Google Apps is a suite of tools that has become widely used over the last several years. Providing email, calendar, and document storage in the form of Google Drive, Google Apps is filling the role that Microsoft Office used to fill in many cases. For health professionals, however, the question remains whether Google Apps is HIPAA compliant. The short answer is that it can be, but not in its default form: extra steps must be taken before Google Apps can be used to store or transmit PHI.
In September 2013, Google began signing BAAs (Business Associate Agreements) with organizations that are required to comply with HIPAA. Under a BAA, the partnering organization (in this case Google) agrees to abide by HIPAA requirements and to protect patients' PHI that it handles on the covered entity's behalf. By signing this document, Google assumes liability for its own handling of that data and conveys its intent to comply with HIPAA. Functionally speaking, this means that after signing the BAA, one can use Google Drive, Gmail, and Google Calendar with HIPAA-protected data.
There are some caveats, however. For one, the additional services that Google offers are not covered by the BAA, so services such as Google+, Google Groups, and Google Sites must be disabled in the admin console, or PHI could end up in an uncovered service and violate the agreement. The only services officially covered by the BAA are Google Drive, Google Calendar, Gmail, and Google Vault, Google's archiving, retention, and eDiscovery tool. In addition, third-party marketplace apps are specifically not included in the BAA, so any app granted access to Drive or Gmail data must be vetted separately. Some experts suggest requesting a BAA from Google only when it is actually necessary. For example, if a company currently uses Gmail but has a policy in place not to share PHI via email, and that policy is actually enforced, it may not be necessary to sign the BAA. Note that a written policy alone is not enough: if staff still email PHI in practice, Google is handling PHI and the BAA is required.
Simply having a BAA is not an assurance that the processes in place are HIPAA compliant. The BAA covers Google's handling of the data; configuring and using the service securely remains the covered entity's responsibility under the Security Rule. It is still of paramount importance to use effective security practices, such as strong, unique passwords and two-factor authentication on every account, and to use the admin console to restrict document sharing outside the organization and to review audit logs. The BAA is a necessary and important piece of the complete HIPAA compliance puzzle, but only one piece. If you host databases that include PHI or offer services to customers that require anything besides Google Apps, you should look for a more complete HIPAA cloud hosting solution. HIPAA Vault offers HIPAA compliant hosting starting at only $299 per month with technical support included. If you need support from Google, support costs start at $400 per month on top of the hosting charges.