Google Apps – specifically the paid versions of Gmail, Google Drive, and Google Calendar — has started offering the precious HIPAA Business Associate contracts we health care folks need for our HIPAA compliance. This is a significant paradigm shift and one that heralds many more, I’m sure. Before the 2013 HIPAA Omnibus Rule, you could barely find a producer of consumer-level software who was willing to sign a HIPAA business associate contract.
HIPAA Business Associates are third parties who handle your protected health information on your behalf. Examples are billing services and cloud-based electronic health record providers. If you use such a company without a Business Associate contract, that’s a HIPAA violation. (Need more? See “What is a HIPAA Business Associate Agreement?”)
Many clinicians have long been using Gmail to trade emails with clients. The transmission security issues of emailing with clients can be addressed by informed consent, with some caveats. (Huggins, 2013) (See our article on client consent to receive email for details.) However, even clinicians who acquired this consent may have been in violation of the Business Associate rule because the emails and contact information stored on Google’s servers are accessible to Google, thus causing Google to become the clinician’s HIPAA Business Associate. The fact that Google will now offer us a Business Associate contract is a significant coup for American health care professionals.
Notable Limitations to the Agreement
One way that Google defines the specifics is to limit the Business Associate contract to only Gmail, Google Drive, and Google Calendar. When you sign Google’s agreement, you agree not to use any of the other Apps services with your account. This means you couldn’t use Google+ or a bevy of other useful services with your health care business account.
Update 11/19/2013: Seth Krieger points out in the comments that Google Docs is a part of Google Drive. So effectively you can get the BA contract for Google Docs, as well. See Google’s info on Drive here.
So the Paid Versions of Gmail, Drive, and Calendar are HIPAA Compliant Now?
It is very important to remember that products and services are never “HIPAA compliant.” Rather, you are compliant or not compliant. For more, I recommend Rob Reinhardt’s article, Your Software and Devices Are Not HIPAA Compliant.
In this case, I’m not just being pedantic. If we try to apply the label of “HIPAA compliance” to the paid versions of Gmail, Drive, and Calendar – even with the new offering of Business Associate contracts – I would be forced to deem them not “HIPAA Compliant.” I will discuss more details below, but an important point to consider is that none of these services currently seem to secure the information on Google’s servers using encryption. Additionally, an errant click of a button can cause protected health information kept in Drive or Calendar to be shared with other Google users who do not have Business Associate contracts with Google.
Can you avoid those problems by intentional planning around how you use Gmail, Drive, and Calendar? You sure can! That is why compliance rests on you, and it’s a good thing that it does. If it didn’t, we would probably be stuck being unable to use even these enhanced Google services.
HIPAA requires that we conduct a risk analysis and, based on that analysis, create a risk management plan and policies for keeping our clients’ confidential information secure. The fact that Google will now give us a Business Associate contract for the paid version of Apps means that such a risk management plan can reasonably include Gmail, Drive and Calendar.
How Much Does The Paid Service Cost?
At the time of writing, the basic Apps for Business service is $5/month for each user account. The Premium version is $10/month for each user. The premium version includes Google Vault, which is a service that helps you make sure you can retain old data that you’ve had in your Apps account. It also allows administrators some extra empowerment for managing the way the Apps account is used by staff.
Why Would I Want the Premium Service?
The premium service includes something that provides a great boon to your HIPAA compliance efforts: audit trails.
HIPAA requires that we be able to track “security incidents” in the software we use to handle protected health information. Many of us gloss over this requirement because of the financial and skills-based costs involved. For an extra $5/month, however, you can have audit trails in your Google Apps account.
The desirability of audit trails is best illustrated through a scenario:
Sam is a therapist who communicates with clients via Gmail. He accesses Gmail on his Android smartphone and on his home computer. One day, Sam’s phone is stolen. After some stressful hours, he is able to determine that it has been lost for good. However, he was prepared ahead of time and the phone has an app that allows him to delete the phone’s contents remotely. So he activates this feature, and the phone’s contents are deleted, rendering all the information on it inaccessible to the thief.
But what about those few hours before he wiped the phone when the thief had it in his possession? Did the thief read Sam’s emails? If he did, then Sam will be required by the HIPAA Breach Notification Rule to inform all his clients and the federal government that his phone was stolen and their confidentiality may have been breached.
Once again, Sam was prepared ahead of time. He has the premium version of Gmail for business, and is able to get a full log of all the times that anyone logged in to and viewed his Gmail account. He can see from the log that no one viewed his Gmail account during the time that the phone was lost. So he can say with confidence that there was no breach of protected health information. If he had not been able to prove that no breach occurred, the Breach Notification Rule would have required him to report the phone’s loss.
To be sure, Sam’s relieving outcome in the above scenario is predicated on the idea that access to his Gmail account is the only protected health information on his phone, and that none of his emails are stored on the phone itself.
Update: We are building a workbook to gently and thoroughly guide mental health clinicians through the risk analysis process. See more information about the HIPAA Security workbook here.
So Google Will Sign a BA Contract, But Are These Services Actually Secure?
The HITECH Act of 2009 made Business Associates legally required to comply with the HIPAA Security and Privacy Rules just like HIPAA covered entities are required to do. The 2013 HIPAA Omnibus Rule only added more teeth to this requirement. So one could say that Google’s Apps service had better be secure or they could find themselves in a world of trouble if security breaches start happening.
We don’t have to leave it there, however. Google claims that they hold a number of well-respected security certifications, (Google, HIPAA Compliance with Google Apps, n.d.) and their Data Processing Amendment to the Google Apps Enterprise Agreement lays out a number of ways in which they promise to protect the information held in Google Apps against security breaches. (Google, Data Processing Amendment to Google Apps Enterprise Agreement, n.d.)
In the end, however, Google is only promising to do what they are required to do: protect the data within its network. There are still ways that security breaches could result if the Apps, especially Gmail, are misused by a clinician or the clinician’s staff or helpers. This is why purchasing services like Google Apps for Business cannot replace the required Risk Analysis standard of HIPAA. It can certainly provide a good solution for your risk management plan and useful tools for implementing your security and privacy policies, however.
What Do I Need To Know About Each Apps Service?
There are some vulnerabilities in these services that I believe should be pointed out. Once again, all these can be dealt with through proper risk analysis and security policies and procedures. Also, the manner in which you use each of these services could create more vulnerabilities or even ameliorate the ones I mention below. Please use the following examples as a starting point for your own analysis of the risks in each of these services.
The main point of this article is that a significant sticking point in using Google Apps has classically been the Business Associate relationship. Google’s willingness to sign BA contracts has cleared that sticking point and represents taking responsibility for their side of the security equation, leaving us with the flexible and useful process of analyzing security vulnerabilities and managing risks.
One thing that is common to all the Apps is the fact that Google supplies a secured Internet connection to you when you are interfacing with these services. This protects your data while it is traveling across the dangerous hinterlands of the Internet en route between you and Google’s data centers. That security is only for the travel (called “transport”) of the data, however, like an armored car that drops its cargo off once it arrives at the destination. It does not mean anything about how the data is protected after that point.
Gmail
It is very useful that Google is taking on responsibility, through signing a BA contract, of safeguarding the emails and contacts kept in their Gmail servers.
The rub is that Gmail is still plain old email. So even though Gmail gives you a secured connection for when you interact with the Gmail software, the emails you send to other people are still sent through the same old unsecure email network. For details, see our article Is Gmail HIPAA Compliant?.
Update: We also offer our sample Consent for Nonsecure Communications (e.g. email) forms to our newsletter subscribers. Subscribe to our newsletter here to get access to these and other useful forms.
So not only are the emails that you send to your clients left without security through the Internet hinterlands, but they also land in your clients’ Inboxes, where you cannot guarantee their security.
All is not lost, however. Clients who wish to receive email from their therapists, and still wish to receive them after being informed of the risks, can consent to receiving them. (Huggins, 2013) See our article on email and consent for important details and caveats. If solid consent is in place, and all caveats to that consent are covered, the big issue that typically remains is the Business Associate relationship with Google. Since we can now get that BA contract from Google, that issue can be dealt with.
One important note: I would still not advise anyone to use Gmail as a tool for an email-based telehealth practice. For email therapy, it is highly advised that you use an encrypted email system or other secure messaging system.
Google Drive
Google Drive is a cloud-based storage system that is similar to Dropbox in many ways. It allows not only backups of data but also sharing of the data you keep in Drive.
At present, my understanding is that data kept in Drive is not encrypted. So long as Google keeps safeguarding the network, this could be acceptable. Bruce Gale, PhD also notes that clinicians can encrypt their files using a number of software packages before uploading to Drive. That would provide additional protection for the files.
Another concern is the wonderful-but-potentially-risky feature of Drive wherein users of Drive can share files with each other and collaborate on Google-created documents. Personally, I have many shared folders in my Drive account and I can barely keep track of which Drive account each file originally comes from. I imagine that sharing files from your BA contracted Drive account with a non-BA contracted Drive account could create a HIPAA violation. If you have anyone working for your practice, this is one to specially look out for in security policies and employee training.
Google Calendar
I see the vulnerabilities here as being similar to those of Drive. Once again, my understanding is that the contents kept on Calendar are not encrypted. Once again again, this could be acceptable so long as Google keeps protecting the network.
Also, Calendar allows extensive sharing of calendar items. For example, I can synchronize many people’s Google calendars in my iPhone’s calendar software. Be cautious of how you use this sharing service, as a misuse of this feature by clinicians is not something Google is promising to safeguard against.
Privacy Issues
The free version of Gmail uses the emails that pass through it to gather data about how to target advertising at Gmail’s users. Many have pointed out that this is a privacy concern for therapists. My understanding is that the paid version of Gmail does not have advertising and does not mine your emails for data.
There are also questions of Google providing data to government intelligence agencies. Rumors are going around that Google may start encrypting the contents of Drive in order to help ameliorate this concern. (Yirka, 2013)
Resources
- Google Apps for Business
- “HIPAA Compliance with Google Apps”
- Roy Huggins’ Consulting Services, which includes Risk Analysis consulting
- Update: We are building a workbook to gently and thoroughly guide mental health clinicians through the risk analysis process. See more information about the HIPAA Security workbook here.
References
- Google. (n.d.). Data Processing Amendment to Google Apps Enterprise Agreement. Retrieved Nov 17, 2013, from Google Apps: https://www.google.com/intx/en/enterprise/apps/terms/dpa_terms.html
- Google. (n.d.). HIPAA Compliance with Google Apps. Retrieved Nov 17, 2013, from Google Apps Documentation & Support: https://support.google.com/a/answer/3407054?hl=en
- Huggins, R. (2013, October). Clients Have the Right to Receive Unencrypted Emails Under HIPAA. Retrieved October 17, 2013, from Person-Centered Tech: https://personcenteredtech.com/2013/10/clients-have-the-right-to-receive-unencrypted-emails-under-hipaa/
- Semel, M. (2013, Oct 15). HIPAA Business Associate Avoidance and Google Update. Retrieved Nov 17, 2013, from HITECHAnswers: http://www.hitechanswers.net/hipaa-business-associate-avoidance-google-update/
- Yirka, B. (2013, Jul 19). Google reportedly working on encrypting user files on Google Drive. Retrieved Nov 17, 2013, from Phys.org: http://phys.org/news/2013-07-google-reportedly-encrypting-user.html
You include Google Docs in the other services that are not covered by the new Google BAA. There is no longer a Google Docs product per se. The old Docs functionality has been incorporated into Google Drive, so that functionality would, in fact, be covered by the BAA. Try it yourself by navigating to docs.google.com. You will find that you are automatically re-directed to drive.google.com.
Seth, you are quite right. Thanks so much for catching that. The article has been updated.
thanks for the article. by the way you dont need Google Apps to check for last account activity, its available for any gmail inbox.
https://support.google.com/mail/answer/45938?hl=en
Hi Nathan,
Yes, indeed, you can see *recent* activity with the free account. For security audits, you may need to be able to look further back.
Thanks for commenting!
In defining who is one’s BA you might use the phrase ‘non-employee” who receives one’s Protected Health Information and uses it for one’s benefit.
Just and idea.
Hi Ed,
Thanks for the suggestion. I do like the simplicity of your phrasing. I tend to be a perfectionist about these things, however. :) There are a number of non-employees who receive PHI that are not necessarily BAs, such as a contractor who works in your office. Also, the description doesn’t really cover the conduit exception, which is a very important one for many analyses of BA status.
Of course, my description doesn’t really cover the conduit exception, either, so I guess that’s a wash. :)
Anyone have thoughts/experience with CipherCloud? It looks promising, but also maybe cost prohibitive for small practices…
Besides Google Hipaa compliant email program, what other Hipaa compliant email programs are available for Health Providers to look at?
Is Google the best of all the offerings? Please advise.
We are a small radiology practice. So we are looking for a company that is not cost prohibitive
Micorsoft 365 offers similar services to Google Apps for Business.
I also have a list of secure email services here: http://zurinstitute.com/hipaasecurity_resources.html#email
If you need further assistance, I do offer short and long consultation services: https://personcenteredtech.com/web-consulting-services-and-fees/consulting-for-mental-health-professionals/
Roy, this is a great article. I really appreciate you researching this and writing about it for all of us non-techies. I have been debating for the last month or whether or not to register for a business account through google apps.
Does anyone have any complaints yet? I have been thinking about using the calendar function (since I got a new cell phone) to sync between devices. Does anyone know if the calendar will email clients to remind them of their appointments?
I don’t believe it does that, no.
We have been using Google Apps for Business since 2009 and love it. Nevertheless, the Google product is meant for internal communication. There are companies like Televox that handle appointment reminders, based on appointment information that you send to their system each day. That would most likely come from your practice management system. I can’t see Google Apps taking the place of such software.
– Seth Krieger, Ph.D.
President, Synergistic Office Solutions, Inc.
http://www.sosoft.com
Google announced that they will now require connections to Gmail and between Google data centers to be encrypted (https). Does this mean that you can be HIPAA compliant using the free Gmail?
Hi Greg,
A Business Associate Agreement would still be required, because Google can still view the emails. You need the business version of Gmail for that.
I have seen your consent forms for “Transmission of Protected Health INfo by Non-Secure Means”, which covers email and phone texting. Do you have a separate consent form for video conferencing with patients using a secure product like Vsee ?
Hi David,
No, I don’t. What you’re looking for there is documents for informed consent for telehealth. That’s a more complicated affair.
Thank you so much for the article. It was very helpful.
Thank you for this article. Does that mean that my addresses are not protected? How do I protect them as i have client contact information in my address book on my i-phone
Hi Mary,
I can’t really answer your question without more details, and it sounds like you need a more formal consult?
This article could be helpful: https://personcenteredtech.com/2013/08/iphones-ipads-and-hipaa-compliant-practice-locking-down-your-apple-device/
I also do short or long consults to help answer questions like this one: https://personcenteredtech.com/web-consulting-services-and-fees/consulting-for-mental-health-professionals/
You may also find my monthly webinar series to be useful: https://personcenteredtech.com/training/ce-program-offerings/heart-centered-hipaa-and-ethical-security-for-client-and-clinician-protection-level-i-ii/
Seth, I agree with you. I doubt GAB will become a practice management solution on par with the various dedicated solutions out there.
I also see what you mean when you say GAB is meant for internal communication. With the way Google’s network is setup, it is well suited to that. It can still be leveraged for external communication with the right precautions, however, and for organizations that don’t need something heavier duty (e.g. solo mental health private practices.)
Does this apply to Google Voice at all? I use a google voice phone number for my business, but need to make sure I can still be HIPAA compliant while doing so.
BTW, thank you for this information! I am so relieved that it is possible to use gmail and be HIPAA compliant!
-Jocelyn
Unfortunately, the BAA doesn’t cover Google Voice. Sorry.
Is there anyway to use Google Voice in an appropriate way or is it something we should rule out altogether? How is it different from using a typical cell number? Currently, I do not use it for texting with client and the e-mails generated go to my GAB account. Is it a risk that can be managed through informed consent? Thank you for your help!!
~Amanda
Google Voice isn’t covered by the BAA, and you would probably need one because Voice is a VoIP service. So Google Voice is largely out for use with protected health information if you’re a HIPAA covered entity.
Would I be HIPPA compliant if I use Google Drive with a BAA to store client progress notes and other clinical documentation?
Thank you in advance.
Not by itself. You absolutely could no be compliant if you *didn’t* have the BAA, but having the BAA alone is not the whole compliance picture.
I deeply recommend reading these discussions at our LinkedIn group. This questions has been discussed at length there:
A lot of these problems are solved by using a comprehensive EHR program that is HIPAA compliant. We just switched over to one and no longer use any of the aforementioned apps (and even when we did we made sure to expunge identifying information!!!)
That is very true. Many practice management systems these days are doing a great job of providing things like secure messaging with clients. Those systems aren’t ideal for every practice, tho!
On page 141 of his book Boundaries in Pyschotherapy, Ofer Zur (of the Zur Institute referenced earlier) gives an example of an informed consent paragraph that I think would be very clear to any client.
Yes, I know the one! There is a challenge for professional counselors, however, in that the ACA code of ethics requires that we counsel clients regarding risks of email. Even a very clear risk statement is not sufficient for us to do our ethical duty in this case.
Roy, I recently upgraded to the paid version of Google Apps for business. I’ve reviewed and signed Data Processing Amendment, EU Model Contract Clauses and the HIPAA Business Associate Amendment. I’ve received acceptance for each agreement.
Is there anything else I should know as far as security goes? I’ve been looking at Simple Practice and TheraNest. However, I’ve chosen to use Google Drive for Business for now. I do want to make sure I’m doing everything necessary to assure security and reliability.
Any suggestions you have will be appreciated.
Thanks!
Chuck
Hi Chuck,
Well, that’s a lot to pack into a blog comment. :) The basic stuff I have to say about it is all in this article. For further exploration, I’d need to talk through with you what you’re doing. I assume you know about our subscription-based guidance service?: https://personcenteredtech.com/person-centered-tech-support/
Roy, I notice you have a $45 every three month service. Is that the service you are referring? It would be easier to talk through. Let me know which of the subscription services would be most helpful. Thanks, Chuck
Yep, that service has the quarterly and yearly membership rate. That’s the one I’m talking about. If you want to also do 1-1 consulting, the yearly membership will get you a pretty large discount on 1-1 consulting. We might be able to get your questions answered through Office Hours, tho, without 1-1 consulting.
It looks like this audit feature is covered in the basic Google Apps for Work account now, right? From the home page, go to Reports > Audit
Yep!
Got it. So security-wise, you’re not seeing any added benefit to upgrading the plan then, right?
Actually, there is a security advantage to upgrading to the plan with Vault.
Thanks!
OK. That seems to be a good feature too. So Vault retains copies regardless of whether a user deletes a file, email, chat session, etc.?