Do I Need Google Vault? (Or: What's the Deal with Backing Up My Google Files?)
Updated: Jun 1, 2022
A common question people have when using Google Workspace as an EHR is whether Google Vault is something they need to have (and what it even does). Let’s dig into this a bit and get a basic understanding of what we’re dealing with.
Your HIPAA Considerations
Part of our HIPAA requirements is being able to tell who accessed what. The Security Rule asks for unique user identification (45 CFR 164.312(a)(2)(i)) and audit controls (164.312(b)) for exactly this reason. If someone is looking at your protected health information (PHI) without authorization, that is bad. And if you can’t tell whether someone is looking at your PHI without authorization, that is also bad.
This is why it’s critical for every user to have a separate account to access your systems: if Bob and Frank share an account, and then information from that account shows up on the 5 o’clock news, you don’t know whether Bob or Frank is the one that gave it to them. Moreover, Bob probably shouldn’t be seeing personal information about Frank’s clients (unless there is a valid therapeutic reason for that), but if Bob and Frank use the same account, you’ll never know if Bob is accessing Frank’s records to read the juicy gossip on his clients.
(This is why you should sooner plunge your face into a bowl of boiling pudding than give out your passwords to other people. Giving your password to somebody – especially the passwords to your accounts containing PHI – is the digital hygiene equivalent of sharing a toothbrush with the person next to you in the airport bathroom. If you give your password to someone and they see information they are not authorized to see, that is already a breach, to say nothing of the ramifications of them taking that information and sharing it elsewhere.)
You not only want to have separate accounts for separate users, you want to know who is logging in when so you can make sure that only authorized users are accessing your stuff. If someone is logging into your system from China, and none of your staff members are living or vacationing in China, that is something of which to take note.
Here is where the common assumption goes wrong: Vault is not the tool that tracks this. Logins and Drive activity are recorded in the Admin console’s audit logs (under Reporting), which every Workspace edition has and which Google retains for about six months. Those logs are where you look when someone logs in from China, or when you need to know who had access at the time of a breach. Vault is a retention and eDiscovery tool: it keeps copies of mail and Drive files for as long as your retention rules say, lets you put a legal hold on an account so nothing in it can be deleted, and lets you search and export that data. Data loss prevention (DLP, rules that flag or block files containing things like Social Security numbers from being shared outside your domain) is a third, separate feature, and it gets technical enough that it’s beyond our scope for now.
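To make the audit-log point concrete, here is the kind of check those logs make possible. This is an added example, not code from this post, from Google or from Spin: it runs three rules over a constructed set of login events written in a simplified shape (the real Workspace login audit log, whether exported from the Admin console or pulled through the Admin SDK Reports API, has more fields and different names, so the field names, the sample addresses and the TRUSTED_NETWORKS list are all assumptions for illustration). The rules are the ones the text motivates: a successful login from a network you don’t recognise, one account in use from two different networks at nearly the same time (the shared-password signature), and a run of failed logins followed by a success from the same address.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample login events, loosely modelled on what the Workspace
# login audit log records (who, when, from which IP, success or failure).
# The field names are an assumption for this example, not the exact schema.
# Two things are hidden in here: Bob's account used from two different
# networks twenty minutes apart, and Frank's account hit with failed
# logins from an unknown address until one succeeds.
SAMPLE_EVENTS = [
    {"user": "bob@example.com",   "time": "2022-05-02T09:01:00+00:00", "ip": "203.0.113.10", "event": "login_success"},
    {"user": "frank@example.com", "time": "2022-05-02T09:05:00+00:00", "ip": "203.0.113.11", "event": "login_success"},
    {"user": "bob@example.com",   "time": "2022-05-02T09:20:00+00:00", "ip": "198.51.100.7", "event": "login_success"},
    {"user": "frank@example.com", "time": "2022-05-02T22:40:00+00:00", "ip": "192.0.2.55",   "event": "login_failure"},
    {"user": "frank@example.com", "time": "2022-05-02T22:41:00+00:00", "ip": "192.0.2.55",   "event": "login_failure"},
    {"user": "frank@example.com", "time": "2022-05-02T22:42:00+00:00", "ip": "192.0.2.55",   "event": "login_failure"},
    {"user": "frank@example.com", "time": "2022-05-02T22:43:00+00:00", "ip": "192.0.2.55",   "event": "login_success"},
]

# Networks the practice is known to log in from (office, clinicians' homes).
# Constructed for the example; a real list comes from your own records.
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24")]


def parse(events):
    """Convert timestamps and IPs to typed values and sort by time."""
    typed = [
        {"user": e["user"], "time": datetime.fromisoformat(e["time"]),
         "ip": ip_address(e["ip"]), "event": e["event"]}
        for e in events
    ]
    return sorted(typed, key=lambda e: e["time"])


def logins_outside_trusted(events, trusted=TRUSTED_NETWORKS):
    """Successful logins whose source IP is in none of the trusted networks."""
    findings = []
    for e in parse(events):
        if e["event"] != "login_success":
            continue
        if not any(e["ip"] in net for net in trusted):
            findings.append((e["user"], str(e["ip"]), e["time"].isoformat()))
    return findings


def overlapping_sessions(events, window=timedelta(minutes=30)):
    """One account logging in successfully from two different IPs within
    `window`: the classic signature of a shared password (or of an attacker
    using the account alongside its real owner)."""
    findings = []
    last_success = {}  # user -> (time, ip) of the most recent success
    for e in parse(events):
        if e["event"] != "login_success":
            continue
        prev = last_success.get(e["user"])
        if prev and prev[1] != e["ip"] and e["time"] - prev[0] <= window:
            findings.append((e["user"], str(prev[1]), str(e["ip"])))
        last_success[e["user"]] = (e["time"], e["ip"])
    return findings


def guessed_password(events, max_failures=3):
    """`max_failures` or more consecutive failed logins on one account from
    one IP, followed by a success from that IP: the password was likely
    guessed or phished and then tried until it worked."""
    findings = []
    streak = {}  # (user, ip) -> consecutive failure count
    for e in parse(events):
        key = (e["user"], str(e["ip"]))
        if e["event"] == "login_failure":
            streak[key] = streak.get(key, 0) + 1
        elif e["event"] == "login_success":
            if streak.get(key, 0) >= max_failures:
                findings.append((e["user"], str(e["ip"]), streak[key]))
            streak[key] = 0
    return findings


if __name__ == "__main__":
    for name, fn in [("outside trusted networks", logins_outside_trusted),
                     ("overlapping sessions", overlapping_sessions),
                     ("guessed password", guessed_password)]:
        for finding in fn(SAMPLE_EVENTS):
            print(f"{name}: {finding}")
```

Run on the sample, the first rule flags Bob’s 09:20 login and Frank’s 22:43 login, the second flags Bob (two networks in twenty minutes), and the third flags Frank (three failures then a success from 192.0.2.55). None of this needs Vault; it needs the audit log you already have and someone who looks at it.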
Maintaining Your Data
Another important feature of a tool like Vault is that it allows you to maintain archives of all the data from all your past and present users, which is an important part of maintaining the availability of your PHI. If Bob leaves your practice, you need to make sure that you have records for his clients even after he’s gone. It would not be good if Bob’s client called up the week after Bob left and asked for his medical records, but you, having (correctly) closed Bob’s account in whatever EHR you are using, could no longer access them.
You may be asking, “Wait, does this mean that if I am a solo practitioner, I don’t need Google Vault?”
Yes. That is what it means.
This is good news, because among the Business editions Vault comes only with the top tier, Business Plus, which costs $18 per user per month (the Enterprise editions include it too, at higher prices). (Of course, if you’re a solo practitioner, the extra few dollars a month won’t kill you. But why spend money if you don’t need to, amiright?) Google used to allow you to buy Google Vault separately even if you have a lower tier, but I spoke to the sales department on the phone in April 2022 and they said that is no longer being offered.
Actually, even if you run a group practice, you still do not need Vault. You do need something, though, to perform these functions for you. And what you need is Spin.
Why You Need Spin
Disclaimer: when I wrote this post I did not realize that they now require a 10-license minimum. So this makes Spin markedly less useful for probably most of the people who are reading this. I am trying to get them to provide smaller offerings, because the service is really needed. But for now, the minimum cost is actually going to be about $25/month (this would include any number of users up to 10).
Spin covers what a small practice is usually after when it asks about Vault, and adds backup on top, for less money ($3/month per user). It will provide you access logs for your users and archive their data when they leave.
(Note that maintaining an archived user account costs a few dollars per month on both Vault and Spin. However, I am not convinced that this is strictly necessary, because when you delete a user in Google Workspace, you have the option of transferring the Drive and Calendar data from that account into another account – such as your own – and thus you can hang onto it so long as you hang on to your own account. The one catch: that transfer does not include the user’s Gmail. If you need their mail after they leave, export it first, for example with the Admin console’s data export or Google Takeout, before you delete the account.)
Spin also backs up all the data in your Workspace system without you having to do a thing. Google’s own redundancy protects your data against Google’s hardware failing; it does not protect you against a file deleted by you, by a staff member, or by an attacker with a stolen password, nor against Google suspending your account. That is why I like having an extra backup in a system that is not Google. And Spin does offer extra protections on your data.
For example, if you accidentally delete a file from your Google Drive, you can retrieve it from Spin. Workspace does keep old versions of your file, but once you delete it, it sits in the trash for 30 days and is then purged (an admin can still restore it for up to 25 days after that, and then it is really gone); Spin keeps it indefinitely. Or let’s say you save a PDF file to Drive, then overwrite it with a new version. Google treats this as an updated file and keeps prior versions of uploaded files only for 30 days or 100 versions, whichever comes first, unless you mark a version “Keep forever” by hand. With Spin versioning, you can go back to 100 previous versions.
(As I was preparing to go to print with this blog post, an issue came up on a related Facebook group in which one of our colleagues found herself locked out of her account by Google for unspecified account violations. In an infuriating Kafkaesque fashion, they are refusing to tell her what she allegedly did wrong. While this is terrible in its own right, having a Spin backup account would allow you access to all your files in the event that this were to happen, thus saving you from a Very Big Problem. I am not trying to scare you into anything – I think this kind of thing is probably very uncommon – but having a backup like this is good and inexpensive insurance against crazy incidents like this one.)
Why Else You Need Spin
Another feature I have found useful is the ability to see your users’ emails. Without Vault or a third-party tool, the only way an admin can read a staff member’s mailbox is to reset the user’s password, log in as them, and then hand them a new one (Vault, where you have it, lets you search and export a mailbox without touching the account). With Spin you can just peek into their inboxes without bothering them – and without them even knowing, which is useful in the unfortunate case where you are concerned one of your staff members might be doing something improper, like telling patients to send them payment directly (which in fact happened to me). Two caveats: tell staff in writing, when they are hired, that the practice’s accounts are subject to monitoring, and remember that your own reads of a user’s mailbox are PHI access too and should be logged and justifiable like anyone else’s.
But wait, there’s more! Spin provides the nifty feature of ransomware protection. (This costs another $2/month per user.) One of the tricks bad guys like to use is hacking into your system and then locking it so you can’t get into your information unless you pay them a ransom (this is bad). They may also threaten to post the information publicly unless you pay up (this is worse).
Spin has a system that monitors for large numbers of files being changed or copied in a short time and shuts off access if such a thing were to happen. So that’s cool. (Worth knowing: ransomware cannot encrypt native Google Docs, Sheets or Slides, because those are not files on your disk, only links to them; it can hit files that Drive for desktop syncs as real files, such as PDFs and scans, and for those Drive’s own version history gives you a recovery path, subject to the 30-day/100-version limit on uploaded files.) To be clear, this feature is definitely not required for HIPAA compliance. How important is it? Hard to say. I have heard that hackers do in fact try to target small guys like you and me because we are vulnerable. I am not aware of any cases of it happening though (although that’s not a great indicator of whether it does or doesn’t happen with any frequency). You’ll have to make your own decision as to whether the risk justifies the cost.
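To show what “monitors for large numbers of files being changed” means in practice, here is an added example of that kind of detection. It is not Spin’s code, nor Google’s, nor the post’s: it runs over a constructed set of Drive activity events in a simplified shape (the Drive audit log has different field names and far more detail, so the field names, thresholds, KNOWN_EXTENSIONS and sample files are all assumptions). It flags an account that changes ten or more distinct files within five minutes, lists renames to an extension the practice never uses, and returns the accounts it would suspend. Bulk uploads are deliberately not counted, because a clinician scanning a stack of intake forms looks a lot like an attack if you only count events.

```python
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Drive activity events in a simplified shape (who, when, what
# action, which file, new name for renames). Field names are an assumption
# for this example, not the Drive audit log's exact schema.
SAMPLE_DRIVE_EVENTS = [
    # Bob's ordinary day: two note edits and one rename.
    {"user": "bob@example.com", "time": "2022-05-02T09:10:00+00:00", "action": "edit", "file": "notes-0412.docx"},
    {"user": "bob@example.com", "time": "2022-05-02T10:15:00+00:00", "action": "edit", "file": "notes-0419.docx"},
    {"user": "bob@example.com", "time": "2022-05-02T11:30:00+00:00", "action": "rename",
     "file": "intake-form.pdf", "new_name": "intake-form-v2.pdf"},
] + [
    # Bob scanning a stack of intake forms: eight uploads in forty seconds.
    # Bulk creation is normal office behaviour and must not trip the alarm.
    {"user": "bob@example.com", "time": f"2022-05-02T14:00:{i * 5:02d}+00:00",
     "action": "create", "file": f"scan-{i:02d}.pdf"}
    for i in range(8)
] + [
    # Ransomware running on Frank's synced Drive folder: twelve client files
    # renamed to a ".locked" suffix within two minutes.
    {"user": "frank@example.com",
     "time": f"2022-05-02T13:{i // 6:02d}:{(i % 6) * 10:02d}+00:00",
     "action": "rename", "file": f"client-{i:02d}.pdf", "new_name": f"client-{i:02d}.pdf.locked"}
    for i in range(12)
]

# Actions that can destroy content; uploads ("create") are excluded on purpose.
DESTRUCTIVE_ACTIONS = {"edit", "rename", "delete"}
# Extensions this (constructed) practice actually uses.
KNOWN_EXTENSIONS = {".pdf", ".docx", ".xlsx", ".jpg", ".png"}


def parse(events):
    """Convert timestamps to datetimes and sort by time."""
    typed = [dict(e, time=datetime.fromisoformat(e["time"])) for e in events]
    return sorted(typed, key=lambda e: e["time"])


def mass_modification(events, window=timedelta(minutes=5), threshold=10):
    """Flag each user who changes `threshold` or more distinct files within
    any `window`-long span. Returns (user, start of the span, distinct files);
    a user is reported once, at the moment the threshold is first crossed."""
    findings = []
    recent = defaultdict(deque)  # user -> (time, file) within the window
    flagged = set()
    for e in parse(events):
        if e["action"] not in DESTRUCTIVE_ACTIONS:
            continue
        q = recent[e["user"]]
        q.append((e["time"], e["file"]))
        while q and e["time"] - q[0][0] > window:
            q.popleft()  # drop events that fell out of the sliding window
        distinct = {f for _, f in q}
        if len(distinct) >= threshold and e["user"] not in flagged:
            flagged.add(e["user"])
            findings.append((e["user"], q[0][0].isoformat(), len(distinct)))
    return findings


def unusual_extensions(events, known=KNOWN_EXTENSIONS):
    """Renames whose new extension the practice never uses (".locked" and the
    like are the usual ransomware tell). Returns (user, old name, new name)."""
    findings = []
    for e in parse(events):
        new_name = e.get("new_name")
        if e["action"] == "rename" and new_name:
            ext = os.path.splitext(new_name)[1].lower()
            if ext not in known:
                findings.append((e["user"], e["file"], new_name))
    return findings


def accounts_to_suspend(events):
    """The 'shut off access' decision: accounts that crossed the mass-change
    threshold. Actually suspending them is done in the Admin console (or via
    the Admin SDK) and is deliberately not wired up here."""
    return sorted({user for user, _, _ in mass_modification(events)})


if __name__ == "__main__":
    print("mass modification:", mass_modification(SAMPLE_DRIVE_EVENTS))
    print("unusual renames:  ", len(unusual_extensions(SAMPLE_DRIVE_EVENTS)))
    print("suspend:          ", accounts_to_suspend(SAMPLE_DRIVE_EVENTS))
```

On the sample, Frank’s account is reported once, at the tenth renamed file inside the first five-minute window, all twelve of his renames show up as an extension nobody in the practice uses, and Bob’s eight scans in forty seconds pass without comment. The real decisions are the thresholds: set them from a week of your own audit log, not from this example.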
In sum, if you’re in a group practice, you do need something that gives you audit logs, keeps departed users’ data, and backs everything up (and it’s not a bad idea for solo practitioners either, especially considering the catastrophe story my colleague is going through with Google locking her out). If you’ve already got Business Plus, Vault together with the Admin console’s audit logs covers the first two, though not the independent backup. Otherwise, you either need to upgrade to Business Plus, or go with Spin. Spin gets my vote!
To sign up for their service, or for more information, head over to Spin. (That there is an affiliate link. I get a small kickback for referring people.) There’s a 15-day free trial, and a 15% discount with that link. Hope this helps!
My gratitude to the late Roy Huggins and his team, who taught me virtually everything I know about HIPAA.