Is G Suite HIPAA Compliant?

Can HIPAA-covered entities use G Suite without violating HIPAA Rules? G Suite was developed by Google with privacy and security protection features necessary to safeguard data. It satisfies the required standards of the HIPAA Security Rule. If necessary, Google willingly signs a business associate agreement with a HIPAA-covered entity. Does this mean G Suite is HIPAA-compliant?

If Configured Correctly

While there’s no problem with HIPAA-compliance when using G Suite, there’s a concern with the way users use G Suite. It’s possible to violate HIPAA rules when G Suite is not configured correctly. Before using G Suite with ePHI, it must be configured using the admin console. PHI access must be restricted allowing only authorized users. User groups can be set up for an easier way to block and provide access to PHI. PHI access logs and alerts must be configured as well. If not required, it is better to switch off additional services associated with PHI.

When devices are used to access G Suite, there must be appropriate security controls. This is important in cases when a smartphone used to access G Suite is lost or stolen. Access to G Suite must require login when using mobile devices to get access. HIPAA-covered entities generally use two-factor authentication. Then, use technology to remotely erase data (PHI) stored on mobile gadgets.

If There’s a BAA

To be HIPAA-compliant, it is required to have a signed business associate agreement (BAA) before using a service to store, maintain or transmit ePHI. Google agreed to sign a BAA with healthcare organizations starting in 2013. But entities need to know that not all Google Services are covered by BAA. Examples are Google+ and Google Talk. If these services are made available in a healthcare organization, employees must be informed that using PHI with these services is prohibited.

The following services of G Suite are the only ones covered by Google’s BAA, and may be used with PHI:

  • Gmail (not the free version)
  • Calendar
  • Drive – this should be configured to give access only to specific individuals or groups. It is better not to include any PHI in Google Drive files.
  • Apps Script
  • Keep
  • Sites
  • Jamboard
  • Hangouts (Chat messaging only)
  • Google Cloud Search
  • Vault

Google is glad to have G Suite available to healthcare organizations. But users are responsible to make sure its use satisfies HIPAA requirements.