Skip to the main content.
Talk to sales Start for free
Talk to sales Start for free

1 min read

Why Google Workspace and Microsoft 365 aren't enough for complete HIPAA compliance

Why Google Workspace and Microsoft 365 aren't enough for complete HIPAA compliance

Healthcare organizations often turn to Google Workspace and Microsoft 365 as solutions for secure email communication. While these platforms offer tools for configuring HIPAA compliance, they do not guarantee complete protection for every email sent and received. 


The email encryption gap


Despite configuring Google Workspace or Microsoft 365 for HIPAA compliance, healthcare organizations may still face encryption gaps due to the recipient's email setup. Secure email communication relies on both the sender's and recipient's email servers supporting Transport Layer Security (TLS). If the recipient's server doesn't use TLS, the connection won't be secure, resulting in a potential HIPAA violation.


Undelivered emails and HIPAA violations

Enforcing strict TLS encryption can lead to undelivered or bounced emails when the other party's server doesn't support a TLS connection. If a healthcare organization sends an email containing Protected Health Information and it bounces back or is delivered unencrypted, it can result in a HIPAA violation. This highlights the importance of a secure email solution with safeguards and fallbacks for these instances.


Paubox Email Suite: HIPAA compliant email made easy

Paubox Email Suite offers a seamless solution for healthcare organizations looking to achieve full HIPAA compliance for their email communication. Paubox encrypts all outbound email, ensuring that sensitive information remains protected. By using Paubox Email Suite, healthcare organizations can have peace of mind knowing their emails are 100% HIPAA compliant all the time.


Additional issues with Google Workspace:

According to Google, "If the receiving server doesn't use TLS, Gmail still delivers messages, but the connection isn't secure." While there is a setting to enforce TLS, the email will bounce back if the recipient isn't configured to receive encrypted emails. Google tracks their unencrypted emails here, generally ranging from 2% to 15% unencrypted.


Additional issues with Microsoft 365:

According to Microsoft, their encrypted emails work with other Microsoft email clients, but "if the recipient is using another email client or email account, such as Gmail or Yahoo, they'll see a link that lets them either sign in to read the email message or request a one-time passcode to view the message in a web browser." Portals severely disrupt patient communication because accessing an email or attachment requires up to 6 cumbersome steps. You can see the portal's process here.  


Go deeper:

Subscribe to Paubox Weekly

Every Friday we'll bring you the most important news from Paubox. Our aim is to make you smarter, faster.