google baa

When using Google to run your healthcare business you need to ensure that you sign a proper Google BAA. A BAA–or Business Associate Agreement–is a HIPAA mandated contract that must be executed between two parties in the event that healthcare data is being exchanged.

This sensitive data is called protected health information (PHI) under HIPAA regulation. PHI includes any demographic information that can be used to identify a patient in a healthcare setting. Common examples include name, address, date of birth, full facial photo, Social Security number, financial information, insurance ID number, and health records, to name a few.

Google applications including Gmail and other G Suite Services like Google Drive and Google Calendar can all potentially touch, encounter, or store PHI. Therefore, if your healthcare organization utilizes a Google G Suite Service, you must ensure that you execute a BAA with Google in order to be HIPAA compliant.

Will Google Sign a BAA?

Google, like other cloud service providers, is willing to sign a HIPAA BAA under the right circumstances.

Users requesting a HIPAA BAA must have a Google Apps for Business, Education, or Government account. This is a paid service that organizations can contract Google to use. The free version, which is common for personal email accounts, is not included in this group. Google will only sign a BAA with paid users upon the request of a systems administrator.

There are still limitations to the data security of PHI stored on Google G Suite apps. PHI can never be transmitted to patients over a non-secure, unencrypted email connection. Even more restrictions exist, and it’s essential that you keep them in mind before using Google G Suite to store or handle PHI.

Find out exactly how to make Gmail HIPAA compliant–along with other G Suite Applications that are essential to running your business. Follow through with your Google BAA with trusted HIPAA education from the experts at Compliancy Group.

Complete Compliance Solution

Make sure your business and the tools you use to run it are compliant.

Global CTAs Image