Google vs. Microsoft – Who Is HIPAA Compliant?

Published on Jan 1, 2014 | Resources, Articles, Medical Billing

The Health Insurance Portability and Accountability Act (HIPAA) sets rules to protect the security of medical documents. An email provider that meets the requirements of the act is ‘HIPAA compliant’. Since Google and Microsoft are the leading competitors, let us see which of them is HIPAA compliant.

HIPAA Requirements While Using Email

  • Ensure Strong Security: As per Section 164.314(a) of HIPAA, the health care provider must ensure that everyone who handles confidential and personally identifying information complies with the safeguards specified by HIPAA. Hence, email used for sending medical documents needs extra security.
  • Consent from Client: A new rule, the ‘Omnibus Final Rule’, was released under HIPAA on March 18, 2013. Under this rule, clients must be informed about the risks of sending confidential health reports by email. The authorization for communication via email should be signed only after the client has received this risk information and given consent. Healthcare providers usually have consent forms that clients fill out before they give the authorization.
  • Business Associate Agreement: Most healthcare providers rely on a third-party provider for email. HIPAA refers to such firms as ‘Business Associates’ and requires them to sign an agreement stating that they will protect patients’ confidential medical documents to the same high standards required of the healthcare provider.

How Google and Microsoft Deal with HIPAA Requirements

When comparing the HIPAA compliance of Google and Microsoft, it is necessary to consider their recent offerings, namely Google Apps and Microsoft Office 365, which provide a more efficient email facility along with other services.

Google Apps includes almost all of Google’s services for business, including Gmail, Calendar, Drive, Sheets, Sites and more. All of these services can be accessed with a Gmail account and are free, convenient and secure. Hence, it is well suited to creating healthcare reports and documents and sending them via Gmail to the relevant professionals. Microsoft Office 365 is the latest product from Microsoft and provides enterprise-grade business email through Microsoft Outlook. It can connect with the healthcare ecosystem using robust security technologies, and a single user interface lets data sources access more than one clinical or informational system at a time.

Here is a comparison of both products against the HIPAA requirements. The consent requirement is not discussed in this comparison, as it is managed by your own office.

Google Apps

  • Gmail preconfigured with Google Apps on handheld devices can allow email messages to be downloaded outside the office, which can cause a serious security breach.
  • The Gmail account of Google Apps provides two-step authentication. In this type of authentication, a verification code sent by text, mobile app or voice call is verified along with the username and password, adding an extra layer of security to the Gmail account. However, this facility has to be enabled by Google Apps administrators for their domain.
  • Google is not ready to sign the Business Associate Agreement. The company states that the Google Apps Terms of Use agreement meets all the HIPAA requirements.

Microsoft Office 365

  • Microsoft Office 365 offers five layers of security for data, covering the actual data, application data, host data, data in the network and physical data. It even restricts production servers from accessing critical operations. The Exchange Online facility can transmit confidential content more securely.
  • Custom security administration packages are available for adding more security features to Outlook with Office 365.
  • Microsoft states that Office 365 supports the Business Associate Agreement and that it is willing to meet the compliance requirements wherever applicable.


The lack of a Business Associate Agreement is the major bottleneck in handling healthcare documents with Google’s Gmail facility. Healthcare providers using Gmail to communicate with patients are in fact violating HIPAA terms. Without a second thought, we can now say that Microsoft is HIPAA compliant compared to Google.

Outsource Strategies International.

Being an experienced medical billing and coding company in the U.S., OSI is dedicated to staying abreast of the latest industry guidelines. Our services provide comprehensive support for the success of your practice.