Google Accounts allow users to access various Google applications and platforms with one set of credentials. The problem is that when you use these applications in a healthcare setting, your Google Account processes Protected Health Information (PHI), so HIPAA compliance should be considered before continuing to use them.

Agreement between Google and Business Associates

HIPAA compliance for Google accounts can be complicated. You need to determine which services handle PHI and therefore must be HIPAA compliant. HIPAA requires third-party providers such as Google, who provide services to covered entities (for example, medical practices) and handle sensitive patient information, to sign a Business Associate Agreement (BAA).

This agreement defines your relationship with Google and underpins your HIPAA compliance. Google states on its website that it “ensures that Google products covered by the BAA meet HIPAA requirements and comply with ISO/IEC 27001, 27017, 27018 certifications and SOC 2 reports.”

Google only provides BAAs to paid Google Workspace customers; free Gmail accounts are excluded. This means that a healthcare provider who wants to be HIPAA compliant must subscribe to a paid Workspace plan.

Google’s HIPAA Compliant Features

Google’s HIPAA compliance applies only to certain products. The products listed on Google’s website are:

Gmail; Calendar; Drive (including Docs, Sheets, Slides, and Forms); Apps Script; Keep; Sites; Jamboard; Google Chat; Google Meet; Google Voice (managed users only); Google Cloud Search; Cloud Identity Management; Google Groups; Google Tasks; and Vault (if applicable).

There are limits to compliance even for these products. Gmail, for example, has issues with HIPAA-compliant email: if the recipient’s mail server doesn’t have TLS configured or doesn’t support TLS connections, Gmail may still deliver the email, but over an unencrypted connection.

Google offers the option to force TLS, but configuring it can be complicated: if a message cannot be sent over TLS it is bounced back to the sender, which can result in delivery errors and interrupted communication. Gmail also tracks the share of email that is unencrypted, which typically falls in the 2%-15% range.

This suggests that Gmail may deliver emails without encryption, potentially exposing sensitive information. This is a concern for healthcare organizations seeking strict compliance with HIPAA regulations.
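An added example, not from the original article or from Google: one way to audit a received message after the fact for cleartext hops, by reading the RFC 3848 “with” keyword in each Received header (ESMTPS or ESMTPSA means that hop was carried over TLS). The header sample, hostnames and the assumed header layout are constructed for the example.

```python
import re
from typing import List, NamedTuple
# RFC 3848 "with" keywords: the variants ending in S mean the hop used TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA"}

class Hop(NamedTuple):
    sender: str
    receiver: str
    protocol: str
    encrypted: bool

# Assumed shape of a Received header: "from <host> ... by <host> ... with <keyword>".
RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+).*?\bwith\s+(?P<with>[A-Za-z]+)", re.DOTALL)

def unfold_headers(raw: str) -> List[str]:
    # Join folded continuation lines (leading whitespace) onto the previous header.
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def parse_hops(raw_headers: str) -> List[Hop]:
    # One Hop per Received header, flagged by whether its "with" keyword implies TLS.
    hops = []
    for line in unfold_headers(raw_headers):
        if not line.lower().startswith("received:"):
            continue
        m = RECEIVED_RE.search(line)
        if m:
            proto = m.group("with").upper()
            hops.append(Hop(m.group("from"), m.group("by"), proto, proto in TLS_PROTOCOLS))
    return hops

def unencrypted_hops(raw_headers: str) -> List[Hop]:
    # The hops an auditor cares about: those that carried the message in the clear.
    return [h for h in parse_hops(raw_headers) if not h.encrypted]

# Constructed sample: the final hop into Gmail used TLS; the clinic's internal relay did not.
SAMPLE_HEADERS = """\
Received: from mail.clinic.example (mail.clinic.example. [192.0.2.10])
        by mx.google.com with ESMTPS id abc123
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256)
Received: from ehr-app.clinic.internal (ehr-app.clinic.internal [10.0.0.5])
        by mail.clinic.example with ESMTP id def456
Subject: Appointment reminder
"""
```

The final hop is the one the TLS discussion above concerns; the earlier hops show whether the sender’s own infrastructure also kept the message encrypted before it reached Gmail.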

Email encryption solutions

Third-party email encryption services such as Paubox offer powerful solutions for enhancing the security of your email communications. With advanced encryption protocols, all emails are encrypted by default to ensure HIPAA compliance.

These services integrate with Google Workspace, so you don’t have to change your workflow: emails are encrypted without cumbersome portals, and even non-technical users can send and receive encrypted email.

Conclusion

Free Google accounts are not HIPAA compliant; to be compliant, subscribe to paid Google Workspace and sign the BAA. Gmail’s TLS limitations can be overcome by using a third-party email encryption service.