Gazelle Consulting

Is G Suite HIPAA Compliant?

Yes, G Suite can be configured to be HIPAA compliant. In this post we will discuss G Suite apps and learn what it takes to operate your G Suite account in a HIPAA compliant manner.

Do not assume the configuration settings of G Suite apps or features are optimized for HIPAA compliance by default. To meet HIPAA requirements you must combine the technical security control settings in G Suite with administrative security controls that you are responsible for carrying out.

Common G Suite Features and HIPAA considerations


By default, emails sent by Gmail are not encrypted in transmission when sent across the Internet. In order to use Gmail to send HIPAA compliant emails, you will need to set up a mechanism to provide end-to-end encryption from sender to recipient.

Encryption for Gmail on G Suite Enterprise

  • For G Suite Enterprise users, Google provides a built-in option to send messages with Gmail using S/MIME.
  • Using S/MIME only works if the email is being sent from and to G Suite Enterprise Gmail accounts.

Encryption for Gmail on Basic and Business G Suite Accounts

  • Users with a Basic or Business G Suite account, and those who wish to send secure emails to external recipients, will need a third-party encryption solution.
  • Basic and Business users can encrypt Gmail messages using third-party services like Paubox or Virtru.

Google Drive

  • Files containing PHI that you wish to store on Google Drive should be encrypted before being uploaded.
  • Before storing PHI on Google Drive, administrators must properly configure sharing permissions that align with your role-based access policies and permission groups.
  • Administrators must periodically review user activity and document updates.
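
The sharing-permission review described in the Google Drive list above can be automated. The following is an added example, not code from the original post or from Google: it checks constructed permission records, shaped like the Drive API v3 permission fields `type`, `role`, `emailAddress` and `domain`, against a hypothetical role-based policy. The domain, group addresses, labels and file names are assumptions.

```python
# Added example: audit Drive sharing against a role-based access policy.
# Records mirror Drive API v3 permission fields; all data here is constructed.
ORG_DOMAIN = "clinic.example"  # assumption: your G Suite primary domain
# Assumption: each PHI label maps to the groups allowed to hold access.
POLICY = {
    "phi-billing": {"billing@clinic.example"},
    "phi-clinical": {"clinicians@clinic.example", "nurses@clinic.example"},
}
WRITE_ROLES = {"owner", "organizer", "fileOrganizer", "writer"}

FILES = [  # constructed sample inventory
    {"name": "claims-2019.xlsx.enc", "label": "phi-billing", "permissions": [
        {"type": "group", "role": "writer", "emailAddress": "billing@clinic.example"},
        {"type": "anyone", "role": "reader"},
        {"type": "user", "role": "reader", "emailAddress": "frontdesk@clinic.example"},
    ]},
    {"name": "intake-notes.docx.enc", "label": "phi-clinical", "permissions": [
        {"type": "group", "role": "reader", "emailAddress": "clinicians@clinic.example"},
        {"type": "user", "role": "writer", "emailAddress": "temp@gmail.com"},
        {"type": "domain", "role": "reader", "domain": "clinic.example"},
    ]},
    {"name": "fee-schedule.pdf.enc", "label": "phi-billing", "permissions": [
        {"type": "group", "role": "writer", "emailAddress": "billing@clinic.example"},
    ]},
]

def audit_file(f):
    """Return (severity, reason) findings for one file's permission list."""
    allowed = POLICY.get(f["label"], set())
    findings = []
    for p in f["permissions"]:
        who = p.get("emailAddress") or p.get("domain") or p["type"]
        if p["type"] == "anyone":
            findings.append(("high", "link sharing: anyone with the link"))
        elif p["type"] == "domain":
            findings.append(("medium", f"shared with whole domain {who}"))
        elif not who.endswith("@" + ORG_DOMAIN):
            findings.append(("high", f"external {p['type']} {who} has {p['role']}"))
        elif who not in allowed:
            sev = "high" if p["role"] in WRITE_ROLES else "medium"
            findings.append((sev, f"{who} not in policy for {f['label']}"))
    return findings

def audit(files):
    """Map file name -> findings, omitting files that match the policy."""
    results = {f["name"]: audit_file(f) for f in files}
    return {name: fs for name, fs in results.items() if fs}

if __name__ == "__main__":
    for name, findings in audit(FILES).items():
        for sev, reason in findings:
            print(f"[{sev}] {name}: {reason}")
```

Keeping the output of each run gives you a dated record of the periodic review.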

The Google HIPAA Implementation Guide

  • Google has provided an official HIPAA Implementation Guide that outlines what configuration settings are available and where they can be changed in the G Suite admin dashboard.
  • For the past several years Google has updated this HIPAA guide at least annually. Check the footer for the release date to determine if the copy you are viewing is outdated.
  • Do not rely solely on this implementation guide to identify the required security settings. It is your responsibility to make sure all requirements are covered.

Will Google Sign a Business Associate Agreement?

Google provides official instructions titled Accept the HIPAA Business Associate Amendment that G Suite administrators can use to review and accept a HIPAA Business Associate Agreement (BAA). You will be guided through the process of accepting your BAA in 5 easy steps.

Deciding if G Suite is HIPAA Compliant for You

Adding new software to information systems that process your PHI is a development you will want to handle with great deliberation and care. If you have any questions about whether G Suite offers the best collaborative services to support your healthcare services, send Gazelle Consulting a message today or call 503-389-5666.
