Google is one of the world’s most popular email providers. Many businesses choose to utilize Google Workspace for their email communications because of their collaboration tools like Calendar, Docs, and File Sharing via Google Drive. Google Workspace includes basic privacy and security protections, but their security measures are not enough for HIPAA compliance. Even though Google will sign a BAA with HIPAA covered entities, it may not apply to all of the Google apps. Google Workspace has hidden dangers that may lead to a violation of HIPAA rules.
EMAILS SENT FROM GOOGLE CALENDAR ARE NOT ENCRYPTED
Google Calendar is a core service of Google Workspace and is covered by a Business Associates Agreement. The problem is that email encryption is not a standard feature of Google Workspace. That is, although Google supports encrypted messages within its servers, emails sent to other systems are not encrypted.
Google does not even offer a native end-to-end email encryption solution; one has to purchase such services from a third party and integrate it with your Google account.
So, even though Calendar and other core services – including Gmail, Drive, Meet and Google Cloud Search – are covered by the company’s BAA, the emails that Gmail automatically schedules and sends via Calendar are not encrypted.
In addition, it is extremely important to make sure your calendar settings are completely private and that your calendars are not visible to anyone who should not have access to PHI. Many of these settings are public to your organization by default, so make sure you take the time to configure the account properly.
YOU MAY END UP SENDING UNENCRYPTED PHI
HIPAA has a ‘per violation’ penalty, imposing a fine on every email that fails to comply with HIPAA rules. As far as emails go, you can send PHI via email as long as it is secure and encrypted and other requirements are met (i.e., access control, backups, audit trails, etc.). If you think about it, encryption protects PHI in many ways; for instance, if an email containing PHI is sent to the wrong recipient, it cannot be read or used without the keys needed to decrypt it. On the other hand, by choosing to send emails unencrypted, you expose your organization to security, financial and legal risks.
For the record, ‘reasonable cause’ penalties range from $1,000-$50,000 per breached data item, ‘willful neglect (corrected)’ attracts penalties between $10,000-$50,000. ‘Willful neglect (not corrected)’ penalties will cost you a flat $50,000 fine per breached data item.
You can, potentially, send out all kinds of ePHI courtesy of the Calendar-Gmail integration. Examples include:
- Meeting invitations
- Appointment reminders
- Appointment follow-up instructions
- Health-related advice and comments
- Patient satisfaction survey containing identifying information
- Mentions of new or urgent symptoms
- A brief discussion of mental or sensitive health problems
- Details of the patient’s care
- Emailing patient’s details to a colleague
- Information related to test results or prescription refills
Your BAA with Google isn’t very useful if Google Workspace poses a regulatory risk of ePHI breach.
PHI CANNOT BE USED WITH THESE GOOGLE SERVICES
Your BAA does not cover all Google Services. For example, your internal policies should disallow the use of PHI with Google+ and Google Contacts, should you enable these services. To be on the safe side, you also need to set checks and balances for HIPAA-compliant services in Google Workspace. Some other common risks include:
- Files uploaded to Google Drive must not contain PHI in file or folder titles or within team drives. Restrict file and folder sharing to trusted entities.
- Free Gmail accounts pose a big risk of ePHI breach. Gmail does not offer a native encryption solution, and on its own, can never be HIPAA compliant. Free Gmail services do not come with a BAA and as a result do not meet compliance standards.
- Assess the appropriate uses of Google Meet and Chat in relation to PHI and train staff appropriately. The use of messaging apps on mobile devices is one area where violations can occur and potentially stack up pretty quickly.
- You cannot send emails with PHI from Google Workspace, even if you have a BAA with Google. Emails with PHI must be encrypted and using a third-party email encryption service is required to meet compliance standards.
YOU CAN AUTOMATICALLY SECURE ALL OUTBOUND EMAIL FROM GOOGLE WORKSPACE APPS
You can address many common compliance challenges with proper user training and appropriate administrative controls. However, encrypting emails sent from Google requires the use of a third party encryption solution. LuxSci’s SecureLine encryption technology was designed for HIPAA compliance and is compatible with any email program.
SecureLine is a simple system that offers advanced email security. You can choose the encryption method (TLS, PGP, S/MIME or ESCROW), and automatically secure all outbound email from Google Workspace apps. You can continue to receive email from any program or web service.
SecureLine is linked with the SecureSend Portal, our free web-based service that your recipients can access for free in order to send encrypted email.
USE SMART HOSTING TO ADD ENCRYPTION TO OUTBOUND EMAIL
By configuring your Google Workspace account to send all outbound email through LuxSci for processing and delivery, you will not only be adding encryption that secures ePHI but also masking your IP address. By using a third-party connector, you can also add outbound email archival to meet HIPAA requirements.
LuxSci’s Secure Connector is a better option than others because of our always on encryption settings. Administrators can enforce encryption for all users who are likely to be sending PHI via email. Instead of relying on employees remembering to encrypt emails, all of their emails are automatically encrypted via TLS. More on that here: Opt-In Email Encryption is Too Risky for HIPAA Compliance.
Is Google Workspace HIPAA Compliant?
If you still want to use Google Workspace for your business, make sure you take the appropriate steps to secure your accounts. Google Workspace can be HIPAA-compliant, but it does not come automatically configured to meet those standards. Admins must take the time to disable public sharing settings for users with access to PHI and set up clear policies regarding app usage. They must also set up an encryption solution to send emails that contain PHI. Only after these steps are taken, can Google Workspace be HIPAA compliant.
Want to discuss how LuxSci’s HIPAA-Compliant Email Solutions can help your organization? Contact one of our email security experts today.
