If you want your Gmail HIPAA compliant, you’re in the right place.
Gmail and Google Workspace are wonderful tools for medical practices since they can be HIPAA compliant. Notice I said CAN BE. Gmail and Google Workspace are not HIPAA compliant right out of the box.
We help medical practices make their Google Workspace and Gmail HIPAA compliant, and there are a surprising number of practices that are making BIG mistakes with their accounts.
One of these mistakes makes it very easy for hackers to access your data and PHI. You do NOT want that to happen.
Before we get to the list, I want to clarify that we are talking about paid Gmail accounts, which are part of Google Workspace. If your email address ends in @gmail.com, you are using a free Gmail account, and it cannot be HIPAA compliant, no matter what.
Here’s a disclaimer that many private practice “influencers” miss: signing a BAA with Google does not make your Google Workspace HIPAA compliant.
Seriously – Google CLEARLY says:
“Customers are responsible for … ensuring that they use Google services in compliance with HIPAA.”
“PHI is allowed only in a subset of Google services.”
“These Google covered services … must be configured by IT administrators to help ensure that PHI is properly protected.”
So yes, Google Workspace CAN be HIPAA compliant, but it’s not compliant right out of the box.
You need to make sure your account is secure.
Now let's get into 3 Gmail HIPAA mistakes we see all the time.
Not using 2-Step Verification is a big mistake, and unfortunately we see it all the time.
And we’ve seen so many companies hurt by not using 2SV or turning it off temporarily (and then forgetting to turn it back on). You do not want a HIPAA breach and you do not want hackers to send spam emails from your account; I promise.
You absolutely should use two-step verification (sometimes called two-factor verification or multi-factor authentication) for your email. This goes for personal accounts too!
Two-step verification (2SV) means that you need to enter your username/password AND another form of verification to log into your Google account. This could be an SMS message or a code in the Google Authenticator app. It adds an extra, much-needed level of protection.
It is scary how easy it is to get usernames and passwords. But using 2SV means hackers would also need your phone to access your data.
Google makes it super easy to set up 2SV for your account. Use this link to set it up for your work and personal accounts: https://www.google.com/landing/2step/
If you are the administrator of your Google Workspace account, you should have all of your users enroll in 2SV and then you need to enforce 2SV, which means users can’t turn it off when they feel like it. Tip: be sure to set the New User Enrollment Period so new users don’t get locked out of their account immediately. Here’s the link with information about deploying 2SV for your organization: https://support.google.com/a/answer/9176657?hl=en
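One way for an administrator to check where the domain actually stands before and after enforcing 2SV is to audit the user list rather than clicking through each account. The script below is an added example, not code from the original post or from Google: it takes a JSON document in the shape of the Admin SDK Directory API users.list response (the fields `primaryEmail`, `isAdmin`, `suspended`, `isEnrolledIn2Sv`, `isEnforcedIn2Sv` and `creationTime` are real Directory API user fields) and sorts every active user into buckets, honouring a grace period that mirrors the New User Enrollment Period mentioned above. The users it runs on are constructed sample data.

```python
"""Audit 2-Step Verification (2SV) status across a Google Workspace domain.

Added example (not from the original post or from Google). Input is JSON in the
shape of the Admin SDK Directory API users.list response; the sample users below
are constructed and example-practice.com is a placeholder domain.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of a users.list response (not real accounts).
SAMPLE_USERS_JSON = """
{"users": [
 {"primaryEmail": "owner@example-practice.com", "isAdmin": true, "suspended": false,
  "isEnrolledIn2Sv": true, "isEnforcedIn2Sv": true, "creationTime": "2021-03-02T14:00:00.000Z"},
 {"primaryEmail": "frontdesk@example-practice.com", "isAdmin": false, "suspended": false,
  "isEnrolledIn2Sv": false, "isEnforcedIn2Sv": true, "creationTime": "2021-03-02T14:00:00.000Z"},
 {"primaryEmail": "biller@example-practice.com", "isAdmin": false, "suspended": false,
  "isEnrolledIn2Sv": true, "isEnforcedIn2Sv": false, "creationTime": "2022-01-10T09:30:00.000Z"},
 {"primaryEmail": "newhire@example-practice.com", "isAdmin": false, "suspended": false,
  "isEnrolledIn2Sv": false, "isEnforcedIn2Sv": false, "creationTime": "2024-05-01T12:00:00.000Z"},
 {"primaryEmail": "former@example-practice.com", "isAdmin": false, "suspended": true,
  "isEnrolledIn2Sv": false, "isEnforcedIn2Sv": false, "creationTime": "2020-06-15T08:00:00.000Z"},
 {"primaryEmail": "itadmin@example-practice.com", "isAdmin": true, "suspended": false,
  "isEnrolledIn2Sv": false, "isEnforcedIn2Sv": false, "creationTime": "2021-09-20T10:00:00.000Z"}
]}
"""


def _parse_time(stamp):
    """Directory API timestamps look like 2021-03-02T14:00:00.000Z (UTC)."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def audit_2sv(users, now, enrollment_period_days=7):
    """Classify every user by 2SV state.

    enrollment_period_days mirrors the Admin console's New User Enrollment
    Period: a brand-new user who has not enrolled yet is listed separately
    instead of being counted as a policy violation.
    """
    report = {
        "not_enrolled": [],          # active user past the grace period with no 2SV
        "admin_without_2sv": [],     # subset of not_enrolled; fix these first
        "not_enforced": [],          # enrolled today, but free to switch it off
        "in_enrollment_window": [],  # new hire still inside the grace period
        "skipped_suspended": [],     # cannot log in, so not assessed
    }
    cutoff = now - timedelta(days=enrollment_period_days)
    for user in users:
        email = user["primaryEmail"]
        if user.get("suspended"):
            report["skipped_suspended"].append(email)
            continue
        enrolled = user.get("isEnrolledIn2Sv", False)
        enforced = user.get("isEnforcedIn2Sv", False)
        if not enrolled:
            if _parse_time(user["creationTime"]) > cutoff:
                report["in_enrollment_window"].append(email)
            else:
                report["not_enrolled"].append(email)
                if user.get("isAdmin"):
                    report["admin_without_2sv"].append(email)
        elif not enforced:
            # Enrolled but not enforced: this is the "turned it off temporarily
            # and forgot" case the post warns about waiting to happen.
            report["not_enforced"].append(email)
    return report


def run_sample_audit():
    """Run the audit over the constructed sample with a fixed 'today'."""
    users = json.loads(SAMPLE_USERS_JSON)["users"]
    now = datetime(2024, 5, 4, tzinfo=timezone.utc)
    return audit_2sv(users, now)


if __name__ == "__main__":
    for finding, emails in run_sample_audit().items():
        print(f"{finding}: {', '.join(emails) or '-'}")
```

Note that these two fields only say whether a user is enrolled and whether the policy is enforced on them; they do not tell you which second factor the user chose, so an audit that needs that detail has to come from somewhere else.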
Sharing email accounts is another mistake we see all the time.
We’ve talked with practices that use email accounts like this:
And so on.
This is a bad idea. Yes, it’s cheap, and maybe it’s easy for your practice to stay on top of emails, but you should not share accounts, and you should not share usernames/passwords.
Why? To start, it’s violating HIPAA. The Security Rule specifies that you need to “assign a unique name and/or number for identifying and tracking user identity.”
Sharing usernames and passwords means you have no way of knowing who actually accessed the account or the PHI in it.
Ok, so let’s say you have a Google Workspace account full of shared accounts. What should you do? There are a few ways to do this, and it will depend on your specific situation. But most likely you’d need to do something like this:
That way, people can still send emails to [email protected], and multiple people will receive the email in their inbox. No need for shared usernames/passwords.
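If you inherit a domain and are not sure which accounts are being shared, the login history gives you a defensible way to find out. The script below is an added example, not code from the original post: it reads events constructed in the shape of Admin SDK Reports API login activity records (`id.time`, `actor.email`, `ipAddress`, `events[].name`; check those field names against your own export before relying on it) and flags accounts that log in successfully from several different IP addresses within minutes of each other, which is exactly the "who was it?" problem the unique-user-identification requirement exists to prevent. The sample events and the example-practice.com domain are constructed.

```python
"""Find accounts whose login pattern looks like a shared mailbox.

Added example (not from the original post). Events are constructed in the
shape of Reports API login activity records; IPs are from documentation ranges.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample (not a real export). Deliberately out of time order.
SAMPLE_LOGIN_EVENTS_JSON = """
{"items": [
 {"id": {"time": "2024-05-06T13:40:00.000Z", "applicationName": "login"},
  "actor": {"email": "frontdesk@example-practice.com"}, "ipAddress": "203.0.113.10",
  "events": [{"type": "login", "name": "login_success"}]},
 {"id": {"time": "2024-05-06T09:00:00.000Z", "applicationName": "login"},
  "actor": {"email": "frontdesk@example-practice.com"}, "ipAddress": "203.0.113.10",
  "events": [{"type": "login", "name": "login_success"}]},
 {"id": {"time": "2024-05-06T09:05:00.000Z", "applicationName": "login"},
  "actor": {"email": "frontdesk@example-practice.com"}, "ipAddress": "198.51.100.7",
  "events": [{"type": "login", "name": "login_success"}]},
 {"id": {"time": "2024-05-06T09:12:00.000Z", "applicationName": "login"},
  "actor": {"email": "frontdesk@example-practice.com"}, "ipAddress": "192.0.2.44",
  "events": [{"type": "login", "name": "login_success"}]},
 {"id": {"time": "2024-05-06T08:30:00.000Z", "applicationName": "login"},
  "actor": {"email": "dr.smith@example-practice.com"}, "ipAddress": "203.0.113.10",
  "events": [{"type": "login", "name": "login_success"}]},
 {"id": {"time": "2024-05-06T18:00:00.000Z", "applicationName": "login"},
  "actor": {"email": "dr.smith@example-practice.com"}, "ipAddress": "203.0.113.10",
  "events": [{"type": "login", "name": "login_success"}]},
 {"id": {"time": "2024-05-06T08:46:00.000Z", "applicationName": "login"},
  "actor": {"email": "biller@example-practice.com"}, "ipAddress": "198.51.100.7",
  "events": [{"type": "login", "name": "login_failure"}]},
 {"id": {"time": "2024-05-06T08:45:00.000Z", "applicationName": "login"},
  "actor": {"email": "biller@example-practice.com"}, "ipAddress": "198.51.100.7",
  "events": [{"type": "login", "name": "login_success"}]},
 {"id": {"time": "2024-05-06T12:00:00.000Z", "applicationName": "login"},
  "actor": {"email": "traveler@example-practice.com"}, "ipAddress": "203.0.113.10",
  "events": [{"type": "login", "name": "login_success"}]},
 {"id": {"time": "2024-05-06T12:10:00.000Z", "applicationName": "login"},
  "actor": {"email": "traveler@example-practice.com"}, "ipAddress": "198.51.100.200",
  "events": [{"type": "login", "name": "login_success"}]}
]}
"""


def _parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def successful_logins(items):
    """Yield (email, time, ip) for successful logins; failures are ignored."""
    for item in items:
        names = {e.get("name") for e in item.get("events", [])}
        if "login_success" not in names:
            continue
        yield item["actor"]["email"], _parse_time(item["id"]["time"]), item.get("ipAddress")


def shared_account_report(items, switch_window_minutes=15, ip_threshold=3, switch_threshold=2):
    """Per account: distinct source IPs, rapid IP switches, and a verdict.

    A single quick IP change can be one person hopping from Wi-Fi to cellular,
    so the verdict needs either many distinct IPs or repeated rapid switches.
    """
    by_user = defaultdict(list)
    for email, when, ip in successful_logins(items):
        by_user[email].append((when, ip))
    window = timedelta(minutes=switch_window_minutes)
    report = {}
    for email, logins in by_user.items():
        logins.sort()  # export order is not guaranteed to be chronological
        switches = sum(
            1 for (t_prev, ip_prev), (t_cur, ip_cur) in zip(logins, logins[1:])
            if ip_cur != ip_prev and t_cur - t_prev <= window
        )
        distinct = len({ip for _, ip in logins})
        report[email] = {
            "distinct_ips": distinct,
            "rapid_ip_switches": switches,
            "suspected_shared": distinct >= ip_threshold or switches >= switch_threshold,
        }
    return report


def run_sample_report():
    return shared_account_report(json.loads(SAMPLE_LOGIN_EVENTS_JSON)["items"])


if __name__ == "__main__":
    for email, row in sorted(run_sample_report().items()):
        flag = "SUSPECTED SHARED" if row["suspected_shared"] else "ok"
        print(f"{email}: {row['distinct_ips']} IPs, {row['rapid_ip_switches']} rapid switches -> {flag}")
```

The thresholds are starting points, not rules: a practice with one office and one ISP can set them tighter, while remote staff on home networks will need looser ones. Whatever the result, the fix is the same as the post describes: give every person their own login and route the shared address to them through a group or alias.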
As you already know, Google has some amazing products like:
Maybe you use some of these services for your practice. Maybe you use all of them!
The good news is that you can certainly use programs like this, but you do not want them anywhere near your PHI.
Google’s Business Associate Agreement (BAA) does not cover these Additional Services (Google’s term for its products outside the core Google Workspace services).
So how do you use these services while keeping your Gmail/Google Workspace HIPAA compliant?
We recommend using a separate, personal Gmail account for these systems. That way the non-HIPAA-compliant programs aren’t anywhere near your PHI.
Another option is using Organizational Units within Google Workspace so that only certain users can access these programs: https://cloud.google.com/security/compliance/hipaa-guide#seperating-user-access
No matter what, you do not want these programs (full list found here) enabled for all users.
Gmail and Google Workspace can be HIPAA compliant if they are set up the correct way. We speak with practices all over the US, and we have seen these common mistakes:
1 - Not using 2-Step Verification
2 - Sharing email accounts
3 - Not controlling access to Google’s Additional Services
If you need further help with making Google Workspace or Gmail HIPAA compliant, be sure to grab our free guide: https://adeliarisk.com/free-hipaa-and-google-workspace-guide/