G Suite & HIPAA Compliance
As with any safe cloud service or platform, it is possible to implement it in a manner that violates HIPAA Rules. In the case of G Suite, all the security measures are in place to allow HIPAA covered entities to use G Suite in a HIPAA compliant manner, but it is up to the covered group to ensure that G Suite is configured properly. It is possible to use G Suite and breach HIPAA Rules.
Complete a BAA with Google
One important stipulation of HIPAA that a signed, HIPAA-compliant business associate agreement (BAA) must be completed.
Google initially agreed to sign a business associate agreement with healthcare groups in 2013, back when G Suite was called Google Apps. The BAA must be completed before G Suite being implemented to store, maintain, or transmit electronic protected health information. Even though privacy and security controls are set up, the failure to obtain a BAA would be a HIPAA breach.
Completing a signed BAA from Google is the first step toward HIPAA compliance, but a BAA alone will not ensure compliance with HIPAA Rules.
Set Up Access Controls
Before G Suite can be implemented with any ePHI, the G Suite account and services must be set up correctly via the admin console. Access controls must be configured to limit access to the services that are working with PHI to authorized persons only. You should set up user groups, as this is the easiest way of supplying – and disabling – access to PHI, and logs and alerts must be also be configured.
You should also make sure all extra services are disabled off if they are not needed, switch on services that include PHI ‘on for some groups,’ and services that do not involve PHI can be disabled on for everyone.
Turn on Device Controls
HIPAA-covered groups must also ensure that the devices that are used to access G Suite include proper security controls. For instance, if a smartphone can be used to log on to G Suite, if that device is lost or stolen, it should not be possible for the device to be used by unauthorized persons. A login must be needed to be entered on all mobiles before access to G Suite is granted, and devices configured to automatically lock. Technology that permits the remote erasure of all data (PHI) stored on mobile devices should also be considered. HIPAA-covered groups should also set up two-factor authentication.
Not Every Google Service is Covered by the BAA
You may want to use other Google services even if they are not included in the BAA, but those services cannot be used for storing or sending PHI. For insatnce, Google+ and Google Talk are not included in the BAA and cannot be used with any PHI. (You can see more about voice-activated virtual assistants and HIPAA here)
If you do opt to leave these services on, you must see to it that your policies prohibit the use of PHI with these services and that those policies are properly communicated to all employees. Employees must also be given training on G Suite with respect to PHI to ensure HIPAA Rules are not accidentally breached.
G Suite: What Services are HIPAA Compliant?
Currently, only the following core services of G Suite are covered by Google’s BAA, and can therefore be used in tandem with PHI:
- Google mail (Not free Gmail accounts)
- Google Calendar
- Google Drive
- Google Apps Script
- Keep service
- Google Sites
- Goggle Hangouts (Chat messaging only)
- Google Cloud Search
- Google Vault
Using Google Drive
With Google Drive, it is important to restrict sharing to specific people. Otherwise it is possible that folders and files could be logged onto by anyone over the Internet. Drives should be configured to only permit access by specific individuals or groups. Any files stored on Google Drive should not include any PHI in titles of files, folders, or Team Drives.
Gmail, the free email from Google, is not the same as G Suite. Using any Gmail account (@gmail.com) to send PHI is not allowed. The content of Gmail messages is monitored by third parties. If PHI is included, it may be ‘accessed’ by third parties, and erasing an email does not ensure removal from Google’s servers. Free Gmail accounts are not HIPAA compliant.
Responsibility of Users and G Suite HIPAA Compliance
Google encourages healthcare groups to implement G Suite and has done what it can to make G Suite HIPAA compliant, but Google outright states it is the responsibility of the user to ensure that the requirements of HIPAA are met.
Google help healthcare groups make G Suite HIPAA compliant, Google has put in place guidance for healthcare group for getting established on G Suite: See Google’s G Suite HIPAA Implementation Guide.