Gazelle Consulting

Is G Suite HIPAA Compliant?


Yes, G Suite can be configured to be HIPAA compliant. In this post we will discuss G Suite apps and learn what it takes to operate your G Suite account in a HIPAA compliant manner.

Do not assume the configuration settings of G Suite apps or features are optimized for HIPAA compliance by default. It is important to understand that meeting HIPAA requirements combines the technical security control settings in G Suite with administrative security controls you are responsible for carrying out.

You must consider each G Suite feature on a case-by-case basis to identify what security controls are available and ensure those controls do not violate your established security procedures.

Common G Suite Features and HIPAA considerations

Gmail

By default, emails sent by Gmail are not encrypted in transmission when sent across the Internet. In order to use Gmail to send HIPAA compliant emails, you will need to set up a mechanism to provide end-to-end encryption from sender to recipient.

There are a number of options available for encrypting messages. For G Suite Enterprise users, Google provides an option to send messages with Gmail using S/MIME. Using S/MIME only works if the email is being sent from and to G Suite Enterprise Gmail accounts.

Users with Basic or Business G Suite accounts, and those who wish to send secure emails to external recipients, will need another encryption solution. Basic and Business users can encrypt Gmail messages using third-party services like Paubox or Virtru.

Google Drive

Files containing PHI stored on Google Drive should be encrypted before being uploaded. Before storing PHI on Google Drive, administrators must properly configure sharing permissions and periodically review user activity and file version updates.

Security features required by HIPAA are also available for other Google apps, such as Calendar and Hangouts, that are not covered in this article, but those features may not be enabled by default. A HIPAA-savvy IT administrator can help you get your G Suite account set up correctly.

There is Help!

Google has provided an official HIPAA Implementation Guide that outlines some settings to consider for HIPAA compliance. For the past several years Google has updated this HIPAA guide at least annually; check the footer for the release date to determine if the copy you are viewing is outdated. This document can be used in combination with your procedure documentation to find out what configuration settings are available and where they can be changed in the G Suite admin dashboard. Contact Gazelle Consulting for a free consultation if you would appreciate guidance on getting set up.

Will Google Sign a Business Associate Agreement?

Google provides official instructions titled Accept the HIPAA Business Associate Amendment that G Suite administrators can use to review and accept a HIPAA Business Associate Agreement (BAA). You will be guided through the process of accepting your BAA in 5 easy steps.

Deciding if G Suite is HIPAA Compliant for You

New collaborative cloud-computing software that stores or transmits PHI should meet your policy requirements for data encryption, role-based authorization, system activity monitoring and other features that support your HIPAA compliance processes.

Additionally, adding new software to information systems that process your PHI is a development you will want to handle with great deliberation and care. If you have any questions about whether G Suite offers the best collaborative services to support your healthcare services, send Gazelle Consulting a message today or call 503-389-5666.
