The ease of use of Google products has made it a popular choice for businesses across all industries. Google Workspace, formerly referred to as G Suite, consists of several Google products, including Gmail, Calendar, Meet, and Drive. As a healthcare organization, ease of use shouldn’t be the only determining factor when choosing what software platforms to use.
The main determining factor should always be whether or not the software in question is HIPAA compliant. Is GSuite HIPAA compliant?
What Makes a Software Tool HIPAA Compliant?
When it comes to software, there are certain indications of the tool’s HIPAA compliance. Software HIPAA compliance really boils down to two things. Does the tool have safeguards to keep patient data private and secure? Does the software provider sign business associate agreements?
When the answer to both of these questions is “yes,” the tool is likely HIPAA compliant. If the answer to either is “no,” the tool is not HIPAA compliant.
What Are HIPAA Safeguards?
HIPAA safeguards are measures that a healthcare organization puts into place to protect the confidentiality, integrity, and availability of protected health information (PHI). HIPAA categorizes safeguards into three groups – administrative, physical, and technical.
Administrative safeguards are written policies and procedures that dictate the proper uses and disclosures of PHI.
Physical safeguards are measures that protect an organization’s physical location, such as locks and alarm systems.
Technical safeguards are measures that protect electronic PHI (ePHI).
While administrative and physical safeguards are important, technical safeguards are generally the determining factor of a software provider’s HIPAA compliance. Technical safeguards that you should keep an eye out for include encryption, user authentication, access controls, and audit controls.
Why is a Business Associate Agreement Important?
Business associate agreements are a key determinant of HIPAA compliance. Even the most secure software platform is NOT HIPAA compliant is they will not sign a business associate agreement (BAA).
Why?
A BAA is a legal agreement that requires each signing party to be HIPAA compliant, and be responsible for maintaining compliance. As such, a BAA limits the liability for both singing parties in the event of a breach or OCR audit, as only the negligent party would be held culpable.
Is Google Workspace HIPAA Compliant?
So, is Google Workspace HIPAA compliant? Yes and no. Some Google Workspace products are HIPAA compliant while others are not. While the full Google Workspace product line meets HIPAA security standards, Google’s BAA only covers certain products. Also, only users with a paid subscription have access to Google’s BAA. In addition to having a signed BAA with Google, some products require the platform to be configured for HIPAA compliant use.
The following Google products are HIPAA compliant with a signed BAA:
- Gmail
- Calendar
- Drive (including Docs, Sheets, Slides, and Forms)
- Apps Script
- Keep
- Sites
- Jamboard
- Hangouts (chat messaging feature only)
- Google Chat
- Google Meet
- Google Voice (managed users only)
- Google Cloud Search
- Cloud Identity Management
- Google Groups
- Google Tasks and Vault
For more information regarding Google Workspace and HIPAA configurations, please refer to Google’s HIPAA Implementation Guide.
