Is Google Workspace HIPAA Compliant?
Google Workspace is HIPAA compliant if the suite of productivity and communication services is configured to be compliant and Google’s Business Associate Amendment is accepted before any Workspace service is used to create, receive, store, or transmit Protected Health Information (PHI).
Google Workspace is a popular suite of productivity and communication services that has been adopted by many healthcare organizations because of its security features and the ease with which the services integrate with each other. Among many use cases for Google Workspace in the healthcare industry, healthcare providers can:
- Support patients remotely with virtual visits.
- Equip frontline caregivers with safe-by-design devices.
- Improve operational efficiency through the Drive platform.
- Recruit, interview, and onboard healthcare professionals.
- Create and manage brand assets for the organization.
- Manage hospital operational processes remotely.
- Improve patient registration and communication experiences.
- Train healthcare professionals anytime, anywhere.
- Connect remote healthcare workers and external partners.
- Coordinate and communicate patient plans across multiple caregivers.
However, when these use cases – or any others – include the creation, receipt, storage, or transmission of PHI, it is important that the Workspace services used are HIPAA compliant – and that they are used in compliance with HIPAA. So, how can your organization make Google Workspace HIPAA compliant and ensure it is used compliantly? The answer depends in part on which plan you subscribe to.
Considerations for Subscribing to Google Workspace
Google offers four Workspace plans. All four plans support HIPAA compliance – subject to how they are configured – and offer a Business Associate Amendment. The decision on what plan to subscribe to should be based on the total number of users that will use Workspace services (not just those with access to PHI) and what existing mechanisms are in place to comply with HIPAA.
Business Starter, Business Standard, and Business Plus plans are limited to 300 users, but even if fewer than 300 users will use the Workspace services, it may be beneficial to subscribe to the Enterprise Plan as this plan includes S/MIME encryption (for PHI in transit), Data Loss Prevention (to prevent accidental or malicious impermissible disclosures), and a feature-packed security center.
The Enterprise plan's security controls overlap with solutions that should already be deployed in a HIPAA-compliant environment – for example, device management, malware protection, and email filtering. Consolidating these functions into the protections offered by Google Workspace can reduce the risk of data loss due to theft, malware, and phishing, but existing controls should not be decommissioned until the Workspace equivalents have been configured and verified to cover the same users and devices.
How to Make Google Workspace HIPAA Compliant
The easiest way to make Google Workspace HIPAA compliant is to follow Google's HIPAA Implementation Guide. The Guide recommends restricting which users can access each service (for example, by placing users who handle PHI in their own organizational units and turning off services not covered by the Business Associate Amendment) and explains how each covered service should be configured to mitigate threats to the confidentiality, integrity, and availability of PHI.
The Guide also links to the Business Associate Amendment that needs to be accepted before Google Workspace can be used to create, receive, store, or transmit PHI. To accept the Amendment, a user with Admin privileges should log into their account, navigate to the Security and Privacy Additional Terms page, click “review and accept”, and answer three questions to confirm their HIPAA status.
These steps are sufficient to make Google Workspace HIPAA compliant, but it is also important that the Workspace services are used compliantly. Therefore, it is advisable to include Workspace-specific content in security awareness training whenever those attending the training use Workspace services to create, receive, store, or transmit PHI.
Conclusion – No Technology is HIPAA Compliant by Default
Despite Google Workspace’s security features and the ease with which the services integrate with each other, it is important to remember that Google Workspace is not HIPAA compliant by default. Depending on which services are going to be used – and what for – there may be a lot of configuration and training required to make Google Workspace HIPAA compliant and to ensure the services are used compliantly.
Organizations that experience challenges configuring Workspace services should speak with Google’s technical support experts, who tend to have advanced product knowledge and can guide you through each service step by step. Organizations that experience challenges with training users on how to use Workspace services in compliance with HIPAA should seek professional compliance advice.