Is Google Workspace HIPAA Compliant?

Is Google Workspace HIPAA compliant? HIPAAGuide.net

Google Workspace is HIPAA compliant for its core services, and for the included functionality of those services that can be used to collect, receive, store, or transmit PHI. To make Google Workspace HIPAA compliant, healthcare providers must subscribe to a Workspace account, agree to Google’s Business Associate Addendum, and configure the core services to comply with HIPAA.

Google Workspace is a popular suite of productivity, collaboration, and communication services that has been adopted by many healthcare providers because users are already familiar with the services, the services integrate easily with each other, and the suite has strong security features. Among the use cases for Google Workspace in the healthcare industry, providers can:

  • Support patients remotely with virtual visits.
  • Equip frontline caregivers with safe-by-design devices.
  • Improve operational efficiency through the Drive platform.
  • Recruit, interview, and onboard healthcare professionals.
  • Create and manage brand assets for the organization.
  • Manage hospital operational processes remotely.
  • Improve patient registration and communication experiences.
  • Train healthcare professionals anytime, anywhere.
  • Connect remote healthcare workers and external partners.
  • Coordinate and communicate patient plans across multiple caregivers.

However, when these use cases – or any others – include the creation, receipt, storage, or transmission of Protected Health Information (PHI), healthcare providers must comply with the Privacy Rule standards for the protection of PHI, the Security Rule standards for the confidentiality, integrity, and availability of PHI, and any state laws that preempt HIPAA.

Which Google Workspace Plan is HIPAA Compliant?

There are sixteen types of Google Workspace Plan in addition to personal plans such as Workspace Individual for Solopreneurs and four Google One plans. Depending on the nature of a healthcare provider’s activities (i.e., “frontline”), and whether it qualifies as a non-profit organization, nine Google Workspace plans could support HIPAA compliance in theory.

In practice, healthcare providers will opt for one of the three Business plans or one of the three Enterprise plans, depending on the size of their workforce. All six plans include the same core services. The difference between them is the level of “included functionality”. For example, different plans include different levels of endpoint management functionality.

Because of the differences between the plans, healthcare providers must conduct a HIPAA risk assessment to determine which Google Workspace plan is HIPAA compliant for them. The risk assessment should be used to identify any reasonably anticipated impermissible disclosures of PHI and any reasonably anticipated threats to the security of PHI when using a Workspace service.

Using the results of the risk assessment, healthcare organizations can create a Google Workspace HIPAA compliance checklist. The checklist should be compared against the different plans to determine which Google Workspace plan is HIPAA compliant for the healthcare provider’s needs, i.e., which plan best mitigates the threats identified by the risk assessment.

What are Google HIPAA Compliant Services?

Google HIPAA compliant services are the core services in each Workspace account that can be configured to support HIPAA compliance. Under the Workspace Terms of Service and Google’s Business Associate Addendum, healthcare providers are only permitted to create, receive, store, or transmit PHI using certain core services. As of March 31, 2024, these are:

  • Google Calendar.
  • Google Chat.
  • Cloud Identity Management.
  • Google Drive (inc. Docs, Sheets, Slides, and Forms).
  • Gemini for Google Workspace.
  • Gmail.
  • Google Cloud Search.
  • Google Groups.
  • Google Voice.
  • Jamboard.
  • Google Keep.
  • Google Meet.
  • Google Sites.
  • Google Tasks.
  • Google Vault (where included).

It is not permitted (by Google) to store PHI in Google Contacts. However, as Google Contacts is usually only used to store names and contact information (which does not count as PHI when it is maintained in a database separate from individually identifiable health information), this should not be an issue with regards to making Google Workspace HIPAA compliant.

How to Make Google Workspace HIPAA Compliant

Once an appropriate plan has been chosen, it is necessary to agree to the Workspace Terms of Service and Google Business Associate Addendum before any PHI is created, received, stored, or transmitted by a Google Workspace core service. This includes communications via Gmail except when a patient has requested “confidential communications” via email.

Thereafter it is necessary to configure the core services to make Google Workspace HIPAA compliant. To help healthcare providers with this task, Google has produced a HIPAA Implementation Guide. The Guide provides advice on how to configure specific core services, how to monitor account activity, and how to set up security notifications.

The advice includes how to compliantly share PHI stored in Google Drive, how to create Data Loss Prevention policies, and how to disable third-party applications that may not support HIPAA compliance. The Guide also explains how to separate user access to PHI so that only those with the correct permissions are able to access the PHI relevant to their roles.
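The sharing controls described above are easiest to verify with a periodic audit of who can actually reach each file. The script below is an added example, not code from the article, from Google, or from the HIPAA Implementation Guide: it walks a constructed set of Drive records whose field names mirror the Drive API v3 `permissions` resource (`type`, `role`, `emailAddress`, `domain`, `allowFileDiscovery`) and flags every permission that exposes a file outside the organization. The tenant domain `example-clinic.test`, the file names, and the e-mail addresses are assumptions; in a real deployment the records would come from a `files.list` call with `permissions` requested in `fields`.

```python
"""Offline audit of Google Drive sharing records for external PHI exposure.

Added example. The records in SAMPLE_FILES are constructed to match the
shape of a Drive API v3 listing with permissions expanded; they are not
real data, and the org domain below is an assumed value.
"""
from dataclasses import dataclass

ORG_DOMAIN = "example-clinic.test"  # assumed tenant domain

# Constructed sample listing: one shared drive that holds PHI.
SAMPLE_FILES = [
    {
        "id": "file-001",
        "name": "intake-forms-2024.xlsx",
        "permissions": [
            {"type": "user", "role": "owner", "emailAddress": "records@example-clinic.test"},
            # "Anyone with the link" sharing on a file containing PHI.
            {"type": "anyone", "role": "reader", "allowFileDiscovery": False},
        ],
    },
    {
        "id": "file-002",
        "name": "discharge-summaries.gdoc",
        "permissions": [
            {"type": "user", "role": "owner", "emailAddress": "records@example-clinic.test"},
            {"type": "user", "role": "reader", "emailAddress": "nurse@example-clinic.test"},
        ],
    },
    {
        "id": "file-003",
        "name": "referral-packet.pdf",
        "permissions": [
            {"type": "user", "role": "owner", "emailAddress": "records@example-clinic.test"},
            {"type": "group", "role": "reader", "emailAddress": "billing-team@example-clinic.test"},
            # External collaborators: one can edit, one can only comment.
            {"type": "user", "role": "writer", "emailAddress": "partner@outside-hospital.test"},
            {"type": "user", "role": "commenter", "emailAddress": "reviewer@vendor.test"},
        ],
    },
    {
        "id": "file-004",
        "name": "wellness-newsletter.gdoc",
        "permissions": [
            {"type": "domain", "role": "reader", "domain": "example-clinic.test"},
            # Published to the open web and indexable by search engines.
            {"type": "anyone", "role": "reader", "allowFileDiscovery": True},
        ],
    },
]

# Roles that let the holder change or redistribute content.
EDIT_ROLES = {"owner", "organizer", "fileOrganizer", "writer"}


@dataclass(frozen=True)
class Finding:
    file_id: str
    file_name: str
    severity: str  # "high" or "medium"
    reason: str


def classify_permission(perm, org_domain=ORG_DOMAIN):
    """Return (severity, reason) if this permission reaches outside the org, else None."""
    ptype = perm.get("type")
    role = perm.get("role", "")
    if ptype == "anyone":
        if perm.get("allowFileDiscovery"):
            return ("high", "public on the web and discoverable by search")
        return ("high", "anyone with the link can open the file")
    if ptype == "domain":
        dom = perm.get("domain", "").lower()
        return None if dom == org_domain else ("high", f"shared with whole external domain {dom}")
    if ptype in ("user", "group"):
        email = perm.get("emailAddress", "")
        if "@" not in email:
            return ("medium", f"{ptype} permission with no e-mail address on record")
        dom = email.rsplit("@", 1)[1].lower()
        if dom == org_domain:
            return None
        severity = "high" if role in EDIT_ROLES else "medium"
        return (severity, f"external {ptype} {email} holds role {role}")
    return None


def audit_drive_permissions(files, org_domain=ORG_DOMAIN):
    """Collect one Finding per permission that exposes a file outside org_domain."""
    findings = []
    for f in files:
        for perm in f.get("permissions", []):
            hit = classify_permission(perm, org_domain)
            if hit is not None:
                findings.append(Finding(f["id"], f["name"], hit[0], hit[1]))
    return findings


if __name__ == "__main__":
    for finding in audit_drive_permissions(SAMPLE_FILES):
        print(f"[{finding.severity.upper():6}] {finding.file_name} ({finding.file_id}): {finding.reason}")
```

Run against the constructed listing it reports four exposures across three files: link sharing and public web publishing are always high, an external editor is high, and an external commenter is medium. The same classification logic can sit behind a scheduled job that pages the privacy officer when a high finding appears on a drive that the risk assessment marked as holding PHI.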

In addition to making Google Workspace HIPAA compliant by following the advice in the HIPAA Implementation Guide, healthcare providers should also ensure they comply with Security Rule requirements relating to security incidents (i.e., response and reporting), terminating user access, and contingency planning if PHI is maintained in Google Drive or Google Vault.

More about the Workspace TOS and Google’s BAA

It is important for system administrators and compliance officers to review both the Workspace Terms of Service and Google’s Business Associate Addendum to the Terms of Service before digitally signing the documents. The reason for this is that both have conditions which could be easily violated and – if enforced – could lead to a loss of service and access to PHI.

The Terms of Service include the conditions that healthcare providers will use reasonable efforts to prevent and terminate any unauthorized use of, or access to, the services (e.g., via phishing), and will notify Google of any unauthorized use of, or access to, the services, the provider’s account, or any passwords used to access PHI stored in a Google Workspace service.

In addition, the Business Associate Addendum states healthcare providers are solely responsible for ensuring they and members of their workforces use the services in compliance with HIPAA and HITECH. Under §4 of the Terms of Service, Google reserves the right to suspend its service for any violation of the Terms of Service or the Business Associate Addendum.

As a suspension of service may result in the non-availability of PHI (which itself is a violation of HIPAA), healthcare providers are advised to develop policies and procedures for using Google Workspace. The policies and procedures should be included in HIPAA training (and CMS compliance training where appropriate) in addition to security awareness training.

Is Google Workspace HIPAA Compliant? Conclusion

Google Workspace is HIPAA compliant in certain circumstances and under certain conditions. These circumstances and conditions are not unique to Google, and will likely be found in any alternative to a HIPAA compliant Google Workspace account. What may be more important with regards to HIPAA compliance is how Google Workspace is used by workforce members.

It was mentioned at the start of this article that Google Workspace is a popular suite of services because of user familiarity with the services. For example, many members of a healthcare provider’s workforce will have a personal Gmail account and may use Google Drive for sharing documents, photos, and videos with family members and friends.

However, workforce members are likely to be less conscious about data privacy when sharing photos with friends. So, whereas adopting Google Workspace in a healthcare environment can be a benefit because users are already familiar with how the services work, it can also have disadvantages if poor data privacy habits are allowed to continue in the workplace.

Healthcare providers who have concerns about training members of the workforce to use Google Workspace in compliance with HIPAA should seek independent compliance advice, while those who have concerns about configuring the core services to make Google Workspace HIPAA compliant should reach out to Google Support or the Google Workspace Community.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/