A Google account provides users with access to a wide range of Google applications and platforms using a single set of credentials. Here's the catch: when using these applications, your Google account handles protected health information (PHI). HIPAA compliance is, therefore, a necessary consideration before continuing to use them.
Google and Business associate's agreements
HIPAA compliance and your Google account can be perplexing. You have to look closer at which services access PHI and therefore need to be HIPAA compliant. HIPAA requires that any third-party providers like Google, who offer services to covered entities (your medical practice) and are involved in handling your patients' sensitive information, sign a Business Associate Agreement (BAA).
This agreement lays out the details of the relationship between you and Google, ensuring HIPAA compliance. On its website, Google states that it "ensures that the Google products covered under the BAA meet the requirements under HIPAA and align with our ISO/IEC 27001, 27017, and 27018 certifications and SOC 2 report."
Google only provides BAAs to paid users of Google Workspace, excluding free Gmail accounts. This means that healthcare organizations must subscribe to the paid version if they require HIPAA compliance.
Related: Business associate agreement provisions
HIPAA compliant functionality in Google
Google's HIPAA compliance only applies to specific products:. These products listed on their website include:
- Gmail
- Calendar
- Drive (including Docs, Sheets, Slides, and Forms)
- Apps Script
- Keep
- Sites
- Jamboard
- Google Chat
- Google Meet
- Google Voice (managed users only)
- Google Cloud Search
- Cloud Identity Management
- Google Groups
- Google Tasks and Vault (if applicable).
There are limitations to the compliance of these products. Gmail, for example, has several issues relating to HIPAA compliant email. For instance, if the recipient's email server does not have TLS configured or does not support TLS connections, the email may still be delivered by Gmail, but the connection won't be secure.
Although Google offers an option to enforce TLS, it can be a complex process leaving emails to bounce back to the sender if not sent correctly, resulting in delivery failures and potential disruptions in communication. Gmail also tracks unencrypted emails, typically ranging from 2% to 15%.
This suggests that there may be instances where Gmail delivers emails without encryption, potentially exposing sensitive information. This is a concern for healthcare organizations aiming for strict compliance with HIPAA regulations.
Related: Ultimate Guide to Gmail: Is Gmail HIPAA compliant?
Email encryption solutions
Third-party email encryption services, like Paubox, offer a powerful solution for enhancing the security of your email communication. With advanced encryption protocols, they encrypt all emails by default, ensuring HIPAA compliance.
These services seamlessly integrate with Google Workspace, eliminating the need for workflow changes. You can encrypt emails without hassle or using cumbersome portals. Sending and receiving encrypted emails becomes a breeze, even for non-technical users.
Conclusion
Your free Google account is not HIPAA compliant. Once you pay for Google Workspace and sign a BAA, it can be compliant. Note the limitations of Gmail can be easily addressed by using a third-party email encryption service.
Related: Why Google Workspace and Microsoft 365 aren't enough for complete HIPAA compliance
Kirsten Peremore
