Yes, G Suite can be configured to be HIPAA compliant. In this post we will discuss G Suite apps and learn what it takes to operate your G Suite account in a HIPAA compliant manner.
Do not assume that the default settings of G Suite apps and features are configured for HIPAA compliance. To meet HIPAA requirements you must combine the technical security controls available in G Suite with administrative security controls that you are responsible for carrying out.
Common G Suite Features and HIPAA considerations
By default, emails sent by Gmail are not encrypted in transmission when sent across the Internet. In order to use Gmail to send HIPAA compliant emails, you will need to set up a mechanism to provide end-to-end encryption from sender to recipient.
Encryption for Gmail on G Suite Enterprise
- For G Suite Enterprise users, Google provides a built-in option to send messages with Gmail using S/MIME.
- Using S/MIME only works if the email is being sent from and to G Suite Enterprise Gmail accounts.
Encryption for Gmail on Basic and Business G Suite Accounts
- Users with a Basic or Business G Suite account, and anyone who needs to send secure emails to external recipients, will need a third-party encryption solution.
- Basic and Business users can encrypt Gmail messages using third-party services such as Paubox or Virtru.
- Files containing PHI that you wish to store on Google Drive should be encrypted before being uploaded.
- Before storing PHI on Google Drive, administrators must configure sharing permissions that align with your role-based access policies and permission groups.
- Administrators must periodically review user activity and document updates.
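The periodic review of Drive sharing permissions described above can be scripted against a permissions export. The following is an added example, not code from the original post or from Google; the permission records are constructed for illustration, and their field names (type, role, emailAddress, domain) are an assumption about the export format. The audit flags any PHI-tagged file that is shared via a public link, with a domain outside your own, or with an individual recipient outside your own domains.

```python
"""Flag risky sharing grants on files tagged as containing PHI.

Added example, not from the original post and not Google's own code.
The records below are constructed; their field names are assumed to
mirror a Drive permissions export, but the audit logic does not depend
on any particular API.
"""
from collections import defaultdict

# Constructed sample export: one entry per (file, permission) pair.
SAMPLE_PERMISSIONS = [
    {"fileId": "f1", "name": "intake-form.pdf", "phi": True,
     "type": "user", "role": "writer", "emailAddress": "nurse@clinic.example"},
    {"fileId": "f2", "name": "lab-results.xlsx", "phi": True,
     "type": "anyone", "role": "reader"},
    {"fileId": "f3", "name": "billing-notes.docx", "phi": True,
     "type": "user", "role": "reader", "emailAddress": "bob@mail.example"},
    {"fileId": "f4", "name": "holiday-schedule.docx", "phi": False,
     "type": "domain", "role": "reader", "domain": "clinic.example"},
    {"fileId": "f5", "name": "referrals.csv", "phi": True,
     "type": "domain", "role": "reader", "domain": "partner.example"},
]

# Domains owned by the covered entity (assumed value for this example).
INTERNAL_DOMAINS = {"clinic.example"}


def email_domain(addr):
    """Return the lower-cased domain part of an email address."""
    return addr.rsplit("@", 1)[-1].lower()


def classify_permission(perm, internal_domains=INTERNAL_DOMAINS):
    """Return a finding label for a risky grant on a PHI file, else None."""
    if not perm.get("phi"):
        return None
    ptype = perm.get("type")
    if ptype == "anyone":
        # Link sharing: anyone holding the URL can read the file.
        return "public-link"
    if ptype == "domain" and perm.get("domain", "").lower() not in internal_domains:
        return "external-domain"
    if ptype in ("user", "group"):
        addr = perm.get("emailAddress", "")
        if "@" not in addr or email_domain(addr) not in internal_domains:
            return "external-recipient"
    return None


def audit(records, internal_domains=INTERNAL_DOMAINS):
    """Group findings by file id; files with no risky grant are omitted."""
    findings = defaultdict(list)
    for perm in records:
        label = classify_permission(perm, internal_domains)
        if label:
            findings[perm["fileId"]].append(label)
    return dict(findings)


if __name__ == "__main__":
    for file_id, issues in audit(SAMPLE_PERMISSIONS).items():
        print(file_id, ", ".join(issues))
```

Run the audit on each review cycle and keep the output with your review records; an empty result is the evidence that no PHI file carried a public or external grant at that time.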
The Google HIPAA Implementation Guide
- Google has provided an official HIPAA Implementation Guide that outlines what configuration settings are available and where they can be changed in the G Suite admin dashboard.
- For the past several years Google has updated this HIPAA guide at least annually; check the footer for the release date to determine whether the copy you are viewing is outdated.
- Do not rely solely on this implementation guide to identify the required security settings. It is your responsibility to make sure all requirements are covered.
Will Google Sign a Business Associate Agreement?
Google provides official instructions titled Accept the HIPAA Business Associate Amendment that G Suite administrators can use to review and accept a HIPAA Business Associate Agreement (BAA). You will be guided through the process of accepting your BAA in 5 easy steps.
Deciding if G Suite is HIPAA Compliant for You
Adding new software to information systems that