Healthcare Information Security

Gmail privacy questions raise healthcare security concerns

By Patrick Ouellette

Though Google has professed a disinterest in contractually engaging healthcare organizations, the cloud email service giant continues to be a polarizing figure in the data privacy conversation. A recent Google court filing stated that those sending email to Google’s Gmail users have no “reasonable expectation” that their data will be private.

“Google has finally admitted they don’t respect privacy,” said John Simpson, Consumer Watchdog’s privacy project director, according to NPR. “People should take them at their word; if you care about your email correspondents’ privacy, don’t use Gmail.”

The article mainly referenced the questions surrounding the National Security Agency’s (NSA) relationship with Google, but also served as a reminder that this relates to healthcare as well. It was very recently that Oregon Health and Science University (OHSU) had to announce that it had stored 3,044 patients’ data in Google storage that was not accompanied by a business associate agreement (BAA). OHSU can’t be the only healthcare organization to have done this, as Google’s affordable storage/email pricing is a sensible option for many organizations. A cloud service provider reviewing email correspondence, even for marketing or business purposes, is disconcerting when you consider how many organizations’ employees have external email communications.

From a legal viewpoint, though vowing to take its users’ privacy and security seriously with strong technical protections, Google has been extremely open about communications being processed by the recipient’s ECS [electronic communications service] provider. In theory, a healthcare organization’s internal monitoring program should be able to weed out any issues in this area. But how many organizations have a strong product at their disposal as well as an expert to make good use of the data?

In its motion to dismiss the case, Google said the plaintiffs were making “an attempt to criminalize ordinary business practices” that have been part of Gmail’s service since its introduction. Google said “all users of email must necessarily expect that their emails will be subject to automated processing.” In other words, these practices are and have been business as usual for years.

From these questions to Google’s unwillingness to sign BAAs with healthcare organizations, the company’s cloud and email storage remains on the periphery of healthcare IT (especially after Google Health flopped) and a concern for security administrators.

