Is G Suite HIPAA Compliant?

Is it acceptable for HIPAA-covered entities to use G Suite and can the suite of cloud services be used without violating HIPAA Rules?

G Suite is a collection of cloud-based products developed by Google that incorporate a wide range of privacy and security features to ensure that users’ information is safeguarded. G Suite meets the essential requirements of the HIPAA Security Rule, and Google is prepared to sign a business associate agreement (BAA) with HIPAA-covered entities. So, can G Suite be considered HIPAA-compliant?

G Suite incorporates all of the necessary controls to ensure compliance with HIPAA Rules, but it is possible to use G Suite products in a manner that violates HIPAA. For instance, users could violate HIPAA Rules if they do not appropriately configure G Suite products. Prior to using G Suite products for sharing, storing, or processing ePHI, it is essential that they are correctly configured. Access to PHI ought to be restricted to ensure that only authorized individuals have access. It is also important for PHI access logs to be created and alerts to be set.

If using mobile devices to access G Suite products, proper security controls must be in place on those devices. This is crucial, as if a smartphone is used to access ePHI and the device is lost or stolen, it would be possible for any individual in possession of the device to view ePHI. Access controls must therefore be configured on the devices. HIPAA-covered entities should also activate multi-factor authentication as an additional safeguard against unauthorized access.

In order for G-Suite to be HIPAA-compliant, it is necessary for a covered entity to enter into a BAA with Google prior to using G Suite in connection with any ePHI. Google began signing BAAs with healthcare providers in 2013. However, HIPAA-covered entities should be aware that the BAA does not cover every Google Service. For example, Google Talk and Google+ are not covered by the BAA and cannot be used in connection with any PHI.

The products and services of G Suite that are currently covered by Google’s BAA are listed below. The list may change, so be sure to double check the Google’s BAA for up to date information.

HIPAA
Compliance
Checklist

Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

  • Calendar
  • Gmail (not the free option)
  • Drive – this ought to be set up to allow access to certain persons or groups only
  • Keep
  • Apps Script
  • Sites
  • Vault
  • Jamboard
  • Hangouts (only the chat messaging feature)
  • Google Cloud Search

Google is happy to offer G Suite to healthcare organizations; however, it is the responsibility of users to ensure that they use G Suite products in a manner that is compliant with HIPAA Rules.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/