In this episode of the HIPAA Vault show, we’ll explore Google Gemini, a large language model that can assist users with writing, design, and organization tasks. We’ll discuss whether Gemini is HIPAA compliant, and how Gemini compares to ChatGPT in terms of usability and from a compliance standpoint.

Breach of the week

Google HIPAA Functionality


Transcript:


Adam
Hello and welcome to the HIPAA Vault show, where we discuss all things HIPAA compliance and the cloud. My name is Adam Zeineddine. I’m joined, as always, by CTO and founder of HIPAA Vault, Gil Vidals. Hey, Gil!


Gil
Hey, Adam. Doing well today. I got a little snow here. I see you have sunshine where you are. 


Adam
Yeah, yeah, couldn’t be more of a contrast. Snowing where you are and completely blue skies where I am. And yeah, summer is here in the California desert already. Fun times. So this week we’re going to go through our breach of the week, and then we’re going to be talking about Gemini, Gil, and specifically Gemini and HIPAA compliance. So stay tuned for that. So we’ll start with the breach of the week. I’m just going to pull it up here on screen. A little bit different this week. It’s actually an HHS Office for Civil Rights report. The HHS Office for Civil Rights released two reports to Congress on HIPAA compliance and breaches. The summary of it is that OCR, the Office for Civil Rights, received over 3,000 complaints in 2022. Sorry, over 30,000 complaints, and resolved over 32,000. 


Adam
So obviously that’s more because they were resolving them from previous years. So 30,000 complaints received, and then they resolved over 32,000. They resolved 17 complaint investigations with settlements totaling $802,500, and one of them with a $100,000 penalty. OCR completed 846 compliance reviews, requiring corrective action or penalties in 80% of cases. And hacking IT incidents and network servers were the most common types of breaches. So hacking incidents on network servers were the most common type of breach. Gil, what are your thoughts on these reports? 


Gil
Well, first thing I want to say is the Office of Civil Rights is kind of an interesting name. When I first came across that, it didn’t strike me as the department of the government that would be doing these kinds of penalties, but that’s what it is. So OCR is not a mistake. That’s actually the right designator for these. You know, they get a ton of complaints. And the funny thing is, Adam, is that we, as HIPAA Vault, get a lot of calls from people that are complaining about their data. And the reason we get a lot of calls is because people mistype the word compliant. We are doing HIPAA compliant work. They type in "HIPA complaint," and so our phone rings off the hook. We get people all the time calling us, and these people, Adam, are calling us about very strange things. 


Gil
One quick example. Somebody called me. I answered the phone. They said, hey, I was in the doctor’s office, out in the lobby with my mom, sitting there waiting for our appointment, our turn. And the doctor came out, or not the doctor, but the assistant came out and called the person’s name to come up, and they said something about their condition, which obviously is not a good thing, where everyone sitting there in that medical office lobby could hear it. And she called all upset. She’s like, somebody said whatever she had, so other people heard it. I understand that. I understand that. I wouldn’t like it if it were my appointment, if somebody said something out loud. 


Gil
But my point of this is, imagine the number of phone calls that these people get about everything imaginable under the sun, from little cases to big ones. So these people at OCR, they have to go through all this data, all these complaints that are pouring in, and really look for the ones that are meaningful, where there was a significant amount of data that was leaked out. And they don’t have time to go after everything. So they have to be very selective, like, which ones are they going to make a big case out of and sue for? Like, you had $800,000 or millions of dollars and all that. They have to really scrutinize them because they’re just pouring in. 


Adam
Yeah, definitely. And I think one of the things that they do to help figure out whether it’s a serious complaint or not is they ask the person, if they’re calling in, to fill out a complaint form, an official form. So that kind of whittles down the number and allows them to really focus on the more serious ones. But, yeah, definitely there’s a lot of confusion, let’s say, in the public as to what constitutes a HIPAA complaint. 


Gil
Yeah, and we’re not discouraging people from calling your local state department if you have a complaint or, you know, know someone that has a complaint. We always redirect people to their local state Department of Health, and from there, they probably recommend what to do next. It’s legitimate if you have a legitimate complaint, but there are a lot of complaints, so don’t expect there to be some kind of resolution just because you call in. These people are inundated. So it’s not something they’re going to resolve. They’re not solving that many of these because they can’t. They’re just picking and choosing the ones they want to deal with. 


Adam
Absolutely. Okay, well, that’s it for the breach of the week. On to our main topic for the week, Gil, and that is: is Gemini HIPAA compliant? So I think probably a good place to start would be Gemini, right? Yeah, Google Gemini. 


Gil
So are you talking about Gemini, the bitcoin exchange where you can buy bitcoin? 


Adam
No, I’m talking about Google Gemini. Now, some listeners may be familiar with Google’s AI large language model. When it was first rolled out, it was called Bard, and they’ve recently changed the name of it to Gemini. So it’s a large language model that uses artificial intelligence to help users with writing, design and organizational tasks. 


Gil
I used Bard when it first came out, Adam, and I didn’t like it as much as ChatGPT at the time that I used it, because ChatGPT had been out longer and I think was more robust. And then I tried Bard, and I didn’t think Bard was that great. Now it’s probably gotten a lot better. I would. 


Adam
ChatGPT came out first. It had that head start and it stayed ahead of the game. Now the advantage, and I’ve had a chance to play around a little bit with Gemini and use ChatGPT as well, and it’s pretty comprehensive. The main advantage is that by design, it sits inside Google Workspace. So if you’ve already got a Google Workspace set up within your organization, then it’s going to plug in very quickly to that. And then the second advantage, as far as I can see, is they’ll sign a BAA. But we’ll get into that. 


Gil
I did want to clarify something for the audience, because Google Workspace is a newer name. It started off as G Suite. Google Suite. 


Adam
Right. 


Gil
And then I think it may have had another name, even, in the beginning. So just to make sure everybody knows what we’re talking about, Google Workspace is the name that Google uses for their collection, their office suite. So just like Microsoft has Office 365, which has their Word and Excel and all that, Google has the same thing. They call it Workspace. So that includes Google Drive, Google Docs, Google Sheets, what else? Their GChat, Gmail. I mean, it’s a whole bunch. But all of that office productivity tool set is what they refer to as Google Workspace. And now they are allowing you to use AI alongside that, just like Microsoft does, you know. That’s a big deal, right? Copilot can assist in any kind of productivity work you’re doing within the Microsoft productivity suite. Now you can do the same thing with Google, right? 


Adam
Answering the question, is Gemini HIPAA compliant? Yes, conditionally. And we’ll link this in the description. But if you look at the Google Workspace public HIPAA included functionality page, you’ll see Gemini listed under the apps within Google Workspace that are covered by their business associate agreement. I think we should maybe elaborate on what a business associate agreement is for the new listeners. 


Gil
Just very briefly. The business associate agreement is what two companies have to sign when they’re sharing responsibility for the patient health information, the PHI. That’s essentially what it’s doing, right? 


Adam
Exactly. So Gemini is included under the HIPAA business associate agreement from Google Workspace. However, there’s a caveat here: it does not include access to Gemini via gemini.google.com. I’ll share my screen on gemini.google.com. That’s what this looks like. So they’re saying that it’s not HIPAA compliant when you use it through this. However, it is HIPAA compliant when, for example, you’re in a Google Doc and then you go and you say, help me write. And then you say, write a poem. Write a funny poem. And then when you use it from here, supposedly it is covered under the BAA. Gil, any ideas why that might be? I mean, I know it is cutting edge in terms of the release of this, so maybe that’ll change. 


Gil
Well, I just think, generally speaking, that other tool is meant to be public facing, for anyone. It’s like going to Google search; anyone in the world can type in a Google search. Whereas these tools that we’re looking at here on the screen, these are private tools. You have to use two factor authentication to log in, and that’s probably the reason why: you have to authenticate. And when you’re using the other open and public facing tool, there’s no authentication. Anyone can just type in Google and start searching, or in this case, gemini.google.com. So I think that’s probably one of the main. 


Adam
Definitely, because HIPAA does have stringent requirements when it comes to knowing who accessed what data and when they accessed it. So a login is required. That makes sense. The other thing I think, I’m not sure if we touched on, is that ChatGPT currently, to date, isn’t offering BAAs, or at least isn’t willingly offering them just on sign up. I think there is some discussion about you emailing them and letting them know why you need a BAA and then them reviewing it and everything. But to the general public, they’re not offering business associate agreements. So that might be another reason why Gemini would be advantageous, I have to say. And this is just from using it for a couple of days. And at this point, I think ChatGPT still is the leader. 


Adam
Not saying that can’t change, and there’s a lot that can be developed, but just in terms of intuitive engagement with the interface, I like it a lot more. 


Gil
I guess my thinking is, for our listeners, how would you get PHI data in there? So right now, you’re looking at, on that screen you had up, you had a Google document. So you could, for example, let’s say you’re a therapist and you need to explain something to one of your patients about the condition they have. So you could start asking Gemini to write it for you. You just tell it, hey, I need to send a message to a patient that they need to come in for an appointment because the results just came in. It looks like they may have condition ABC, some medical condition. So Bard could write that very well for you. I’m sorry, Gemini. You could even say, make it very sympathetic. So it adds words like, oh, Mr. 


Gil
Smith, we know this is hard news for you and your family, blah, blah. So a therapist might want to use it because it’s a big time saver, right? You don’t have to sit there and write it. It writes it for you, and then you just copy and paste it into Gmail. Or you could do this directly in Gmail. You can ask Gemini right in there. So this is how you could mix PHI, medical records, medical data, into an application that’s using AI. I mean, this is how we get here. So once you understand that’s how you’re generating new content that’s appropriate to you and your patients, then you’re really going to like it. You say, wow, this is so efficient. I could do 5 to 10 times the amount of emails that used to take me an hour a day. 


Gil
Now I spend five minutes a day, and that’s 45 minutes a day times ten days. You do the math. That’s like a month’s worth of work in a year. So it’s a pretty big deal. Pretty big deal. So you just have to be cautious, because this is new technology and you don’t want Gemini to start throwing in facts. So in that same example, let’s say the therapist writes the email, but Gemini went overboard and started saying, hey, make sure you only take 2 grams of that dosage instead of four. And the therapist didn’t bother reading it carefully. They didn’t realize that Gemini changed the dosage or something. All of a sudden you’ve got a big problem. 


Adam
Yeah. 


Gil
So you have to at least read through it, and you have to be careful that you don’t let it take over and give advice that it shouldn’t be giving and all of that. It should just be creating the general content, not giving specific medical advice. So I think that’s one issue. But as far as it leaking out, I mean, they’re brand new, right? So we don’t have all the answers. We have more questions than answers. I don’t know how it would leak out, in the sense that you type something into Gmail or a Google Doc and then suddenly someone on the other side of the world has access to that. I don’t see that as a real. 


Adam
And if you dig into the privacy policy, it does mention that anything you input in here isn’t going to be taken and used to retrain the AI model. So you’re good on that side. 


Gil
Okay. 


Adam
And maybe that’s why gemini.google.com isn’t part of the BAA as well. 


Gil
Thinking about it, yeah, I think you’re right. So the training data set is going to come from the public using Gemini. But you’re right. I think you’re right: from here, whatever you type in is not going to be used for training it. That means it’s not going to be included in some big data set that Google has. I guess what I would say, just based on this being brand new, again, it just came out, so we’re just exploring it. But it seems like on the surface this is a safe tool to use in terms of your PHI data being accessed by unauthorized individuals. I think from that perspective it’s safe. I don’t think you have to worry about who’s going to see your data. I think we’re safe there. 


Gil
But you do have a bigger, or not bigger, but you have a different risk, and that is that Gemini may give false information. Remember, these large language models are new and they still can generate erroneous information. It sounds good. Don’t forget, it’s going to sound very professional, it’s going to sound very authoritative. But when you really do a fact check, you’ll say, hey, this is inaccurate. And that’s happened to me. I’ve done that, where I then go fact check something and it’s, no, that’s not right. 


Adam
Yeah, there’s a big disclaimer at the bottom of the Gemini prompt screen. It says, "Your chats aren’t used to train our models. Gemini may display inaccurate info, including about people, so double check its responses." 


Gil
That’s their, you know. Still, I think it’s very beneficial in the long run, because this is getting better and more accurate and stronger by leaps and bounds. So I wouldn’t pooh-pooh this and say, well, I’m not going to use it. No, you definitely want to use this. It’s going to save you a lot of time. You just have to be, like with anything new in technology, cautious and make sure you’re aware of what’s going on, believe me. And if you decide, well, I’m still not going to use it, keep in mind that if you make that decision, your competitors are using it, and they will get ahead of you because they’ll be more productive, they’ll have more efficiency. And in business, productivity and efficiency are everything. 


Gil
If your competitors are more productive and efficient, they win the race and you lose the race. So it’s not just a matter of I choose not to use it because I don’t feel good about it. Your competitors are definitely leaning into this and using it, so you’re almost obligated to really think about this. 


Adam
Yeah. Self-fulfilling in a sense, isn’t it? You have to use it because everyone else is using it. Yeah. On that: if you’re an existing Google Workspace user and you’re not sure about how to set Google Workspace up for HIPAA compliance, reach out to us and we can help you with that. If you’re already a customer and you use a Google Workspace managed by us, then you can also reach out to us and we can help set you up with the appropriate Gemini licensing as well. Oh, one thing I would be interested in hearing back from the listeners and the viewers is, have you used Google Gemini? Have you used ChatGPT? Maybe you use both. Let us know what your thoughts are on each one and which one you prefer in the comments below. 


Adam
And Gil, was there anything that we wanted to mention, while we’ve got them, about the HIPAA WooCommerce that’s coming out soon? 


Gil
Well, yeah, the HIPAA WooCommerce is exciting, because there’s a lot of following, a lot of developers. They really like WooCommerce. WooCommerce is a shopping cart. And so there are a lot of healthcare sites that are made in WordPress, and when they want to sell some of their medical wares or whatever it is they’re selling, then a lot of times WooCommerce comes up. So we’re excited because we’re launching the WooCommerce for WordPress. It’s a plugin, and we can make it so that it is HIPAA compliant. I think that’s very exciting, and I’m really looking forward to working with that new product. 


Adam
Fantastic. Okay, well, that’s it for this episode of the HIPAA Vault show. Please do like, share, and subscribe, and until next time, thanks for stopping by.