Yes, G Suite can be configured to be HIPAA compliant.
In this post we will discuss G Suite apps and learn what it takes to operate your G Suite account in a HIPAA compliant manner.
Common G Suite Features and HIPAA Compliance Considerations
Do not assume the configuration settings of G Suite apps or features are optimized for HIPAA compliance by default. To meet HIPAA requirements you must combine the technical security control settings in G Suite with administrative security controls that you are responsible for carrying out.
Gmail
By default, emails sent by Gmail are not encrypted in transmission when sent across the Internet. In order to use Gmail to send HIPAA compliant emails, you will need to set up a mechanism to provide end-to-end encryption from sender to recipient.
Encryption for Gmail on G Suite Enterprise
- For G Suite Enterprise users, Google provides a built-in option to send messages with Gmail using S/MIME.
- Using S/MIME only works if the email is being sent from and to G Suite Enterprise Gmail accounts.
Encryption for Gmail on Basic and Business G Suite Accounts
- Users with Basic or Business G Suite accounts and those who wish to send secure emails to external recipients will need a third party encryption solution.
- Basic and Business users can encrypt Gmail messages using 3rd party services like Paubox or Virtru.
Google Drive
- Files containing PHI (Protected Health Information) that you wish to store on Google Drive should be encrypted before being uploaded.
- Before storing PHI on Google Drive, administrators must properly configure sharing permissions that align with your role-based access policies and permission groups.
- Administrators must periodically review user activity and document updates.
The Google HIPAA Implementation Guide
- Google has provided an official HIPAA Implementation Guide that outlines what configuration settings are available and where they can be changed in the G Suite admin dashboard.
- For the past several years Google has updated this HIPAA guide at least annually; check the footer for the release date to determine if the copy you are viewing is outdated.
- Do not rely solely on this implementation guide to identify the required security settings. It is your responsibility to make sure all requirements are covered.
Will Google Sign a Business Associate Agreement?
Google provides official instructions titled Accept the HIPAA Business Associate Amendment that G Suite administrators can use to review and accept a HIPAA Business Associate Agreement (BAA). You will be guided through the process of accepting your BAA in 5 easy steps.
Takeaways
- G Suite can be configured to be HIPAA compliant through encryption and administrative controls
- Google offers a HIPAA implementation guide (found here) to assist you in this process, but it is your responsibility to ensure it’s executed properly
- Google will sign a Business Associate Agreement (BAA)
- Check out our blog for more guidance on Choosing HIPAA Compliant Software
Are you unsure if G Suite is the right platform to support your healthcare services?
Gazelle Consulting is here to help! Call us today at (503) 389-5666, email us at info@gazelleconsulting.org, or contact us here. We can answer all of your HIPAA compliance questions and help you feel as confident as a lion in a grassy savanna.
