G Suite has become an appealing option for many professionals, including those in the healthcare industry, which raises the question: is G Suite HIPAA compliant?
Yes, G Suite can be used in a HIPAA-compliant way. However, compliance depends on certain requirements being met (a signed agreement with Google plus correct configuration on your side), and I’ll go over those in this article.
Keep reading to find out more!
Google & HIPAA
According to Google, one of its top priorities is ensuring that customers’ data is safe and secure.
To support customers who are subject to the Health Insurance Portability and Accountability Act (HIPAA), Google has implemented security controls that map to the HIPAA Security Rule and offers contractual privacy and security protections.
HIPAA covered entities that utilize G Suite must sign a Business Associate Agreement (BAA) with Google.
Under HIPAA, certain information related to an individual’s health or health care services is classified as Protected Health Information (PHI). G Suite customers are responsible for assessing whether they are subject to HIPAA and whether the Google services they plan to use will store, process, or transmit PHI.
If a customer has not signed a BAA with Google, Google services must not be used for PHI.
FAQs About G Suite HIPAA Compliance
Now that I have covered some of the basics of HIPAA related to G Suite, let’s look at some specific (and common) questions related to G Suite and HIPAA compliance.
Why is HIPAA Compliance so Important?
HIPAA compliance is important to ensure the protection of sensitive patient information. Healthcare providers, health plans, business associates, and healthcare clearinghouses are required to keep sensitive patient information private and confidential.
What is a Business Associate?
A Business Associate is an individual or company that performs functions or activities on behalf of a covered entity that involve the use or disclosure of PHI. A cloud provider such as Google that stores PHI for a covered entity is a Business Associate.
What is a Business Associate Agreement?
A Business Associate Agreement is a written agreement that stipulates the responsibilities each party has concerning PHI. A signed BAA is the first step to HIPAA compliance: sharing PHI with a vendor without one is itself a HIPAA violation.
How do I Make G Suite HIPAA compliant?
G Suite provides the safeguards covered entities need to use it in compliance with HIPAA. However, it is up to the covered entity to ensure that G Suite is correctly configured to comply with HIPAA rules.
Using G Suite with an incorrect configuration can itself violate HIPAA, so the configuration must be reviewed before any PHI enters the system.
Take the following steps to ensure G Suite is HIPAA compliant:
- Obtain a BAA from Google – Before using G Suite to store, maintain, or transmit electronic PHI, a Business Associate Agreement must be obtained from Google.
- Configure Access Controls – Before any electronic PHI touches G Suite, the account and its services must be correctly configured through the Admin console. Restrict access to the services that will handle PHI to authorized users, typically by organizational unit. Switch off any additional services that are not needed. For services that will handle PHI, turn them on only for the organizational units that need them (the ‘on for some organizations’ setting). Services that will never be used with PHI can be switched on for everyone.
- Set Device Controls – HIPAA covered entities must take steps to secure all devices. Apply appropriate security controls to every device used to access G Suite. Mobile devices must require a passcode or login before granting access and must be set to lock automatically. HIPAA covered entities should also enforce two-factor authentication (2-step verification) for their users.
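Once the Admin console is configured, the settings should be verified rather than assumed. The script below is an added example (not code from the original article or from Google) that audits a user export for the access-control and two-factor points above. It reads data in the shape of the Admin SDK Directory API users.list response, whose primaryEmail, orgUnitPath, suspended, isAdmin, isEnrolledIn2Sv and isEnforcedIn2Sv fields are real; the organizational unit path "/PHI" and the sample accounts are assumptions constructed for the example.

```python
"""Audit a G Suite user export for 2-step verification on PHI users and admins.

Added example, not part of the original article or Google's own tooling.
Input is JSON shaped like the Admin SDK Directory API users.list response.
The "/PHI" organizational unit and the sample users below are constructed.
"""
import json

# Assumption: services that handle PHI are switched on only for this OU
# (and its children) in the Admin console, so everyone under it must have
# 2-step verification both enforced by policy and actually enrolled.
PHI_ORG_UNIT = "/PHI"

# Constructed sample, shaped like the JSON returned by users.list.
SAMPLE_EXPORT = json.dumps({
    "users": [
        {"primaryEmail": "alice@example.com", "orgUnitPath": "/PHI/Clinical",
         "suspended": False, "isAdmin": False,
         "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True},
        {"primaryEmail": "bob@example.com", "orgUnitPath": "/PHI",
         "suspended": False, "isAdmin": False,
         "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": True},
        {"primaryEmail": "carol@example.com", "orgUnitPath": "/PHI/Billing",
         "suspended": False, "isAdmin": False,
         "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": False},
        {"primaryEmail": "dave@example.com", "orgUnitPath": "/Marketing",
         "suspended": False, "isAdmin": True,
         "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False},
        {"primaryEmail": "erin@example.com", "orgUnitPath": "/PHI",
         "suspended": True, "isAdmin": False,
         "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False},
        {"primaryEmail": "frank@example.com", "orgUnitPath": "/Marketing",
         "suspended": False, "isAdmin": False,
         "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False},
    ]
})


def in_org_unit(path, root):
    """True if `path` is `root` itself or an OU nested beneath it."""
    return path == root or path.startswith(root.rstrip("/") + "/")


def audit_users(export_json, phi_ou=PHI_ORG_UNIT):
    """Return {email: [issue, ...]} for active accounts that break the policy.

    Issues raised:
      2sv_not_enforced  - user is in the PHI OU but no policy forces 2SV on them
      2sv_not_enrolled  - user is in the PHI OU and has not set up 2SV
      admin_without_2sv - an admin anywhere in the domain has not set up 2SV
    """
    findings = {}
    for user in json.loads(export_json).get("users", []):
        if user.get("suspended"):
            continue  # suspended accounts cannot sign in; track them separately
        email = user["primaryEmail"]
        issues = []
        if in_org_unit(user.get("orgUnitPath", "/"), phi_ou):
            if not user.get("isEnforcedIn2Sv", False):
                issues.append("2sv_not_enforced")
            if not user.get("isEnrolledIn2Sv", False):
                issues.append("2sv_not_enrolled")
        # Admins can reach every service and every user's data, so they need
        # 2SV regardless of which OU they sit in.
        if user.get("isAdmin") and not user.get("isEnrolledIn2Sv", False):
            issues.append("admin_without_2sv")
        if issues:
            findings[email] = issues
    return findings


if __name__ == "__main__":
    for email, issues in sorted(audit_users(SAMPLE_EXPORT).items()):
        print(f"{email}: {', '.join(issues)}")
```

The distinction between "enforced" and "enrolled" matters: a policy that requires 2-step verification does nothing for a user who has not yet enrolled, and an enrolled user whose OU has no enforcement can silently turn it off. Frank is outside the PHI organizational unit and is not an admin, so he is not flagged, which is exactly why PHI services should be switched on only for the OU you audit.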
What Google Services Does the BAA cover?
Google’s BAA currently covers the following Google services:
- Gmail
- Google Calendar
- Drive (including Docs, Sheets, Slides, and Forms)
- Google Hangouts (chat messaging feature only)
- Chat
- Google Meet
- Google Keep
- Cloud Search
- Google Sites
- Groups
- Google Tasks
- Google Voice (managed users only)
- Jamboard
- Google Vault services
- Google Cloud Identity Management
Remember that you cannot store or communicate PHI with any Google services not covered under the Google BAA.
Can Every Version of G Suite be HIPAA Compliant?
No. Google only offers its BAA to paid G Suite customers, so only a paid edition can be configured to be HIPAA compliant; free consumer Google accounts (such as a personal Gmail account) are not covered and cannot be used for PHI. That is one of the many reasons you may want to upgrade to the right G Suite license.