As it relates to providing HIPAA compliant email service, we originally compared Google Workspace to Paubox in 2018.
In our initial review, we found the Google Workspace business associate agreement did not include the actual transmission of email across the internet as being in scope.
Now that it’s 2023, perhaps Google Workspace has changed its stance or scope on providing HIPAA compliant email service. As such, we’ll revisit the question: What’s the difference between Google Workspace and Paubox for HIPAA compliant email?
See related: Is Microsoft 365 HIPAA compliant? (2023 update)
About Google Workspace
Google Workspace (formerly known as G Suite) is a suite of cloud-based productivity and collaboration tools offered by Google. It includes services such as Gmail, Google Drive, Google Docs, Google Sheets, Google Slides, Google Calendar, Google Meet, Google Keep, and others.
These tools can be used by individuals, teams, and businesses to communicate, store, and manage data and documents, and collaborate on projects.
About Paubox Email Suite
Paubox Email Suite is for healthcare organizations seeking to remove friction from their HIPAA compliant communications. Paubox Email Suite is a cloud-based solution that provides a seamless user experience for both senders and recipients of secure email.
Unlike incumbent solutions that force recipients to login to a portal to read a secure message, the Paubox solution allows the recipient to read a secure email in their inbox, just like a normal message.
Paubox launched in 2015 and currently has over four thousand customers in all 50 states.
Is Google Workspace HIPAA compliant?
There’s a primary item to consider when it comes to Google Workspace and its ability to provide a HIPAA compliant service.
First, let’s start with a quick recap of terms. The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that protects the privacy of individuals’ personal health information, otherwise known as protected health information (PHI).
As we’ve previously discussed, HIPAA applies to covered entities, which includes healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity.
A business associate agreement (BAA) is a written contract between a covered entity and a business associate. It is required by law for HIPAA compliance and is considered the primary item to consider when it comes to Google Workspace and its ability to be HIPAA compliant.
In the case of Google Workspace, the service would certainly fall into the category of business associate if it’s servicing customers that would store, process, or transmit PHI on its platform.
We googled Google’s site and found their BAA: G Suite HIPAA Business Associate Amendment. From there, we eventually found the Google HIPAA Implementation Guide, which is an informational guide that Google makes available describing how customers can configure and use Google services to support HIPAA compliance.
Google’s HIPAA Implementation Guide
Within Google’s HIPAA Implementation Guide, the first section to pay attention to is called HIPAA Included Functionality.
This page states:
“As of July 21, 2020, The following functionality is Included Functionality under the applicable HIPAA Business Associate Addendum:
Gmail, Calendar, Drive (including Docs, Sheets, Slides, and Forms), Apps Script, Keep, Sites, Jamboard, Google Chat, Google Meet, Google Voice (managed users only), Google Cloud Search, Cloud Identity Management, Google Groups, Google Tasks and Vault (if applicable).”
As we can see, Gmail is included in the Google Workspace BAA.
The next section within the Google HIPAA Implementation Guide to pay attention is called:
What to consider for specific Google Workspace Core Services
Scrolling down a bit, we find the sub heading called Gmail. The HIPAA guidance here is vague, as Google only makes two claims about Gmail and HIPAA compliance:
- Intended recipients. “Gmail provides controls to help users ensure that messages and attachments are only shared with the intended recipients.”
- BCC field. “If Gmail is used to email groups of individuals or mailing lists, users are advised to use the ‘Bcc:’ field instead of the ‘To:’ field so recipients of the email are hidden from each other.”
It should be noted there is a complete absence of two basic tenets of HIPAA compliant email:
- How is the email encrypted in transit?
- How is the email encrypted at-rest?
Google’s Best practices and data privacy
In an effort to gain clarity about the ability of Google Workspace to provide encrypted, HIPAA compliant email while it transits the internet, we eventually found a Google Support page called Best practices and data privacy.
From there, we found a page called Security checklist for medium and large businesses. Scrolling down a bit, we found an expandable section called Gmail (Google Workspace only). Once expanded, we found a checkbox labeled Enforce TLS with your partner domains. Bingo. We found the setting we’re looking for:
To learn more about this checkbox, we clicked Require mail to be transmitted via a secure (TLS) connection.
From there, we found several nuggets of useful info:
- Not all email is encrypted. “By default, Gmail always tries to use a secure TLS connection when sending email. However, a secure TLS connection requires that both the sender and recipient use TLS. If the receiving server doesn’t use TLS, Gmail still delivers messages, but the connection isn’t secure.”
- Enforcing strict TLS encryption results in missing email. “Add the Secure transport (TLS) compliance setting to always use TLS for email sent to and from domains and addresses that you specify.” If this setting is enabled, here’s what happens:
- Outgoing email. “Messages aren’t delivered, and will bounce. You’ll get a non-delivery report. Gmail makes only one attempt to send messages over a non-TLS connection.”
- Incoming email. “Incoming messages from non-TLS connections are rejected without any notification to you. The sender gets a non-delivery report.”
- Google allows insecure versions of TLS. “Google Workspace supports TLS versions 1.0, 1.1, 1.2, and 1.3.” As we’ve seen from guidance issued by the NSA in 2021, TLS versions 1.0 and 1.1 are insecure. In fact, NSA is on the record as stating:
- “The National Security Agency (NSA) emphatically recommends replacing obsolete protocol configurations with ones that utilize strong encryption and authentication to protect all sensitive information.”
See related: Paubox eliminates obsolete TLS protocols, follows NSA guidance
Is Paubox HIPAA compliant?
Paubox was built around the Paubox Foundations, three big ideas, and a mission to become the market leader for HIPAA compliant communication.
Paubox provides a BAA for all paid and freemium customers.
In addition, the following solutions are HITRUST CSF certified:
While an official HIPAA compliance certification does not exist, it’s widely acknowledged HITRUST CSF is the closest thing to it. Not only is Paubox HIPAA compliant, but its solutions are also HITRUST CSF certified.
Paubox was built using patented technology whereby if a secure connection cannot be established to the receiving mail server, Paubox automatically detects this and then converts the message (plus any attachments) to the Paubox Secure Message Center. The recipient then needs only a single extra click to secure access the message.
In other words, the email is not bounced, rejected, or sent unencrypted, as is the case with Google Workspace’s built-in encryption settings.
In addition, Paubox supports only secure versions of TLS. Following the aforementioned NSA guidance, here’s a list of security protocols supported by Paubox:
- SSL v2 (Not Supported)
- SSL v3 (Not Supported)
- TLS 1.0 (Not Supported)
- TLS 1.1 (Not Supported)
- TLS 1.2 (Supported)
- TLS 1.3 (Supported)
Both Google Workspace and Paubox offer HIPAA compliant email services for organizations.
While Google Workspace provides a wide array of services that fall in scope of its BAA, its encrypted email component falls short in the following areas:
- By default, Google Workspace’s Gmail will attempt to make a secure connection to the receiving email server, but if a secure connection cannot be established, it will send the message unencrypted. This is not a HIPAA best practice.
- While Google Workspace can be configured to require a secure connection, messages to your recipients whose email addresses do not support encryption will not be delivered. They will be bounced or rejected.
- Insecure versions of TLS are allowed. As we’ve covered, Google Workspace supports TLS versions 1.0, 1.1, 1.2, and 1.3. As mentioned however, it’s widely known that TLS versions 1.0 and 1.1 are insecure and should not be allowed.
Paubox Email Suite can be quickly configured to integrate and complement Google Workspace.
The extra layer of security (HITRUST CSF certified), ease of use, and peace of mind are the reasons why thousands of customers choose to Paubox to supplement Google Workspace.