Is Google Workspace HIPAA Compliant? Gmail, Meet, Drive & Other G Suite Apps

Rising data breaches in healthcare have paved the way for compliance laws to keep patients' medical data secure. Thousands of healthcare providers in the US are now legally required to adhere to the Health Insurance Portability and Accountability Act (HIPAA). As a result, they need to use HIPAA-compliant technologies when corresponding with clients and patients online. 


Generally speaking, email is not considered a secure platform. There is no way of guaranteeing that a person who receives an email from a healthcare professional is the person for whom the mail was originally intended. This is particularly true for businesses, organizations and professionals whose messaging systems are controlled through dedicated IT departments.

Most IT departments have a policy in place informing digital platform users that they cannot expect privacy when using a company's email or internet facilities. Thus, people who handle sensitive data, like healthcare providers who discuss diagnoses and treatment for their patients, should be aware that most email services do not promise any significant level of privacy.

Is Google Workspace/G Suite HIPAA compliant?

Google Workspace is the re-branded and updated version of G Suite. As such, similar rules apply when using Google Workspace in a HIPAA-compliant way. Healthcare professionals must use the paid version of Google Workspace and configure its services appropriately. This will maximize security and minimize risks to patients' data. Additionally, healthcare professionals must sign a Google Workspace Business Associate Agreement (BAA) before sending any protected health information (PHI).

Google Workspace/G Suite includes a number of Google services that can be used in a HIPAA-compliant way, including paid Gmail, Drive, Meet, Calendar, Chat, Sites, Keep, Jamboard, Google Cloud Search, and Vault, among others. However, this does not automatically mean that G Suite is compliant. It is possible to use G Suite in a way that violates HIPAA regulations, so certain safeguards must be implemented before healthcare professionals can use G Suite in a compliant way.

Firstly, you should obtain a signed Google Workspace/G Suite BAA before using G Suite to store, transmit or maintain any protected health data. Failure to obtain a BAA constitutes a HIPAA violation, even if other security and privacy controls are in place. Secondly, you will need to configure G Suite services correctly through the admin console so that services used with PHI are restricted to authorized users only. Additional services that are not needed should be switched off, especially any that could handle PHI.

G Suite HIPAA cost factors are a consideration too, as only the paid version of this service is considered HIPAA compliant. Plans begin from just $6 for Business Starter, providing affordable options for every healthcare professional.

Compliant parties must also ensure that any devices used to access G Suite have robust security controls in place to safeguard information. This protects the data in the event that a device is lost or stolen. A login must be required on every mobile device used to access Google Workspace/G Suite, and devices must be configured to lock automatically and to use two-factor authentication.

What Does HIPAA Require from Email Services?

HIPAA requires three main characteristics of a HIPAA-compliant email service. Firstly, the email platform should offer strong security. Healthcare professionals are legally required to ensure that every person involved in handling personally identifying or confidential data complies with HIPAA safeguards. Most professionals use methods such as outbound email scanning and secure email to ensure this.

HIPAA also requires that clients consent to communication via email only after being informed of the risks of sending personal health information through email platforms.

Does Gmail Comply with HIPAA Regulations?

The simple answer to the question "is Gmail HIPAA compliant?" is "yes". HIPAA-compliant Gmail can be safely used by healthcare providers and organizations, but there are a few important best practices to bear in mind.

Only the paid version of Gmail, that is, Google Workspace email rather than free @gmail.com addresses, provides the features required to use your email services in a HIPAA-compliant way. You may also need to use a few additional services to ensure a high level of safety and security for your email recipients.

Additionally, you will need to put a separate protocol in place for handling PHI. If you wish to send PHI via email, you will either need to sign up for another, extra-secure, email service or obtain written consent from your patients before doing so. Administrators will need to review and sign a Business Associate Agreement before they can use Google services with PHI.

Lastly, healthcare providers who use third parties like Gmail for email (known as Business Associates) must sign an agreement stating that they will protect their patients' information with the same stringent standards required of them across their practices.

What about other Google Workspace tools? Let's take a look:

Is Google Docs HIPAA compliant?

Workspace features a variety of collaboration tools that can be used in a HIPAA-compliant way. These include Google Docs, Google Slides, Google Sheets, Google Forms, and Google Sites, all of which compliant parties can utilize.

Is Google Drive HIPAA compliant?

Google Drive can be configured to be HIPAA compliant. It is important for professionals to limit sharing to the specific people who are authorized to access patient records and data. If this is not done, virtually anyone can access certain files and folders.

HIPAA-compliant Google Drives must be configured to allow access only to specific groups or individuals. In addition, any files uploaded to Google Drive must not contain PHI in the title of files, folders, or any Team Drives.
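The two Drive rules above (share only with an explicit set of authorized principals, and keep PHI out of titles) can be checked mechanically over file metadata. The script below is an added example, not code from the original article or from Google. It works over constructed records in the shape the Drive API v3 `files.list` call returns (`name` plus `permissions` entries with `type`, `role` and `emailAddress`), so it runs offline; the allowlist of authorized users and groups and the PHI title patterns are assumptions chosen for the example.

```python
"""Audit Drive file metadata for over-sharing and PHI in titles.

The records in SAMPLE_FILES are constructed samples in the shape the
Drive API v3 ``files.list`` call returns; nothing here contacts Google.
AUTHORIZED and PHI_TITLE_PATTERNS are assumptions for this example.
"""
import re

# Assumed: the only principals allowed to see patient records.
AUTHORIZED = {
    "user": {"dr.lee@clinic.example", "records@clinic.example"},
    "group": {"phi-access@clinic.example"},
}

# Assumed patterns that suggest PHI has leaked into a file or folder title.
PHI_TITLE_PATTERNS = [
    re.compile(r"\bMRN\s*\d+", re.I),              # medical record number
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),          # SSN-shaped number
    re.compile(r"\b(diagnosis|lab results?)\b", re.I),
]


def title_has_phi(name):
    """True if any assumed PHI pattern appears in the title."""
    return any(p.search(name) for p in PHI_TITLE_PATTERNS)


def unauthorized_principals(permissions):
    """Return one finding per permission that is not on the allowlist."""
    findings = []
    for perm in permissions:
        ptype = perm.get("type")
        if ptype == "anyone":
            findings.append("shared with anyone (link sharing)")
        elif ptype == "domain":
            findings.append(f"shared with whole domain {perm.get('domain')}")
        elif ptype in ("user", "group"):
            addr = perm.get("emailAddress", "").lower()
            if addr not in AUTHORIZED[ptype]:
                findings.append(f"{ptype} {addr} not on allowlist ({perm.get('role')})")
        else:
            findings.append(f"unknown permission type {ptype!r}")
    return findings


def audit_files(files):
    """Map file id -> list of findings; clean files are omitted."""
    report = {}
    for f in files:
        findings = unauthorized_principals(f.get("permissions", []))
        if title_has_phi(f.get("name", "")):
            findings.append("PHI in file title")
        if findings:
            report[f["id"]] = findings
    return report


# Constructed sample metadata: one clean file, one link-shared file with a
# PHI-bearing title, one shared with the whole domain plus an outside user.
SAMPLE_FILES = [
    {"id": "f1", "name": "Intake form template",
     "permissions": [{"type": "user", "role": "owner", "emailAddress": "dr.lee@clinic.example"},
                     {"type": "group", "role": "reader", "emailAddress": "phi-access@clinic.example"}]},
    {"id": "f2", "name": "J. Doe MRN 4471 diagnosis",
     "permissions": [{"type": "user", "role": "owner", "emailAddress": "dr.lee@clinic.example"},
                     {"type": "anyone", "role": "reader"}]},
    {"id": "f3", "name": "Referral letters 2023",
     "permissions": [{"type": "user", "role": "owner", "emailAddress": "records@clinic.example"},
                     {"type": "domain", "role": "reader", "domain": "clinic.example"},
                     {"type": "user", "role": "writer", "emailAddress": "temp@contractor.example"}]},
]

if __name__ == "__main__":
    for fid, findings in audit_files(SAMPLE_FILES).items():
        print(fid, "->", "; ".join(findings))
```

In practice the records would come from a Drive listing requested with the `permissions` field, and the domain-wide and "anyone" findings are the ones to treat as urgent, since they are exactly the cases where "virtually anyone" can reach a file.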

Is Google Meet HIPAA compliant?

Interest in Google Meet has risen sharply since 2020, and today it is a popular tool for telehealth consultations. Google Meet can also be HIPAA compliant, provided that it is configured correctly. You can use Google Meet by navigating to meet.google.com and starting a HIPAA-compliant call. However, do not use the video call feature on Classic Hangouts, as Google's BAA only covers the chat feature of that service.

Is the Google Cloud Platform HIPAA compliant?

Google has agreed to sign BAAs with HIPAA-compliant entities. So, in theory, the Google Cloud platform is compliant. However, the BAA is just a single requirement of HIPAA. It indicates that Google has had its data protection and security mechanisms tested and that these mechanisms have been found to surpass the minimum demands of the HIPAA Security Rule.

Google's cloud services meet Privacy Rule stipulations, and Google understands its obligations as a HIPAA business associate. The company willingly provides secure and compliant technologies for the processing and storage of PHI.

With that said, it falls to individual healthcare professionals and organizations to ensure that they follow HIPAA rules when using Google Cloud and that all apps are properly secured and configured. These organizations must disable Google services not covered by the BAA, implement sufficient access controls, prevent accidental data theft and deletion, regularly check audit logs, and set audit log export destinations.

Furthermore, these organizations and healthcare professionals must ensure that PHI uploaded to the cloud is properly secured and cannot be accidentally shared with unauthorized people or businesses. Ultimately, Google Cloud can be HIPAA compliant. But it's up to healthcare providers to ensure that they use the platform in a compliant way to avoid possible HIPAA violations.

The Bottom Line

Google provides a variety of services that can be used in a HIPAA-compliant way, including paid Gmail, G Suite/Workspace, Google Meet and more. However, it is important for healthcare providers to understand how to configure and use these services correctly to maintain compliance and protect their patients' personal data.

Research your chosen services carefully to find out how to configure them to safeguard your patients' personal health information and your business. Thereafter, always ensure that you only use services that fall under Google's Business Associate Agreement framework, the Google HIPAA BAA.