Is G Suite HIPAA Compliant?

Google built G Suite with privacy and security measures designed to keep data secure, and those protections are of a high enough standard to meet the requirements of the HIPAA Security Rule. Google will also sign a business associate agreement (BAA) with HIPAA covered entities. So, is G Suite HIPAA compliant? G Suite can be used without breaking HIPAA Rules, but whether a deployment actually complies depends at least as much on how the covered entity configures and uses the service as on the cloud service provider.

Enabling HIPAA Compliance on G Suite

As with any secure cloud service or platform, it is possible to use G Suite in a manner that breaks HIPAA Rules. Google provides the safeguards that allow HIPAA covered entities to use G Suite in a HIPAA compliant fashion, but it is up to the covered entity to ensure that G Suite is configured correctly and that staff use it appropriately.

Complete a BAA with Google

One important obligation under HIPAA is to obtain a signed, HIPAA-compliant business associate agreement (BAA) from any vendor that will create, receive, maintain or transmit ePHI on the covered entity's behalf.

Google first committed to signing a business associate agreement with healthcare organizations in 2013, back when G Suite was known as Google Apps. The BAA must be in place before G Suite is used to store, maintain, or transmit electronic protected health information. Google's privacy and security measures are no substitute for the agreement: using G Suite with ePHI without a BAA is itself a HIPAA violation.

Obtaining a signed BAA from Google is the first step toward HIPAA compliance, but a BAA on its own does not guarantee compliance with HIPAA Rules.

Set Up Access Controls

Before G Suite can be used to manage any ePHI, the G Suite account and its services must be configured correctly via the admin console. Access controls must restrict the services that are used with PHI to authorized persons only. Organizational units and user groups are the simplest way of granting, and revoking, that access, and audit logging and alerts must also be set up so that access to PHI can be monitored.

You should also disable any additional services that are not required, set services that will carry PHI to 'On for some organizations' so that only the organizational units that need them have access, and enable services that will not carry PHI for everyone.

Establish Device Controls

HIPAA-covered entities must also ensure that the devices used to access G Suite have appropriate security measures. For example, if a smartphone can be used to log in to G Suite and that device is lost or stolen, it should not be possible for an unauthorized person to use it. Every mobile device must require a screen lock (PIN, password or biometric) before access to G Suite is granted, and devices must be set to lock automatically. The ability to remotely wipe all data (including PHI) stored on a mobile device should also be available. HIPAA-covered entities should also enable two-factor authentication (2-Step Verification, in Google's terminology) for all accounts.

Not All Google Services are Included in the BAA

You may choose to enable Google services that are not covered by the BAA, but those services cannot be used for storing or sending PHI. For instance, Google+ and Google Talk are not included in the BAA and cannot be used with any PHI.

If you do decide to turn these services on, you must ensure that your policies forbid the use of PHI with them and that those policies are effectively communicated to all staff. Employees must also receive training on using G Suite with PHI so that HIPAA Rules are not broken by accident.

What HIPAA Compliant Services are in G Suite?

Only the following core services of G Suite are covered by Google's BAA, and can therefore be used with PHI:

  • Gmail (G Suite accounts only; free consumer Gmail accounts are not covered)
  • Calendar
  • Drive
  • Apps Script
  • Keep
  • Sites
  • Jamboard
  • Hangouts (Chat messaging only)
  • Google Cloud Search
  • Vault
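
The access control, device control and covered-service points above all come down to configuration state that can be checked rather than assumed. As an added example that is not part of the original article and is not Google's own tooling, the Python script below audits an exported snapshot of a tenant for all three: non-BAA services switched on for organizational units that handle PHI, users in those units who are not both enforced into and enrolled in 2-Step Verification, and their mobile devices that have no device password. All records are constructed sample data. The user and device field names follow the Admin SDK Directory API `users.list` and `mobiledevices.list` resources; the per-OU service table is a hypothetical export format, not an API response.

```python
"""Offline audit of a G Suite export against the controls described in this article.

All records below are CONSTRUCTED sample data. Field names follow the Admin SDK
Directory API resources users.list (isEnrolledIn2Sv, isEnforcedIn2Sv, orgUnitPath)
and mobiledevices.list (devicePasswordStatus, email, status); the per-OU service
table is a hypothetical export format, not an API response.
"""

# Services the article lists as covered by Google's BAA.
BAA_COVERED_SERVICES = {
    "Gmail", "Calendar", "Drive", "Apps Script", "Keep", "Sites",
    "Jamboard", "Hangouts", "Google Cloud Search", "Vault",
}

# Constructed: which services are switched on for each organizational unit,
# and whether users in that unit are authorized to handle PHI.
SAMPLE_OU_SERVICES = {
    "/Clinical":  {"handles_phi": True,  "services_on": ["Gmail", "Drive", "Calendar", "Google+"]},
    "/Billing":   {"handles_phi": True,  "services_on": ["Gmail", "Drive", "Vault"]},
    "/Marketing": {"handles_phi": False, "services_on": ["Gmail", "Drive", "Google+", "Google Talk"]},
}

# Constructed: trimmed users.list records.
SAMPLE_USERS = [
    {"primaryEmail": "a.nurse@example.com",  "orgUnitPath": "/Clinical",  "isEnrolledIn2Sv": True,  "isEnforcedIn2Sv": True},
    {"primaryEmail": "b.doctor@example.com", "orgUnitPath": "/Clinical",  "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": True},
    {"primaryEmail": "c.coder@example.com",  "orgUnitPath": "/Billing",   "isEnrolledIn2Sv": True,  "isEnforcedIn2Sv": False},
    {"primaryEmail": "d.intern@example.com", "orgUnitPath": "/Marketing", "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False},
]

# Constructed: trimmed mobiledevices.list records.
SAMPLE_DEVICES = [
    {"resourceId": "dev-001", "email": ["a.nurse@example.com"],  "devicePasswordStatus": "On",  "status": "APPROVED"},
    {"resourceId": "dev-002", "email": ["b.doctor@example.com"], "devicePasswordStatus": "Off", "status": "APPROVED"},
    {"resourceId": "dev-003", "email": ["d.intern@example.com"], "devicePasswordStatus": "Off", "status": "APPROVED"},
]


def phi_org_units(ou_services):
    """Org unit paths whose users are authorized to handle PHI."""
    return {ou for ou, cfg in ou_services.items() if cfg["handles_phi"]}


def uncovered_services_enabled(ou_services, covered=BAA_COVERED_SERVICES):
    """(ou, service) pairs where a PHI-handling unit has a non-BAA service turned on.

    Each hit is a service to disable, or to cover explicitly in policy and training,
    since PHI must never end up in a service outside the BAA.
    """
    return sorted(
        (ou, svc)
        for ou, cfg in ou_services.items()
        if cfg["handles_phi"]
        for svc in cfg["services_on"]
        if svc not in covered
    )


def users_missing_2sv(users, phi_ous):
    """PHI-handling users not both enforced into and enrolled in 2-Step Verification.

    isEnforcedIn2Sv reflects the admin policy; isEnrolledIn2Sv reflects whether the
    user has actually set it up. A user can be enforced yet still unenrolled during
    an enrollment grace period, so both flags must be true.
    """
    return sorted(
        u["primaryEmail"]
        for u in users
        if u["orgUnitPath"] in phi_ous
        and not (u["isEnforcedIn2Sv"] and u["isEnrolledIn2Sv"])
    )


def devices_without_screen_lock(devices, phi_users):
    """Resource IDs of approved devices of PHI-handling users with no device password."""
    return sorted(
        d["resourceId"]
        for d in devices
        if d["status"] == "APPROVED"
        and any(e in phi_users for e in d["email"])
        and d["devicePasswordStatus"] != "On"
    )


def audit(ou_services=SAMPLE_OU_SERVICES, users=SAMPLE_USERS, devices=SAMPLE_DEVICES):
    """Run all three checks and return the findings as one dict."""
    phi_ous = phi_org_units(ou_services)
    phi_users = {u["primaryEmail"] for u in users if u["orgUnitPath"] in phi_ous}
    return {
        "uncovered_services": uncovered_services_enabled(ou_services),
        "users_missing_2sv": users_missing_2sv(users, phi_ous),
        "devices_without_lock": devices_without_screen_lock(devices, phi_users),
    }


if __name__ == "__main__":
    for finding, items in audit().items():
        print(f"{finding}: {items}")
```

On the sample data the audit flags Google+ in the Clinical unit, two PHI-handling users whose 2-Step Verification is either not enforced or not yet enrolled, and one approved device with no device password. Marketing is deliberately not flagged: it does not handle PHI, so the non-BAA services enabled there are a policy and training matter rather than a configuration finding.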

To help healthcare organizations make G Suite HIPAA compliant, Google has published guidance on configuring it: read Google's G Suite HIPAA Implementation Guide.