Is G Suite HIPAA compliant? Can G Suite be used by HIPAA-covered entities without violating HIPAA Rules?
Google has developed G Suite to include privacy and security protections to keep data secure, and those protections are of a sufficiently high standard to meet the requirements of the HIPAA Security Rule. Google will also sign a business associate agreement (BAA) with HIPAA covered entities. So, is G Suite HIPAA compliant? G Suite can be used without violating HIPAA Rules, but HIPAA compliance is more about the user than the cloud service provider.
Making G Suite HIPAA Compliant (by default it isn’t)
As with any secure cloud service or platform, G Suite can be used in a manner that violates HIPAA Rules. Google provides the technical safeguards that allow HIPAA-covered entities to use G Suite in a HIPAA-compliant manner, but it is up to the covered entity to configure those safeguards correctly, and a misconfigured G Suite deployment can violate HIPAA Rules just as easily as an on-premises system.
Obtain a BAA from Google
One important requirement of HIPAA is to obtain a signed, HIPAA-compliant business associate agreement (BAA) from any vendor that will create, receive, maintain, or transmit ePHI on your behalf.
Google first agreed to sign a business associate agreement with healthcare organizations in 2013, back when G Suite was known as Google Apps. The BAA must be obtained prior to G Suite being used to store, maintain, or transmit electronic protected health information. Even though privacy and security controls are in place, the failure to obtain a BAA would be a HIPAA violation.
Obtaining a signed BAA from Google is the first step toward HIPAA compliance, but a BAA alone will not guarantee compliance with HIPAA Rules.
Configure Access Controls
Before G Suite can be used with any ePHI, the G Suite account and services must be configured correctly via the admin console. Access controls must be set up so that only authorized individuals can reach the services that are used with PHI. Set up user groups and organizational units, as this is the easiest way of granting, and revoking, access to PHI, and configure audit logs and alerts so that access can be reviewed.
You should also switch off any additional services that are not required. Services that will handle PHI should be turned on only for the organizational units that need them ("On for some organizations" in the admin console), while services that will never involve PHI can be switched on for everyone.
Set Device Controls
HIPAA-covered entities must also ensure that the devices used to access G Suite have appropriate security controls. For example, if a smartphone can be used to access G Suite and that device is lost or stolen, it should not be possible for an unauthorized individual to use it to reach PHI. A screen lock with a passcode or biometric login must be required on all mobile devices before access to G Suite is granted, devices must be configured to lock automatically after a period of inactivity, and the ability to remotely wipe all data (including PHI) from a lost or stolen device should be in place. HIPAA-covered entities should also enforce two-factor authentication (2-Step Verification) for all accounts.
Not All Google Services are Covered by the BAA
You may want to use certain Google services even though they are not covered by the BAA, but those services cannot be used for storing or communicating PHI. For example, at the time of writing Google+ and Google Talk were not included in the BAA and could not be used with any PHI.
If you do decide to leave these services on, you must ensure that your policies prohibit the use of PHI with these services and that those policies are effectively communicated to all employees. Employees must also receive training on G Suite with respect to PHI to ensure HIPAA Rules are not accidentally violated.
What Services in G Suite are HIPAA Compliant?
At the time of writing, only core services of G Suite are covered by Google's BAA and can therefore be used with PHI. The services discussed in this article include:
- Gmail (G Suite Gmail, not free @gmail.com accounts)
- Google Drive (including Team Drives)
- Apps Script
- Hangouts (chat messaging only)
- Google Cloud Search
Google's BAA lists the full set of covered core services; check the current version before enabling any service for PHI.
In the case of Google Drive, it is essential to limit sharing to specific people. Otherwise, folders and files could be accessible to anyone on the Internet via a shared link. Drives should be configured to allow access only by specific individuals or groups, and domain-wide or "anyone with the link" sharing should be disabled for organizational units that handle PHI. Files uploaded to Google Drive should not include any PHI in the titles of files, folders, or Team Drives, since titles are visible in search results, notifications, and audit logs that may be seen by people who are not authorized to view the contents.
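The two Drive checks above, no public or domain-wide sharing and no PHI in titles, are easy to audit programmatically. The script below is an added example, not code from the original article or from Google. It runs over a constructed list of file records shaped like the Drive API v3 `files.list` response (the `permissions` objects with `type`, `role`, `domain`, `emailAddress` and `allowFileDiscovery` are real Drive API fields; the `example-clinic.org` domain, file IDs, and the PHI title keyword and number patterns are assumptions chosen for illustration). In a live audit the same function would be fed the output of `files.list(fields="files(id,name,permissions(...))")`.

```python
import re

# Constructed sample data in the shape returned by Drive API v3 files.list with
# fields="files(id,name,permissions(type,role,emailAddress,domain,allowFileDiscovery))".
# Domain, names and IDs are hypothetical.
SAMPLE_FILES = [
    {"id": "f1", "name": "Q3 clinic schedule", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "admin@example-clinic.org"},
        {"type": "group", "role": "reader", "emailAddress": "billing@example-clinic.org"},
    ]},
    {"id": "f2", "name": "Jane Doe MRN 4481927 discharge", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "nurse@example-clinic.org"},
        # "anyone" with allowFileDiscovery=False is "anyone with the link": still public.
        {"type": "anyone", "role": "reader", "allowFileDiscovery": False},
    ]},
    {"id": "f3", "name": "staff handbook", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "hr@example-clinic.org"},
        {"type": "domain", "role": "reader", "domain": "example-clinic.org",
         "allowFileDiscovery": True},
    ]},
]

# Heuristic title patterns (an assumption for this example, not a Google rule):
# common PHI keywords, SSN-shaped numbers, and long digit runs that look like MRNs.
PHI_TITLE_PATTERNS = [
    re.compile(r"\b(mrn|ssn|patient|diagnosis|dob)\b", re.IGNORECASE),
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    re.compile(r"\b\d{6,}\b"),
]


def audit_file(file_record):
    """Return a list of findings for one Drive file record (empty if clean)."""
    findings = []
    for perm in file_record.get("permissions", []):
        ptype = perm.get("type")
        if ptype == "anyone":
            # Public link sharing: readable by anyone on the Internet who has the URL.
            findings.append("link-shared with anyone (%s)" % perm.get("role"))
        elif ptype == "domain":
            # Whole-domain sharing: every account in the domain, not a named set of people.
            scope = "discoverable" if perm.get("allowFileDiscovery") else "link-only"
            findings.append("shared with whole domain %s, %s (%s)"
                            % (perm.get("domain"), scope, perm.get("role")))
        # "user" and "group" permissions are the named-recipient sharing the text calls for.
    name = file_record.get("name", "")
    for pattern in PHI_TITLE_PATTERNS:
        if pattern.search(name):
            findings.append("title may contain PHI: %r" % name)
            break
    return findings


def audit(files):
    """Map file id -> findings for every file that has at least one finding."""
    report = {}
    for f in files:
        findings = audit_file(f)
        if findings:
            report[f["id"]] = findings
    return report


if __name__ == "__main__":
    for file_id, findings in audit(SAMPLE_FILES).items():
        print(file_id)
        for finding in findings:
            print("  -", finding)
```

In the sample, `f1` is clean (owner plus a named group), `f2` is flagged twice (public link and an MRN in the title), and `f3` is flagged once for domain-wide sharing. The title patterns are deliberately crude; a real deployment would tune them to its own naming conventions and treat matches as items for human review, not as proof of PHI.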
Gmail, the free consumer email service offered by Google, is not the same as G Suite Gmail. Simply using a free Gmail account (@gmail.com) to send PHI is not permitted. Consumer accounts are governed by Google's consumer terms rather than the BAA, so message content may be processed for purposes outside the covered entity's control, and deleting an email does not guarantee its removal from Google's servers. Free Gmail accounts are not HIPAA compliant.
G Suite HIPAA Compliance is the Responsibility of Users
Google encourages healthcare organizations to use G Suite and has done what it can to make G Suite HIPAA compliant, but Google clearly states it is the responsibility of the user to ensure that the requirements of HIPAA are satisfied.
To help healthcare organizations make G Suite HIPAA compliant, Google has developed guidance on setting up G Suite: see Google's G Suite HIPAA Implementation Guide.