Is Google Workspace HIPAA Compliant? — Hosting & Cloud Solutions

by Stephen Trout

Secure collaboration — it’s essential to your success. The excellent care you provide wouldn’t happen without it.

It’s been estimated that a single hospital patient can see up to 10 different healthcare providers. Coordination of care is therefore essential for positive outcomes.

For numerous clinics and counselors, surgeons and specialists, Google’s powerful suite of collaborative services provide the answer.

From using HIPAA compliant Gmail and Meet for effective communications across remote locations, to creating patient folders in My Drive, to setting Calendar appointments, Workspace provides the anywhere, real-time connections necessary to promote efficient outcomes. It really does make life easier — and with many hospitals going paperless, it saves a whole lot of trees!

But in a world where cybercriminals continue to find new ways of breaching protected health data, the question of whether you should be using them — either in a clinical setting or remote location — should first be settled:

Is Google Workspace (formerly G Suite) really HIPAA compliant?

The good news is, it can be. Google will certainly sign a Business Associates Agreement (BAA) with you — a legal agreement to handle your sensitive patient data in a HIPAA compliant manner — for their core, Workspace services (called “included functionality”).

This includes Gmail, Calendar, Drive (with Docs, Sheets, Slides, Forms), Meet, Groups, and more. (See the HIPAA Implementation Guide for the complete list).

But what’s the basis for Google being able to provide this?

Foundationally, we know that HIPAA requires a secure infrastructure for hosting and handling your data. On that score, Google’s commitment to “best in class” infrastructure security is simply unmatched.

With ISO 27001 certification, SOC 2/ SOC 3 Type II audits, and HIPAA compliance — all supported by a team of over 500 world-class security experts — Google is truly cutting-edge.

All Google’s products — including Workspace — are launched with the most stringent security testing and end-user privacy controls in view.

But like all “HIPAA compliant tools,” true HIPAA compliance requires adherence to both the technical and the administrative aspects for security and high availability to be maintained.

In other words, how Workspace is configured for your company’s environment and used by your team are the dual tests of true compliance. (HIPAA Vault’s expertise can help you get up to speed on both issues).

So let’s look at the basics for configuring Workspace and using it in a HIPAA compliant manner:

1.) IT Administrators Will Set User Groups and Access Controls for Devices

Google’s Admin console has the user controls needed to limit who in your organization will have access to electronically protected health information (ePHI).

As a rule, the principle of minimum, or least privilege, should govern these decisions, giving users access to only what is necessary for them to fulfill their functions. (Note: Admins will turn off non-core Google services for those users who handle ePHI).

Are there additional business associates (user groups) inside or out of your network that are considered HIPAA-covered entities? These too must be considered when applying the necessary controls for Workspace with ePHI.

2.) Institute Controls for all Devices with ePHI

Additionally, any devices (including mobile phones) that your staff and associates will use to access Workspace with ePHI must be governed by the appropriate security controls.

One such “extra layer security” feature is multi-factor (or “two-factor”) authentication, which generates a one-time code as a requirement for every sign-in. This protects against stolen passwords, as only the individual who receives the code can log in.

3.) Encrypt Your Data (GMail has Native Encryption, But it May not be End-to-End)

HIPAA regulations require sufficient end-to-end privacy protections for all messages, files, and folders with ePHI.

For this, encryption is the accepted standard. While Google uses Transport Layer Security (TLS) — an “encrypted tunnel” that protects normal Gmail in transit — it should be noted that TLS itself doesn’t guarantee true end-to-end security for ePHI.

This is because TLS depends on both the sender and recipient’s email provider having it. (Google’s red padlock icon will appear in the address bar to let you know when this is not the case for incoming and outgoing messages).

That said, configuring Workspace for reliable, end-to-end encryption for HIPAA will require HIPAA Vault’s expertise.

(Note: “Gmail Confidential mode” is a recent feature that further enhances access management capabilities. This allows you to set expiration dates for messages, prevent forwarding and printing, and even revoke access where needed).

4.) Utilize Sharing Settings

Workspace’s controls for sharing protected data with only intended recipients/groups should be used.

For example, it is often necessary to insert a Google Drive link to ePHI into an email. When this is done, the Link sharing settings can be changed from the default (“Anyone with the link”) to “Private.”

Administrators also have the option to regularly inspect all emails for any PHI identifiers to ensure the appropriate policies on how that data is shared.

5.) Employee Training for HIPAA/Workspace is Key

As mentioned above, HIPAA compliance ultimately hinges on people. How your staff embraces and employs all the secure practices for Workspace, workstations, devices, and other tools — both inside and out of the workplace — is key.

This means that regular “refresher training” regarding ePHI must be incorporated into the life of your company.

For example, how to recognize and avoid new kinds of phishing emails — some that even use the Google logo to posit authenticity and tempt you to click on it — should be included in the training.

6.) Leverage Google’s Extensive Log-Monitoring Capabilities

Google’s admin console supports HIPAA by allowing logs to be kept of both authorized and unauthorized logins to those tools containing ePHI. Notifications and alerts can also be enabled, to inform admins of potential security risks.

Privacy and data integrity — the heart of HIPAA regulations — along with high availability, are also supported by records of administrator activities, data exposures, user collaborations, file activity, audits, and more.

Summary:
These are the basics to bear in mind when configuring Workspace for HIPAA. Be aware that technical support services for Google customers are not part of the HIPAA-included functionality.

With HIPAA Vault’s HIPAA Gmail and compliant Workspace, however, you’ll receive 24/7, dedicated technical support. You won’t pay extra for this, as it comes standard with all our solutions.

As an experienced Google Technology partner and HIPAA-cloud solutions specialist, HIPAA Vault is here for all your Workspace needs.

HIPAA Vault is a leading provider of HIPAA compliant solutions and a Certified Google Technology Partner, enabling healthcare providers, business organizations, and government agencies to secure their protected health information from data breaches, threats, and security vulnerabilities. Customers trust HIPAA Vault to mitigate risk, actively monitor and protect their infrastructure, and ensure that systems stay online at all times. In addition, HIPAA Vault provides secure email and file sharing solutions to improve patient communications. For more information, please visit our website at www.hipaavault.com.

Originally published at https://www.hipaavault.com on June 1, 2022.