Regarding the question of whether sending secure email to patients who use Gmail is compliant with HIPAA:
Individuals (i.e. patients) who receive ePHI in their Gmail account are OK. Why? Individuals are not required to comply with HIPAA, so they do not have to worry about the privacy of their personal health information (or that of their friends and family) — as least with regards to the law. They should worry about it and not give it out nonetheless. So, use of Gmail for reading that information and even forwarding it on to others is ‘OK’. Organizations that send ePHI email TO them at Gmail are required to comply with HIPAA. That just means sending ePHI messages to Gmail users in a way that ensures the messages are delivered to these recipients securely. That could be done by using forced TLS for delivery, or by other means like a secure message pickup solution. Once the message is delivered and in the user’s ‘hands’, the responsibility of the sending organization is complete.
(Via LuxSci FYI).
Posted on infosnack.