Is G Suite HIPAA Compliant?

Is it acceptable for HIPAA-covered entities to use G Suite and can the suite of cloud services be used without violating HIPAA Rules?

NOTE: In October 2020, Google announced it was rebranding G Suite as Google Workspaces. The transition from G Suite to Google Workspaces finished in February 2023, by which time the number of services covered by Google’s BAA had increased to sixteen. You can read more about the revised package in our article “Is Google Workspaces HIPAA Compliant?”

G Suite is a collection of cloud-based products – now known as Google Workspace – developed by Google that incorporate a wide range of privacy and security features to ensure that users’ information is safeguarded. G Suite meets the essential requirements of the HIPAA Security Rule, and Google is prepared to sign a business associate agreement (BAA) with HIPAA-covered entities. So, can G Suite be considered HIPAA-compliant?

G Suite incorporates all of the necessary controls to ensure compliance with HIPAA Rules, but it is possible to use G Suite products in a manner that violates HIPAA. For instance, users could violate HIPAA Rules if they do not appropriately configure G Suite products. Prior to using G Suite products for sharing, storing, or processing ePHI, it is essential that they are correctly configured. Access to PHI ought to be restricted to ensure that only authorized individuals have access. It is also important for ePHI access logs to be created to audit user activity.

If using mobile devices to access G Suite products, proper security controls must be in place on those devices. This is crucial, as if a smartphone is used to access ePHI and the device is lost or stolen, it could be possible for any individual in possession of the unsecured device to view ePHI. Access controls and automatic logoff must therefore be configured on the devices. HIPAA-covered entities should also activate multi-factor authentication as an additional safeguard against unauthorized access.

In order for G Suite to be HIPAA-compliant, it is necessary for a covered entity to enter into a BAA with Google prior to using G Suite in connection with any ePHI. Google began signing BAAs with healthcare providers in 2013. However, HIPAA-covered entities should be aware that the BAA does not cover every Google service. For example, Google Talk and Google+ are not covered by the BAA and cannot be used in connection with any PHI.

The products and services of G Suite that are currently covered by Google’s BAA are listed below. The list may change, so be sure to double-check Google’s BAA for up-to-date information.

  • Calendar
  • Gmail (not the free option)
  • Drive – sharing should be configured so that only specific, authorized individuals or groups can access files
  • Keep
  • Apps Script
  • Sites
  • Vault
  • Jamboard
  • Hangouts (only the chat messaging feature)
  • Google Cloud Search

Google is happy to offer G Suite to healthcare organizations; however, it is the responsibility of users to ensure that they use G Suite products in a manner that is compliant with HIPAA Rules.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/