Are individuals receiving PHI via Gmail flouting HIPAA guidelines?

If patients receive ePHI in their personal Gmail accounts they are not flouting any HIPAA guidelines. The reason is simple: HIPAA does not place any obligation on patients to secure their own PHI. A patient is neither a covered entity nor a business associate, so there is nothing for them to be "compliant" with. They should still follow good practice for protecting their personal health information (a strong, unique password and two-factor authentication on the account, for instance), but they face no legal or financial penalty if they do not.

Healthcare organizations and their business associates that send ePHI to patients' Gmail accounts are the ones who must ensure the email is handled in a HIPAA compliant way. As covered entities and business associates, they are required to apply reasonable and appropriate safeguards to patient data in transit, whoever the recipient is (another covered entity or the patient), under the HIPAA Security Rule's transmission security standard, with the Privacy Rule governing what may be disclosed in the first place. In practice this means, at minimum, enforcing TLS for delivery of any message that contains PHI rather than relying on opportunistic encryption that silently falls back to cleartext. If the recipient does not or cannot cooperate (for example, their mail provider does not support TLS), the liability for sending ePHI without due precautions rests with the covered entity alone; the only recognised exception is a patient who, after being warned of the risks, has expressly asked to receive their records by unencrypted email, and that request should be documented.
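As an added illustration (not part of the original page, which names no particular mail server), here is what "enforcing TLS" looks like on a Postfix MTA used to send outbound patient mail. The assumptions are that outbound mail leaves through Postfix and that `/etc/postfix/tls_policy` is the chosen name for the per-destination policy table; both are this example's choices, not something the page specifies.

```ini
# /etc/postfix/main.cf (constructed example)

# WEAK - Postfix's default. TLS is opportunistic: if the receiving server
# does not advertise STARTTLS, the message is delivered in cleartext and
# nothing in the logs flags that a PHI-bearing mail went out unencrypted.
smtp_tls_security_level = may

# CORRECTED - mandatory TLS for every outbound delivery. A destination that
# does not offer STARTTLS is never sent to in the clear; the mail stays in
# the deferred queue and eventually bounces back to the sender instead.
smtp_tls_security_level = encrypt
# Refuse the obsolete protocol versions (">=" syntax needs Postfix 3.6+;
# on older releases use "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1").
smtp_tls_mandatory_protocols = >=TLSv1.2
# Log one summary line per TLS session so an audit can show encryption was used.
smtp_tls_loglevel = 1

# If a global "encrypt" is too disruptive for other traffic, the same
# requirement can be imposed per destination via a policy table (assumed
# path); Gmail's inbound MX servers do advertise STARTTLS, so this will not
# block delivery to patients' Gmail accounts.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# /etc/postfix/tls_policy (build with "postmap /etc/postfix/tls_policy",
# then "postfix reload")
#   gmail.com      encrypt
#   googlemail.com encrypt
```

Two caveats a practitioner should keep in mind. The `encrypt` level guarantees encryption on the wire but does not verify the receiving server's certificate, so it stops passive interception rather than an active man-in-the-middle; the `secure` or `dane` levels add certificate or DNSSEC-based verification at the cost of more configuration. And TLS only protects the hop from your server to Google's mail servers; once the message is in the patient's mailbox its protection is whatever the patient's own account security provides, which, as the previous answer notes, is outside the covered entity's control.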

Only covered entities and their business associates can be held liable for breaching patient data privacy, whether the patient data is sent to a Gmail account or to any other email account. Google, as the provider of the patient's personal mailbox, shares none of that responsibility: it is not a party to the covered entity's HIPAA obligations, and a consumer Gmail account is not covered by a business associate agreement. If a covered entity transmits patient data without complying with HIPAA's rules on transmitting, sharing, accessing and retrieving ePHI, the breach is the covered entity's.