HIPAA Compliance in Google Apps vs. Hosted Desktops

Posted by John Feucht on Aug 26, 2014 6:00:00 AM

Google_AppsCan you trust Google Apps with your healthcare organization’s data?

Google products are known for their power, usability, and low cost, so it’s no wonder so many small businesses, fed up with the hassle and headache of maintaining their own IT systems, have migrated onto Google’s popular suite of cloud-based productivity apps.

But compliance has always been a sticking point for businesses considering a move to Google Apps, especially for businesses in the healthcare field, beholden to the rules of the Health Insurance Portability and Accountability Act (HIPAA).


Google’s BAA

Many healthcare businesses are concerned about how seriously Google takes securing protected health information (PHI) (data that reveals the identity of an individual, their health status, or their payment records). These businesses are worried that using Google Apps would expose them to the risk of HIPAA fines and data breaches.

Eager to gain more healthcare customers, Google announced in September it would be willing to sign a Business Associate Agreement (BAA) with any customer in the healthcare field. This agreement states that Google will secure its partners’ PHI according to HIPAA regulations.

Has Google removed the final block preventing healthcare organizations from migrating the entirety of their IT systems to Google Apps? Not quite.

While it’s heartening to see major cloud providers like Google taking HIPAA compliance seriously, all the BAA means is that Google agrees to keep PHI safe within its own network. Healthcare organizations that use Google Apps, BAA or no BAA, are still responsible for ensuring HIPAA compliance on their end. In other words, Google Apps isn’t really the “turnkey” HIPAA compliance IT solution most healthcare businesses are looking for.

Here are four ways Google Apps falls short of a complete HIPAA compliance solution:


1. The BAA Doesn’t Cover All of Google’s Services

According to Google, its BAA covers only its Gmail, Google Calendar, Google Drive, and Google Apps Vault services. You cannot, for example, share a patient’s health status via Google+ and expect it to be secure up to the standards of HIPAA.


2. Free Gmail and Google Apps Accounts are Not HIPAA Compliant

Google will only agree to sign a BAA for customers that pay for its premium Google Apps for Business service (the current rate is $5 per user per month or $50 per user per year). Google will not sign a BAA for customers that are still on its free Google Apps service (which is no longer offered to new customers) or those who use the free consumer version of Gmail (anyone with an @gmail.com address).

In addition to that, even if you pay for a Google Apps account, you won’t receive encrypted email (a key requirement of HIPAA) without paying extra.

By default, Gmail encrypts all email messages between its users and its servers. But once those messages leave Google’s servers (on their way to their final destination) all bets are off. A doctor’s office cannot discuss treatment with a patient via Gmail, for example.

For true “end-to-end” email encryption using Gmail, healthcare organizations will have to pay extra for Google Apps Message Encryption (GAME), which currently costs $35 per user per year.


3. Google Apps Does Not Provide Data Backup

One of the requirements of HIPAA is that businesses “establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.” Healthcare organizations should be backing up their data often enough that they can continue to function after an emergency data restore. Google Apps does not do this.


4. Google’s Logs are Hard to Work With

Keeping records of when users access protected health information and what they do with it is another key provision of HIPAA. Google Apps does indeed collect this kind of information, but it is not easily searchable. Auditing it is a manual process of digging through the logs to find the exact events you’re interested in.


A Better (Complete) Solution

Google never meant Google Apps to function as a complete HIPPA compliance solution. Thanks to Google’s willingness to sign a BAA, Google Apps could be part of a HIPAA compliance solution, but it would only really be part of a larger, cobbled-together solution, using a handful of other vendors to fill the gaps.

Modern healthcare organizations require much more than Google Drive and Gmail to get their work done. Why not look for a HIPAA compliance solution that encompasses everything you do?

A hosted desktop solution from a provider that specializes in HIPAA compliance would ensure that everything you need for your business—email, storage, applications—is up to the security standards of the latest HIPAA regulations and rulings.

Learn more about how such a solution would work in our free guide, “HIPAA Compliance in the Cloud.”

Download the free whitepaper - HIPAA Compliance in the Cloud

Topics: HIPAA