Call now for cybersecurity help: 888-646-1616
Josh Ablett

5 Ways to Make Google Workspace HIPAA Compliant

Google Workspace HIPAA compliance can be confusing. A lot of companies make a huge mistake when it comes to Google Workspace and HIPAA.  They think that all they have to do is sign a HIPAA Business Associate Agreement (BAA) with Google, and they're suddenly HIPAA compliant.

Nothing could be further from the truth.

Feature Download: FREE checklist to avoid a HIPAA disaster you can use right now (Download Now)

Here's the story of Ted (not his real name).  Ted runs a 30 person medical practice.

Last year, Ted made the smart call to move his practice over to Google Workspace, Google's paid version of Gmail.

Why is this smart? Because Google Workspace is super easy to use. Google has done a ton of work to make it super secure and HIPAA-compliant.

Sadly, the company that Ted worked with to set up Google Workspace didn't know much about HIPAA. They helped Ted sign a HIPAA BAA, but that was about it.

After a cyber security scare a few weeks back, Ted got nervous.  Was his Google Workspace HIPAA compliant?

He worried that his staff might accidentally breach PHI.  That they might share something they shouldn't.  Or they might click on a link that they shouldn't.

He didn't want to end up on the HIPAA "wall of shame."

HIPAA Wall of Shame

The HIPAA "Wall of Shame"

Ted made the right call.  When we reviewed Google Workspace, we found a bunch of settings that weren't configured properly.

Google Workspace has excellent security and can definitely be used to safely store and share PHI.  But it's only secure if you set it up the right way.

BAA does not mean HIPAA compliance

Here’s a disclaimer that many private practice “influencers” miss: signing a BAA with Google does not make your Google Workspace HIPAA compliant.

Seriously – Google CLEARLY says

“Customers are responsible for … ensuring that they use Google services in compliance with HIPAA.”

“PHI is allowed only in a subset of Google services.”

“These Google covered services … must be configured by IT administrators to help ensure that PHI is properly protected."

So yes, Google Workspace CAN be HIPAA compliant, but it’s not compliant right out of the box.

You need to make sure your account is secure. 

5 Ways to Start Making Google Workspace HIPAA Compiant

Google Workspace has hundreds of settings that you can configure.  Set them up the wrong way, and you're exposing your company to a possible data breach.

Here are five of the most important settings to make sure you configure to be HIPAA compliant:

1) Two factor authentication - very important for Google Workspace HIPAA compliance!

G Suite HIPAA 2FAIt's easier than you think for someone to steal your password.  Even if your password is stolen, two-factor authentication keeps you safe.

When you turn it on, your users will be asked to enter a six digit code from their phone every time they log in.

The nice thing about the way Google has set up two factor authentication is that it's smart.  It bugs you every 30 days.  It'll also bug you if something changes, like you log in from a new computer  or a new place.

HHS specifically recommends two-factor authentication for systems that contain ePHI (like your Google Workspace).

2) Set up Alerts

Google is awfully smart about security.  They'll tell you if a user does something weird.  Like that time one of your users logged in from China an hour after being in Boston.

BUT you'll only get these notifications if you turn them on.  They're turned off by default.

There are almost 20 alerting rules that you can set up out of the box, and many, many more that you can turn on as custom rules.  Go through each to make sure you'll get notified when something weird happens.

3) Email Security Outbound

Google Workspace has dozens of settings that control your email security. Review every setting to make sure they're configured the right way. Specifically check for:

  • disclaimers on outbound emails
  • setting up secure email service so you can send ePHI through email
  • triggers so you'll get alerted when staff sends info like credit cards, social security numbers, or health data via email. Unless it's going over secure email, users should never send this data via email.

4) Password strength

Did you know that you can see the password strength of your users right in the Google Workspace admin console?

g suite hipaa password strength

Most users have the bad habit of using a short password that they already know.  This is a TERRIBLE idea for systems that handle ePHI like Google Workspace.

You can quickly and easily see which of your staff members are using passwords that are weak or too short.  You can even set rules to force them to pick a longer, stronger password.

5) Turn off unused services

Google is very specific about which services you can use to store ePHI.  As of the writing of this article, here are the services:

Google Workspace HIPAA compliant services

When you're setting up Google Workspace, be sure to disable unused services so your staff doesn't put ePHI in the wrong places.

Also, think hard about these 9 services that allow ePHI.  Many of them aren't commonly used.  If you're not going to use them, shut them down.  That way, you drop the chances of accidentally exposing ePHI.

Feature Download: FREE checklist to avoid a HIPAA disaster you can use right now (Download Now)

What should you do next?

  1. Get our free “Gmail and HIPAA Compliance Checklist”.
  2. Know someone who might like this article?  Share it!
  3. Have questions or something to add?  Let us know in the comments below!

Leave a Reply

Your email address will not be published. Required fields are marked *


Do you think we might be a
good match?

We help over 100 of the best financial services, healthcare, and manufacturing companies across the U.S. with their cybersecurity.
Copyright 2024 Adelia Associates, LLC | All Rights Reserved