When you move your data and day-to-day IT operations to the cloud as an organization that handles sensitive health information about patients and customers, concern about that data falling into the wrong hands is legitimate. Applications that support HIPAA compliance go a long way toward providing the security you need.
Google lets you use Google Workspace in a HIPAA-compliant way, but compliance is not a switch you turn on or off. You need to do much more. Here is what you need to know about HIPAA compliance in Google Workspace.
Thinking of shifting your IT infrastructure to the cloud, preferably Google Workspace?
Are you planning to migrate from another cloud service such as Microsoft 365 to Google Workspace?
Is the information you deal with classified as Protected Health Information (PHI)?
This brings us to the question: are Google Workspace and its various services HIPAA (Health Insurance Portability and Accountability Act) Compliant?
Can you make Google Workspace HIPAA Compliant?
Yes, you can.
But it is not HIPAA Compliant out-of-the-box.
You need to understand that HIPAA compliance is not a feature you can switch on or off.
Just because you have let Google know that you want to be HIPAA Compliant doesn’t mean that all your medical records will be automatically protected.
You will need to put in place checks and balances. You will need to use certain technologies to encrypt and restrict data. You may need to educate your staff.
What makes Google Workspace compliant with HIPAA is that it allows you to use technologies and other checks and balances to protect user data.
It has the features. It easily facilitates compliance. How you comply depends on what your IT administrators can achieve for you.
There are certain conditions you must first meet before your Google Workspace account becomes HIPAA Compliant:
- A paid version of Google Workspace.
- Signing a Business Associate Agreement (BAA) with Google.
- An Enterprise account (in some cases).
Do these prerequisites alone make your Google Workspace HIPAA Compliant?
According to Google, no.
Google says that as a customer, you are responsible for making your operations HIPAA Compliant.
Google gives you the tools. How you use those tools is completely up to you.
We will learn more about that.
Core Google Workspace services that can be made HIPAA Compliant
Every Google Workspace core service must be configured by a qualified IT administrator, following Google's HIPAA implementation guide, before it is used to store or transmit PHI.
The following core services need to be configured if you want to use them with PHI:
- Drive (this includes Google Docs, Sheets, Slides, and Forms)
- Hangouts classic (only the chat messaging feature)
- Google Chat
- Google Meet
- Google Keep
- Google Cloud Search
- Google Voice (managed users only)
- Google Sites
- Google Groups
- Cloud Identity Management
- Google Apps Script
Google Contacts is not a covered core service, so your Google Workspace users need to make sure that they do not store any PHI in Google Contacts.
As a Google Workspace user you can also use non-core services such as YouTube, Google Photos, the Chrome Web Store, Google Classroom, Blogger, Google Analytics and Google Ad Manager (to name a few), but these services are not covered by the BAA. For full compliance you should disable them for users who handle PHI, or at the very least make sure that no PHI ever reaches them.
Now that we know whether Google Workspace is HIPAA Compliant or not, let’s explore further how you can use Google Workspace if your business needs to be HIPAA Compliant.
Why is it important to make your Google Workspace account HIPAA Compliant?
You want to protect the medical records of your clients, or even your employees and business associates.
By mistake, your staff may share sensitive information and breach PHI. They may respond to an email they shouldn’t respond to or click a link they shouldn’t click.
Health information is personal and sensitive. By law you are required to protect the data that you have.
This data may belong to your clients, patients, business partners, and employees.
Health data is not only valuable for targeted advertising; it can also be used to harm individuals directly, for example through identity fraud or extortion.
There are four common ways unauthorized individuals get access to sensitive health records:
- Breaking into the systems that store them (a data breach).
- Tricking or coercing your employees into sharing them.
- Tricking or coercing your patients or customers into sharing them.
- Stealing laptops and mobile phones that hold them.
According to this HIPAA Journal report, millions of individuals are affected every year by healthcare data breaches.
Civil penalties are tiered by the degree of negligence on your part, from $100 per violation up to an annual cap of $1.5 million for violations of the same provision (base figures that are adjusted upward for inflation), and a single breach often involves many violations.
Businesses that need to activate HIPAA compliance when using Google Workspace
The following types of businesses need to comply with HIPAA:
- Healthcare providers – clinics, therapists, hospitals, and private practices.
- Healthcare plan providers – health insurance companies and other entities providing healthcare plans.
- Business associates: vendors, contractors, and other businesses or individuals that create, receive, maintain, or transmit PHI on behalf of a covered entity.
How do you make Google Workspace HIPAA Compliant?
Here are a few steps you can take to make your Google Workspace setup HIPAA Compliant:
1. Upgrade to a paid account
As mentioned above, to be able to activate HIPAA compliance you need a paid version of Google Workspace.
2. Sign a Business Associate Agreement
These are the steps involved (you must be signed in as a super administrator to accept the amendment):
Sign in to your Admin console.
Go to Account settings.
Within Account settings there is a section titled "Legal and compliance"; expand it using the drop-down arrow on the right.
Scroll down until you reach "Security and Privacy Additional Terms".
At the bottom there is a hyperlink, "Google Workspace/Cloud Identity HIPAA Business Associate Amendment"; read it before you accept it, because it also lists the services covered and your obligations.
Beneath it is a grey "Not accepted" link. Click it.
The link becomes active and reads "REVIEW AND ACCEPT".
A series of screens then asks questions about the nature of your business and whether it is subject to HIPAA.
Once you click "I ACCEPT", you have signed the BAA.
These are important steps, but they themselves don't make your Google Workspace HIPAA Compliant. Once you have signed the BAA, you can take further actions such as...
3. Set up alerts
Do you want to know when an unauthorized person accesses one of your Google Workspace accounts, or when an employee signs in from a new device?
Google Workspace ships with a set of predefined alert rules (about 20 at the time of writing) in the Admin console's alert center, covering events such as suspicious sign-ins and leaked passwords. Whenever an event triggers one of these rules you receive an email notification, and you can define your own rules as well. Make sure someone actually reviews these alerts: an alert that nobody reads is not a control.
4. Set up strong passwords
If you leave it to your employees, they may choose weak passwords that are easy to guess or to crack.
Rather than relying on instructions, have your IT administrator enforce a password policy in the Admin console (Security > Authentication > Password management): set a minimum length, require strong passwords, and apply the policy at the next sign-in so that existing weak passwords are replaced.
Discourage employees from choosing short passwords. The longer the password and the more varied its characters, the harder it is to crack, and a password manager makes long, unique passwords practical for staff.
5. Activate two factor authentication
HIPAA's Security Rule requires you to verify that the person seeking access to ePHI is who they claim to be, and 2-Step Verification (Google's name for two-factor authentication) is the most effective control Google Workspace offers for that.
Without 2-Step Verification, anyone who has a username and password can sign in to the account, including an attacker who phished or leaked them.
With 2-Step Verification, a second factor is required as well: a security key or passkey, a Google prompt on an enrolled phone, an authenticator app code, or a one-time code sent by SMS. Even with the correct username and password, a sign-in fails without it. Enforce it for every user from the Admin console (Security > Authentication > 2-Step Verification) rather than leaving enrollment optional, prefer phishing-resistant security keys or passkeys for administrators and anyone handling PHI, and treat SMS codes as the weakest option, since they can be intercepted through SIM swapping.
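Enforcing 2-Step Verification is only half the job; you also need to check that every active account has actually enrolled. The script below is an added example, not code from the original article or from Google: it audits a user list in the shape returned by the Admin SDK Directory API (users.list, with the primaryEmail, isAdmin, suspended, isEnrolledIn2Sv, isEnforcedIn2Sv and lastLoginTime fields) and reports accounts that weaken the 2SV posture. The SAMPLE_USERS data, the example.com addresses, the severity labels and the 90-day dormancy threshold are all assumptions; in production you would fetch the list with google-api-python-client under the admin.directory.user.readonly scope.

```python
"""Audit 2-Step Verification enrollment across a Google Workspace domain.

Added example (not the article's or Google's code). Input rows look like
Directory API users.list results; SAMPLE_USERS below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of Directory API users.list output.
SAMPLE_USERS = [
    {"primaryEmail": "admin@example.com", "isAdmin": True, "suspended": False,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True,
     "lastLoginTime": "2024-05-01T09:12:00.000Z"},
    {"primaryEmail": "dr.smith@example.com", "isAdmin": False, "suspended": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": True,
     "lastLoginTime": "2024-05-02T14:30:00.000Z"},
    {"primaryEmail": "frontdesk@example.com", "isAdmin": False, "suspended": False,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": False,
     "lastLoginTime": "2024-04-28T08:00:00.000Z"},
    {"primaryEmail": "old.intern@example.com", "isAdmin": False, "suspended": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False,
     "lastLoginTime": "2023-11-15T10:00:00.000Z"},
    {"primaryEmail": "left.staff@example.com", "isAdmin": False, "suspended": True,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False,
     "lastLoginTime": "2023-01-10T10:00:00.000Z"},
    {"primaryEmail": "it.helper@example.com", "isAdmin": True, "suspended": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": True,
     "lastLoginTime": "2024-05-02T11:00:00.000Z"},
]

# Assumed "now" so the dormancy check is reproducible offline.
REFERENCE_TIME = datetime(2024, 5, 3, tzinfo=timezone.utc)


@dataclass
class Finding:
    email: str
    severity: str
    reason: str


def audit_2sv(users, now=REFERENCE_TIME, stale_days=90):
    """Return findings for accounts that weaken the 2SV posture.

    Suspended accounts are skipped because they cannot sign in. Severity
    scheme (an assumption of this example): 'critical' for an admin without
    2SV, 'high' for any other active account without 2SV, 'medium' for an
    enrolled user that no enforcement policy applies to, and 'low' for a
    dormant account that should be suspended or deleted.
    """
    findings = []
    for user in users:
        if user.get("suspended"):
            continue
        email = user["primaryEmail"]
        if not user.get("isEnrolledIn2Sv", False):
            severity = "critical" if user.get("isAdmin") else "high"
            findings.append(Finding(email, severity, "2SV not enrolled"))
        elif not user.get("isEnforcedIn2Sv", False):
            findings.append(Finding(email, "medium", "2SV enrolled but not enforced by policy"))
        last = user.get("lastLoginTime")
        if last:
            # Directory API timestamps are RFC 3339 with millisecond precision.
            last_dt = datetime.strptime(last, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
            if now - last_dt > timedelta(days=stale_days):
                findings.append(Finding(email, "low", f"no sign-in for more than {stale_days} days"))
    return findings


def summarize(findings):
    """Count findings per severity, for a quick posture summary."""
    counts = {}
    for finding in findings:
        counts[finding.severity] = counts.get(finding.severity, 0) + 1
    return counts


def run_sample():
    """Run the audit over the constructed sample with the fixed reference time."""
    return audit_2sv(SAMPLE_USERS, now=REFERENCE_TIME)


if __name__ == "__main__":
    results = run_sample()
    for finding in results:
        print(f"{finding.severity:9} {finding.email:26} {finding.reason}")
    print(summarize(results))
```

Run the audit on a schedule and treat every "critical" and "high" finding as an open ticket; the "low" findings are the dormant accounts that no longer need access to PHI at all.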
A designated Google Workspace consultant can help you more with making your Google Workspace account HIPAA Compliant.
Here you can read more about HIPAA compliance in Google Workspace.
Is Google Workspace Gmail HIPAA Compliant?
Your employees will be sharing lots of sensitive health-related information when using Gmail, which is an integral part of Google Workspace.
There are multiple ways you can make Gmail comply with HIPAA conditions. You need to keep in mind that only the paid version of Google Workspace features HIPAA compliance.
You can define content compliance rules in the Admin console to check whether outgoing messages contain PHI; matching messages can be rejected, modified, quarantined, or reported to an administrator.
You can set up data loss prevention (DLP) rules to scan incoming and outgoing messages and stop certain messages from being delivered.
You can use Gmail's hosted S/MIME, Google Workspace client-side encryption, or a third-party encryption add-on, with the help of your IT administrator, so that messages cannot be read in transit.
As such, Gmail doesn't by default come with HIPAA compliance but you can establish certain practices and rules to protect sensitive data, and Google provides plenty of features to achieve that.
Can you be 100% sure of compliance when using email?
Not with email alone. Take encryption as an example. Within the Google ecosystem (Gmail to Gmail) messages are encrypted in transit and at rest and stay under the BAA, but you cannot say the same once a message leaves Google.
Your organization may use Gmail, but many of your customers and clients use other providers such as Outlook, Yahoo Mail, or a custom-domain mail server. Delivery to them is encrypted with TLS only if the receiving server supports it, so for partners who regularly receive PHI, require TLS for their domains in Gmail's compliance settings, and remember that S/MIME works only once you have exchanged certificates with the recipient.
Is Google Docs HIPAA Compliant?
Google Docs definitely appears in the list of Google Workspace apps that can be made HIPAA Compliant.
But just like any other service under Google Workspace, it depends on how you use Google Docs and what precautions you take.
Google encrypts Google Docs data with AES (256-bit keys by default) while it is stored and protects it with TLS while it travels between your browser and Google. Since HIPAA requires ePHI to be protected both in transit and at rest, Google Docs meets that requirement; what the encryption cannot do is stop an authorized user from sharing a document with the wrong person.
You also need to educate your users so that Google Docs files containing ePHI are not synced to unmanaged or unencrypted devices. There must be a strict policy on what type of documents can be stored in Google Docs.
Is Google Meet HIPAA Compliant?
Google Meet is extensively being used for telemedicine. If you’re worried about the confidentiality of your clients and patients, you must be wondering whether it is safe to use Google Meet.
Yes, it is safe to use Google Meet, though you need to fine-tune it a bit.
First, make sure Google Meet is the default video conferencing provider in your Admin console. To check that:
Sign in to your Google Workspace admin account.
Go to Apps >> Google Workspace >> Calendar.
Under "Sharing settings", find the "Video conferencing" section.
Make sure "Make Google Meet the default video conferencing provider when available" shows "ON".
If it is not "ON", hover over the section, click the pencil icon that appears, tick the checkbox next to "Make Google Meet the default video conferencing provider when available", and save.
Additionally, employees must be discouraged from putting PHI in Google Calendar event titles and descriptions or in the Google Meet chat.
To keep Google Meet usage HIPAA-compliant, make all appointment events private. Event details are then hidden from anyone who can view the calendar other than the invitees, which also restricts who can reach the link to Meet recordings, saved in the organizer's Google Drive by default. You can also control in the Admin console whether participants are allowed to record a session at all.
Beyond that, as a service provider or healthcare professional, it is up to you to keep health information private and secure. Google Meet gives you the tools; you still have to use them.
Is Google Drive HIPAA Compliant?
You can see above that Google Drive is included in the core functionalities with HIPAA compliance. Just as is the case with all other apps in Google Workspace, to make Google Drive HIPAA Compliant you need to establish some practices that restrict access to PHI data.
In Google Drive, your data is protected by TLS while in transit and encrypted with AES while stored on Google's servers.
You can restrict file sharing, especially with accounts outside your domain (Apps >> Google Workspace >> Drive and Docs >> Sharing settings), and warn or block users when they share externally.
You can use strong and unique passwords.
You can also activate two factor authentication for accessing Google Drive.
You can restrict access to PHI-carrying data.
You can regularly conduct staff training & orientation about the importance of keeping the medical records secured.
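Restricting external sharing is a setting; verifying that nothing is already shared outside the domain is an audit. The script below is an added example, not code from the original article or from Google: it walks a list of files in the shape of a Drive API files.list response with the permissions field requested (fields=files(id,name,permissions(type,role,emailAddress,domain,allowFileDiscovery))) and flags every file that an outside account, an outside domain, or "anyone with the link" can reach. SAMPLE_FILES, the example-clinic.com tenant domain, and the exposure labels are assumptions; in production you would page through files.list for each user or shared drive.

```python
"""Audit Google Drive sharing for files exposed outside the organization.

Added example (not the article's or Google's code). Input rows look like
Drive API files.list results with permissions requested; SAMPLE_FILES is
constructed and ORG_DOMAINS is an assumed tenant domain.
"""

ORG_DOMAINS = {"example-clinic.com"}  # assumption: the Workspace tenant's own domain(s)

# Constructed sample in the shape of Drive API files.list output.
SAMPLE_FILES = [
    {"id": "1", "name": "Patient intake - J. Doe", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "dr.smith@example-clinic.com"},
        {"type": "anyone", "role": "reader", "allowFileDiscovery": False}]},
    {"id": "2", "name": "Billing Q1", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "finance@example-clinic.com"},
        {"type": "user", "role": "writer", "emailAddress": "contractor@gmail.com"}]},
    {"id": "3", "name": "Staff rota", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "admin@example-clinic.com"},
        {"type": "domain", "role": "reader", "domain": "example-clinic.com"}]},
    {"id": "4", "name": "Referral letter", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "dr.smith@example-clinic.com"},
        {"type": "domain", "role": "commenter", "domain": "partner-hospital.org"}]},
    {"id": "5", "name": "Lab results", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "lab@example-clinic.com"},
        {"type": "group", "role": "reader", "emailAddress": "clinicians@example-clinic.com"}]},
    {"id": "6", "name": "Clinic opening hours", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "admin@example-clinic.com"},
        {"type": "anyone", "role": "reader", "allowFileDiscovery": True}]},
]


def is_external(perm, org_domains=ORG_DOMAINS):
    """True if a Drive permission grants access to someone outside org_domains."""
    ptype = perm.get("type")
    if ptype == "anyone":
        return True
    if ptype == "domain":
        return perm.get("domain", "").lower() not in org_domains
    if ptype in ("user", "group"):
        address = perm.get("emailAddress", "").lower()
        return address.rsplit("@", 1)[-1] not in org_domains
    return True  # unknown permission type: fail closed and flag it


def classify(perm):
    """Label the kind of exposure a single external permission represents."""
    if perm.get("type") == "anyone":
        # allowFileDiscovery=True means the file can also be found by search.
        return "public-discoverable" if perm.get("allowFileDiscovery") else "public-link"
    return "external"


def audit_sharing(files, org_domains=ORG_DOMAINS):
    """Return one finding per file that has at least one external permission.

    Owner permissions are not evaluated here: a file owned by an outside
    account is a different problem (PHI living in a consumer account) that a
    Drive ownership report should catch.
    """
    findings = []
    for f in files:
        exposed = [p for p in f.get("permissions", [])
                   if p.get("role") != "owner" and is_external(p, org_domains)]
        if not exposed:
            continue
        labels = {classify(p) for p in exposed}
        # Public access outranks a specific outside account or domain.
        if "public-discoverable" in labels:
            worst = "public-discoverable"
        elif "public-link" in labels:
            worst = "public-link"
        else:
            worst = "external"
        findings.append({
            "id": f["id"],
            "name": f.get("name", ""),
            "exposure": worst,
            "grantees": [p.get("emailAddress") or p.get("domain") or "anyone" for p in exposed],
        })
    return findings


if __name__ == "__main__":
    for finding in audit_sharing(SAMPLE_FILES):
        print(f"{finding['exposure']:20} {finding['name']!r:28} -> {finding['grantees']}")
```

Pass a second trusted domain in org_domains when a partner organization legitimately receives referrals; everything else that the report lists is a sharing decision someone has to justify or revoke.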
As you have seen, if you are looking for an online suite with HIPAA compliance capabilities, Google Workspace provides plenty of features. There is no 100% guarantee against data breaches or inadvertent sharing of sensitive information, because compliance has less to do with technology and more to do with how you handle data.
A combination of technology and staff awareness is needed.
Nonetheless, if you are looking for a cloud-based solution that can be operated in a HIPAA-compliant way, there is nothing to stop you from using Google Workspace. With the controls it gives you, combined with your own effort to keep ePHI safe, almost all the major Google Workspace apps you are likely to use can be covered by the BAA and used compliantly.