Is G Suite HIPAA Compliant?

By Stephen Trout

Collaboration and teamwork – they’re key to what you do. For healthcare teams especially, the excellent care you provide wouldn’t be accomplished without them. 

For numerous clinics and counselors, surgeons and specialists, Google’s powerful suite of collaborative services – from Gmail to Hangouts, to Calendar and Sheets – offers the anywhere, real-time connections necessary to promote efficient outcomes. They really do make life easier. 

But in a world where cyber criminals continue to find new ways of breaching protected health data, the question of whether you should be using them – either in an office setting or remote location – should first be settled: Is G Suite HIPAA compliant?

The good news is, it can be. Google will certainly sign a Business Associate Agreement (BAA) with you – a legal agreement to handle your sensitive patient data in a HIPAA compliant manner – for its core G Suite services (called “included functionality”). These include Gmail, Calendar, Drive (with Docs, Sheets, Slides, Forms), Hangouts, Groups, and more. (See the HIPAA Implementation Guide for the complete list).

But what’s the basis for Google being able to provide this?

Foundationally, we know that HIPAA requires a secure infrastructure for hosting and handling your data. On that score, Google’s commitment to “best in class” infrastructure security is simply unmatched. With ISO 27001 certification, SOC 2/SOC 3 Type II audits, and HIPAA compliance – all supported by a team of over 500 world-class security experts – Google is truly cutting-edge. All Google’s products – including G Suite – are launched with the most stringent security testing and end-user privacy controls in view.

But like all “HIPAA compliant tools,” true HIPAA compliance requires adherence to both the technical and the administrative safeguards, so that security and high availability are maintained. In other words, how G Suite is configured for your company’s environment and how it is used by your team are the dual tests of true compliance. (HIPAA Vault’s expertise can help you get up to speed on both issues).

So let’s look at the basics for configuring G Suite and using it in a HIPAA compliant manner:

1.) IT Administrators Should Set User Groups and Access Controls for Devices

Google’s Admin console has the user controls you need to limit who in your organization will have access to electronic protected health information (ePHI). As a rule, the principle of minimum, or least, privilege should govern these decisions, giving users access to only what is necessary for them to fulfill their functions. (Note: Admins should turn off non-core Google services for those users who handle ePHI).

Are there additional business associates (user groups) inside or out of your network that are considered HIPAA-covered entities? These too must be considered when applying the necessary controls for G Suite with ePHI.

2.) Institute Controls for all Devices with ePHI

Additionally, any devices (including mobile phones) that your staff and associates will use to access G Suite with ePHI must be governed by the appropriate security controls.

For instance, one “extra layer of security” feature is multi-factor (or “two-factor”) authentication, which requires a one-time code for every sign-in. This protects against stolen passwords, as only the individual who receives the code can log in.

3.) Encrypt Your Data (Gmail Has Native Encryption, But It May Not Be End-to-End)

HIPAA regulations require sufficient end-to-end privacy protections for all messages, files, and folders with ePHI. For this, encryption is the accepted standard. While Google uses Transport Layer Security (TLS) – an “encrypted tunnel” that protects normal Gmail in transit – it should be noted that TLS itself doesn’t guarantee true end-to-end security for ePHI.

This is because TLS depends on both the sender’s and the recipient’s email providers supporting it. (Google’s red padlock icon will appear in the address bar to let you know when this is not the case for incoming and outgoing messages).

That said, configuring G Suite for reliable, end-to-end encryption will require the use of a third-party service. HIPAA Vault can help with this, providing a secure, seamless encryption that is both data-centric and specifically designed with services like Gmail in mind.

(Note: “Gmail Confidential mode” is a recent feature that further enhances access management capabilities. This allows you to set expiration dates for messages, prevent forwarding and printing, and even revoke access where needed).

4.) Utilize Sharing Settings

G Suite’s controls for sharing protected data with only intended recipients/groups should be used. For instance, it is often necessary to insert a Google Drive link to ePHI into an email. When this is done, the Link sharing settings can be changed from the default (“Anyone with the link”) to “Private.”

Administrators also have the option to regularly inspect all emails for any PHI identifiers, to ensure that the appropriate policies on how that data is shared are being followed.
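The sharing-settings review described in this section can be automated against an export of Drive permissions. The example below is added here and is not code from the post, from HIPAA Vault, or from Google; it works on a constructed sample whose record shape is modelled on the Drive API v3 `files.list` response (the `type`/`role`/`emailAddress`/`domain`/`allowFileDiscovery` fields; assumption: a real export has more fields, and the domain and file names here are made up). It flags every item that reaches outside the organization's own domain, with the “Anyone with the link” default called out separately.

```python
"""Flag Drive items whose sharing settings reach beyond the organization.

Added example. SAMPLE_FILES is constructed, modelled on the Drive API v3
files.list response with fields="files(id,name,permissions)".
"""

# Assumption: the organization's own G Suite domain (constructed value).
ORG_DOMAIN = "clinic.example"

SAMPLE_FILES = [
    {"id": "f1", "name": "intake-form.pdf", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "dr.lee@clinic.example"},
        # The default the article says to change for ePHI: anyone holding the link.
        {"type": "anyone", "role": "reader", "allowFileDiscovery": False},
    ]},
    {"id": "f2", "name": "lab-results-2020-q1.xlsx", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "nurse.kim@clinic.example"},
        {"type": "user", "role": "writer", "emailAddress": "billing@partner-lab.example"},
    ]},
    {"id": "f3", "name": "staff-rota.gsheet", "permissions": [
        {"type": "domain", "role": "reader", "domain": "clinic.example"},
    ]},
    {"id": "f4", "name": "public-patient-leaflet.pdf", "permissions": [
        {"type": "anyone", "role": "reader", "allowFileDiscovery": True},
    ]},
]


def classify_permission(perm, org_domain, allowed_external_domains=frozenset()):
    """Return a finding string if this permission reaches outside the org, else None.

    allowed_external_domains lets a reviewer whitelist business associates that
    are covered by a signed BAA, so only unexpected exposure is reported.
    """
    ptype = perm.get("type")
    role = perm.get("role")
    if ptype == "anyone":
        # Publicly discoverable is worse than link-only, so name them differently.
        scope = "public/discoverable" if perm.get("allowFileDiscovery") else "anyone-with-link"
        return f"{scope} ({role})"
    if ptype == "domain":
        dom = perm.get("domain", "")
        if dom != org_domain and dom not in allowed_external_domains:
            return f"foreign domain {dom} ({role})"
        return None
    if ptype in ("user", "group"):
        addr = perm.get("emailAddress", "").lower()
        dom = addr.rsplit("@", 1)[-1] if "@" in addr else ""
        if dom != org_domain and dom not in allowed_external_domains:
            return f"external {ptype} {addr} ({role})"
    return None


def find_overexposed(files, org_domain=ORG_DOMAIN, allowed_external_domains=frozenset()):
    """Map file name -> list of findings, for every file with at least one finding."""
    report = {}
    for f in files:
        findings = []
        for perm in f.get("permissions", []):
            finding = classify_permission(perm, org_domain, allowed_external_domains)
            if finding:
                findings.append(finding)
        if findings:
            report[f["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in find_overexposed(SAMPLE_FILES).items():
        print(f"{name}: {'; '.join(findings)}")
```

The report is a review queue, not a verdict: an external writer at a partner lab may be a business associate under a BAA, which is why the function accepts an allow-list of external domains rather than treating every external address as a violation.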

5.) Employee Training for HIPAA/G Suite is Key

As mentioned above, HIPAA compliance ultimately hinges on people. How your staff embraces and employs all the secure practices for G Suite, workstations, devices, and other tools – both inside and out of the workplace – is key.

This means that regular “refresher training” regarding ePHI must be incorporated into the life of your company. For example, how to recognize and avoid new kinds of phishing emails – some that even use the Google logo to feign authenticity and tempt you to click – should be included in the training.

6.) Leverage Google’s Extensive Log-Monitoring Capabilities

Google’s admin console supports HIPAA by allowing logs to be kept of both authorized and unauthorized logins to those tools containing ePHI. Notifications and alerts can also be enabled, to inform admins of potential security risks.

Privacy and data integrity – the heart of HIPAA regulations – along with high availability, are also supported by records of administrator activities, data exposures, user collaborations, file activity, audits, and more.
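To show what “notifications and alerts” over the login logs of this section amount to in practice, here is an added triage example; it is not code from the post, from HIPAA Vault, or from Google. The events are constructed and use a simplified shape modelled on the Admin SDK Reports API login activity (assumption: the event names `login_success`/`login_failure` follow the public Reports API, while `second_factor`, the actor addresses, IPs and timestamps are made up). It raises three kinds of finding a HIPAA admin would want to see: a burst of failed logins for one account, a successful sign-in without a second factor, and a success from an IP never seen for that user, noting when that success follows the failures.

```python
"""Triage constructed G Suite login-audit events into admin alerts.

Added example. SAMPLE_EVENTS and KNOWN_IPS are constructed; the record shape is
a simplified stand-in for Reports API login activity, not the real export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 5           # failures per actor that trigger an alert
WINDOW = timedelta(minutes=10)  # sliding window for counting those failures

# Constructed baseline: IPs previously seen for each user (e.g. from earlier logs).
KNOWN_IPS = {
    "dr.lee@clinic.example": {"198.51.100.7"},
    "nurse.kim@clinic.example": {"198.51.100.9"},
}

# Constructed sample: a normal day, then one account is guessed at and finally
# signed into from an unfamiliar address without a second factor.
SAMPLE_EVENTS = [
    {"time": "2020-05-04T08:00:12Z", "actor": "dr.lee@clinic.example",    "ip": "198.51.100.7",  "event": "login_success", "second_factor": True},
    {"time": "2020-05-04T08:02:40Z", "actor": "nurse.kim@clinic.example", "ip": "198.51.100.9",  "event": "login_success", "second_factor": False},
    {"time": "2020-05-04T22:10:01Z", "actor": "dr.lee@clinic.example",    "ip": "203.0.113.45",  "event": "login_failure", "second_factor": False},
    {"time": "2020-05-04T22:10:30Z", "actor": "dr.lee@clinic.example",    "ip": "203.0.113.45",  "event": "login_failure", "second_factor": False},
    {"time": "2020-05-04T22:11:05Z", "actor": "dr.lee@clinic.example",    "ip": "203.0.113.45",  "event": "login_failure", "second_factor": False},
    {"time": "2020-05-04T22:11:44Z", "actor": "dr.lee@clinic.example",    "ip": "203.0.113.45",  "event": "login_failure", "second_factor": False},
    {"time": "2020-05-04T22:12:20Z", "actor": "dr.lee@clinic.example",    "ip": "203.0.113.45",  "event": "login_failure", "second_factor": False},
    {"time": "2020-05-04T22:13:02Z", "actor": "dr.lee@clinic.example",    "ip": "203.0.113.45",  "event": "login_success", "second_factor": False},
]


def parse_time(stamp):
    """Parse the RFC 3339 UTC timestamp used in the sample records."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def triage(events, known_ips, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return a list of (actor, finding) tuples in chronological order."""
    events = sorted(events, key=lambda e: parse_time(e["time"]))
    recent_failures = defaultdict(list)  # actor -> failure timestamps inside the window
    findings = []
    for e in events:
        actor, when, ip = e["actor"], parse_time(e["time"]), e["ip"]
        if e["event"] == "login_failure":
            q = recent_failures[actor]
            q.append(when)
            while q and when - q[0] > window:  # drop failures older than the window
                q.pop(0)
            if len(q) == threshold:  # fire once, when the threshold is first reached
                findings.append((actor, f"{threshold} failed logins within {window} from {ip}"))
        elif e["event"] == "login_success":
            if not e.get("second_factor"):
                findings.append((actor, "login without second factor"))
            if ip not in known_ips.get(actor, set()):
                findings.append((actor, f"success from previously unseen IP {ip}"))
            if recent_failures[actor]:
                n = len(recent_failures[actor])
                findings.append((actor, f"success after {n} recent failures (possible credential guessing)"))
                recent_failures[actor].clear()
    return findings


if __name__ == "__main__":
    for actor, finding in triage(SAMPLE_EVENTS, KNOWN_IPS):
        print(f"{actor}: {finding}")
```

The threshold fires once per burst rather than on every further failure, so a noisy attempt does not flood the admin; the “success after failures” finding is the one that should page someone, because it is the moment an unauthorized login to an ePHI-bearing account may have just happened.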

These are the basics to keep in mind when configuring G Suite for HIPAA. Keep in mind that Google specifies that technical support services for customers are not part of the HIPAA Included Functionality. This is where HIPAA Vault’s expertise can keep you up and running, providing 24/7, dedicated technical support. As an experienced Google Technology partner and HIPAA cloud solutions specialist, we’re here for all your HIPAA G Suite needs.

HIPAA Vault is a leading provider of HIPAA compliant solutions and a Certified Google Technology Partner, enabling healthcare providers, business organizations, and government agencies to secure their protected health information from data breaches, threats, and security vulnerabilities. Customers trust HIPAA Vault to mitigate risk, actively monitor and protect their infrastructure, and ensure that systems stay online at all times. In addition, HIPAA Vault provides secure email and file sharing solutions to improve patient communications. For more information, please visit our website at www.hipaavault.com.