
Google Workspace is not HIPAA compliant on its own

Many healthcare organizations rely on Google Workspace to run their business and communicate with patients. While Google signs a business associate agreement (BAA), what most practices don’t know is that even with a BAA, sending email through Google Workspace is not HIPAA compliant.


The limitation of Google’s BAA

According to Google's HIPAA implementation guide, "customers are responsible for determining if they are a Business Associate (and whether a HIPAA Business Associate Agreement with Google is required) and for ensuring that they use Google services in compliance with HIPAA." In a nutshell, it is the responsibility of the customer to use Google's services in a HIPAA compliant manner.

Google protects data and information at rest within its ecosystem, meaning that data housed in Google Drive is protected and HIPAA compliant.

However, it does not fully protect data in transit to recipients outside of Google Workspace. The issue lies with Gmail's email encryption: Gmail attempts to send email over an encrypted connection, but if it cannot negotiate one with the receiving server, it may deliver the message unencrypted.

This means there is no guarantee that emails sent with PHI via Google are fully HIPAA compliant.
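The fallback described above can be modelled as a sender-side decision: the receiving server advertises (or does not advertise) STARTTLS in its EHLO response, the TLS handshake succeeds or fails, and the sender's policy decides whether a message goes out in the clear. This is an added illustration, not Gmail's or Paubox's code; the EHLO responses and the host name mx.example.net are constructed, and the policy names "opportunistic" and "enforce" are labels chosen here.

```python
"""Model of opportunistic vs. enforced STARTTLS in an SMTP sender."""
import re

# Constructed EHLO responses, as a receiving mail server might return them.
EHLO_WITH_STARTTLS = (
    "250-mx.example.net Hello\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
EHLO_WITHOUT_STARTTLS = (
    "250-mx.example.net Hello\r\n"
    "250-SIZE 35882577\r\n"
    "250 8BITMIME\r\n"
)


def ehlo_keywords(response: str) -> set:
    """Return the extension keywords advertised in an EHLO response.

    The first line is the server greeting, so it is skipped; every later
    line has the form "250-KEYWORD" or "250 KEYWORD" (last line).
    """
    keywords = set()
    for line in response.splitlines()[1:]:
        match = re.match(r"250[- ](\S+)", line)
        if match:
            keywords.add(match.group(1).upper())
    return keywords


def delivery_decision(ehlo_response: str, tls_handshake_ok: bool, policy: str) -> str:
    """Decide how a sender handles one message given the receiver's capabilities.

    policy "opportunistic": use TLS if available, otherwise deliver in plaintext
                            (the behaviour the article describes).
    policy "enforce":       never deliver without TLS; defer or bounce instead.
    Returns "deliver_tls", "deliver_plaintext" or "not_delivered".
    """
    offers_tls = "STARTTLS" in ehlo_keywords(ehlo_response)
    if offers_tls and tls_handshake_ok:
        return "deliver_tls"
    if policy == "enforce":
        return "not_delivered"
    # Opportunistic fallback: no STARTTLS offered, or the handshake failed.
    return "deliver_plaintext"
```

Only the "enforce" policy guarantees that a message containing PHI is never sent in the clear; an opportunistic sender silently downgrades whenever the receiver does not offer or cannot complete TLS.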


What HIPAA regulations require for email

The HHS says that HIPAA "allows covered health care providers to communicate electronically, such as through email, with their patients, provided they apply reasonable safeguards when doing so."

Email must be encrypted in order to be protected in transit to the recipient. Google does not guarantee that every email sent will be encrypted, and in fact, up to 10% of mail traffic sent via Google is unencrypted.

Failing to encrypt 100% of the emails sent containing protected health information (PHI) is a violation of HIPAA regulations and could lead to a breach and costly penalties.

Related: The definitive guide to HIPAA compliant email


A disclaimer doesn’t make email compliant

Some practitioners mistakenly believe that they can include a disclaimer in their email and be HIPAA compliant. Having a written disclaimer in an email does not satisfy the HIPAA requirement that emails must be protected in transit to the recipient.

Disclaimers alone aren’t enough—sending PHI without proper encryption can result in a HIPAA violation.


The solution

Add a service like Paubox to guarantee that sent email is HIPAA compliant.

Paubox automatically encrypts all outgoing emails, including calendar invites, file shares, and attachments. It seamlessly integrates with Google Workspace, making it easy to use Google’s features while remaining HIPAA compliant.

Using Google Workspace without the added security of HIPAA compliant email leaves healthcare organizations at risk of being non-compliant and subject to costly fines. With Paubox, organizations can eliminate that risk.

Related: HIPAA compliant email for small practices
