Should You Trust That Gmail Is Secure Enough For Your Business?

If you want to use Smart Features, you'll have to let Gmail process the content of your emails. No end-to-end encryption is available for regular users or for the majority of Google Workspace customers. And making Gmail HIPAA-compliant is neither simple nor easy.

Denis Sushchenko
March 09, 2023

Gmail is one of the most popular email providers, offering a free, convenient way to manage your email. It also offers decent protection from hackers. However, it's not hackers you should worry about most, but Google itself. No, it doesn't read your thoughts, as some people think, and Google employees don't read your emails either. So what's wrong with Gmail, then? In this article, we'll explore that.


Does Google Read Your Email?

Okay, let's be clear: Google states it doesn't scan or read your Gmail messages to show you ads. The personalized ads you see in Gmail are based on your activity across Google services, not on the content of your emails. So as far as advertising goes, you can write whatever you want in your emails.

However, Gmail does process the content of your email for Smart Features such as Smart Compose and Smart Reply. These functions suggest phrases as you compose an email and offer short replies, and to do that Google's systems have to read the text of your messages. Useful as they are, these features are therefore a concern for people who care about privacy and information security. Your data is also used for automatic filtering and categorization, for creating calendar events from emails, and so on.

But do you trust Google? It scanned your emails for ad targeting until 2017, and in 2018 The Wall Street Journal reported that it had allowed third-party developers access to users' emails. And now your emails are feeding its AI features.

 

Can I Stop Gmail From Scanning My Email?

Yes, you can. Open Gmail in a desktop browser and click the gear icon (Settings), then click See all settings. Scroll down the General tab a bit and find the following options:

  • Smart Compose
  • Smart Compose personalization
  • Smart Reply
  • Smart features and personalization
  • Smart features and personalization in other Google products

Turn all of these off to stop Google using the content of your messages for Smart Features. Note that this only disables the smart features: Gmail still processes every message for spam, phishing and malware filtering, and that cannot be switched off. In Google Workspace, the organization's administrator can also set the default for these options.

Gmail General Settings Window

 

What Is End-to-end Encryption?

The gold standard is end-to-end encryption (E2EE): a scheme in which only the communicating parties, the sender and the intended recipient, can read the messages. The message is encrypted on the sender's device and decrypted on the recipient's device with a key that only the recipient holds. Anyone in between, including your email provider, sees only ciphertext and cannot read the message, because the decryption key never leaves the endpoints.

 

Does Gmail Support End-to-end Encryption?

Until recently Gmail had no end-to-end encryption at all. In December 2022 Google launched a beta of client-side encryption (CSE) for Gmail on the web for Google Workspace customers. With CSE, the body of an email and its attachments (including embedded images) are encrypted in the browser before they reach Google, so Google's servers cannot decrypt them. The email headers, including the subject, timestamps and recipient list, are not encrypted. Note also that the keys are not held by Google, but they are not held only by the users either: CSE requires the customer to use an external key service that controls access to the keys, so it is the customer's organization, not the individual sender and recipient, that ultimately controls who can decrypt.

"With Google Workspace Client-side encryption (CSE), content encryption is handled in the client's browser before any data is transmitted or stored in Drive's cloud-based storage", explains Google.

Gmail CSE is currently in beta and available to Google Workspace Enterprise Plus, Education Plus and Education Standard customers who have applied for the beta.

Users with personal Google accounts and customers on Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Education Fundamentals, Frontline and nonprofit plans cannot use CSE for now.

 

What Is HIPAA Compliance?

Apart from well-known email security issues such as tracking and encryption, there is one more topic to discuss here: support for the compliance regulations and guidelines that apply in many industries, such as HIPAA.

The Health Insurance Portability and Accountability Act (HIPAA) is the US federal law that sets standards for how sensitive patient data, or Protected Health Information (PHI), must be protected from unauthorized access and disclosure.

The HIPAA Journal explains:

"PHI under HIPAA is any health information relating to an individual's past, present, or future health, health care, or payment for health care when it is maintained or transmitted by a Covered Entity. PHI includes health information about an individual's condition, the treatment of that condition, or the payment for the treatment when other information in the same record set can be used to identify the subject of the health information".

If your business is in healthcare, you need to understand clearly how PHI is defined and how to protect it. Organizations that violate the HIPAA Privacy and Security Rules are penalized, and the fines are substantial.

For instance, in 2023 Banner Health was fined $1,250,000 for failing to conduct a proper risk analysis, review system activity, verify the identity of people requesting access to PHI, and implement technical safeguards. Banner Health's fine is small compared to Excellus Health Plan's: in 2021 it was fined $5,100,000 for multiple violations. And the biggest HIPAA fine to date is the $16,000,000 paid by Anthem Inc. in 2018.

 

Is Gmail HIPAA-compliant?

Well, yes and no. By default, you can't send PHI using Gmail right out of the box. However, Google Workspace customers can make their paid Gmail HIPAA-compliant by entering into a Business Associate Agreement (BAA) with Google. Under that agreement Google commits to protecting patients' sensitive information to the same standards required of the healthcare provider. Consumer Gmail accounts are not covered by the BAA.

You also need encryption that ensures nobody but the intended recipient can read an email. Since Google's CSE is still in beta, you will have to use a third-party encryption vendor, such as Virtru or Egress.

And even if you have signed a BAA and set up end-to-end encryption, Google still warns in its HIPAA Compliance & Data Protection with Google Apps guide:

"Customers are responsible for determining if they are a Business Associate (and whether a HIPAA Business Associate Agreement (BAA) with Google is required) and for ensuring that they use Google services in compliance with HIPAA."

In short, making heads or tails of HIPAA compliance for Gmail is a serious undertaking. And don't forget about other regulatory regimes, like CFPB, FINRA and ESIGN.

 

Conclusion

Gmail is one of the most popular email services available. It is extremely easy to use and can be accessed from anywhere with an internet connection, and it works seamlessly with other Google products like Calendar, Drive and Chat. And you don't have to pay a cent for any of it, which is why millions of people around the world love Gmail.

However, in 2023 there are still real security concerns. If you want to use Smart Features, you have to let Gmail process the content of your emails. No end-to-end encryption is available for regular users or for the majority of Google Workspace customers. And making Gmail HIPAA-compliant is neither simple nor easy.

For those reasons, you shouldn't consider Gmail on its own secure enough for business, especially if you are dealing with healthcare data.


We at TruVISIBILITY offer a Secure Email service designed specifically to protect private information. It supports compliance regulations and guidelines in multiple industries, such as HIPAA, CFPB, FINRA and ESIGN.

TruVISIBILITY's Secure Email lets you send encrypted HIPAA-compliant emails and attachments, send secure forms, and sign them without delays or slow downloads.

Patients' health information, private business and financial documents, attorney-client communications: everything is protected with TruVISIBILITY's Secure Email service.

Get a TruVISIBILITY freemium account now and never worry about email security again!
