Google Apps (specifically the paid versions of Gmail, Google Drive, and Google Calendar) has started offering the precious HIPAA Business Associate contracts we health care folks need for our HIPAA compliance. This is a significant shift and one that heralds many more, I’m sure. Before the 2013 HIPAA Omnibus Rule, you could barely find a producer of consumer-level software who was willing to sign a HIPAA Business Associate contract.
HIPAA Business Associates are third parties who handle your protected health information on your behalf. Examples are billing services and cloud-based electronic health record providers. If you use such a company without a Business Associate contract, that’s a HIPAA violation. (Need more? See “What is a HIPAA Business Associate Agreement?”)
Many clinicians have long been using Gmail to trade emails with clients. The transmission security issues of emailing with clients can be addressed by informed consent, with some caveats. (Huggins, 2013) (See our article on client consent to receive email for details.) However, even clinicians who acquired this consent may have been in violation of the Business Associate rule because the emails and contact information stored on Google’s servers are accessible to Google, thus causing Google to become the clinician’s HIPAA Business Associate. The fact that Google will now offer us a Business Associate contract is a significant coup for American health care professionals.
Notable Limitations to the Agreement
The most notable limitation is scope: Google restricts the Business Associate contract to Gmail, Google Drive, and Google Calendar. When you sign Google’s agreement, you agree not to use any of the other Apps services with your account. This means you couldn’t use Google+ or a bevy of other useful services with your health care business account.
Update 11/19/2013: Seth Krieger points out in the comments that Google Docs is a part of Google Drive. So effectively you can get the BA contract for Google Docs, as well. See Google’s info on Drive here.
So the Paid Versions of Gmail, Drive, and Calendar are HIPAA Compliant Now?
It is very important to remember that products and services are never “HIPAA compliant.” Rather, you are compliant or not compliant. For more, I recommend Rob Reinhardt’s article, Your Software and Devices Are Not HIPAA Compliant.
In this case, I’m not just being pedantic. If we try to apply the label of “HIPAA compliance” to the paid versions of Gmail, Drive, and Calendar, even with the new offering of Business Associate contracts, I would be forced to deem them not “HIPAA Compliant.” I will discuss more details below, but an important point to consider is that none of these services currently appear to encrypt the information at rest on Google’s servers; the encryption Google provides covers the connection between you and Google, not the stored data. Additionally, an errant click of a button can cause protected health information kept in Drive or Calendar to be shared with other Google users who do not have Business Associate contracts with Google.
Can you avoid those problems by intentional planning around how you use Gmail, Drive, and Calendar? You sure can! That is why compliance rests on you, and it’s a good thing that it does. If it didn’t, we would probably be stuck being unable to use even these enhanced Google services.
HIPAA requires that we conduct a risk analysis and, based on that analysis, create a risk management plan and policies for keeping our clients’ confidential information secure. The fact that Google will now give us a Business Associate contract for the paid version of Apps means that such a risk management plan can reasonably include Gmail, Drive and Calendar.
How Much Does The Paid Service Cost?
At the time of writing, the basic Apps for Business service is $5/month for each user account. The Premium version is $10/month for each user. The premium version includes Google Vault, a service that helps you retain and search old data you have kept in your Apps account. It also gives administrators additional controls over how staff use the Apps account.
Why Would I Want the Premium Service?
The premium service includes something that provides a great boon to your HIPAA compliance efforts: audit trails.
HIPAA’s Security Rule requires audit controls: we must be able to record and examine activity in the systems we use to handle protected health information, so that we can identify and respond to “security incidents.” Many of us gloss over this requirement because of the financial and skills-based costs involved. For an extra $5/month, however, you can have audit trails in your Google Apps account.
The desirability of audit trails is best illustrated through a scenario:
Sam is a therapist who communicates with clients via Gmail. He accesses Gmail on his Android smartphone and on his home computer. One day, Sam’s phone is stolen. After some stressful hours, he is able to determine that it has been lost for good. However, he was prepared ahead of time and the phone has an app that allows him to delete the phone’s contents remotely. So he activates this feature, and the phone’s contents are deleted, rendering all the information on it inaccessible to the thief.
But what about those few hours before he wiped the phone when the thief had it in his possession? Did the thief read Sam’s emails? If he did, then Sam will be required by the HIPAA Breach Notification Rule to inform all affected clients and the federal government (the Department of Health and Human Services) that his phone was stolen and their confidentiality may have been breached.
Once again, Sam was prepared ahead of time. He has the premium version of Gmail for business, and is able to pull a log of every login to his Gmail account, with the time of each one and the address it came from. He can see from the log that no one logged in to his Gmail account during the time that the phone was lost. So he can say with confidence that there was no breach of protected health information. If he had not been able to show that no breach occurred, the Breach Notification Rule would have required him to report the phone’s loss.
To be sure, Sam’s relieving outcome in the above scenario is predicated on the idea that access to his Gmail account is the only protected health information on his phone, and that none of his emails are stored on the phone itself. Two caveats follow from that. A mail app that was already signed in does not generate a new login event when someone opens it, so the login log cannot rule out a thief reading mail that was already cached on the device. And a remote wipe only takes effect once the phone reaches the network again, so the window of exposure is not necessarily the window between the theft and the moment Sam pressed the button. A screen lock, device encryption, and promptly changing the account password and revoking the phone’s access in the Apps admin console all narrow that window.
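The check Sam performs in the scenario above, as an added example that is not code from the original article: given an exported login audit log, list every login to the account that falls inside the window the phone was missing, and separate the ones that came from an address the clinician does not recognize. The records are a constructed sample whose field names (id.time, actor.email, ipAddress, events[].name) follow the general shape of Google’s Admin SDK Reports API login activity; that shape, the account name and the addresses are assumptions for illustration, and a real log would be exported from the admin console rather than typed in.

```python
"""Added example (not from the original article): decide whether a login audit
log shows any access to an account during the window a device was missing.

The records below are a constructed sample. Their field names (id.time,
actor.email, ipAddress, events[].name) follow the general shape of Google's
Admin SDK Reports API "login" activity; that shape, the account name and the
IP addresses are assumptions for illustration.
"""
from datetime import datetime, timezone

ACCOUNT = "sam@example-practice.com"  # assumed account name

# Constructed sample: a normal login before the loss, a login from an unfamiliar
# address during the window, a failed login, a login by a colleague (different
# account), and a normal login after the wipe.
SAMPLE_EVENTS = [
    {"id": {"time": "2013-11-12T08:02:11.000Z"}, "actor": {"email": ACCOUNT},
     "ipAddress": "203.0.113.10", "events": [{"type": "login", "name": "login_success"}]},
    {"id": {"time": "2013-11-12T14:31:50.000Z"}, "actor": {"email": ACCOUNT},
     "ipAddress": "198.51.100.77", "events": [{"type": "login", "name": "login_success"}]},
    {"id": {"time": "2013-11-12T14:40:02.000Z"}, "actor": {"email": ACCOUNT},
     "ipAddress": "198.51.100.77", "events": [{"type": "login", "name": "login_failure"}]},
    {"id": {"time": "2013-11-12T15:00:00.000Z"}, "actor": {"email": "other@example-practice.com"},
     "ipAddress": "203.0.113.44", "events": [{"type": "login", "name": "login_success"}]},
    {"id": {"time": "2013-11-12T19:05:00.000Z"}, "actor": {"email": ACCOUNT},
     "ipAddress": "203.0.113.10", "events": [{"type": "login", "name": "login_success"}]},
]


def parse_time(stamp):
    """Parse the RFC 3339 UTC timestamp format used in the sample records."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def logins_in_window(events, account, lost_at, wiped_at):
    """Return every login event for `account` timestamped within [lost_at, wiped_at]."""
    hits = []
    for ev in events:
        if ev["actor"]["email"] != account:
            continue
        names = [e["name"] for e in ev["events"] if e.get("type") == "login"]
        if not names:
            continue
        when = parse_time(ev["id"]["time"])
        if lost_at <= when <= wiped_at:
            hits.append({"time": when.isoformat(), "ip": ev.get("ipAddress"), "events": names})
    return hits


def assess(events, account, lost_at, wiped_at, known_ips):
    """Summarize the window: how many logins succeeded or failed, and which
    successful ones came from an address not in `known_ips`.

    An empty result is necessary but not sufficient for "no breach": an app that
    was already signed in on the phone does not generate a new login event, so
    mail cached on the device has to be considered separately.
    """
    hits = logins_in_window(events, account, lost_at, wiped_at)
    successes = [h for h in hits if "login_success" in h["events"]]
    unknown = [h for h in successes if h["ip"] not in known_ips]
    return {"logins": len(successes),
            "failures": len(hits) - len(successes),
            "from_unknown_ip": unknown}


if __name__ == "__main__":
    lost = parse_time("2013-11-12T13:00:00.000Z")    # assumed time of the theft
    wiped = parse_time("2013-11-12T17:30:00.000Z")   # assumed time of the remote wipe
    print(assess(SAMPLE_EVENTS, ACCOUNT, lost, wiped, known_ips={"203.0.113.10"}))
```

Run against the sample, the window 13:00 to 17:30 contains one successful login from an address not on the known list, which is exactly the case where Sam could not claim there was no breach. With a window that contains no login events the summary comes back empty, and it is then the cached-mail caveat above, not the log, that decides whether notification is required.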
Update: We are building a workbook to gently and thoroughly guide mental health clinicians through the risk analysis process. See more information about the HIPAA Security workbook here.
So Google Will Sign a BA Contract, But Are These Services Actually Secure?
The HITECH Act of 2009 made Business Associates legally required to comply with the HIPAA Security and Privacy Rules just like HIPAA covered entities are required to do. The 2013 HIPAA Omnibus Rule only added more teeth to this requirement. So one could say that Google’s Apps service had better be secure or they could find themselves in a world of trouble if security breaches start happening.
We don’t have to leave it there, however. Google claims that they hold a number of well-respected security certifications, (Google, HIPAA Compliance with Google Apps, n.d.) and their Data Processing Amendment to the Google Apps Enterprise Agreement lays out a number of ways in which they promise to protect the information held in Google Apps against security breaches. (Google, Data Processing Amendment to Google Apps Enterprise Agreement, n.d.)
In the end, however, Google is only promising to do what they are required to do: protect the data within its network. There are still ways that security breaches could result if the Apps, especially Gmail, are misused by a clinician or the clinician’s staff or helpers. This is why purchasing services like Google Apps for Business cannot replace the required Risk Analysis standard of HIPAA. It can certainly provide a good solution for your risk management plan and useful tools for implementing your security and privacy policies, however.
What Do I Need To Know About Each Apps Service?
There are some vulnerabilities in these services that I believe should be pointed out. Once again, all these can be dealt with through proper risk analysis and security policies and procedures. Also, the manner in which you use each of these services could create more vulnerabilities or even ameliorate the ones I mention below. Please use the following examples as a starting point for your own analysis of the risks in each of these services.
The main point of this article is that a significant sticking point in using Google Apps has classically been the Business Associate relationship. Google’s willingness to sign BA contracts has cleared that sticking point and represents taking responsibility for their side of the security equation, leaving us with the flexible and useful process of analyzing security vulnerabilities and managing risks.
One thing that is common to all the Apps is that Google serves them over an encrypted (HTTPS) connection. This protects your data while it is traveling across the dangerous hinterlands of the Internet en route between you and Google’s data centers. That security is only for the travel (called “transport”) of the data, however, like an armored car that drops its cargo off once it arrives at the destination. It says nothing about how the data is protected once it is stored at Google, or after it leaves Google’s network on its way to someone else.
Gmail
It is very useful that Google is taking on responsibility, through signing a BA contract, for safeguarding the emails and contacts kept on their Gmail servers.
The rub is that Gmail is still plain old email. So even though Gmail gives you a secured connection for when you interact with the Gmail software, the emails you send to other people still travel over the ordinary email network: once a message leaves Google’s servers it is relayed from mail server to mail server, and whether each hop is encrypted depends on the servers at both ends, which you do not control. For details, see our article Is Gmail HIPAA Compliant?.
Update: We also offer our sample Consent for Nonsecure Communications (e.g. email) forms to our newsletter subscribers. Subscribe to our newsletter here to get access to these and other useful forms.
So not only are the emails that you send to your clients left without security through the Internet hinterlands, but they also land in your clients’ Inboxes, where you cannot guarantee their security.
All is not lost, however. Clients who wish to receive email from their therapists, and still wish to receive them after being informed of the risks, can consent to receiving them. (Huggins, 2013) See our article on email and consent for important details and caveats. If solid consent is in place, and all caveats to that consent are covered, the big issue that typically remains is the Business Associate relationship with Google. Since we can now get that BA contract from Google, that issue can be dealt with.
One important note: I would still not advise anyone to use Gmail as a tool for an email-based telehealth practice. For email therapy, it is highly advised that you use an encrypted email system or other secure messaging system.
Google Drive
Google Drive is a cloud-based storage system that is similar to Dropbox in many ways. It allows not only backups of data but also sharing of the data you keep in Drive.
At present, my understanding is that data kept in Drive is not encrypted at rest. So long as Google keeps safeguarding the network, this could be acceptable. Bruce Gale, PhD also notes that clinicians can encrypt their files using a number of software packages before uploading to Drive. That would provide additional protection for the files, since Google, and anyone a file is mistakenly shared with, would then hold only the encrypted form; the tradeoff is that the key or passphrase must be kept somewhere other than the Drive account, and a lost key means a lost file.
Another concern is the wonderful-but-potentially-risky feature of Drive wherein users of Drive can share files with each other and collaborate on Google-created documents. Personally, I have many shared folders in my Drive account and I can barely keep track of which Drive account each file originally comes from. I imagine that sharing files from your BA-contracted Drive account with a non-BA-contracted Drive account (a personal Gmail account, say, or a link that anyone can open) could create a HIPAA violation. If you have anyone working for your practice, this is one to look out for especially in security policies and employee training, and it is worth periodically reviewing who each file is shared with.
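One way to do that periodic review, as an added example that is not code from the original article: walk an inventory of Drive files and their permissions and flag every grant that reaches outside the domain covered by the BA contract, whether it is a personal account, another organization, or an open “anyone with the link” share. The files are a constructed sample; each permission record is loosely shaped like the Drive API’s permission resource (type user/group/domain/anyone, emailAddress or domain, role), and that shape, the domain name and the file titles are assumptions. A real inventory would be pulled from the Drive API or an admin export.

```python
"""Added example (not from the original article): find Drive files whose sharing
reaches outside the domain covered by the Business Associate contract.

The records are a constructed sample. Each permission is loosely shaped like the
Drive API's permission resource (type user/group/domain/anyone, emailAddress or
domain, role); that shape, the domain and the file titles are assumptions.
"""

PRACTICE_DOMAIN = "example-practice.com"  # assumed domain on the BA contract

# Constructed sample inventory: one file shared only inside the practice, one
# shared to a personal Gmail account, one open to anyone with the link, one
# shared to the whole practice domain, and one owned by an outside colleague.
SAMPLE_FILES = [
    {"title": "Intake form - J. Doe", "permissions": [
        {"type": "user", "emailAddress": "sam@example-practice.com", "role": "owner"},
        {"type": "user", "emailAddress": "assistant@example-practice.com", "role": "writer"}]},
    {"title": "Session notes 2013-11", "permissions": [
        {"type": "user", "emailAddress": "sam@example-practice.com", "role": "owner"},
        {"type": "user", "emailAddress": "sam.personal@gmail.com", "role": "reader"}]},
    {"title": "Practice brochure", "permissions": [
        {"type": "user", "emailAddress": "sam@example-practice.com", "role": "owner"},
        {"type": "anyone", "role": "reader"}]},
    {"title": "Staff schedule", "permissions": [
        {"type": "user", "emailAddress": "sam@example-practice.com", "role": "owner"},
        {"type": "domain", "domain": "example-practice.com", "role": "reader"}]},
    {"title": "Consult - shared by colleague", "permissions": [
        {"type": "user", "emailAddress": "colleague@other-clinic.org", "role": "owner"},
        {"type": "user", "emailAddress": "sam@example-practice.com", "role": "reader"}]},
]


def is_external(perm, domain):
    """True if a single permission grants access to anyone outside `domain`."""
    kind = perm["type"]
    if kind == "anyone":          # link sharing: no account needed at all
        return True
    if kind == "domain":          # whole-domain share: external unless it is ours
        return perm.get("domain", "").lower() != domain
    # user or group: judge by the address's domain
    addr = perm.get("emailAddress", "").lower()
    return not addr.endswith("@" + domain)


def external_shares(files, domain=PRACTICE_DOMAIN):
    """Return (file title, grantee, role) for every permission reaching outside
    `domain`. An external *owner* is reported too: that file lives in an account
    the BA contract does not cover, even though it shows up in your Drive."""
    findings = []
    for f in files:
        for p in f["permissions"]:
            if is_external(p, domain):
                who = p.get("emailAddress") or p.get("domain") or "anyone with the link"
                findings.append((f["title"], who, p["role"]))
    return findings


if __name__ == "__main__":
    for title, who, role in external_shares(SAMPLE_FILES):
        print(f"{title!r}: {who} has {role} access")
```

On the sample this reports three files: the session notes shared to a personal Gmail address, the brochure open to anyone with the link, and the consult file that an outside colleague owns. Only the first is obviously a problem, but all three are decisions the clinician should be making deliberately rather than discovering by accident, which is the point of the article’s sharing caveat.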
Google Calendar
I see the vulnerabilities here as being similar to those of Drive. Once again, my understanding is that the contents kept on Calendar are not encrypted at rest. As with Drive, this could be acceptable so long as Google keeps protecting the network.
Also, Calendar allows extensive sharing of calendar items. For example, I can synchronize many people’s Google calendars in my iPhone’s calendar software. Be cautious of how you use this sharing feature, since appointment entries that carry client names or session notes are protected health information, and misuse of the feature by clinicians is not something Google is promising to safeguard against.
Other Concerns
The free version of Gmail uses the emails that pass through it to gather data about how to target advertising at Gmail’s users. Many have pointed out that this is a privacy concern for therapists. My understanding is that the paid version of Gmail does not have advertising and does not mine your emails for data.
There are also questions of Google providing data to government intelligence agencies. Rumors are going around that Google may start encrypting the contents of Drive in order to help ameliorate this concern. (Yirka, 2013)
Resources
- Google Apps for Business
- “HIPAA Compliance with Google Apps”
- Roy Huggins’ Consulting Services, which includes Risk Analysis consulting
References
- Google. (n.d.). Data Processing Amendment to Google Apps Enterprise Agreement. Retrieved Nov 17, 2013, from Google Apps: https://www.google.com/intx/en/enterprise/apps/terms/dpa_terms.html
- Google. (n.d.). HIPAA Compliance with Google Apps. Retrieved Nov 17, 2013, from Google Apps Documentation & Support: https://support.google.com/a/answer/3407054?hl=en
- Huggins, R. (2013, October). Clients Have the Right to Receive Unencrypted Emails Under HIPAA. Retrieved October 17, 2013, from Person-Centered Tech: https://personcenteredtech.com/2013/10/clients-have-the-right-to-receive-unencrypted-emails-under-hipaa/
- Semel, M. (2013, Oct 15). HIPAA Business Associate Avoidance and Google Update. Retrieved Nov 17, 2013, from HITECHAnswers: http://www.hitechanswers.net/hipaa-business-associate-avoidance-google-update/
- Yirka, B. (2013, Jul 19). Google reportedly working on encrypting user files on Google Drive. Retrieved Nov 17, 2013, from Phys.org: http://phys.org/news/2013-07-google-reportedly-encrypting-user.html