HIPAA is designed to protect patient confidentiality. It’s widely misunderstood, not least because of the scary fines for violations. I think on balance it’s a good law, but it needs regular adjustment.
Happily in 2013 a major adjustment was made. Rule makers allowed use of conventional email applications, perhaps without robust encryption, for patient communications if informed consent is given and recorded. I recently put together a set of references on this:
https://personcenteredtech.com/2013/10/06/clients-have-the-right-to-receive-unencrypted-emails-under-hipaa/
Covers the 2013 final rule changes.http://blog.securitymetrics.com/2014/05/hipaa-email-encryption.html
Pretty good discussion of implicationshttp://www.austinmedclinic.com/hipaa-and-email.pdf
Example of a patient consent to receive unencrypted emailhttp://www.gpo.gov/fdsys/pkg/FR‐2013‐01‐25/pdf/2013‐01073.pdf
HIPAA language is on page 5634 (I didn’t confirm this, just copied from the Austin Med Clinic consent form.
I’d still worry about risks associated with using Gmail (though communication is now actually well encrypted for most users) — the message will be both sender and receiver’s server forever unless it’s deleted. Tricky business!
Still, it’s encouraging to see this clarification. I hope the HIPAA rules continue to be adjusted. Having robust encryption built into laptops helps — at least until the FBI forces backdoors which will, of course, be widely exploited by hackers.