Can you send PHI via Gmail?
Sending Protected Health Information (PHI) via a free Gmail account is not HIPAA compliant. However, Gmail can be configured for HIPAA compliance...
Dean Levitt
April 11, 2023
Healthcare organizations often turn to Google Workspace and Microsoft 365 as solutions for secure email communication. While these platforms offer tools for configuring HIPAA compliance, they do not guarantee complete protection for every email sent and received.
Despite configuring Google Workspace or Microsoft 365 for HIPAA compliance, healthcare organizations may still face encryption gaps due to the recipient's email setup. Secure email communication relies on both the sender's and recipient's email servers supporting Transport Layer Security (TLS). If the recipient's server doesn't use TLS, the connection won't be secure, resulting in a potential HIPAA violation.
Enforcing strict TLS encryption can lead to undelivered or bounced emails when the other party's server doesn't support a TLS connection. If a healthcare organization sends an email containing Protected Health Information and it bounces back or is delivered unencrypted, it can result in a HIPAA violation.
Paubox Email Suite offers a seamless solution for healthcare organizations looking to achieve full HIPAA compliance for their email communication. Paubox encrypts all outbound email, ensuring that sensitive information remains protected. By using Paubox Email Suite, healthcare organizations can have peace of mind knowing their emails are 100% HIPAA compliant all the time.
According to Google, "If the receiving server doesn't use TLS, Gmail still delivers messages, but the connection isn't secure." There is a setting to enforce TLS, but with it enabled the email bounces when the recipient's server isn't configured to receive encrypted email. Google publishes its unencrypted-email statistics here; the share of unencrypted mail generally ranges from 2% to 15%.
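The behaviour described above (opportunistic TLS delivers in plaintext when the recipient's server cannot encrypt; enforced TLS bounces instead) comes down to one thing the sending server observes: whether the recipient's MX advertises the STARTTLS keyword in its EHLO reply. The following Python script is an added example, not Paubox's, Google's or Microsoft's code. It parses raw EHLO replies, maps the result onto the two delivery policies, and includes a live probe of a single MX host that an administrator can run before deciding whether a recipient domain is safe to exchange PHI with. The EHLO replies and host names in it are constructed; resolving a domain's MX records is left to the caller.

```python
"""Opportunistic vs enforced TLS for outbound mail: what the sender can see.

Added example (not from the article or any vendor). A sending server learns
whether the recipient's MX can encrypt by looking for STARTTLS in the EHLO
reply. Opportunistic mode (Gmail's default) still delivers when it is
missing, in plaintext; enforced mode bounces the message instead.
probe_mx() runs the same check against a live MX host and needs network
access; the constructed replies at the bottom run offline.
"""
import smtplib
import ssl
from enum import Enum


class TlsPolicy(Enum):
    OPPORTUNISTIC = "opportunistic"  # deliver even if the peer cannot encrypt
    ENFORCED = "enforced"            # refuse (bounce) rather than send in clear


class Outcome(Enum):
    ENCRYPTED = "delivered over TLS"
    PLAINTEXT = "delivered unencrypted"   # the gap the article warns about
    BOUNCED = "bounced back to sender"


def parse_ehlo_capabilities(ehlo_reply: str) -> set[str]:
    """Return the ESMTP keywords advertised in a raw multi-line EHLO reply.

    Wire format (RFC 5321): every line starts with "250-", the last with
    "250 ". The first line is the server greeting and carries no capability.
    """
    caps: set[str] = set()
    lines = [ln for ln in ehlo_reply.splitlines() if ln.strip()]
    for ln in lines[1:]:            # skip the greeting line
        if not ln.startswith("250"):
            continue                # not a success line; ignore it
        body = ln[4:].strip()       # drop the "250-" / "250 " prefix
        if body:
            caps.add(body.split()[0].upper())
    return caps


def delivery_outcome(capabilities: set[str], policy: TlsPolicy) -> Outcome:
    """What happens to a message given the peer's capabilities and our policy."""
    if "STARTTLS" in capabilities:
        return Outcome.ENCRYPTED
    if policy is TlsPolicy.ENFORCED:
        return Outcome.BOUNCED
    return Outcome.PLAINTEXT


def probe_mx(mx_host: str, timeout: float = 10.0) -> dict:
    """Live check of one MX host on port 25: is STARTTLS offered, and does a
    certificate-verified handshake succeed? Needs network access. Look up the
    recipient domain's MX hosts first (for example with `dig MX domain`)."""
    report = {"host": mx_host, "starttls_offered": False,
              "tls_version": None, "error": None}
    try:
        with smtplib.SMTP(mx_host, 25, timeout=timeout) as smtp:
            smtp.ehlo()
            report["starttls_offered"] = smtp.has_extn("starttls")
            if report["starttls_offered"]:
                # The default context verifies the chain and hostname; a
                # failure here means the link could be encrypted but not
                # authenticated, which is worth recording too.
                smtp.starttls(context=ssl.create_default_context())
                report["tls_version"] = smtp.sock.version()
    except (OSError, smtplib.SMTPException) as exc:
        report["error"] = f"{type(exc).__name__}: {exc}"
    return report


# Constructed EHLO replies (not captures from any real server).
RECIPIENT_WITH_TLS = (
    "250-mx1.clinic-a.example at your service\n"
    "250-SIZE 35882577\n"
    "250-8BITMIME\n"
    "250-STARTTLS\n"
    "250 ENHANCEDSTATUSCODES\n"
)
RECIPIENT_WITHOUT_TLS = (
    "250-mail.legacy-clinic.example Hello\n"
    "250-SIZE 10240000\n"
    "250 8BITMIME\n"
)


def main() -> None:
    for label, reply in (("TLS-capable MX", RECIPIENT_WITH_TLS),
                         ("legacy MX", RECIPIENT_WITHOUT_TLS)):
        caps = parse_ehlo_capabilities(reply)
        for policy in TlsPolicy:
            outcome = delivery_outcome(caps, policy)
            print(f"{label:15} {policy.value:13} -> {outcome.value}")


if __name__ == "__main__":
    main()
```

Running the script prints the four combinations; the legacy MX under the opportunistic policy is the "delivered unencrypted" case, and under the enforced policy it is the bounce. Against a real recipient, `probe_mx("mx.example")` tells you which of those two outcomes your policy would produce for that domain before any PHI is sent.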
According to Microsoft, their encrypted emails work with other Microsoft email clients, but "if the recipient is using another email client or email account, such as Gmail or Yahoo, they'll see a link that lets them either sign in to read the email message or request a one-time passcode to view the message in a web browser." Portals severely disrupt patient communication because accessing an email or attachment requires up to 6 cumbersome steps. You can see the portal's process here.