Google Apps HIPAA Compliance Gotchas: Email encryption not included and higher price

October 8th, 2014

There has been a lot of hype about Google offering a Business Associate Agreement to paid Google Apps customers who must abide by HIPAA regulations.  Those who are familiar with Google may be under the incorrect assumption that simply signing up for Google Apps will solve all their HIPAA compliance challenges.  This seems to be increasingly less likely as of October, 2014.

Myths and hidden costs pervade this equation. If a HIPAA-aspiring entity isn’t fully educated about the finer details of the compliance process, they could end up paying very large amounts of money for Google services and still be non-compliant. Here we discuss some misconceptions about Google services as they apply to HIPAA to help you avoid the pitfalls of non-compliance.

Free Gmail is not HIPAA Compliant

Let’s state it for the record: there is no possibility of HIPAA compliance with free Gmail accounts. Google only offers the possibility of HIPAA compliance for paid Google Apps customers with their own domain name.

As of now, Google Apps costs $5/user/month. It’s not free, and it’s not especially cheap either.  And this price does not include any of the optional features that Google offers to its business customers, such as email archival, filtering and encryption.

Email Encryption is NOT included

Paid Google Apps accounts do not come with any kind of email encryption.  Google supports forced TLS outbound to email providers that support encryption and Google allows opportunistic TLS inbound and outbound, but this does not at all ensure that your communications are secured in general or that your email messages are HIPAA compliant.  What you need is a mechanism that will:

  1. Ensure that messages you send to anyone are encrypted during transport (at a minimum)
  2. Allow correspondents at non-compliant hosts to send secure messages to you

There is no such mechanism with a paid Google Apps account. If you sign up for Google Apps, request and sign their BAA, then start sending emails out, you could very quickly be in violation of HIPAA and in breach.

Their Business Associate Agreement is very cursory and merely states that they will do the needful things in a reasonable time frame to ensure the privacy and security of the data that they hold.  All the rest is your responsibility, which also means not sending ePHI-laden email to people unless you take extra steps for extra costs to ensure the messages are secure.  Also (and they don’t tell you this), Google provides no guidance in what you should or should not do for compliance.

Google does not offer any email encryption service.  Period.  All email encryption services that work with Google Apps are provided by third-party companies.  Even “Google Apps Message Encryption” (a.k.a. GAME) is an encryption add-on provided by ZixCorp. GAME itself costs about $35/year/user and has a 100-user minimum that can make it quite expensive for smaller organizations.   GAME provides a simple mechanism akin to LuxSci’s SecureLine Escrow service that allows sending secure messages to anyone by requiring them to pick up these messages from a secure web portal.  It also provides a means, like LuxSci SecureSend, that allows others to send secure messages to you.   It does not include generalized forced-TLS, PGP, or S/MIME options, like LuxSci SecureLine does.

LuxSci itself works perfectly as a G Suite outbound email encryption gateway.

Not All Google Services are Covered by their BAA

The Google Apps Business Associate Agreement currently only promises HIPAA compliance for email, calendar, drive, and apps vault.  Any other services are not compliant, and any use of these services that exposes the data in a non-compliant way is not covered.

What this means is that if you don’t buy an add-on to send email securely, use of email is actually non-compliant.  While email stored on Google’s servers may be technically HIPAA compliant, you sending email without encryption is considered your choice, and thus your own action has breached security… no concern of Google’s.  In your BAA with Google, you agree to take “appropriate safeguards designed to prevent against unauthorized use or disclosure of PHI.”  That is all they say on the subject in their BAA; essentially, you’re on your own do to the right things and to know what those are.

LuxSci takes the opposite stance.  We make sure that the things you do with email, contacts, and calendars are secure and compliant, and that you’re fully informed of what is and is not within the scope of HIPAA compliance.  Our compliance accounts favor an opt-out model rather than an opt-in one, as we fully believe that opt-in encryption (that is, forcing the customer to choose when to encrypt a message) is far too dangerous under HIPAA Omnibus.  Google, Microsoft, and other providers put the onus on the customer and all end users to always make the correct decision about when and what to send securely.

We believe that is a recipe for disaster. Google services are not fully compliant even after signing their BAA.  Did you know that you have to purchase and setup additional services?  Did you know that finding information on their Encryption Services is almost as difficult as trying to order it?  What about calendars?  Under what circumstances is that data compliant?  It’s clear that calendar data is compliant when it sits unused on their servers, but what about when it’s synced to some third-party app on a mobile device?  Is that secure? Are the emailed alerts and notifications of appointments compliant?  Such alerts can easily contain ePHI, but are their calendar notice emails encrypted with their optional (and expensive) email encryption add-on?  What if you don’t have that particular add on?  What other uses of their services are not properly encrypted?  Who can you ask to clarify how these services work?

These are all things you need to think about if you’re considering Google services for HIPAA compliance.

Quick Compare Checklist

Google Apps LuxSci Shared LuxSci Dedicated
Compliant Email? With Encryption Add On With SecureLine With SecureLine
Compliant Calendars? Yes, to some extent Yes Yes
Compliant Documents? Yes, to some extent Yes Yes
Compliant Task Lists? No Yes Yes
Compliant Address Books? No Yes Yes
Compliant Password Storage? No Yes Yes
Compliant Internal Blogs? No Yes Yes
Compliant Web Hosting? No Yes Yes
Compliant MySQL Hosting? No Yes Yes
Compliant Form Processing? No With SecureForm With SecureForm
Compliant Email Marketing? No With Premium High Volume With Premium High Volume
Price/user
Includes Filtering
$5/user/mo $2.50/user/mo $2.50/user/mo
Email Encryption with GAME $3/user/mo (100 user minimum) $3/user/month
(1 user minimum)
$3.00/user/mo(great value for accounts with many users)
Email Archival 10 yr $5/user/mo $3.50/user/mo $3.50/user/mo
Disk Space 30 GB/user Basic: 50GB/account
Premium: 25G/account
10GB-10,000GB+
Extra space not available Basic: $0.75/GB/mo
Premium: $1/GB/mo
Basic: $0.75/GB/mo
Premium: $1/GB/mo

Basic and premium refer to LuxSci Basic and Premium shared and dedicated environments.

What does this all mean?

  1. On a per-user basis, Google Apps is more expensive than LuxSci — much more expensive in many cases, and especially as the number of users increases.
  2. Google includes a huge chunk of disk space with each $5 user because most users never use anywhere near this amount of space.  We have found that the average power user (e.g. IMAP and mobile user) might use 1 or 2 GB of disk space, with only a few outliers using 5GB or more.  But Google makes up for this by charging $5/user (whereas LuxSci only charges $1/user).  So, once you start adding users, the cost of a Google account quickly swells.
  3. LuxSci gives a reasonable amount of space (15-30G) for your whole account and allows you to pay for more space as needed, so you can save by paying for what you actually need.  We don’t shoehorn the cost of the disk space into the per-user price.
  4. LuxSci’s SecureLine encryption service includes more features than Google’s Email Encryption service and is easier to use.
  5. LuxSci’s services are designed to help you meet and maintain your compliance, and our BAA was carefully constructed to encompass everything that your compliance will entail. We lock down your accounts and ensure that you have the services and settings that you need.  We also document what you should and should not do in our Account Restrictions Agreement.  No ambiguity, no room for error.
  6. LuxSci allows you to white label our services so you can preserve your brand when interacting with your customers.
  7. LuxSci encourages cost effective dedicated server solutions for enhanced privacy.
  8. If you still like Google, you can purchase LuxSci as well and use it for encrypting outbound email sent from Google.

10/2014 Update …

We recently checked in on Google Apps and HIPAA just to see if the landscape had changed since we first assembled the above information over a year ago.  What we found was disappointing…

  1. Google Apps says it supports HIPAA compliance, but there is no mention of encryption anywhere, unless you explicitly search for “Google Message Encryption” 
  2. Google’s published link to its “Security White Paper” is now dead and returns a 404 page not found error.
  3. The link to “Google Apps Security Site” now just takes you to a home page for their enterprise solution, which does not mention anything about security

So — not much has changed in a year, except that their site has become more inconsistent and it appears that it is harder to find the information needed to be compliant.  One may presume that without the help of someone who has done the research, setup these kinds of accounts, and vetted the ins and outs of all of their features and searches, one would be at very high risk of doing things in a non-compliant way.

6/2017 Update ….

Google still does not offer their own encryption solution.  In fact, the only significant changes we see revolve around increases in prices for G Suite services due to service bundling.