Yeah, I'm familiar with HIPAA issues- had to research it for my Dad's medical practice. This issue hits me from the opposite side in my line of work. I deal with a lot of clients who tend to form networks of providers. Many of those providers are small practices using Yahoo or some other free email service and have no IT staff to speak of.
HIPAA requires online communication to be encrypted in transit. SSL for web sites is trivial. Email is the ugly duckling. If you don't set up TLS on your email server and confirm TLS is set up on the destination, then HIPAA says you can't email those medical records because the data is not encrypted in transit. Yahoo and Google are adding TLS, but prior to last year for sure, none of these popular free email sites had TLS and thus everybody using them for medical work was violating HIPAA.
Furthermore, HIPAA requires Business Associate Agreements with the entities you transfer data with. To get a BAA means reviewing the other guy's security and signing paper that you accept their good or crappy level of security. In the instances where a BAA is not literally required, the same level of diligence is expected, even without a formal BAA. Thus, when you put your medical records onto Gmail, you put Google at risk of violating HIPAA because they didn't specifically know you were using them for that (and thus set up controls to better protect that data).
So from my vantage point, court cases aside, these users had no business using Gmail or Yahoo because they were invoking an unwitting 3rd party into handling Protected Health Information (PHI). Thus, it was never an issue about the snooping by Google's bots, because it was inappropriate to run your medical business through an email system you didn't control or have contracts with.
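The "confirm TLS is set up on the destination" step above can be checked rather than assumed. This is an added example, not code from the thread: it connects to a mail host, reads the EHLO reply, and if STARTTLS is offered negotiates it with certificate verification and records the TLS version. The host name, port 25 and the sample EHLO reply are assumptions (MX lookup is left to the caller).

```python
"""Check whether a destination mail host offers STARTTLS (encryption in transit)."""
import smtplib
import ssl

# Constructed sample EHLO reply in smtplib's stripped form (the "250-" codes
# are already removed by smtplib.SMTP.ehlo); used only for a local dry run.
SAMPLE_EHLO_REPLY = b"mx.example.test\nSTARTTLS\nSIZE 35882577\n8BITMIME"


def parse_ehlo_extensions(ehlo_reply: bytes) -> set:
    """Turn the multi-line EHLO reply into a lower-cased set of extension
    keywords, e.g. {'starttls', 'size', '8bitmime'}."""
    exts = set()
    # The first line is the server's announced name; the rest are extensions.
    for line in ehlo_reply.decode("utf-8", "replace").splitlines()[1:]:
        parts = line.split()
        if parts:
            exts.add(parts[0].lower())
    return exts


def check_starttls(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect to host:port, report whether STARTTLS is offered and, if so,
    whether it negotiates with a valid certificate (hostname and chain checked)."""
    result = {"host": host, "starttls_offered": False,
              "tls_version": None, "cert_valid": None, "error": None}
    ctx = ssl.create_default_context()  # verifies chain and hostname by default
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            _code, reply = smtp.ehlo()
            result["starttls_offered"] = "starttls" in parse_ehlo_extensions(reply)
            if result["starttls_offered"]:
                try:
                    smtp.starttls(context=ctx)      # upgrade the session
                    result["tls_version"] = smtp.sock.version()  # e.g. 'TLSv1.3'
                    result["cert_valid"] = True
                except ssl.SSLError as exc:         # offered, but untrusted/misconfigured
                    result["cert_valid"] = False
                    result["error"] = str(exc)
    except (OSError, smtplib.SMTPException) as exc:
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    # Offline dry run against the constructed reply, then a live check of an assumed host.
    print("sample offers STARTTLS:", "starttls" in parse_ehlo_extensions(SAMPLE_EHLO_REPLY))
    print(check_starttls("mx.example.test"))  # hypothetical host; replace with the real MX
```

A host that does not offer STARTTLS, or offers it with a certificate that fails verification, is one the records should not be sent to until that is fixed.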
The thing is, it isn't just from the practitioner's side that we have concerns. If the patient somehow sends you an email that isn't secured or encrypted, and it reveals otherwise private/privileged info, the issue arises.
And as you well know, most people don't have secure or encrypted accounts.
That means an email from a patient or potential patient using a gmail account may legally be no more protected by privilege than talking to a doctor face to face with the building janitor sitting in the room.