Technology & Security FAQ
Cloud, Email & Messaging
Yes. Cloud storage is allowed under HIPAA as long as the right safeguards are in place to protect patient data. Your cloud vendor must sign a Business Associate Agreement (BAA) before storing any ePHI.
A free Gmail account is not HIPAA compliant on its own. Some paid Google Workspace plans can support HIPAA when set up the right way and paired with the right agreements. See our BAA FAQ for details on which vendors require a Business Associate Agreement.
Microsoft Outlook can meet HIPAA rules when the right safeguards are in place to protect patient data both stored and in transit. If you use Outlook with PHI, make sure you have a Business Associate Agreement with Microsoft covering their specific configuration.
Regular text messages are not a safe way to send patient data. Use a secure messaging tool built for HIPAA instead. Your HIPAA policies should define which communication channels are approved for PHI.
Patient data can be sent by email when safeguards like encryption are in place. Your HIPAA policies should document approved email encryption methods, and staff should receive training on secure communication procedures.
Remote Work & Device Security
Yes. Remote work is allowed as long as your practice keeps its admin, physical, and tech safeguards in place. Be sure to cover remote work rules in your HIPAA policies and ensure staff complete HIPAA training that covers remote work procedures.
In some cases, yes. Think about encryption, access controls, physical security, remote wipe, and staff policies before letting patient data be viewed on home devices. A Security Risk Assessment helps identify these risks and determine what controls are needed.
Technology Best Practices
Not encrypting systems, devices, and data that should be encrypted. Gaps in encryption are one of the most common findings in a HIPAA Gap Analysis.
Encryption is still the most skipped safeguard in healthcare. Regular workforce training should reinforce encryption requirements, and a gap analysis can identify where encryption is missing across your environment.
Focus on tools that boost visibility, security, and alerts. Even simple tools that flag odd activity can make a big difference. A Security Risk Assessment helps identify which technology investments will have the greatest impact on your organization's compliance posture.
One Guy Consulting helps practices review their tech safeguards as part of the Security Risk Assessment process. Our HIPAA Gap Analysis finds gaps in your tech, admin, and physical safeguards.
Need Help Evaluating Your Technology Safeguards?
Book a free 30-minute intro call. We will review your tech setup, find security gaps, and explain what safeguards you need.
Book Your Free Intro Call
More HIPAA FAQ Resources
- HIPAA compliance FAQ covering basics, risk assessments, training, and policies
- HIPAA audit readiness frequently asked questions
- Business Associate Agreement frequently asked questions
- Security Risk Assessment service details
- Real-world HIPAA compliance case studies
- Full pricing comparison with plan details