Slashdot Mirror


Can We Abandon Confidentiality For Google Apps?

An anonymous reader writes "I provide IT services for medium-sized medical and law practices. Lately I have been getting a lot of feedback from doctors and lawyers who use gmail at home and believe that they can run a significant portion of their practice IT on Google Apps. From a support standpoint, I'd be happy to chuck mail/calendar service management into the bin and let them run with gmail, but for these businesses, there is significant legal liability associated with the confidentiality of their communications and records (e.g., HIPAA). For those with high-profile celebrity clients, simply telling them 'Google employees can read your stuff' will usually end the conversation right there. But for smaller practices, I often get a lot of push-back in the form of 'What's wrong with trusting Google?' and 'Google's not interested in our email/calendar.' Weighing what they see as a tiny legal risk against the promise of Free IT Stuff(TM) becomes increasingly lopsided given the clear functionality / usability / ubiquity that they experience when using Google at home. So my question to the Slashdot community is: Are they right? Is it time for me to remove the Tin Foil Hat on the subject of confidentiality and stop resisting the juggernaut that is Google? If not, what is the best way to clarify the confidentiality issues for these clients?"

5 of 480 comments

  1. Re:The bottom line by spydabyte · Score: 4, Interesting

    When you don't pay for something, you can't rely on it. Try winning a lawsuit against a patient because you didn't have the correct medical knowledge because your ISP couldn't resolve a Google DNS one day...

    I'd think this is a much greater issue than worrying about Google email snoops. That and unencrypted standards over wifi access. Doctors: Don't go mobile. Stay within your cellular-free hospitals.

  2. Re:The bottom line by Orange+Crush · Score: 3, Interesting

    And yes, it's laziness: he's a sysadmin, and he knows the security implications. He just chooses not to care.

    Of course he knows the security implications. His clients don't. And he can't force them to pay the (significant for a small office) costs of doing it "right." They'd simply stop being his clients.

    Don't assume he's lazy; he's trying to do his best for his smaller clients, and that's admirable. (I've often found that the smaller the client, the more of a cheap bastard and whiny high-maintenance client they tend to be.)

  3. Re:yes.. by nomadic · Score: 4, Interesting

    IAAL too, and I see nothing wrong with Google apps. Don't know about doctors, but lawyers are perfectly aware that nothing is foolproof once you get online, and we realize that some Google employee has access to our stuff. We're expected to maintain confidentiality in a reasonable manner, not approach it with the paranoia of a computer security expert.

  4. Re:yes.. by chadplusplus · Score: 5, Interesting

    IAAL too, and I saw nothing in there relating to whether the various state bars have given this the thumbs up. I suspect this would depend greatly upon the relative progressiveness of the pertinent state bar. I'd be interested in seeing an ethics ruling concerning this if you have any citations. (Sorry, I'm not paying Lexis to do a search just to satisfy my curiosity.)

  5. Re:HIPAA compliance is no joke. by TheMCP · Score: 3, Interesting

    HIPAA non-compliance can not only be expensive, it can lead to jail time.

    This is my understanding based on training I received from a lawyer while working as a secondary IT director for a medical school:

    The IT director for a medical organization is required to certify that the organization is HIPAA compliant. If they are not, the IT director must make them compliant, and that may have to mean simply cutting off everyone's access to computer resources until a plan is in place to allow access in a compliant manner. (Not allowing anyone to access anything is compliant.) If the IT director certifies them to be compliant when they are actually not, the IT director can go to jail, as can anyone who may have coerced them to sign the certification. Medical professionals can also be subject to fines and/or jail time for handling data in a non-compliant manner (such as entering data into a non-compliant system such as Google Docs), especially if they did so knowingly.

    Were I in anonymous reader's shoes, I would tell my medical clients that I am convinced that because of HIPAA they must not use Google Docs for any medical information. If they press the issue, I would tell them that I am so convinced that they must not use Google Docs to handle any medical information that if I find they have done so, I will drop them as a client and report them to the relevant authorities at once. No job is worth going to jail for.