Call now for cybersecurity help: 888-646-1616
Josh Ablett

Is Google Workspace HIPAA Compliant?

Many practices want to use cloud storage services like Google drive and hosted email.  Is Google's Google Workspace HIPAA compliant?

First, let's review what's actually in Google Workspace, Google's paid version of a variety of productivity tools.

Feature Download: FREE checklist to avoid a HIPAA disaster you can use right now (Download Now)

HIPAA Compliant Email

Most famously, Google Workspace includes Gmail, an excellent and easy-to-use email platform.  Users go through the famous Gmail portal, but their email address is their own custom email (@yourcompany.com).  Google Workspace customers get 30GB of inbox storage, and are able to use Microsoft Outlook and other email clients.

One important note is that the paid version of Gmail doesn't scan your emails to show you ads.  Paid Gmail users never see ads.

HIPAA Compliant Calendar

The calendar in Google Workspace lets you plan meetings with other people, and schedule appointments.  Many EMR/EHR systems offer integration with Google's Calendar for scheduling.  The calendar is also well integrated into other Google Workspace applications like Gmail, Drive, Contacts, Sites and Hangouts.

HIPAA Compliant Cloud File Storage

Google Workspace includes Google Drive, a tool to easily store, sync and share files.  Files sync between your desktop, mobile devices, and the cloud.  You can control who can see which files.

HIPAA Compliant Collaboration Tools

Google Workspace includes web-based versions of some simple-but-solid productivity tools.  This includes:

  • Docs (kind of like Microsoft Word)
  • Sheets (kind of like Microsoft Excel)
  • Slides (kind of like Microsoft PowerPoint)
  • Forms (for building forms on the web)
  • Sites (a tool for building an intranet)

HIPAA Compliant Note-Taking

Google Workspace includes a tool called Google Keep for note-taking (kind of like Evernote).

HIPAA Compliant Google Meet

Due to the coronavirus COVID-19 response, we’ve seen a dramatic increase in interest surrounding Google Meet. The good news: Google Meet can be HIPAA compliant and Google Meet can be used for telehealth! But it needs to be set up the correct way.

There are currently 2 ways to place video calls using your Google Workspace account:

  1. Using Classic Hangouts, which is where you start a video call using the chat on the left side of the Gmail Interface. This is not HIPAA compliant, and if you’re using video you should tell your staff not to use this.
  2. The other is using Google Meet. You use Google Meet by going to meet.google.com and starting a call.  This service can be HIPAA compliant.

Google’s BAA covers the chat feature in Classic Hangouts, so you should not use the video function in Classic Hangouts. Use Google Meet!

Check out our article Is Google Meet HIPAA Compliant? for answers to common questions.

The Google Workspace Learning Center has excellent tutorials and explanations on how to use Google Meet, including if you need to switch from using Zoom, WebEx or Skype.

Google Meet information was updated on 4/20/2020.

Will Google sign a BAA for Google Workspace?

Yes, Google will execute a HIPAA Business Associate agreement (BAA) with paying customers of Google Workspace.

Be aware of the stipulations

It's important to note that the Google Workspace Business Associate Agreement covers ONLY some of the Google Workspace services.  As of this publishing, here are the services that are and aren't part of the Google Workspace BAA:

g-suite-hipaa-compliant-services

You are still responsible for verifying your compliance

Just because Google is ensuring security when it comes to the actual storage of your PHI doesn’t mean that you can sit back and let them do all the work. You still need to be proactive when it comes to making sure your information is protected. Two-factor authentication, permissions management, password policies, employee use policies — all of these are still your responsibility to implement and test.  But keeping these things in mind, Google Workspace can now be a convenient tool in helping to manage your PHI.

So is Google Workspace HIPAA compliant?

Yes, Google Workspace can be used by medical practices in ways that are HIPAA compliant.  However, this is only true if you:

  1. Use the paid version of Google's Google Workspace,
  2. Sign a HIPAA Business Associate Agreement (BAA) with Google, and
  3. Take correct steps to set up Google Workspace to make sure your practice is HIPAA compliant

Feature Download: FREE  checklist to avoid a HIPAA disaster you can use right now (Download Now)

What should you do next?

  1. Get our free “Checklist on Gmail and HIPAA Compliance”.
  2. Know someone who might like this article?  Share it!
  3. Have questions or something to add?  Let us know in the comments below!

Leave a Reply

Your email address will not be published. Required fields are marked *

12 comments on “Is Google Workspace HIPAA Compliant?”

  1. I've used the 50% off coupon code (expires 12/31/15): 47FUDQ7P6FW6N9 in my Google Apps for Work Subscription but it's saying that the coupon has been used already... let me know how to proceed

  2. If we are talking to a patient through Meet on our end but the patient is on a different platform (e.g. the free version of Google), does this mean that the conference is no longer HIPAA compliant?

    1. Hi - if you're using Meet as part of the paid Google Workspace offering, and you've (1) signed the HIPAA BAA and (2) confirmed that all of the settings are configured the right way to be HIPAA compliant, then your whole session (both on your side and the patient's side) would be HIPAA compliant. Great question!

  3. Great info - thanks! Are both the $5/user and $10/user plans HIPAA compliant? What are the benefits of the top tier plan?

    1. Yes, they can both be made HIPAA-compliant. The main differences between the two plans are that the more expensive plan has more storage shared across Gmail and Google Drive, plus the more expensive plan has a formal records retention product (called Vault). Most small practices we work with start with the $5 plan (and archive their email instead of deleting it), and then bump up to the $10/month plan if they need it. Hope that helps!

    1. What we've learned in talking to vendors about HIPAA is that they default to saying "no" unless they've been told to explicitly say "yes." Unfortunately, that means vendors often give incomplete answers, which scares people off.

      We asked Google the same question, but really challenged them on why they said "no." After a number and back and forth conversations, we got to the real answer:

      First, Outlook is made by Microsoft, not Google, so Google will never assert that your use of Outlook is HIPAA-compliant. If you're using Outlook, then you need to make sure that your computer is configured to be HIPAA compliant (either on your own or working with a service like ours). Once the email lands in Outlook, HIPAA compliance is 100% on your shoulders, not Google's.

      Second, Google Contacts is not covered by the HIPAA BAA with Google, so you should never use Contacts to store PHI. This relates to Outlook because the Outlook sync utility (GSSMO) syncs emails, calendars, AND contacts. If you're confident that you're not storing PHI in contacts, then you should be fine. If you are, then you should (1) stop and (2) disable the syncing of Contacts in Outlook. To disable syncing of contacts, it requires some hardcore Registry updates, so feel free to Contact us for instructions.

      Lastly, the connection between your Outlook and Google's servers is encrypted when you're using GSSMO, so that part is definitely compliant with HIPAA.

      So Outlook can definitely be used with Google Workspace in a way that's compliant with HIPAA. You just need to make sure it's configured correctly and that you're doing all the right things to protect PHI on your computer, and not just in the cloud.

      Hope that helps!

  4. To your list of 3 items under the question of “So is Google Workspace HIPAA compliant?” we are in compliance with #s 1 & 2. However as to #3 your guidance is rather vague. What else is required if #1 & 2 are satisfied?

  5. I have a BAA with google - can I send a google form to a client to complete by sharing the form link so they can complete it? This avoids emailing the form and such?

    1. Hi - great question! A BAA is a great starting point, but there's a lot more setup work that needs to be done to make Google Workspace HIPAA compliant. Once that setup work is done, though, you can use a Google Form to request PHI from your clients. The one complaint we've heard is that Google Forms don't support e-signatures, so you should consult with your attorney on whether these digital signatures are needed / important.

5-star-review5-star-review5-star-review

Do you think we might be a
good match?

We help over 100 of the best financial services, healthcare, and manufacturing companies across the U.S. with their cybersecurity.
About
Blog
Copyright 2024 Adelia Associates, LLC | All Rights Reserved