Google Workspace and Microsoft 365 Are NOT Backups

Why ABA Practices Need True Data Redundancy (And How to Build It Without Panic)

Let me start a few things that we hear all the time:

“We use Google Drive. So we’re backed up, right?”

Or…

“Everything’s in Microsoft 365. That’s the cloud. We’re safe.”

Or this one:

“Our practice management system stores everything. The software company handles it.”

I completely understand why people think this way.

Google Workspace feels secure.
Microsoft 365 feels enterprise-level.
Your practice management system feels professional and healthcare-specific.

Your files live “in the cloud.”
They sync.
They autosave.
They have version history.
They have logins and passwords.

It feels protected.

But here’s the hard truth:

Cloud software is not the same thing as a backup.

Whether it’s Google Drive, Microsoft 365, or your practice management system — those are primary systems.

They are built for:

• Collaboration
• Storage
• Documentation
• Workflow

They are not built to be independent, third-party redundancy layers.

And if your mindset is:

“The software company has it. They’re keeping it safe for me.”

You’re placing total trust in a single system.

In healthcare, we’re required to retain PHI and trusting one system without redundancy is an unnecessary risk.

Not because vendors are bad.

But because no single system should ever be your only copy.

The theme here is simple:

Primary system ≠ backup.

But here’s the uncomfortable truth:

Google Workspace and M365 are collaboration platforms, not true backup systems.

And if you’re running an ABA practice that touches PHI (which you are), and you’re required to retain records (which you are), that distinction matters more than most founders realize.

This isn’t about fear.

It’s about architecture.

Let’s break it down.

 

The Myth: “It’s in the Cloud, So It’s Backed Up”

When you use:

• Google Drive
• Gmail
• Microsoft OneDrive
• Outlook
• SharePoint
• Teams

You’re using productivity tools.

They are built for:

• File sharing
• Email communication
• Real-time collaboration
• Workflow management

They are not built to be independent, third-party redundancy systems.

And here’s the core issue:

If something is deleted, corrupted, encrypted by ransomware, or removed due to a disgruntled employee, your “backup” is often just the same system.

That’s not redundancy.

That’s dependency.

 

What True Data Redundancy Actually Means

Your primary system stores your data.
A completely separate third-party cloud-to-cloud backup system stores a copy.

Not synced.
Not mirrored in the same ecosystem.
Not just version history.

A separate, restorable copy.

That’s the difference.

And when you’re legally and ethically required to retain PHI, that difference becomes operational risk.

 

“But Don’t They Have Retention Settings?”

Yes.

Both Google Workspace and Microsoft 365 offer:

• Retention policies
• Version history
• Recycle bins
• eDiscovery tools

Those are helpful features.

But they are not independent backups.

If:

• An admin account is compromised
• A user deletes files permanently
• A ransomware attack encrypts SharePoint
• A sync error corrupts data
• A vendor-side issue occurs

You’re relying on the same ecosystem to save itself.

That’s not risk reduction.

That’s crossed fingers.

 

And It’s Not Just About Google vs Microsoft

Before we go further, let’s address something clearly.

We strongly recommend Microsoft 365 for ABA agencies for structural, security, and administrative control reasons. (You can read the full breakdown here:
👉 https://ebcba.abaimpact.com/blog/google-workspace-vs-microsoft-365-for-aba)

M365 tends to offer:

• Stronger enterprise-grade admin controls
• Better role-based access management
• More robust security configurations
• Clearer audit capabilities

But here’s the key:

Even Microsoft 365 is not a backup solution.

It’s a better primary ecosystem for ABA.

It is still not redundancy.

 

Where ABA Practices Are Most Vulnerable

When founders ask about backup, they often focus only on:

• Google Drive
• OneDrive
• Email

But that’s not where the real risk ends.

Let’s zoom out.

Anywhere you store PHI and are required to retain it, redundancy matters.

That includes:

1. Document Signing Platforms

If you’re using:

• DocuSign
• PandaDoc
• AdobeSign
• Or any intake consent platform

Those signed documents are part of the clinical record.

If they’re stored only inside the signing software?
And that vendor account is compromised?
Or closed?
Or misconfigured?

That’s a retention risk.

This is a powerful story — and it builds credibility without fear. Here’s a clean, emotionally grounded version that fits your tone and keeps it professional but impactful:

Now let me tell you a real story about how Adobe lost all of our documents.

We used Adobe for all of our contract signing and document management.

Every signed agreement.
Every client contract.
Every piece of proof of promised revenue.

It was all in Adobe.

One day we logged in.

And it was gone.

Not “hard to find.”
Not “archived somewhere.”
Gone.

We contacted Adobe.

Their response?

There was nothing they could do.

Redundancy was our responsibility.
They do not maintain independent redundant copies for restoration in situations like ours.

There was nothing to restore.

Let that sink in.

This is Adobe… a massive, reputable, global company.

If something like that can happen with Adobe…

What about:

• Your practice management software?
• Microsoft?
• Google?
• Your billing platform?

It can happen to any of them.

And here’s the part most people don’t want to hear:

At some point, something will happen to one of the systems you use.

Maybe not catastrophic.

Maybe just accidental deletion.
Maybe a sync issue.
Maybe an admin mistake.
Maybe a vendor-side issue.

But something will happen.

The question isn’t if – it’s when.

Do you have a plan?

 

Here’s what our plan looks like.

When a contract gets signed in Adobe:

1. A copy automatically gets emailed to us.
2. Because we use an “everything forever” backup policy inside Cloud Shield (yes we use it ourselves) on our email, that email is automatically backed up to a third-party cloud-to-cloud system.
3. We save a copy inside our CRM.
4. We also save a copy inside a customer folder in SharePoint.
5. SharePoint is also backed up to a third-party backup solution.

So, when Adobe lost our contracts?

It was inconvenient.

But it wasn’t catastrophic.

We had copies.

Multiple copies.

Independent copies.

If we ever lost all of those backups at once, we’re probably dealing with something like a zombie apocalypse or nuclear fallout… and at that point, data retention isn’t the main concern.

The only reason this didn’t hurt us is because we had a documented Data Loss Prevention and Data Redundancy policy in place.

We didn’t put all of our trust in Adobe.

And that’s the real lesson.

Not “don’t trust vendors.”

But:

Never trust a single system to be your only copy.

That’s not paranoia.

That’s leadership.

 

2. Practice Management Systems (PMS)

Your EHR or practice management system stores:

• Session notes
• Assessments
• Treatment plans
• Authorizations
• Billing records

Most founders assume:
“The PMS has it. We’re good.”

But ask:

• Do you have exports?
• Are you backing up stored files?
• What happens if you terminate the vendor?
• What happens during a contract dispute?

If the only copy lives inside the PMS, you’re fully dependent on that vendor.

 

3. Billing Platforms

Billing records often have their own retention requirements.

Claims data.
Payment histories.
Remittance advice.

If you were to change billers or platforms, can you export and preserve records?

 

4. HR & Credentialing Systems

Employee files may contain:

• Background checks
• Immunization records
• Certifications
• Contracts

Those have retention timelines too.

Where are you keeping the copies?

 

The 7-Year Record Retention Myth (And Why It’s Incomplete)

Many ABA founders say:

“We just need to keep records for 7 years because of HIPAA.”

Let’s clarify.

HIPAA requires retention of certain documentation for 6 years.

But HIPAA also says to follow state law when it comes to medical record retention.

And every state is different.

Especially regarding:

• Records for minors
• Timeframes after a minor turns 18
• Specific behavioral health requirements

Some states require:

• 7 years
• 10 years
• Or several years after a minor reaches adulthood

This article is educational, not legal advice.

But here’s the takeaway:

You cannot rely on a generic “7 years” rule.

You must:

• Check your state requirements
• Align with payor contracts
• Ensure your systems can actually retain and restore data for that duration

And that requires redundancy.

 

Why This Connects to Compliance (Without Fear)

Let’s tie this back to the 7 Elements of an Effective Compliance Program in plain language.

True redundancy supports:

1. Written Policies
   You should have a documented data retention and backup policy.
2. Compliance Oversight
   Someone must be responsible for monitoring backups.
3. Training
   Staff need to know where records are to be stored and not to be stored.
4. Monitoring & Auditing
   You should test backups. Can you actually restore data?
5. Corrective Action
   If a system gap is discovered, you update the workflow.

This isn’t about being perfect.

It’s about reducing unnecessary risk.

 

The Real Risk: False Security

The most dangerous scenario is not:

“We have no system.”

It’s:

“We think we have one.”

When founders assume Google or Microsoft equals backup, they stop asking deeper questions.

And that’s where unnecessary exposure lives.

 

What True Redundancy Looks Like in an ABA Practice

Here’s a simple architecture concept:

1. Primary ecosystem: Microsoft 365 (preferred) or Google Workspace
2. All records containing PHI exported automatically into that ecosystem
3. PMS exports routed into structured storage
4. Billing data exported regularly
5. Cloud-to-cloud third-party backup solution backing up M365 or Google

Now you have:

• Collaboration
• Structured storage
• AND independent redundancy

That’s mature risk management when it comes to date redundancy and data loss prevention.

 

Free Stuff First: Data Redundancy Workflow Consult

Before you buy anything…

Before you layer on another tool…

Before you panic about backup…

Here’s what I actually recommend.

Schedule a free Data Redundancy Workflow Consult.

We’ll look at:

• What software you’re currently using
• Where PHI actually lives
• Where records are legally required to be retained
• How your data flows (or doesn’t flow)
• What can automatically export into Microsoft 365 or Google Workspace
• What needs true third-party redundancy

Here’s the link to schedule your free Data Redundancy Workflow Consult: https://meetings.hubspot.com/derreck-ogden/data-redundancy-workflow-consult

Because here’s the truth:

Workflow comes first.
Tool comes second.

If you buy backup software without fixing your data flow, you just create another silo.

This consult is about architecture — not sales.

And if budget is tight right now, at minimum join the free ABA Founders Program.

Inside that program we help you build:

• Mission, vision, and primary aim
• Financial clarity and survivability
• Secure email setup
• Core system structure
• An AI executive assistant to reduce mental load

Plus, we host a live ABA Founders call every Thursday where you can ask real questions and hear how other owners are navigating these same decisions.

You can join that free here:
https://ebcba.abaimpact.com/ebcba-blueprint-foundation

Now…

If you want to implement true redundancy and layered email protection, here’s what that looks like.

 

When You’re Ready: Cloud Shield

We built it for startups and small ABA practices that:

• Don’t have internal IT
• Have tight budgets
• Still need real email security
• Still need real backup
• Still need basic data loss prevention

Cloud Shield is not “full compliance in a box.”

It fills the major gaps in email security and data redundancy, especially for Microsoft 365 and Google Workspace users.

Here’s what’s included:

Email Security & Threat Protection

• Advanced Business Email Compromise (BEC) defense
• Payment redirect scam protection
• Impersonation detection
• Attachment sandboxing for unknown malware
• Predictive URL scanning and blocking
• Smart external email warning banners

Because most breaches don’t start with hackers breaking in.

They start with someone clicking something in an email.

 

Compliance & Data Loss Prevention

• Automated DLP rules for PHI, PII, financial data
• Automatic email encryption when triggered by content
• Audit trails and reporting for incident response

This supports HIPAA’s expectations around safeguarding data in transit and preventing unauthorized disclosure.

 

“Everything Forever” Backup

This is the redundancy layer.

• Automated real-time backups
• Independent cloud-to-cloud storage
• Granular, item-level restore
• Point-in-time recovery
• Message replay and data restoration

This means:

If something is deleted, corrupted, encrypted, or compromised…

You can restore it.

Because if data must be retained…

It must be recoverable.

And recoverability requires redundancy.

Cloud Shield layers on top of your existing Microsoft 365 or Google Workspace setup.

It does not replace it.

It protects it.

It’s $0.49 per user per day.
Onboarding is just $697 one-time to set it up.

Cloud Shield exists because:

• Google isn’t a backup.
• Microsoft isn’t a backup.
• Your PMS isn’t a backup.
• Your document signing software isn’t a backup.

Primary system ≠ redundancy.

Redundancy = leadership.

But there’s a smarter (and cheaper) way to approach this.

 

The Fast-Path (and more free stuff) Option: eBCBA™ Odyssey

If you don’t want to slowly piece this together…

If you want systems, structure, and accountability…

Odyssey is our fast-path option.

For $97/month (Founder’s Rate — increasing soon), Odyssey includes:

• Structured business training across core functional areas
• Weekly live strategy calls
• Templates, SOPs, and system tools
• A bonus 1:1 strategy session
• Everything included in the free Founders Program

Just a heads up: the Founder's Rate of $97/month for a little while longer. It'll increase to $297/month soon when we complete the Systems course, but anyone who joins now keeps the $97/month for life.

Sign up for Odyssey at the Founders rate here: https://ebcba.abaimpact.com/ebcba-odyssey-launch

By the way, there’s a 30-day money back guarantee – if you don’t like it in the first 30 days, we’ll refund you, no questions asked. It’s month to month. There really is no risk in signing up – just missing out if you don’t. Here’s how the Odyssey gives you the best ROI:

Odyssey members get Cloud Shield onboarding waived.

That $697 setup fee disappears.

Plus, Odyssey members receive our Audit Readiness Jumpstart ($997 to non-Odyssey members), which includes:

20-Point Compliance & Security Inspection

Review of administrative, physical, and technical safeguards.

Plan of Action & Milestones (POAM)

Plain-English roadmap of what’s missing and how to fix it.

Corrective Action Roadmap & Tracker (CART)

Track improvements and assign responsibility.

Real-World Threat Simulations

Phishing and ransomware tabletop exercises.

Email Security & Device Hardening Workshop

Live configuration support for M365 or Google — no extra software required.

Partner-Focused Compliance Summary

An audit readiness summary aligned to HIPAA, payer, and state expectations.

This is about system maturity.

Not fear.

Not panic.

Not “buy this because something bad will happen.”

It’s about:

Designing your data architecture intentionally.

 

What Should You Do Next?

You don’t have to solve everything at once.

Think in layers.

Start with clarity.

Step 1: Book the free Data Redundancy Workflow Consult.
Map your current systems. Understand where your data lives. Identify real gaps (not imagined ones).

https://meetings.hubspot.com/derreck-ogden/data-redundancy-workflow-consult

Step 2: Join the free ABA Founders Program.
Strengthen your foundation — secure email, core systems, decision structure, and AI support to reduce your load.

https://ebcba.abaimpact.com/ebcba-blueprint-foundation

Step 3: If you want structured accountability, join Odyssey.
That’s where systems get built faster, with guidance and support.

https://ebcba.abaimpact.com/ebcba-odyssey-launch

Step 4: When you’re ready, implement true redundancy.
That might be Cloud Shield.
It might be another third-party solution.

It doesn’t have to be ours.

But you do need what Cloud Shield represents:

Independent backup.
Email security.
Data loss prevention.
Recoverability.

No single system should be your only copy.

No pressure.

Just design.

Because you worked too hard to build your practice…

To let your data architecture be the weakest link.

Let’s build it right.

Learn more about Cloud Shield: https://meetings.hubspot.com/joshnelson/cloud-shield-discovery

 

Why We Still Recommend M365 for ABA

Let’s circle back briefly.

If you’re building a system designed for:

• Role-based access
• Audit tracking
• Security controls
• Administrative oversight
• Integration pathways

Microsoft 365 tends to offer more structure for healthcare organizations.

We break that down in detail here:
👉 https://ebcba.abaimpact.com/blog/google-workspace-vs-microsoft-365-for-aba

But again:

Even M365 needs redundancy.

Primary system ≠ backup.

 

If you take nothing else from this article, take this:

If your software contains:

• Sensitive PHI
• Signed clinical documents
• Billing records
• HR files
• Anything required to be retained

And you don’t have independent redundancy…

You’re carrying unnecessary risk.

Compliance aside - recovery matters.

You worked too hard to build your practice to let data architecture be an afterthought.

 

You Don’t Need Panic. You Need Design.

Data redundancy is not about paranoia.

It’s about leadership.

You are not “just using software.”

You are building an information ecosystem.

And ecosystems need layers.

Collaboration layer.
Storage layer.
Redundancy layer.

With Human-In-The-Loop oversight.

AI can help you draft policies.
We can help you design workflows.
But final responsibility always stays human.

 

Ready to Fix This the Right Way?

If you want to:

✔ Confirm whether your current setup is truly redundant
✔ Design a workflow that flows into M365 or Google properly
✔ Add independent cloud-to-cloud backup
✔ Reduce long-term retention risk

Schedule your free Data Redundancy Workflow Consult: https://meetings.hubspot.com/derreck-ogden/data-redundancy-workflow-consult

And if you’re ready to implement true third-party backup for Microsoft 365 or Google Workspace, explore Cloud Shield.

Learn more about Cloud Shield: https://meetings.hubspot.com/joshnelson/cloud-shield-discovery

No fear.
No fluff.
Just structure that protects what you’ve built.

Let’s build your data architecture the same way you build treatment plans — intentionally.