Yes, G Suite can be configured to be HIPAA compliant. In this post we will discuss G Suite apps and learn what it takes to operate your G Suite account in a HIPAA compliant manner.
Do not assume the configuration settings of G Suite apps or features are optimized for HIPAA compliance by default. It is important to understand that meeting HIPAA requirements combines the technical security control settings in G Suite with administrative security controls you are responsible for carrying out.
You must consider each G Suite feature on a case by case basis to identify what security controls are available, and confirm that the way you configure them is consistent with your established security procedures.
Common G Suite Features and HIPAA considerations
By default, Gmail encrypts email in transit with TLS only when the receiving mail server also supports it (opportunistic TLS). When the other server does not, the message crosses the Internet in cleartext, and even when TLS is negotiated it only protects each server-to-server hop: every relay along the path handles the message unencrypted. In order to use Gmail to send HIPAA compliant emails, you will need a mechanism that encrypts the message content end to end, from sender to recipient.
There are a number of options available for encrypting messages. For G Suite Enterprise users, Google provides hosted S/MIME in Gmail. S/MIME only protects a message when both the sender and the recipient have S/MIME set up and have exchanged certificates, so in practice it covers mail between G Suite Enterprise Gmail accounts and only those external recipients whose mail clients support S/MIME.
Users with Basic or Business G Suite accounts, and anyone who needs to send secure emails to external recipients without S/MIME, will need another encryption solution. Basic and Business users can encrypt Gmail messages using third-party services like Paubox or Virtru.
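To make the hop-by-hop nature of transport encryption concrete, here is an added Go example (not code from the original post or from Google) that parses the Received: headers of a message and reports which server-to-server legs negotiated TLS. The message it analyzes is constructed for the example and the host names (mx.clinic.example, smtp.partner.example) are placeholders; the markers it looks for are the RFC 3848 `with ESMTPS` transmission types and the `version=` clause that mail servers such as Google's record in the header.

```go
package main

import (
	"fmt"
	"net/mail"
	"regexp"
	"strings"
)

// Hop summarises one Received: header: which server accepted the message and
// whether that single server-to-server leg was protected by TLS.
type Hop struct {
	By      string // receiving host from the "by" clause
	Proto   string // keyword after "with" (RFC 3848): SMTP, ESMTP, ESMTPS, ESMTPSA ...
	Version string // TLS version if the MTA recorded one (e.g. version=TLS1_3), else ""
}

var (
	byRe      = regexp.MustCompile(`(?i)\bby\s+([^\s;()]+)`)
	withRe    = regexp.MustCompile(`(?i)\bwith\s+([A-Za-z0-9]+)`)
	versionRe = regexp.MustCompile(`(?i)\bversion=([A-Za-z0-9_.]+)`)
)

// UsedTLS is true when the hop advertised a TLS transmission type or a version clause.
func (h Hop) UsedTLS() bool {
	return h.Version != "" || strings.HasPrefix(h.Proto, "ESMTPS")
}

func parseHop(received string) Hop {
	var h Hop
	if m := byRe.FindStringSubmatch(received); m != nil {
		h.By = m[1]
	}
	if m := withRe.FindStringSubmatch(received); m != nil {
		h.Proto = strings.ToUpper(m[1])
	}
	if m := versionRe.FindStringSubmatch(received); m != nil {
		h.Version = m[1]
	}
	return h
}

// AnalyzeReceived parses a raw RFC 5322 message and returns one Hop per
// Received: header, in header order (most recent relay first).
func AnalyzeReceived(raw string) ([]Hop, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	var hops []Hop
	for _, r := range msg.Header["Received"] {
		hops = append(hops, parseHop(r))
	}
	return hops, nil
}

// AllHopsTLS reports whether every recorded hop used TLS. Even a true result
// only proves encryption between servers: each relay still held the message
// in cleartext, which is why PHI needs end-to-end encryption on top.
func AllHopsTLS(hops []Hop) bool {
	if len(hops) == 0 {
		return false
	}
	for _, h := range hops {
		if !h.UsedTLS() {
			return false
		}
	}
	return true
}

// SampleMessage is a constructed example, not a real capture: the last hop
// into the clinic's MX used TLS 1.3, the earlier hop from a partner's internal
// relay was plain ESMTP.
const SampleMessage = `Received: from mail-sor-f41.google.com (mail-sor-f41.google.com. [209.85.220.41])
        by mx.clinic.example with ESMTPS id x1-20020abc
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 01 Jan 2024 10:00:02 +0000
Received: from [10.0.0.5] by smtp.partner.example with ESMTP id 4F2A1;
        Mon, 01 Jan 2024 09:59:50 +0000
From: Dr. A <a@partner.example>
To: intake@clinic.example
Subject: Referral

Body omitted.
`

func main() {
	hops, err := AnalyzeReceived(SampleMessage)
	if err != nil {
		panic(err)
	}
	for i, h := range hops {
		fmt.Printf("hop %d: by %-22s with %-7s tls=%v %s\n", i, h.By, h.Proto, h.UsedTLS(), h.Version)
	}
	fmt.Println("all hops TLS:", AllHopsTLS(hops))
}
```

Run against a real message by pasting its raw source (Gmail: "Show original") into SampleMessage. A false from AllHopsTLS means at least one leg was cleartext; a true only tells you the servers spoke TLS to each other, not that the content was protected from the servers themselves.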
Files containing PHI stored on Google Drive should be encrypted before being uploaded, with the encryption keys kept outside Google's control. Before storing PHI on Google Drive, administrators must configure sharing permissions (for example, restrict sharing outside the domain and "anyone with the link" access) and periodically review user activity and file version history.
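One way to do the client-side encryption, as an added example that is not from the post or from any Google tooling: AES-256-GCM from Go's standard library, with the file name bound as associated data so a ciphertext cannot be quietly passed off under a different name, and with the key generated and held outside Drive. The file name, sample record and key handling are illustrative assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh 256-bit AES key. The key is what keeps the PHI
// private: store it in a key manager you control, never in the same Drive
// folder as the file.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-256-GCM before upload. The file name is
// bound as associated data, so a ciphertext copied under another name will
// not decrypt. Output layout: nonce || ciphertext || 16-byte tag.
func Seal(key, plaintext []byte, fileName string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(fileName)), nil
}

// Open reverses Seal after download. Any modification of the blob, a wrong
// key, or a mismatched file name fails authentication and returns an error
// instead of garbled plaintext.
func Open(key, blob []byte, fileName string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:n], blob[n:], []byte(fileName))
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record, not real patient data.
	record := []byte("MRN 000123; visit 2024-01-01; dx: routine follow-up")
	blob, err := Seal(key, record, "visit-notes.txt")
	if err != nil {
		panic(err)
	}
	fmt.Printf("upload %d bytes of ciphertext to Drive\n", len(blob))
	back, err := Open(key, blob, "visit-notes.txt")
	if err != nil {
		panic(err)
	}
	fmt.Printf("decrypted after download: %s\n", back)
}
```

Because GCM authenticates the ciphertext, a Drive-side edit, a truncated download or a swapped file name all surface as a decryption error, which is the behaviour you want when the data is PHI. A random 96-bit nonce per file is fine at the scale of a document store; if you expect very large numbers of files under one key, rotate keys rather than relying on random nonces alone.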
Security features required by HIPAA are available for other Google apps not covered in this article, like Calendar and Hangouts, but those features may not be enabled by default. A HIPAA-savvy IT administrator can help you get your G Suite account set up correctly.
There is Help!
Google has provided an official HIPAA Implementation Guide that outlines some settings to consider for HIPAA compliance. For the past several years Google has updated this HIPAA guide at least annually; check the footer for the release date to determine whether the copy you are viewing is outdated. This document can be used in combination with your procedure documentation to find out what configuration settings are available and where they can be changed in the G Suite admin dashboard. Contact Gazelle Consulting for a free consultation if you would appreciate guidance on getting set up.
Will Google Sign a Business Associate Agreement?
Google provides official instructions titled Accept the HIPAA Business Associate Amendment that G Suite administrators can use to review and accept a HIPAA Business Associate Agreement (BAA). You will be guided through the process of accepting your BAA in 5 easy steps.
Deciding if G Suite is HIPAA Compliant for You
New collaborative cloud-computing software that stores or transmits PHI should meet your policy requirements for data encryption, role-based authorization, system activity monitoring and other features that support your HIPAA compliance processes.
Additionally, adding new software to information systems that