gsuite-hipaa-compliant-logo

Is Google’s G Suite HIPAA Compliant?

Many practices want to use cloud storage services like Google drive and hosted email.  Is Google’s G-Suite HIPAA compliant?

First, let’s review what’s actually in Google’s G-Suite, Google’s paid version of a variety of productivity tools.

HIPAA Compliant Email

Most famously, G-Suite includes Gmail, an excellent and easy-to-use email platform.  Users go through the famous Gmail portal, but their email address is their own custom email (@yourcompany.com).  G-Suite customers get 30GB of inbox storage, and are able to use Microsoft Outlook and other email clients.

One important note is that the paid version of Gmail doesn’t scan your emails to show you ads.  Paid Gmail users never see ads.

HIPAA Compliant Calendar

The calendar in G-Suite lets you plan meetings with other people, and schedule appointments.  Many EMR/EHR systems offer integration with Google’s Calendar for scheduling.  The calendar is also well integrated into other G Suite applications like Gmail, Drive, Contacts, Sites and Hangouts.

HIPAA Compliant Cloud File Storage

G Suite includes Google Drive, a tool to easily store, sync and share files.  Files sync between your desktop, mobile devices, and the cloud.  You can control who can see which files.

HIPAA Compliant Collaboration Tools

G Suite includes web-based versions of some simple-but-solid productivity tools.  This includes:

  • Docs (kind of like Microsoft Word)
  • Sheets (kind of like Microsoft Excel)
  • Slides (kind of like Microsoft PowerPoint)
  • Forms (for building forms on the web)
  • Sites (a tool for building an intranet)

HIPAA Compliant Note-Taking

G Suite includes a tool called Google Keep for note-taking (kind of like Evernote).

HIPAA Compliant Google Meet 

Due to the coronavirus COVID-19 response, we’ve seen a dramatic increase in interest surrounding Google Meet. The good news: Google Meet can be HIPAA compliant and Google Meet can be used for telehealth! But it needs to be set up the correct way.

There are currently 2 ways to place video calls using your G Suite account:

  1. Using Classic Hangouts, which is where you start a video call using the chat on the left side of the Gmail Interface. This is not HIPAA compliant, and if you’re using video you should tell your staff not to use this.
  2. The other is using Google Meet. You use Google Meet by going to meet.google.com and starting a call.  This service can be HIPAA compliant.

Google’s BAA covers the chat feature in Classic Hangouts, so you should not use the video function in Classic Hangouts. Use Google Meet!

Check out our article Is Google Meet HIPAA Compliant? for answers to common questions.

The G Suite Learning Center has excellent tutorials and explanations on how to use Google Meet, including if you need to switch from using Zoom, WebEx or Skype.

Google Meet information was updated on 4/20/2020.

Will Google sign a BAA for G Suite?

Yes, Google will execute a HIPAA Business Associate agreement (BAA) with paying customers of G Suite.

Be aware of the stipulations

It’s important to note that the G Suite Business Associate Agreement covers ONLY some of the G Suite services.  As of this publishing, here are the services that are and aren’t part of the G Suite BAA:

g-suite-hipaa-compliant-services

You are still responsible for verifying your compliance

Just because Google is ensuring security when it comes to the actual storage of your PHI doesn’t mean that you can sit back and let them do all the work. You still need to be proactive when it comes to making sure your information is protected. Two-factor authentication, permissions management, password policies, employee use policies — all of these are still your responsibility to implement and test.  But keeping these things in mind, G Suite can now be a convenient tool in helping to manage your PHI.

So is G Suite HIPAA compliant?

Yes, G Suite can be used by medical practices in ways that are HIPAA compliant.  However, this is only true if you:

  1. Use the paid version of Google’s G Suite (we can set it up for you if you’d like),
  2. Sign a HIPAA Business Associate Agreement (BAA) with Google, and
  3. Take correct steps to set up G Suite to make sure your practice is HIPAA compliant

What should you do next?

  1. Get our free “17-Step Guide on Gmail and HIPAA Compliance” to learn more about keeping your email safe.
  2. Know someone who might like this article?  Share it!
  3. Have questions or something to add?  Let us know in the comments below!

Share this post

Share on facebook
Share on google
Share on twitter
Share on linkedin
Share on pinterest
Share on print
Share on email