your clients' information and how you communicate with them--and you may have no idea how some of the practices you take for granted may be putting Protected Health Information (PHI) at risk.
Free Gmail isn't HIPAA compliant
If you are using a free Gmail or Hotmail or Yahoo account to communicate with your clients, you are exposing their PHI. The issue isn't so much that a hacker is going to get into your email and steal your clients' identities. The bigger issue is that free email is free because the providers are combing your email for search words so that they can target advertising to you. In other words, if you use a free Gmail account, Google is reading your email--and storing data they pull from those emails. If Google gets hacked (the way Equifax was hacked), then you will need to tell each and every one your clients that their PHI was potentially exposed in the hack because you were using Gmail.
Correcting this violation and bringing your email practices into compliance involves paying for your email through a service provider that will sign a Business Associate Agreement (BAA) with you. Essentially this means that they are assuring you that they understand that you will be transmitting PHI and will be using the highest possible security in order to keep it protected per HIPAA standards.
Free email is like leaving the key in the ignition when you park your car in one of those garages where they park your car for you. There are signs everywhere that say that the garage and attendants are not responsible for your personal items (including your car). You're basically assuming that nothing is going to happen to your car, but there's always the possibility, however faint or improbable, of some version of the parking garage scene from Ferris Bueller's Day Off.
A paid email provider with a BAA is more like what my gaffer husband has to do when he parks his cube truck filled with 3 tons of lighting gear. He can't just park it in a driveway or even in a paid parking lot. He had to sign an agreement with a bonded parking lot that promise 24/7 security and takes responsibility for any loss or damages that occur while his truck is on the premises or being operated by one of the attendants. In other words, there's a formal relationship that holds the parking lot and its employees accountable for violations.
What can I use instead of free Gmail?
Best practices for email include implementing the following steps to ensure client confidentiality:
My book goes into greater detail on optimizing your email for secure, HIPAA-compliant use in your private practice, but these are good first steps that you can take today. My Toolkit also includes a Communications Services Comparison Chart, and a guide to secure messaging to help you implement HIPAA-compliant practices with your clients.
(I am not an attorney, so please don't take any of this as legal advice.)
About the Author
Annie Frisbie, MA, IBCLC is the creator of the IBCLC Private Practice Essential Toolkit, a collection of books, resources, legal forms, training manuals, and workbooks aimed at helping private practice lactation consultants build a private practice that’s ethical, profitable, sustainable, and enjoyable.