When it comes to providing cloud software for businesses, Google’s suite of applications is massively popular. Earlier this year, Google Marketplace—which encompasses Gmail, Google Docs, Google Sheets, and other productivity tools — surpassed 2 billion monthly active users, put it in a solid second place behind business software behemoth Microsoft.
While most people are familiar with the browser-based versions of Google tools, however, Google also offers deeper integration of its servers through the Google Workspace API, also known as the G Suite API.
UPDATE: In April 2020, in connection with the COVID-19 pandemic, the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) announced the Notification of Enforcement Discretion, which allows healthcare providers to use widely available communication apps, such as [name of the app], for telehealth services without the risk of incurring HIPAA fines. For more information, check out this recent Paubox blog post.
What is the Google Workspace API?
An API is an Application Programming Interface, and it provides software developers with the ability to connect Google’s software directly to their own. This allows for the consolidation of services through a single interface, rather than requiring users to log into different websites to use different tools.
The Google Workspace API supports Gmail, Google Docs, Google Drive, Google Calendar, and Google Sheets, Slides, and Tasks.
Much of Google’s own software, provided to and accessed directly by healthcare professionals, can be HIPAA compliant. But what about external programs that use the API?
Is the Google Workspace API HIPAA compliant?
For healthcare facilities and companies with their own software development teams, the Google Workspace API is a compelling option. The fewer systems that employees need to access, the fewer security endpoints there are to be exposed and exploited.
Given the information that hospitals, clinics, and healthcare workers handle on a day-to-day basis, HIPAA compliance is a must to ensure data and systems are kept as secure as possible.
The closest record we could find suggesting the Google API is compliant is a Digital Marketplace entry provided by the UK government, which simply says “Yes” for the Google Workspace API, its documentation, and its test environments.
Unfortunately, Google itself does not expressly describe the G Suite API, or Google Workspace API, as HIPAA compliant in its documentation.
Indeed, Google has a simple page to summarize HIPAA Included Functionality for its services, As of July 21, 2020, it lists “Gmail, Calendar, Drive (including Docs, Sheets, Slides, and Forms), Apps Script, Keep, Sites, Jamboard, Hangouts (chat messaging feature only), Google Chat, Google Meet, Google Voice (managed users only), Google Cloud Search, Cloud Identity Management, Google Groups, Google Tasks and Vault.”
The G Suite API, or Google Workspace API, is not mentioned.
Because Google does not expressly list its API among the HIPAA compliant functions it provides, it is prudent to assume that the Google Workspace API is not HIPAA compliant.
Software developers looking for an API to plug into HIPAA compliant email systems built specifically for covered entities should instead consider the Paubox Email API, which has already been implemented by many healthcare businesses.
The Paubox Email API allows healthcare applications to send transactional emails at scale. The HITRUST CSF certified product allows patients to receive encrypted emails directly to their inboxes—no passwords or portals required. It’s also easy to implement with clear documentation for software developers.