Comments for Adelia Risk https://adeliarisk.com vCISO and Cybersecurity Services Sat, 07 Mar 2026 08:08:17 +0000

Comment on Google Voice HIPAA Compliance: 4 Quick and Easy Questions by Holly Sagstetter https://adeliarisk.com/google-voice-hipaa-compliance/#comment-830 Fri, 17 Nov 2023 16:07:43 +0000 https://adeliarisk.com/?p=7890#comment-830

In reply to AMBER D WALKER.

Hi Amber – we don’t have recommendations for a HIPAA compliant texting platform. For HIPAA compliant email, we like Google Workspace! You can check out our e-book to learn how to properly set it up: https://adeliarisk.com/hipaa-playbook-for-google-workspace/

Comment on Google Voice HIPAA Compliance: 4 Quick and Easy Questions by AMBER D WALKER https://adeliarisk.com/google-voice-hipaa-compliance/#comment-829 Thu, 16 Nov 2023 19:54:29 +0000 https://adeliarisk.com/?p=7890#comment-829

I need to have a HIPAA compliant texting system and email set up for my business, and I need more information.

Comment on Is Google Drive HIPAA Compliant? by Josh Ablett https://adeliarisk.com/is-google-drive-hipaa-compliant/#comment-556 Thu, 03 Mar 2022 15:47:32 +0000 https://adeliarisk.com/?p=6253#comment-556

In reply to Jamie.

Hey Jamie – great question. Let me preface this by saying that we’re not lawyers, and you should run what I’m about to say past your HIPAA compliance attorney. This is JUST my opinion, not a statement of fact.

My personal opinion is that PHI happens when you combine information about who someone is (e.g., their name) with information about their health information (e.g., symptoms, treatments, insurance numbers, etc.). So my interpretation of Google’s guidance is that it’s OK to put a patient’s name in the title of documents or folders, but you shouldn’t put any information about their symptoms, care, health insurance numbers, etc.

If your attorney has a more stringent view of what defines PHI, then you could certainly create a coding system for patients. I know many doctors' offices use something like the combination of a patient's birthdate and the first three letters of their last name to create unique codes, so that may be something to explore as well.

Hope this is helpful!

Comment on Is Google Drive HIPAA Compliant? by Jamie https://adeliarisk.com/is-google-drive-hipaa-compliant/#comment-555 Thu, 03 Mar 2022 02:29:43 +0000 https://adeliarisk.com/?p=6253#comment-555

If you are to avoid putting PHI in titles of files, folders or team drives, what else would you name them? How would you separate files from 100 different patients if you can't name them by the patient's name or other identifying information?

Comment on Is Google Drive HIPAA Compliant? by Josh Ablett https://adeliarisk.com/is-google-drive-hipaa-compliant/#comment-554 Thu, 21 Oct 2021 19:49:14 +0000 https://adeliarisk.com/?p=6253#comment-554

In reply to Jude Wong.

Sure, you can use it, but it wouldn’t be HIPAA compliant if you did that.

Think of it this way — Google is taking on a LOT of legal liability by signing a BAA with you, and allowing you to store medical information on their servers. That’s why Google (and every other cloud-based service) requires both a contract in the form of a BAA that clearly defines who is responsible for what, and a paid service.

Comment on Is Google Drive HIPAA Compliant? by Jude Wong https://adeliarisk.com/is-google-drive-hipaa-compliant/#comment-553 Thu, 21 Oct 2021 18:38:33 +0000 https://adeliarisk.com/?p=6253#comment-553

Hi, so can you use Google Drive on its own, without Google Workspace or a BAA?

Comment on HIPAA Email Encryption: We Reviewed 7 Services and Found the Best by Matt https://adeliarisk.com/hipaa-compliant-email-7-best-ways-email-phi/#comment-706 Tue, 28 Sep 2021 21:44:09 +0000 https://adeliarisk.com/?p=590#comment-706

Thanks Josh, I appreciate the thorough responses! I'm finding that HIPAA guidelines can be lacking when it comes to detailing how certain technologies should be used. This is one area where it's been hard to find a solid answer. My gut tells me if you can't ensure the data-at-rest is secure from prying eyes (server admins, employees, algorithms, etc.) then there's still potential for negative repercussions to the practitioner. Maybe it's a breach of client data, maybe it's failing a portion of an audit. Either way, I've found your website to be very helpful and I thank you again for your time. Please keep up the good work!

Comment on HIPAA Email Encryption: We Reviewed 7 Services and Found the Best by Josh Ablett https://adeliarisk.com/hipaa-compliant-email-7-best-ways-email-phi/#comment-705 Tue, 28 Sep 2021 20:19:05 +0000 https://adeliarisk.com/?p=590#comment-705

In reply to Matt.

Boy, you’re asking a great (and complicated) question, so let’s pull it apart.

If someone is sending you an email with PHI in it, you’re right — TLS doesn’t magically make you 100% HIPAA compliant. There’s way more that you’d need to do, from securely configuring your computers to securely configuring your email service, and much much more.

If you’re sending an email to someone outside of your company (let’s say to a patient or another medical practice), you’re only responsible for getting it to them securely. It’s on THEM to handle it securely from that point forward. Obviously, another medical practice will have more in place to protect the email than a patient will, but it’s still not reasonable that a medical practice is responsible for ensuring each patient’s safe handling of their own PHI.

But your fundamental question comes down to trust of the cloud providers, like Google or Microsoft. You might be interested in reading through this post on Quora: https://www.quora.com/How-many-Google-employees-can-access-Gmail-data-How-secure-is-Gmail-data-within-Google. It’s fairly old, but I think it does a good job of spelling out the protections that these companies have in place against exactly this situation.

The other thing to keep in mind is that these companies are CONSTANTLY being audited to confirm that they’re actually living up to their information security policy. While nothing is 100% safe, that gives me a lot of comfort that not only do they have the right controls in place, but that independent auditors are validating them.

Lastly, signing a HIPAA Business Associate Agreement is not a decision that a company like Google or Microsoft can take lightly. They only started offering these to medical practices once they were confident that they could live up to all HIPAA requirements.

Hope that helps — great questions!

Comment on HIPAA Email Encryption: We Reviewed 7 Services and Found the Best by Matt https://adeliarisk.com/hipaa-compliant-email-7-best-ways-email-phi/#comment-704 Tue, 28 Sep 2021 19:53:06 +0000 https://adeliarisk.com/?p=590#comment-704

Thanks so much for the response, Josh. I agree about major email providers having good security over their servers. My question has more to do with the email provider having access to PHI within their email servers. Google stopped scanning email to deliver targeted ads in 2014, but what about other services that might "read" email in hopes of profiling their users? In some cases that content might contain one's medical history. TLS is important, but it seems like it couldn't be enough to make email HIPAA compliant… right?
