Google Workspace (formerly known as G Suite) is a suite of cloud-based productivity and collaboration tools offered by Google. The suite includes services such as Gmail, Google Drive, Google Docs, Google Sheets, Google Slides, Google Calendar, Google Meet, Google Keep, and others.
Individuals, teams, and organizations use these tools to communicate, store, and manage data and documents, and collaborate on projects. While these services are useful for many businesses, healthcare organizations must meet HIPAA requirements when using them to handle protected health information (PHI).
Is Google Workspace HIPAA compliant? Yes, based on our research, Google Workspace can be HIPAA compliant but how does it compare to Paubox for HIPAA compliant email?
Will Google Workspace sign a business associate agreement (BAA)?
Yes, Google Workspace will sign a business associate agreement, which can be reviewed here.
What does the Google Workspace BAA cover?
The Google BAA covers the use and disclosure of protected health information (PHI), stating, “All users can access this subset of Core Services for use with PHI under the BAA as long as the health care organization configures those services to be HIPAA compliant: Gmail, Calendar, Drive, Gemini for Google Workspace, Google Chat, Google Meet, Keep, Google Cloud Search, Google Voice, Sites, Google Groups, Jamboard, Cloud Identity Management, Tasks, and Vault."
However, while Google Workspace can be used in a HIPAA compliant manner, there are limitations and signing the BAA does not make Google Workspace fully HIPAA compliant on its own. The main issue lies in email encryption. Although Gmail attempts to use TLS to secure emails in transit, the connection isn’t always secure if the recipient’s server doesn’t support TLS. In such cases, Gmail may deliver the message unencrypted—a clear risk for organizations handling PHI. Google does offer a setting to enforce TLS, but this can result in bounced emails if the recipient’s server doesn’t comply, disrupting communication.
Additionally, Google Workspace supports older versions of TLS, like 1.0 and 1.1, which are no longer considered secure. This poses another challenge for organizations trying to maintain HIPAA compliance.
Be fully compliant with Paubox Email Suite
Paubox Email Suite is specifically designed for healthcare organizations looking to simplify HIPAA compliant communications. Unlike other email solutions that require portals for secure messages, Paubox delivers encrypted emails directly into the recipient's inbox, maintaining a seamless user experience.
Paubox provides HITRUST CSF certified solutions, ensuring that email encryption is handled seamlessly. If a secure connection cannot be established, Paubox automatically reroutes the message to its Secure Message Center, ensuring no message is sent unencrypted or bounced.
Paubox supports only secure versions of TLS, further ensuring that your communications meet modern security standards. This ease of use, combined with an extra layer of security, is why many healthcare organizations rely on Paubox to complement their existing Google Workspace setups.
Conclusion
While Google Workspace offers a BAA and attempts to secure email communications, it falls short in several areas, including encryption in transit and at rest. For organizations that need to ensure full HIPAA compliance, Paubox offers a solution that seamlessly integrates with Google Workspace and eliminates the risk of sending unencrypted emails.
Learn more: HIPAA Compliant Email: The Definitive Guide
FAQS
What is a business associate agreement?
A business associate agreement (BAA) is a legally binding contract establishing a relationship between a covered entity under the Health Insurance Portability and Accountability Act (HIPAA) and its business associates. The purpose of this agreement is to ensure the proper protection of personal health information (PHI) as required by HIPAA regulations.
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) sets national standards for protecting the privacy and security of certain health information, known as protected health information (PHI).
HIPAA is designed to protect the privacy and security of individuals’ health information and to ensure that healthcare providers and insurers can securely exchange electronic health information. Violations of HIPAA can result in big fines and penalties for covered entities.
Who does HIPAA apply to?
HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity.
Farah Amod
