Is Google’s G Suite HIPAA compliant? Can healthcare organizations and covered entities use G Suite and not be in violation of HIPAA?
Google have included a number of security and privacy features in G Suite to ensure it can be used in a manner compliant with the HIPAA Security Rule. Google have also shown their willingness to enter into business associate agreements (BAAs) with covered entities to cover G Suite. With this is mind, can we say that G Suite is HIPAA compliant? As with all technologies, even when the necessary features and settings are in place, compliance is ultimately down to the users.
Making G Suite HIPAA Compliant (Default G Suite is Not)
G Suite can be used in ways that are not HIPAA compliant, like all similar services. G Suite includes all the features necessary for it to be used in a compliant manner, but the covered entity is responsible for making sure the proper settings are active or disabled. If incorrectly configured, use of G Suite may violate HIPAA.
Signing a BAA with Google
A BAA with the service provider is almost always necessary for HIPAA compliance.
Since 2013, Google has accepted entering into BAAs so healthcare organizations could use its G Suite services, known as Google Apps at that time. BAAs should always be in place before any PHI is used, processed, or uploaded by the tool. While all settings may be correctly configured, use of the service without a BAA would be a HIPAA violation.
Signing a BAA with Google is a necessary condition, but it is not the only condition
Implementing Access Controls
Prior to PHI being used in conjunction with G Suite, all features must be set correctly through the Admin Console. Any service using PHI must have access controls in place to prevent unauthorized individuals from viewing the information. User Groups should be created to give certain users access to data while restricting others. Access logs and alerts should also be set up.
Services that are not needed should be disabled, services that do not treat PHI can be left open to all registered users, and access to services dealing with PHI can be granted solely to those who need it.
Covered entities must also secure any portable devices with access to G Suite. Should a device that can access PHI be lost or stolen, measures should be in place to prevent it from being used by unauthorized persons to view any restricted data. Use of G Suite should be protected by login details, preferably two factor authentication, and devices should lock themselves after a period of inactivity. Administrators should be able to remotely wipe any PHI stored on the device.
Google’s BAA Does Not Cover All Google Services
Only services included in the BAA can be used with PHI. Google+, Google Talk, and others are not covered by the BAA. They can therefore not be used with PHI.
If these services remain enabled, internal rules must be established to make sure PHI is not used with them. All staff members must clearly understand these rules. Specific training for using G Suite to treat PHI in a way that is compliant with HIPAA and internal rules should be provided.
Which G Suite Services are HIPAA Compliant?
Currently, only G Suite’s core services are included in the BAA with Google. The following G Suite services can be used to treat or share PHI:
- Gmail (Not free Gmail accounts)
- Apps Script
- Hangouts (Chat messaging only)
- Google Cloud Search
- Google Drive
For Google Drive, note that sharing should be limited to selected accounts. If not, files could be accessed online by unauthorized persons. Drives should only allow access to specific individuals or groups. Files, folders, and team names on Google Drive should not reference PHI in the titles.
Use of a free Gmail account to communicate PHI is not HIPAA compliant. One reason for this is because free Gmail email messages are scanned by third parties, leading to the potential for unauthorized access to PHI. Free Gmail accounts are not included in the G Suite BAA.
G Suite HIPAA Compliance is Based on Users
G Suite is a tool that is marketed to companies including healthcare organizations and it has been developed to include the features necessary for HIPAA compliance. However, Google note as we have above that compliance is ultimately up to the user.
Google assist organizations in configuring their accounts for HIPAA compliance and have published a G Suite HIPAA Implementation Guide that is available online.