Healthcare data contains some of the most sensitive information about a person, which is why it’s protected by HIPAA (Health Insurance Portability and Accountability Act) in the U.S. HIPAA is a set of regulations that aim to protect the privacy and security of patients' personal health information (PHI).
Too often, professionals in the medical field assume that standard email and file-sharing platforms like Google Workspace and Microsoft Office 365 are safe enough to transmit PHI and other HIPAA-related information. That assumption may not hold: while both Google Workspace and Microsoft Office 365 offer many features that are useful for businesses, they may not be sufficient on their own to comply with HIPAA data privacy regulations.
There are four key reasons why your Google Workspace or Microsoft Office 365 email may not be HIPAA compliant:
Here are several important things to consider if you want your Google Workspace and Microsoft 365 platforms to be compliant.
While both Google Workspace and Microsoft Office 365 offer some HIPAA compliance features, such as data encryption and access controls, they may not provide all the necessary safeguards required by HIPAA regulations. For example, most modern mail platforms use TLS (Transport Layer Security) encryption by default, but TLS only protects the connection between one mail server and the next; it does not guarantee encryption across the full lifecycle of the data. TLS also requires the receiving server to support an encrypted connection, and if it does not, the message containing PHI may be sent without encryption (or not sent at all), which could slow down important communication or, worse, result in a HIPAA violation. These limited HIPAA compliance features can cause significant issues for healthcare organizations if they don’t put additional safeguards in place to secure patient data.
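One way to see whether the TLS gap described above actually affected a given message is to read the Received header chain: each mail server records, in the `with` clause, whether it accepted the message over TLS (`ESMTPS`, `ESMTPSA`) or in plaintext (`ESMTP`). The script below, an added example that is not part of the original article and not Virtru's code, parses a constructed sample message whose middle hop was relayed without TLS and flags it. The hostnames, addresses and header values are placeholders invented for the example.

```python
import email
import re

# Constructed sample message (not a real capture): three hops, the middle one
# relayed without TLS. The hostnames and addresses are placeholders.
SAMPLE_MESSAGE = """\
Received: from mx.example-hospital.test (mx.example-hospital.test [192.0.2.10])
        by inbound.example-insurer.test with ESMTPS id abc123
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);
        Mon, 01 Jan 2024 10:00:02 +0000
Received: from relay.example-hospital.test (relay.example-hospital.test [192.0.2.20])
        by mx.example-hospital.test with ESMTP id def456;
        Mon, 01 Jan 2024 10:00:01 +0000
Received: from workstation.example-hospital.test ([198.51.100.5])
        by relay.example-hospital.test with ESMTPSA id ghi789
        (version=TLS1_2 cipher=ECDHE-RSA-AES256-GCM-SHA384);
        Mon, 01 Jan 2024 10:00:00 +0000
From: clinician@example-hospital.test
To: claims@example-insurer.test
Subject: Claim documents

(body omitted)
"""

# "with" protocol tokens that indicate the hop was received over TLS
# (RFC 3848 ESMTPS/ESMTPSA, RFC 6531 UTF8 variants, and implicit-TLS SMTPS).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "SMTPS", "UTF8SMTPS", "UTF8SMTPSA"}


def parse_received_hops(raw_message):
    """Return the hops recorded in Received headers, in transmission order.

    Each hop is a dict with the sending host ("from"), receiving host ("by"),
    the protocol token after "with", and a boolean "tls" derived from that
    token or from an explicit "version=TLS..." annotation.
    """
    msg = email.message_from_string(raw_message)
    hops = []
    # Received headers are prepended by each MTA, so the list is newest-first;
    # reverse it to read sender -> recipient.
    for header in reversed(msg.get_all("Received") or []):
        text = re.sub(r"\s+", " ", header).strip()
        from_m = re.match(r"from\s+(\S+)", text)
        by_m = re.search(r"\bby\s+(\S+)", text)
        with_m = re.search(r"\bwith\s+(\S+)", text)
        proto = with_m.group(1).upper() if with_m else ""
        tls = proto in TLS_PROTOCOLS or bool(re.search(r"version=TLS", text))
        hops.append({
            "from": from_m.group(1) if from_m else "",
            "by": by_m.group(1) if by_m else "",
            "with": proto,
            "tls": tls,
        })
    return hops


def plaintext_hops(raw_message):
    """Receiving hosts that accepted the message without TLS."""
    return [hop["by"] for hop in parse_received_hops(raw_message) if not hop["tls"]]


if __name__ == "__main__":
    for hop in parse_received_hops(SAMPLE_MESSAGE):
        status = "TLS" if hop["tls"] else "PLAINTEXT"
        print(f"{hop['from']} -> {hop['by']} ({hop['with'] or '?'}): {status}")
    print("hops without TLS:", plaintext_hops(SAMPLE_MESSAGE))
```

Two caveats apply. Received headers are written by each receiving server, so only the hops operated by your own organization or a trusted partner can be taken at face value; an audit like this shows what happened after the fact and does not enforce anything. Both Google Workspace and Microsoft 365 let an administrator require TLS for mail exchanged with named partner domains rather than silently falling back to plaintext, which addresses transport for those domains but still leaves the message unencrypted once it is at rest in a mailbox.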
A benefit — and potential risk — of Google Workspace and Microsoft 365 is that they provide a broad set of tools and storage options. Beyond email, you have documents, spreadsheets, PDFs and other records that may be stored in numerous locations, on Google Drive or SharePoint, and transmitted both internally and externally. You’ll need to assess the full scope of your organization’s data sharing across these platforms, and whether your current environment is truly secure enough to handle PHI.
HIPAA requires that covered entities and business associates enter into a Business Associate Agreement (BAA) to ensure that PHI is protected in accordance with HIPAA regulations. Google Workspace and Microsoft Office 365 do offer a BAA, but only for certain services and features. If you need to use a service or feature that is not covered by the BAA, you won’t be able to use it to process PHI. Lack of a Business Associate Agreement (BAA) for your email service can put your organization at risk.
With Google Workspace and Microsoft Office 365, you are essentially entrusting your data to a third-party service provider. While they offer some security measures, you may have limited control over your data — particularly how it’s secured and who has access to it. This could put your PHI at risk, especially if the service provider experiences a data breach or security incident. That’s why advanced encryption for Google and Microsoft is best practice for organizations sharing PHI via email or other cloud apps.
As you dial up data control in Google and Microsoft, it’s also important to consider the user experience: you don’t want to introduce hurdles for a provider who needs to share patient data with an insurance company, or make it difficult for a patient to access their own health information. Some advanced client-side encryption offerings, including S/MIME, require cumbersome processes for recipients to access your messages and are not well suited to the average user, patient, or customer. Ease of use is essential to effective user adoption.
Both Google Workspace and Microsoft Office 365 allow you to use third-party apps and integrations, but many of these apps may not be HIPAA compliant. This means that if you use a non-compliant third-party app to process PHI, you could be violating HIPAA regulations, even if you are using a HIPAA-compliant platform like Google Workspace or Microsoft Office 365.
The software supply chain can be tricky to navigate — but when it comes to protecting your patients’ data, a thorough review of all apps and integrations is essential. Compromising patient data can be damaging, not just to the individual, but to your business or practice.
In summary, while Google Workspace and Microsoft Office 365 offer many useful features, they may not provide all the necessary safeguards required by HIPAA regulations. If you are a covered entity or business associate that needs to process PHI, it is important to carefully consider the risks and limitations of your particular package on these platforms and seek out additional HIPAA-compliant solutions as needed.
Compliance regulations like HIPAA have many components, and while no one tool can guarantee full compliance, you can take fast, simple steps to strengthen HIPAA compliance and bring advanced security to your Google Workspace or Microsoft 365 environment with Virtru. Virtru is easy for users (including patients or anyone outside your organization), it’s fast to deploy, and it’s cost-effective for small businesses and enterprises. More than 8,000 organizations trust Virtru, and hundreds of happy customers have left excellent reviews on G2 — so you’ll be in good company.
Virtru can help you bring HIPAA-compliant data protection to your favorite collaboration tools. We’d love to talk with you about your compliance needs and how we can make it as easy and affordable as possible for you to meet your security goals. Contact our team today to schedule a demo and see Virtru in action.
Contact us to learn more about our partnership opportunities.