Is it acceptable for HIPAA-covered entities to use G Suite and can the suite of cloud services be used without violating HIPAA Rules?
G Suite is a collection of cloud-based products developed by Google that incorporates a wide range of privacy and security features to help safeguard users’ information. G Suite provides the technical safeguards (access controls, audit logging, encryption in transit and at rest) that a covered entity needs in order to meet its obligations under the HIPAA Security Rule, and Google is prepared to sign a business associate agreement (BAA) with HIPAA-covered entities. So, can G Suite be considered HIPAA-compliant?
G Suite supplies the controls needed to support HIPAA compliance, but no cloud service is compliant on its own: it is entirely possible to use G Suite products in a manner that violates HIPAA. For instance, a covered entity could violate HIPAA Rules simply by failing to configure G Suite products appropriately. Prior to using G Suite products for sharing, storing, or processing ePHI, it is essential that they are correctly configured. Access to ePHI must be restricted so that only authorized individuals can reach it, which in practice means limiting sharing in Drive to named users or groups within the organization and preventing link-based or public sharing of files that contain ePHI. Audit logging of access to ePHI must also be enabled, retained, and reviewed, and alerts must be set up so that unexpected events, such as a file containing ePHI being shared with an address outside the organization, are noticed promptly.
If mobile devices are used to access G Suite products, proper security controls must be in place on those devices. This is crucial: if a smartphone is used to access ePHI and the device is lost or stolen, anyone in possession of the device could view ePHI. Access controls must therefore be enforced on the devices themselves, typically through mobile device management, including a mandatory screen lock, device encryption, and the ability to remotely wipe a lost or stolen device. HIPAA-covered entities should also require multi-factor authentication (2-Step Verification, in Google’s terminology) for every account as an additional safeguard against unauthorized access, since a stolen or phished password alone should not be enough to reach ePHI.
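The two checks described above, restricting sharing of ePHI and verifying that accounts are protected by 2-Step Verification, are the kind of thing a covered entity would automate against its audit logs rather than review by hand. The following Python script is an added example for this article, not code from Google or from the original page. It runs over constructed sample records: the Drive event records use a simplified shape loosely modelled on the Workspace Reports API drive events (`change_user_access`, `change_document_visibility`), and the user records use the Admin SDK Directory API field name `isEnrolledIn2Sv`; the exact field layout, the domain `clinic.example`, and the sample data are all assumptions made for the example.

```python
"""Added example (not from the original article): flag Drive sharing that
would expose ePHI outside the covered entity, and list accounts that have
not enrolled in 2-Step Verification.

The record shapes below are assumptions for the example, loosely modelled
on Workspace Reports API drive events and Directory API user resources;
they are not a verified schema.
"""

ORG_DOMAIN = "clinic.example"  # assumption: the covered entity's Workspace domain

# Constructed sample Drive audit events (not real log data).
SAMPLE_EVENTS = [
    {"actor": "dr.lee@clinic.example", "event": "change_user_access",
     "doc_title": "Patient roster 2024",
     "target_user": "nurse.kim@clinic.example", "new_value": "can_edit"},
    {"actor": "dr.lee@clinic.example", "event": "change_user_access",
     "doc_title": "Patient roster 2024",
     "target_user": "someone@gmail.com", "new_value": "can_view"},
    {"actor": "admin@clinic.example", "event": "change_document_visibility",
     "doc_title": "Lab results - J. Doe", "visibility": "people_with_link"},
    {"actor": "admin@clinic.example", "event": "change_document_visibility",
     "doc_title": "Discharge summary", "visibility": "private"},
]

# Visibility states that let anyone holding the link (or anyone at all) read
# the file; both defeat the "named users and groups only" requirement.
OPEN_VISIBILITY = {"people_with_link", "public_on_the_web"}


def is_external(email, org_domain=ORG_DOMAIN):
    """True when the address is outside the covered entity's domain."""
    return email.split("@")[-1].lower() != org_domain.lower()


def sharing_alerts(events, org_domain=ORG_DOMAIN):
    """Return one alert dict per event that exposes a file outside the org.

    Two cases are flagged: an explicit grant to an external address, and a
    visibility change that makes the file readable by link or publicly.
    Internal grants and 'private' visibility produce no alert.
    """
    alerts = []
    for ev in events:
        kind = ev.get("event")
        if kind == "change_user_access" and is_external(ev["target_user"], org_domain):
            alerts.append({"doc": ev["doc_title"], "actor": ev["actor"],
                           "reason": f"shared with external user {ev['target_user']}"})
        elif kind == "change_document_visibility" and ev.get("visibility") in OPEN_VISIBILITY:
            alerts.append({"doc": ev["doc_title"], "actor": ev["actor"],
                           "reason": f"visibility set to {ev['visibility']}"})
    return alerts


# Constructed sample user records; isEnrolledIn2Sv is the Directory API field
# name, but the accounts themselves are made up for the example.
SAMPLE_USERS = [
    {"primaryEmail": "dr.lee@clinic.example", "isEnrolledIn2Sv": True},
    {"primaryEmail": "nurse.kim@clinic.example", "isEnrolledIn2Sv": False},
]


def users_without_2sv(users):
    """Emails of accounts that have not enrolled in 2-Step Verification."""
    return [u["primaryEmail"] for u in users if not u.get("isEnrolledIn2Sv")]


if __name__ == "__main__":
    for a in sharing_alerts(SAMPLE_EVENTS):
        print(f"ALERT {a['doc']!r}: {a['reason']} (by {a['actor']})")
    print("Accounts without 2SV:", users_without_2sv(SAMPLE_USERS))
```

In a real deployment the events would come from the Reports API rather than an inline list, and the alert output would be routed to the security team or a SIEM; the logic is the same. Note that the script cannot tell which files actually contain ePHI, so in practice the check is scoped to the shared drives or organizational units designated for ePHI, and the two sharing cases flagged here can also be prevented outright in the Admin console rather than merely detected after the fact.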
In order for G Suite to be used in a HIPAA-compliant manner, a covered entity must enter into a BAA with Google before using G Suite in connection with any ePHI. Google began signing BAAs with healthcare providers in 2013. However, HIPAA-covered entities should be aware that the BAA does not cover every Google service. For example, at the time of writing Google Talk and Google+ were not covered by the BAA and could not be used in connection with any PHI.
The G Suite products and services covered by Google’s BAA at the time of writing are listed below. The list changes over time, so be sure to check Google’s current BAA and its list of covered services for up-to-date information.
- Gmail (paid G Suite accounts only, not free consumer Gmail)
- Drive – this must be configured so that files containing ePHI are shared only with specific named users or groups, never by link or publicly
- Apps Script
- Hangouts (only the chat messaging feature)
- Google Cloud Search
Google offers G Suite to healthcare organizations under its BAA; however, it remains the responsibility of the covered entity to ensure that G Suite products are configured and used in a manner that is compliant with HIPAA Rules.