With Google Apps/G Suite (Gmail, Drive, Calendar, etc.) providing a full-featured platform for email and collaboration, it’s no wonder organizations are turning to Google for many of their cloud service needs. Given the regulatory requirements in the healthcare space, many are wondering: Are Google Apps HIPAA compliant? How do I make Google Apps HIPAA compliant?

Email services are not inherently secure or HIPAA compliant, and many cloud services are vague about access control and data security. Most common cloud platforms operate on a “Shared Responsibility Model” in which your organization remains responsible for specific HIPAA safeguards. Fortunately, Google (like several other providers) publishes guidelines for ensuring HIPAA compliance on Google Apps services. In this post we dig into how to secure Google Apps and ensure HIPAA compliance.

Using Google Services In a Clinical Setting

By securing the Google Apps platform, your organization can use services that your team is familiar with to accomplish patient/provider tasks such as:

Using Google Calendar to schedule patient appointments

Sending sensitive information between providers in Gmail

Storing protected health information (PHI) in Google Drive

Making Google Apps HIPAA Compliant

Requirements

Please review the following components with your HIPAA compliance officer/team. This guide makes the following assumptions:

1. Your organization must be a subscriber to Google Apps For Work.

If your team uses a custom domain with the Google Apps platform (i.e., [email protected]), you are most likely already a subscriber.

2. You must be the Google Apps administrator in order to follow the process below.

Sign The BAA

Google provides a Business Associate Agreement (BAA) to any organization using Google Apps For Work, for free.

The agreement currently covers Gmail, Google Calendar, Google Drive (including Docs, Sheets, Slides, and Forms), Google Sites, and Google Vault services. You can read about Google’s policies related to HIPAA and their BAA here.

In order to sign the BAA:

1. Login to the admin dashboard at admin.google.com

2. Go to the “Company profile” Section > Select “Profile” > Scroll to “Security and Privacy Additional Terms”

3. Click the “Review and Accept” button next to HIPAA Business Associate Amendment

4. Answer the questions and review/accept the agreement

General Best Practices

Set password recovery options and require users to use strong passwords.

For increased security, enable 2-step verification

Lock Down Apps

After signing the BAA, it is time to restrict user access to Google Apps in order to limit risk.

1. Go to the admin dashboard at admin.google.com

2. Disable Google Apps not covered by the BAA

Go to the “Apps” section.

Select “Google Apps”.

Select each service that the BAA does not cover (everything except Gmail, Calendar, Drive, Sites, and Vault) by hovering over its icon and checking its box.

In the top right bar, click the switch icon “Turn OFF Services”.

3. Disable Google Drive Add-ons/Offline Access

In the “Apps” section > Go to “Google Apps” > Select Drive > Data Access

Uncheck “Allow users to enable offline Docs”.

Uncheck “Allow users to install Google Docs add-ons from add-ons store”.

4. Disable Gmail Offline Storage/Automatic Forwarding

In the “Apps” section > Go to “Google Apps” > Gmail > User settings

Scroll down to the “End User Access” section.

Uncheck “Enable Offline Gmail for my users”.

Uncheck “Allow users to automatically forward incoming email to another address”.

5. Disable “Additional Google Apps” not covered by the BAA

In the “Apps” section > Go to “Additional Google Apps”.

Select each service, by hovering over each icon and checking each box.

In the top right bar, click on the switch icon “Turn OFF Services”.

6. Disable Marketplace apps

In the “Apps” section > Go to “Marketplace Apps”

Select the three-dot menu in the upper right then choose “Manage Apps”.

Select either the “Do not allow..” or “Allow users to install only whitelisted applications” option.
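Unchecking the forwarding setting in the admin console is the policy change; confirming that no mailbox still forwards PHI outside the organization is a separate step. The script below is an added example, not code from the original post or from Google. It runs the check over the response shapes of three Gmail API methods (users.settings.getAutoForwarding, users.settings.forwardingAddresses.list and users.settings.filters.list), including filter-based forwarding, which the mailbox-wide setting does not show. The tenant state, the domain name `example-clinic.org` and the filter id are constructed for the example; `fetch_forwarding_state` shows the live calls but is not executed here.

```python
"""Post-lockdown check: does any mailbox still forward mail outside the organization?

Added example (not code from the original post). It works on the response shapes of the
Gmail API methods users.settings.getAutoForwarding, users.settings.forwardingAddresses.list
and users.settings.filters.list. All tenant data below is constructed for the example.
"""
from typing import Dict, List, Tuple

# Assumption: the domains your Google Apps tenant owns. Forwarding within them stays in the
# BAA-covered service; forwarding anywhere else moves PHI to a system the BAA does not cover.
INTERNAL_DOMAINS = {"example-clinic.org"}


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def is_external(address: str, internal_domains=INTERNAL_DOMAINS) -> bool:
    return domain_of(address) not in internal_domains


def forwarding_findings(user: str, auto_forward: Dict, forwarding_addresses: Dict,
                        filters: Dict, internal_domains=INTERNAL_DOMAINS) -> List[str]:
    """Return one finding per external forwarding path still configured for `user`."""
    findings = []

    # 1. Mailbox-wide auto-forwarding (the path the admin console toggle governs).
    if auto_forward.get("enabled"):
        target = auto_forward.get("emailAddress", "")
        if is_external(target, internal_domains):
            findings.append(f"{user}: auto-forward enabled to external {target} "
                            f"(disposition={auto_forward.get('disposition')})")

    # 2. Registered forwarding addresses: a verified external address can be re-enabled
    #    or referenced by a filter even while mailbox-wide forwarding is off.
    for addr in forwarding_addresses.get("forwardingAddresses", []):
        target = addr.get("forwardingEmail", "")
        if is_external(target, internal_domains):
            findings.append(f"{user}: external forwarding address {target} "
                            f"({addr.get('verificationStatus')})")

    # 3. Filters with a forward action: per-message forwarding that the mailbox-wide
    #    setting does not reveal.
    for flt in filters.get("filter", []):
        target = flt.get("action", {}).get("forward", "")
        if target and is_external(target, internal_domains):
            findings.append(f"{user}: filter {flt.get('id')} forwards matching mail to {target}")

    return findings


def fetch_forwarding_state(service, user: str) -> Tuple[Dict, Dict, Dict]:
    """Live version: `service` is a googleapiclient Gmail service authorized to read
    `user`'s settings (domain-wide delegation). Not called in this offline example."""
    settings = service.users().settings()
    return (settings.getAutoForwarding(userId=user).execute(),
            settings.forwardingAddresses().list(userId=user).execute(),
            settings.filters().list(userId=user).execute())


# Constructed sample tenant state (not real API output): one mailbox forwarding to a
# personal address, one forwarding via a filter, one forwarding only internally.
SAMPLE_TENANT = {
    "dr.lee@example-clinic.org": (
        {"enabled": True, "emailAddress": "drlee.personal@gmail.example", "disposition": "leaveInInbox"},
        {"forwardingAddresses": [{"forwardingEmail": "drlee.personal@gmail.example",
                                  "verificationStatus": "accepted"}]},
        {"filter": []},
    ),
    "frontdesk@example-clinic.org": (
        {"enabled": False},
        {"forwardingAddresses": []},
        {"filter": [{"id": "ANe1Bmj", "criteria": {"from": "labs@partner.example"},
                     "action": {"forward": "archive@scanner-vendor.example"}}]},
    ),
    "billing@example-clinic.org": (
        {"enabled": True, "emailAddress": "billing-shared@example-clinic.org", "disposition": "markRead"},
        {"forwardingAddresses": [{"forwardingEmail": "billing-shared@example-clinic.org",
                                  "verificationStatus": "accepted"}]},
        {"filter": []},
    ),
}


def audit_tenant(tenant=SAMPLE_TENANT, internal_domains=INTERNAL_DOMAINS) -> Dict[str, List[str]]:
    """Map each user to their findings; a user with an empty list is clean."""
    return {user: forwarding_findings(user, auto, addrs, flts, internal_domains)
            for user, (auto, addrs, flts) in tenant.items()}


if __name__ == "__main__":
    for user, findings in audit_tenant().items():
        print(f"{user}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Run against the constructed tenant, dr.lee produces two findings (the auto-forward and the registered external address behind it), frontdesk produces one (the filter), and billing produces none because its forward stays inside the organization’s domain. Running it for real means iterating over every user from the Directory API and calling `fetch_forwarding_state` for each; keep the per-user output as an audit artifact.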

Audit Logging & Backup

Using Google Apps Vault:

Vault allows you to retain, archive, search, and export your organization’s email. You can generate audit reports of user actions and place legal holds on user accounts. Many user actions are audit-logged automatically by default, and you can define custom alerts and reporting settings to monitor for suspicious activity.

Google Vault is available to organizations on Google Apps Unlimited, which costs $10/month per user rather than the typical $5/month for Google Apps For Work.

Unfortunately, Vault does not archive files from Google Drive. You can still search and create alerts for suspicious activity on Drive, but backup functionality is currently missing. I recently called Google Apps and was told that they plan to release archiving and backup features in their next release, but was not given a definitive date.

You can learn more about Vault’s functionality here.
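The audit reports above are the raw material for the “suspicious activity” alerts; what to alert on in a PHI tenant is the decision. The script below is an added example, not code from the original post or from Google, of detection logic run over Admin SDK Reports API activity records. It flags third-party OAuth grants whose scopes expose mailbox or Drive contents (the thing the Marketplace and add-on lockdown above is meant to prevent) and bursts of failed logins. The record layout (id.applicationName, actor.email, events[].name, events[].parameters) follows the Reports API activities.list response, the `token`/`login` event and parameter names are taken from that API as assumptions, and the records themselves are constructed.

```python
"""Scan Admin SDK Reports API activity records for events worth an alert in a PHI tenant.

Added example (not code from the original post). Record layout follows the Reports API
activities.list response; the event and parameter names for the `token` and `login`
applications are assumed from that API, and all records below are constructed.
"""
from collections import defaultdict
from typing import Dict, Iterable, List

# OAuth scopes that hand mailbox or file contents to a third-party app. An app holding one
# of these holds PHI outside the BAA, which the Marketplace/add-on lockdown tries to prevent.
PHI_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
}
LOGIN_FAILURE_THRESHOLD = 3  # assumption: tune for your tenant


def params(event: Dict) -> Dict[str, object]:
    """Flatten an event's parameters list into name -> value (multiValue kept as a list)."""
    return {p["name"]: p.get("multiValue", p.get("value")) for p in event.get("parameters", [])}


def scan_activities(records: Iterable[Dict]) -> List[str]:
    """Return one alert string per risky OAuth grant and per login-failure burst."""
    alerts = []
    failures = defaultdict(int)  # actor -> failed logins seen in this batch
    for rec in records:
        app = rec.get("id", {}).get("applicationName")
        when = rec.get("id", {}).get("time")
        actor = rec.get("actor", {}).get("email", "?")
        for ev in rec.get("events", []):
            p = params(ev)
            if app == "token" and ev.get("name") == "authorize":
                risky = sorted(set(p.get("scope") or []) & PHI_SCOPES)
                if risky:
                    alerts.append(f"{when} {actor} authorized {p.get('app_name')} "
                                  f"({p.get('client_id')}) for {', '.join(risky)}")
            elif app == "login" and ev.get("name") == "login_failure":
                failures[actor] += 1
                if failures[actor] == LOGIN_FAILURE_THRESHOLD:  # alert once per burst
                    alerts.append(f"{when} {actor}: {LOGIN_FAILURE_THRESHOLD} failed logins, "
                                  f"last from {rec.get('ipAddress')} ({p.get('login_failure_type')})")
    return alerts


def fetch_activities(service, application_name: str) -> List[Dict]:
    """Live version: `service` is a googleapiclient Admin SDK Reports (reports_v1) service.
    Returns one page of records; not called in this offline example."""
    resp = service.activities().list(userKey="all", applicationName=application_name).execute()
    return resp.get("items", [])


# Constructed sample records (not real Reports API output).
SAMPLE_RECORDS = [
    {"id": {"time": "2016-03-01T09:12:00.000Z", "applicationName": "token"},
     "actor": {"email": "dr.lee@example-clinic.org"},
     "events": [{"type": "auth", "name": "authorize", "parameters": [
         {"name": "client_id", "value": "1234.apps.googleusercontent.example"},
         {"name": "app_name", "value": "Notes Sync"},
         {"name": "scope", "multiValue": ["https://www.googleapis.com/auth/drive",
                                          "https://www.googleapis.com/auth/userinfo.email"]}]}]},
    {"id": {"time": "2016-03-01T09:40:00.000Z", "applicationName": "token"},
     "actor": {"email": "frontdesk@example-clinic.org"},
     "events": [{"type": "auth", "name": "authorize", "parameters": [
         {"name": "client_id", "value": "5678.apps.googleusercontent.example"},
         {"name": "app_name", "value": "Room Booker"},
         {"name": "scope", "multiValue": ["https://www.googleapis.com/auth/calendar.readonly"]}]}]},
] + [
    {"id": {"time": f"2016-03-01T22:0{i}:00.000Z", "applicationName": "login"},
     "actor": {"email": "billing@example-clinic.org"}, "ipAddress": "203.0.113.9",
     "events": [{"type": "login", "name": "login_failure", "parameters": [
         {"name": "login_type", "value": "google_password"},
         {"name": "login_failure_type", "value": "login_failure_invalid_password"}]}]}
    for i in range(3)
] + [
    {"id": {"time": "2016-03-01T22:05:00.000Z", "applicationName": "login"},
     "actor": {"email": "billing@example-clinic.org"}, "ipAddress": "198.51.100.4",
     "events": [{"type": "login", "name": "login_success", "parameters": [
         {"name": "login_type", "value": "google_password"}]}]},
]


if __name__ == "__main__":
    for alert in scan_activities(SAMPLE_RECORDS):
        print(alert)
```

Against the constructed records this yields two alerts: the Drive-scoped grant to “Notes Sync” and the third failed login for the billing account; the calendar-only grant and the later successful login are silent. The failed-login count is per batch, so when you run this over pages from `fetch_activities` keep the counter across pages or size the batch to the window you care about.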

Currently, Google does not provide automatic retention for Drive, backup functions for disaster recovery, advanced auditing, or file-level security. Several 3rd-party providers currently offer solutions:

Backupify offers automatic retention of Gmail, Drive, Calendar, Contacts, and Sites. The service allows your organization to retain and restore all files, emails, etc. created by users. Backupify may be a great option for augmenting Google Vault’s missing functionality, or for backing up all of your organization’s data for disaster recovery.

CloudLock offers advanced auditing and file-level security for Google Apps.

Encrypting Email

Email sent from Gmail is not end-to-end encrypted without additional measures.

Google Apps does not encrypt message contents end to end: Gmail protects mail in transit with TLS only when the receiving mail server also supports it, and the message is readable in whatever mailbox it lands in. Signing Google’s BAA therefore does not, by itself, make email carrying PHI secure and HIPAA compliant.

There are several services available that provide email encryption for Gmail.

1. Google Apps Message Encryption (GAME), is a service offered by Google, in partnership with ZixCorp. *Pricing is based on number of users.*

2. Virtru offers email encryption with simple browser extensions for Chrome and Firefox and support for Gmail. *Their pro version provides encryption and HIPAA compliance needs for $5/month per user.*

Using Other Google Apps In Your Organization

The Google BAA only covers a certain set of Google Apps (Currently: Gmail, Calendar, Drive, Sites, and Vault).

This means that protected health information (PHI) should not be sent, received, or stored within any other Google Apps services (i.e., Hangouts, YouTube, etc.). In the steps above, we disabled all Google Apps and add-ons that are not covered by the BAA. This is the safest way to ensure PHI is handled securely.

If your team is interested in using other Google App services outside of the realm of PHI and HIPAA compliance, Google supports the creation of different classes of permissions using “organizational units” that dictate which users have access to different apps. You can read more about creating user policies here.

Conclusion

Google provides any admin of Google Apps For Work the ability to sign a Business Associate Agreement (BAA). This agreement provides a framework for ensuring that your Google services are secure and follow HIPAA guidelines.

Ultimately, it is up to your team to implement the appropriate protections: encrypt email communications, audit-log access, and back up any sensitive data. For more information, review the Google Apps HIPAA Implementation Guide.