A lot of companies make a huge mistake when it comes to Google Workspace and HIPAA.  They think that all they have to do is sign a HIPAA Business Associate Agreement (BAA) with Google, and they're suddenly HIPAA compliant.

Nothing could be further from the truth.

Here's the story of Ted (not his real name).  Ted runs a 30 person medical practice.

Last year, Ted made the smart call to move his practice over to Google Workspace, Google's paid version of Gmail.

Why is this smart? Because Google Workspace is super easy to use. Google has done a ton of work to make it super secure and HIPAA-compliant.

Sadly, the company that Ted worked with to set up Google Workspace didn't know much about HIPAA. They helped Ted sign a HIPAA BAA, but that was about it.  Too bad Ted didn't have our checklist "17-Step Guide on Gmail and HIPAA Compliance."

After a cyber security scare a few weeks back, Ted got nervous.  Was his Google Workspace HIPAA compliant?

He worried that his staff might accidentally breach PHI.  That they might share something they shouldn't.  Or they might click on a link that they shouldn't.

He didn't want to end up on the HIPAA "wall of shame."

The HIPAA "Wall of Shame"

Ted made the right call.  When we reviewed Google Workspace, we found a bunch of settings that weren't configured properly.

Google Workspace has excellent security and can definitely be used to safely store and share PHI.  But it's only secure if you set it up the right way.

5 Ways to Start Making Google Workspace HIPAA Compliant

Google Workspace has hundreds of settings that you can configure.  Set them up the wrong way, and you're exposing your company to a possible data breach.

Here are five of the most important settings to make sure you configure to be HIPAA compliant:

1) Two factor authentication

It's easier than you think for someone to steal your password.  Even if your password is stolen, two-factor authentication keeps you safe.

When you turn it on, your users will be asked to enter a six digit code from their phone every time they log in.

The nice thing about the way Google has set up two factor authentication is that it's smart.  It bugs you every 30 days.  It'll also bug you if something changes, like you log in from a new computer  or a new place.

HHS specifically recommends two-factor authentication for systems that contain ePHI (like your Google Workspace).

2) Set up Alerts

Google is awfully smart about security.  They'll tell you if a user does something weird.  Like that time one of your users logged in from China an hour after being in Boston.

BUT you'll only get these notifications if you turn them on.  They're turned off by default.

There are almost 20 alerting rules that you can set up out of the box, and many, many more that you can turn on as custom rules.  Go through each to make sure you'll get notified when something weird happens.

3) Email Security Outbound

Google Workspace has dozens of settings that control your email security. Review every setting to make sure they're configured the right way. Specifically check for:

• disclaimers on outbound emails
• setting up secure email service so you can send ePHI through email
• triggers so you'll get alerted when staff sends info like credit cards, social security numbers, or health data via email. Unless it's going over secure email, users should never send this data via email.

4) Password strength

Did you know that you can see the password strength of your users right in the Google Workspace admin console?

Most users have the bad habit of using a short password that they already know.  This is a TERRIBLE idea for systems that handle ePHI like Google Workspace.

You can quickly and easily see which of your staff members are using passwords that are weak or too short.  You can even set rules to force them to pick a longer, stronger password.

5) Turn off unused services

Google is very specific about which services you can use to store ePHI.  As of the writing of this article, here are the services:

When you're setting up Google Workspace, be sure to disable unused services so your staff doesn't put ePHI in the wrong places.

Also, think hard about these 9 services that allow ePHI.  Many of them aren't commonly used.  If you're not going to use them, shut them down.  That way, you drop the chances of accidentally exposing ePHI.

Bonus! 6) HIPAA Compliant Google Meet

Due to the COVID-19 response, we’ve heard from practices of all sizes that need telemedicine options. Fortunately, Google Workspace includes Google Meet, which can be used for HIPAA compliant telemedicine/teleconferencing. But the settings need to be configured appropriately.

There are two ways to place video calls in Google Workspace:

1. Classic Hangouts (which is the chat feature on the left side of the Gmail interface) has the option to place video calls. This service is not HIPAA compliant. Google’s BAA only covers the chat portion of Classic Hangouts.
2. The other program is Google Meet. You use Google Meet by going to meet.google.com and starting a call. Google Meet can be used for HIPAA compliant telemedicine and conferencing.

Check out our article Is Google Meet HIPAA Compliant? for answers to common questions.

The Google Workspace Learning Center has excellent tutorials and explanations on how to use Google Meet, including if you need to switch from using Zoom, WebEx or Skype.

Google Meet information was updated on 4/20/2020.

What should you do next?

1. Get our free “17-Step Guide on Gmail and HIPAA Compliance” to learn more about keeping your email safe.
2. Know someone who might like this article?  Share it!
3. Have questions or something to add?  Let us know in the comments below!