Google Workspace HIPAA Compliance Guide


Google works constantly to keep its customers' data secure. Does that automatically make Google HIPAA compliant? For organizations subject to requirements like HIPAA, it isn't always obvious whether cloud platforms such as Google's are prepared to meet strict regulatory obligations. HIPAA, the Health Insurance Portability and Accountability Act, requires covered entities and their business associates to follow specific rules for handling patients' Protected Health Information (PHI).

Is Google Workspace HIPAA Compliant?


The short answer is that Google Workspace and Cloud Identity can support HIPAA compliance. That does not mean every Google Workspace deployment is inherently compliant. Google requires customers who are subject to HIPAA and want to use Workspace or Cloud Identity with PHI to first sign a Business Associate Agreement (BAA); beyond that, compliance depends on how the organization configures and uses the covered services. As the healthcare industry changes, it needs technology and services equipped to handle the evolving security needs of providers and patients.

What Apps can be made HIPAA-Compliant?

Do not assume that because an application is available in the Google Workspace suite it is automatically compliant, or even offers an option for compliant use.


Many services outside the "core" Workspace services are not covered by the BAA and must not be used to store or transmit PHI, and even the covered core services need to be carefully vetted and configured before they handle PHI.

Additionally, Google's technical support services are not among the HIPAA-covered services in Google Workspace. Administrators must take care not to expose PHI to outside support teams while troubleshooting, for example by pasting it into support tickets, screenshots, or shared sessions.

Only some Google services and applications within Workspace can be made HIPAA compliant. These apps include:

  • Gmail
  • Calendar
  • Drive
  • Docs
  • Sheets
  • Slides
  • Forms
  • Google Chat
  • Google Meet
  • Keep
  • Google Cloud Search
  • Google Voice
  • Sites
  • Google Groups
  • Jamboard
  • Cloud Identity Management
  • Vault
  • Tasks

How to Achieve HIPAA Compliance in Google Workspace

The first step in implementing a HIPAA-safe Google Workspace system is to sign Google's Business Associate Agreement (BAA).


It is up to each organization to determine whether it handles PHI and therefore needs to accept Google's BAA. After the BAA is in place, administrators need to apply HIPAA-appropriate settings to each covered application their organization uses. Google publishes a full set of recommendations for these settings, the Google Workspace and Cloud Identity HIPAA Implementation Guide.

Most of these settings come down to selecting the most restrictive option wherever PHI or other sensitive data is involved. For example, Google recommends restricting how calendars can be shared outside the organization, so that external parties see at most free/busy information rather than event details. An appointment's title, description, or attendee list can itself contain PHI, and a calendar shared too broadly exposes it to anyone with access.
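The following is an added example, not code from the original article or from Google, of the kind of check an administrator can run after applying the Calendar settings: it scans calendar ACL rules in the shape returned by the Calendar API's acl.list method and flags any rule that grants event-detail access (reader, writer, or owner) to a party outside the organization. The sample rules and the organization domain `example-clinic.org` are constructed for the example.

```python
"""Audit Google Calendar ACL rules for sharing that exposes event details externally.

Added example; not code from the original article or from Google.  It operates on
ACL rules in the shape returned by the Calendar API acl.list method.  The sample
rules below are constructed, and ORG_DOMAIN is an assumed value.
"""

ORG_DOMAIN = "example-clinic.org"  # assumption: the organization's Workspace domain

# Roles that reveal event titles, descriptions and guests (and therefore possibly PHI).
# "freeBusyReader" shows only busy/free blocks; "none" grants no access at all.
DETAIL_ROLES = {"reader", "writer", "owner"}

# Constructed sample of what acl().list(calendarId=...).execute()["items"] returns.
SAMPLE_ACL_RULES = [
    {"id": "user:alice@example-clinic.org",
     "scope": {"type": "user", "value": "alice@example-clinic.org"}, "role": "writer"},
    {"id": "default", "scope": {"type": "default"}, "role": "reader"},  # public calendar
    {"id": "user:vendor@outside-mail.com",
     "scope": {"type": "user", "value": "vendor@outside-mail.com"}, "role": "reader"},
    {"id": "user:partner@outside-mail.com",
     "scope": {"type": "user", "value": "partner@outside-mail.com"}, "role": "freeBusyReader"},
    {"id": "domain:example-clinic.org",
     "scope": {"type": "domain", "value": "example-clinic.org"}, "role": "reader"},
    {"id": "group:billing@example-clinic.org",
     "scope": {"type": "group", "value": "billing@example-clinic.org"}, "role": "reader"},
]


def _is_external(scope: dict, org_domain: str) -> bool:
    """True when the ACL scope reaches outside org_domain."""
    stype = scope.get("type")
    if stype == "default":  # public: anyone, including unauthenticated users
        return True
    value = scope.get("value", "").lower()
    org = org_domain.lower()
    if stype == "domain":
        return value != org
    if stype in ("user", "group"):
        return not value.endswith("@" + org)
    return True  # unknown scope type: fail closed and treat it as external


def find_risky_calendar_shares(rules: list, org_domain: str = ORG_DOMAIN) -> list:
    """Return the ACL rules that give event-detail access to an external party.

    A rule is risky when its scope is external to org_domain AND its role is one of
    DETAIL_ROLES.  Free/busy-only sharing with outsiders is deliberately allowed.
    """
    risky = []
    for rule in rules:
        scope = rule.get("scope", {})
        if rule.get("role") in DETAIL_ROLES and _is_external(scope, org_domain):
            risky.append({
                "id": rule.get("id"),
                "scope": scope.get("type"),
                "value": scope.get("value", "*"),  # public rules carry no value
                "role": rule.get("role"),
            })
    return risky


if __name__ == "__main__":
    for finding in find_risky_calendar_shares(SAMPLE_ACL_RULES):
        print(f"RISK: {finding['scope']}:{finding['value']} has role "
              f"{finding['role']} ({finding['id']})")
```

Run against the constructed rules, the audit flags the public "default" rule and the external user with the reader role, and accepts the external free/busy share and the in-domain entries. In a live run you would replace SAMPLE_ACL_RULES with the items returned by acl.list for each user's calendars, which requires an OAuth credential with calendar read scope and, for other users' calendars, domain-wide delegation.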

When integrating third-party applications, each organization is responsible for ensuring that any PHI shared with outside parties and business associates is handled in a HIPAA-compliant way. For instance, Google Docs may be a covered service under your BAA, but you can still violate HIPAA by sharing a document containing PHI with an external party, or by connecting a third-party add-on that is not covered by a BAA of its own.

Compliance Audits

Google Workspace Core Services are audited against recognized industry standards.

These include ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, SOC 1 and SOC 2 Type II audits, and SOC 3 reports. These are internationally accepted third-party assessments of Google's security controls, and customers can obtain the ISO/IEC certificates and SOC audit reports through Google's Compliance Reports Manager. Note that these audits attest to Google's own controls; they do not assess how a customer configures or uses the services.


Two-Factor Authentication in Google Workspace

Google Workspace's built-in 2-Step Verification (Google's name for two-factor authentication) is one way Google helps healthcare organizations meet security requirements.

The HIPAA Security Rule requires covered entities to verify that a person or entity seeking access to electronic PHI is who they claim to be (person or entity authentication, 45 CFR 164.312(d)). Requiring a second factor at sign-in is a straightforward way to strengthen that verification, and the resulting sign-in records help document it. Administrators must turn on and enforce 2-Step Verification in the Admin console; simply making it available does not guarantee that every user has enrolled, and accounts that have not enrolled can still sign in with a password alone.
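The following is an added example, not code from the original article or from Google, that shows the check an administrator would run to confirm 2-Step Verification is actually in force rather than merely enabled. It works on user records in the shape returned by the Admin SDK Directory API users.list method, which exposes `isEnrolledIn2Sv` (the user has set up a second factor) and `isEnforcedIn2Sv` (policy requires it for that user) as separate fields. The sample records and the domain `example-clinic.org` are constructed for the example.

```python
"""Audit 2-Step Verification status for Google Workspace users.

Added example; not code from the original article or from Google.  It operates on
user records in the shape returned by the Admin SDK Directory API users.list method
(fields primaryEmail, isAdmin, suspended, isEnrolledIn2Sv, isEnforcedIn2Sv).
The sample records below are constructed.
"""

# Constructed sample of what users().list(customer="my_customer").execute()["users"]
# returns, trimmed to the fields the audit needs.
SAMPLE_USERS = [
    {"primaryEmail": "admin@example-clinic.org", "isAdmin": True, "suspended": False,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True},
    {"primaryEmail": "nurse1@example-clinic.org", "isAdmin": False, "suspended": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": True},   # enforced but not yet enrolled
    {"primaryEmail": "billing@example-clinic.org", "isAdmin": False, "suspended": False,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": False},   # enrolled voluntarily, not required
    {"primaryEmail": "helpdesk@example-clinic.org", "isAdmin": True, "suspended": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False},  # admin with password-only sign-in
    {"primaryEmail": "former@example-clinic.org", "isAdmin": False, "suspended": True,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False},  # suspended: cannot sign in
]


def audit_2sv(users: list) -> dict:
    """Classify active users by their 2-Step Verification state.

    Returns a dict with three lists of email addresses:
      not_enrolled   - active users with no second factor set up; they can still sign
                       in with a password alone (for example during an enforcement
                       grace period)
      not_enforced   - active users whom policy does not require to use 2SV, so they
                       could remove their second factor at any time
      admins_at_risk - admins appearing in either list; these should be fixed first
    Suspended users are skipped because they cannot sign in.
    """
    report = {"not_enrolled": [], "not_enforced": [], "admins_at_risk": []}
    for user in users:
        if user.get("suspended"):
            continue
        email = user["primaryEmail"]
        enrolled = bool(user.get("isEnrolledIn2Sv"))
        enforced = bool(user.get("isEnforcedIn2Sv"))
        if not enrolled:
            report["not_enrolled"].append(email)
        if not enforced:
            report["not_enforced"].append(email)
        if user.get("isAdmin") and not (enrolled and enforced):
            report["admins_at_risk"].append(email)
    return report


def is_2sv_compliant(users: list) -> bool:
    """True only when every active user is both enrolled in and required to use 2SV."""
    report = audit_2sv(users)
    return not report["not_enrolled"] and not report["not_enforced"]


if __name__ == "__main__":
    result = audit_2sv(SAMPLE_USERS)
    for category, emails in result.items():
        print(f"{category}: {', '.join(emails) or '(none)'}")
    print("compliant:", is_2sv_compliant(SAMPLE_USERS))
```

The point of separating the two fields is that an organization can have enforcement switched on and still have users signing in with a password alone during the enrollment period, and can have users enrolled without any policy keeping them that way. In a live run, replace SAMPLE_USERS with the paginated results of users.list obtained with an admin credential holding the directory user read-only scope.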

Why Promevo?

Clients trust Promevo not only for our in-house expertise, but for our commitment to outstanding customer service.


We have a Google Certified team that provides holistic Google Workspace support from upfront consultation to implementation. Contact an advisor today.


Set up an Advisory Workshop for Your Organization


When your team needs expert guidance on a specific Google Workspace issue, Promevo can help. Gather your team for an Advisory Workshop. We'll take a deep dive into your organization's pain points and strategize to implement the best possible solution. Using proven methodologies and best practices, we'll help optimize your business functionality and user experience while equipping your team to take on new challenges. Start today with a free consultation to learn more about our advisory services.

Schedule A Free Consultation