HIPAA compliance is a crucial but highly complex issue for all healthcare providers and other covered entities that handle protected health information (PHI). It has become more complicated as businesses increase their reliance on cloud-based suites such as Google Workspace.
Ensuring your Google apps’ HIPAA compliance may seem like a technical and administrative headache waiting to happen, but with the right guidance, support and tools, you can take full advantage of storing your PHI on Google services without worrying about potential compliance violations.
In this article, we’ll cover the basics of ensuring that your Google Workspace-based information is HIPAA compliant and discuss the steps that you can take to safely begin this process.
Does Google’s Cloud-Based Services Comply with HIPAA Requirements?
The short answer? Yes, they can.
What’s important to realize, however, is that the various tools that are offered by Google are not configured for HIPAA by default; rather, certain controls must be put in place to allow for Google cloud HIPAA compliance.
Google provides various resources to simplify this process for existing and potential clients, although it’s best completed under the guidance of experts in the field of healthcare security.
Making Your Google Drive Apps HIPAA Compliant
To support HIPAA compliance for your Google Drive apps, it’s necessary to understand the potential threats—and benefits—of cloud storage for PHI.
As a healthcare provider, you’re likely already familiar with the Health Insurance Portability and Accountability Act (HIPAA), the US law under which the Privacy Rule and Security Rule protecting the privacy and security of protected health information were issued.
Since HIPAA was passed in 1996, the healthcare industry has undergone drastic changes in how patient information is shared and stored, and healthcare providers and other covered entities have had to adapt quickly to keep up with these changes while maintaining compliance.
In recent years, these changes have included the mass migration of information to cloud solutions like Google Workspace (formerly called G Suite), Google’s collection of paid productivity and collaboration apps for businesses.
What is Google Workspace?
For healthcare teams that don’t have the resources, infrastructure or time to put into developing their own cloud storage systems, Google Workspace offers an attractive and relatively inexpensive solution. Google’s cloud-based tools enable healthcare providers to organize and store large volumes of patient information, easily distribute and manage forms, send and receive emails and messages, quickly schedule meetings and appointments, collaborate with colleagues and more.
Perhaps the most valuable services that Google Workspace offers to businesses are those associated with Google Drive, including Docs, Sheets, Slides and Forms.
As mentioned above, Google Drive HIPAA compliance is, fortunately, entirely possible, if slightly complicated. To achieve HIPAA compliance for Google Drive, a paid Google Workspace subscription, rather than Google’s free consumer Drive apps, is required, for reasons we’ll get to shortly.
Google Workspace subscriptions for small and medium businesses range from about $6 to $18 USD per user per month, depending on storage and user needs.
The main differences between Google Workspace and Google’s free apps are that the Workspace apps:
- let you use your own business name as your email domain (e.g., @businessname.com instead of @gmail.com)
- offer more storage and support
- and, crucially, provide greater security and administrative control (an admin console, organizational units, audit logs and data retention), which is what makes HIPAA compliance achievable.
Additionally, Google Workspace can also provide companies with a Business Associate Agreement (BAA), which is mandatory for HIPAA compliance.
Although subscribing to Google Workspace is necessary to ensure your apps are HIPAA compliant, simply hitting “subscribe” does not mean that your work is done. It’s also worth noting that not all Workspace apps can be made compliant, and therefore are not all appropriate for storing PHI.
Per Google, the following apps can be used to store and share PHI: Drive (including Docs, Sheets, Slides and Forms), Gmail, Calendar, Hangouts Chat (now Google Chat), Hangouts Meet (now Google Meet), Keep, Cloud Search, Voice (for managed users), Sites, Groups, Jamboard, Cloud Identity Management, Tasks and Vault. This list changes as Google renames and retires products, so check the current list of covered services in Google’s BAA and HIPAA Implementation Guide before relying on any service for PHI.
The use of PHI is not permitted, meanwhile, in Google+ or Google Contacts, or in any other Google service not named in the BAA.
How Do You Guarantee Google HIPAA Compliance for Drive Apps?
The first step is to configure your apps in such a way that will support HIPAA compliance. Suggestions for doing so can be found in Google’s HIPAA Implementation Guide.
The guide recommends:
- Avoiding protected health information in file and folder names, since names are visible in places (notifications, search results, audit logs) where the file contents are not
- Restricting access to documents and adjusting sharing settings as appropriate, in particular disabling “anyone with the link” sharing and limiting sharing outside your domain
- Using organizational units in the Workspace admin console to separate users who handle PHI from those who don’t, so that service settings can be tightened for the former group and non-covered services turned off for it
- Ensuring that any third-party apps with which PHI is to be shared satisfy HIPAA requirements, signing BAAs with those vendors as necessary, and disabling the apps that don’t comply
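The checklist above is the configuration side; the check a practitioner wants afterwards is an audit confirming that the sharing settings actually hold. As an added example (not code from Google’s implementation guide or from Techumen), the Python below takes file metadata in the shape returned by the Drive API v3 `files.list` endpoint and flags three of the problems the guide warns about: files shared with “anyone with the link”, principals outside the organization’s own domains, and PHI-like identifiers in file names. The internal domain `example-clinic.com`, the name patterns and the sample records are assumptions constructed for the example; `fetch_files` shows the live API call but is not exercised offline.

```python
"""Audit Google Drive file metadata for sharing and naming problems.

Added example; not Google's or Techumen's code. File records follow the
shape of the Drive API v3 files.list response, but SAMPLE_FILES is
constructed for this example.
"""
import re
from typing import Dict, Iterable, List

# Domains the covered entity controls. Hypothetical value for the example.
INTERNAL_DOMAINS = {"example-clinic.com"}

# Heuristic patterns for identifiers that should never appear in a file or
# folder name. Assumed for the example; not an exhaustive PHI detector.
PHI_NAME_PATTERNS = {
    "SSN-like number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "medical record number": re.compile(r"\bMRN[ #:_-]*\d{4,}\b", re.IGNORECASE),
    "date of birth": re.compile(r"\bDOB\b", re.IGNORECASE),
}


def name_findings(name: str) -> List[str]:
    """Return one finding per PHI-like pattern matched in a file/folder name."""
    return [f"name contains {label}"
            for label, pattern in PHI_NAME_PATTERNS.items() if pattern.search(name)]


def permission_findings(permissions: Iterable[dict], internal_domains) -> List[str]:
    """Flag link sharing and any principal outside the organization's domains."""
    findings = []
    for perm in permissions:
        ptype, role = perm.get("type"), perm.get("role", "reader")
        if ptype == "anyone":
            # "Anyone with the link"; allowFileDiscovery=True is worse (searchable).
            discoverable = perm.get("allowFileDiscovery", False)
            findings.append(f"shared with anyone ({role}, discoverable={discoverable})")
        elif ptype == "domain":
            if perm.get("domain", "").lower() not in internal_domains:
                findings.append(f"shared with external domain {perm.get('domain')} ({role})")
        elif ptype in ("user", "group"):
            email = perm.get("emailAddress", "")
            domain = email.rsplit("@", 1)[-1].lower() if "@" in email else ""
            if domain not in internal_domains:
                findings.append(f"shared with external {ptype} {email} ({role})")
    return findings


def audit_files(files: Iterable[dict], internal_domains=INTERNAL_DOMAINS) -> Dict[str, List[str]]:
    """Map file id -> findings, only for files with at least one finding."""
    report: Dict[str, List[str]] = {}
    for f in files:
        findings = name_findings(f.get("name", "")) + \
            permission_findings(f.get("permissions", []), internal_domains)
        if findings:
            report[f["id"]] = findings
    return report


def fetch_files(service):
    """Page through files.list requesting only the fields audit_files needs.

    `service` is a googleapiclient Drive v3 resource built by the caller;
    it is not constructed here, so this module runs offline on SAMPLE_FILES.
    """
    page_token = None
    while True:
        resp = service.files().list(
            pageSize=1000,
            pageToken=page_token,
            fields=("nextPageToken, files(id, name, permissions("
                    "type, role, emailAddress, domain, allowFileDiscovery))"),
        ).execute()
        yield from resp.get("files", [])
        page_token = resp.get("nextPageToken")
        if not page_token:
            return


# Constructed sample records in the files.list response shape.
SAMPLE_FILES = [
    {"id": "f1", "name": "Intake form template",
     "permissions": [{"type": "user", "role": "owner", "emailAddress": "admin@example-clinic.com"}]},
    {"id": "f2", "name": "Lab results 2023-Q4",
     "permissions": [{"type": "user", "role": "owner", "emailAddress": "lab@example-clinic.com"},
                     {"type": "anyone", "role": "reader", "allowFileDiscovery": False}]},
    {"id": "f3", "name": "J Doe MRN 0048213 discharge summary",
     "permissions": [{"type": "user", "role": "owner", "emailAddress": "ward@example-clinic.com"},
                     {"type": "user", "role": "writer", "emailAddress": "locum.doc@gmail.com"}]},
    {"id": "f4", "name": "Billing 123-45-6789",
     "permissions": [{"type": "domain", "role": "reader", "domain": "example-clinic.com"}]},
]

if __name__ == "__main__":
    for file_id, findings in audit_files(SAMPLE_FILES).items():
        print(file_id, *findings, sep="\n  ")
```

Two caveats when running this against a real tenant: `files.list` only returns `permissions` for files the calling identity can see, so a domain-wide sweep needs a service account with domain-wide delegation impersonating each user (or the Reports API for sharing events), and files on shared drives require the `supportsAllDrives`/`includeItemsFromAllDrives` parameters. The name patterns are deliberately narrow; treat a clean result as “nothing obvious”, not as proof of compliance.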
As noted above, HIPAA compliance also requires you to sign a BAA with Google.
A Business Associate Agreement (BAA) is a contract between a covered entity and a vendor or contractor that handles PHI on its behalf (in this case, Google). It sets out how the vendor will safeguard that PHI, report breaches and otherwise meet the obligations HIPAA places on business associates.
Should one party violate the agreement, the other is entitled to pursue legal action.
The Google-provided BAA covers only the Workspace services listed above. It does not extend to other Google products, and it does not make your deployment compliant by itself: Google commits to protecting the infrastructure and the covered services, while you remain responsible for how those services are configured and used.
Only after configuring your apps according to Google’s recommendations and reviewing and signing your BAA have you met the technical preconditions for using Google Workspace with PHI. Compliance as a whole also depends on your own policies, risk analysis, workforce training and ongoing monitoring, so treat these steps as necessary rather than sufficient.
While this process is relatively straightforward for those versed in HIPAA compliance and cybersecurity, it can prove challenging for the uninitiated and is not to be taken lightly.
Next Steps for Achieving HIPAA Compliance With Your Google Apps
If you want to enjoy the benefits of all that Google has to offer and simultaneously avoid the fear of your system’s configuration failing to pass scrutiny, the assistance of a trusted, experienced compliance expert is the surest way to achieve peace of mind.
While achieving Google Drive HIPAA compliance is an entirely achievable task, a single shared file with the wrong permissions could leave your business exposed to fines and could put your clients at risk of having their sensitive information stolen.
A company that specializes in healthcare security can help you avoid these pitfalls and make sure nothing has been missed so that you can focus on serving your own clients and patients.
Have more questions about Google Cloud HIPAA compliance? Our consultants are available to answer your questions and share how Techumen can help you optimize your business.