Google Workspace offers healthcare providers a set of collaboration and productivity apps to help deliver quality patient care. It includes cloud-based apps you’re already familiar with: Gmail, Google Drive, Google Meet, Google Voice, Docs, Sheets, Slides, and more.
However, you cannot use all Google Workspace apps in a HIPAA-compliant manner. This guide offers the steps to make Google Workspace HIPAA-compliant so you can safely use it for handling protected health information (PHI).
How To Make Google Workspace HIPAA-Compliant:
Why You Should Ensure a HIPAA-Compliant Google Workspace
Using Google Workspace makes healthcare-related tasks more efficient. Since these apps work seamlessly together, You can save a lot of time and effort in administrative tasks. Moreover, your team is probably already familiar with Google Workspace, making it easier for them to adopt.
By making Google Workspace HIPAA-compliant, you maximize the software’s benefits without worrying about breaking federal law. As HIPAA mandates PHI privacy and confidentiality, disregarding this law can impact your business negatively.
The Department of Human and Health Services (HHS) and other government agencies take HIPAA violations seriously. Data breaches can compromise patient safety, erode patient trust, and lead to financial losses for your organization. The penalties can reach millions of dollars, depending on the extent of a data breach.
Here are the ways to make Google Workspace HIPAA-compliant:
Carefully Review and Sign Google’s Business Associate Addendum (BAA)
Google Cloud Identity customers who wish to use Google Workspace to handle PHI must sign the BAA. This requirement also aligns with the guidelines set by HIPAA law for all business associates. In this case, Google Workspace is the business associate since it handles PHI. Note that the BAA is only available for paid accounts.
Only Use Apps With HIPAA Included Functionality
Not all Google Workspace apps are covered by the BAA. These apps should be part of Google’s Included Functionality before you use them with PHI.
Google identifies the following Core Services as HIPAA Included Functionality apps:
- Gmail
- Calendar
- Drive
- Sheets
- Docs
- Slides
- Forms
- Apps Script
- Google Chat
- Google Meet
- Keep
- Google Cloud Search
- Google Voice (managed users only)
- Sites
- Jamboard
- Google Groups
- Cloud Identity Management
- Tasks
- Vault
All other Core and Non-Core Services not listed above, like Google Contacts, should not be used to handle PHI. Of course, you can still employ these apps if you want to, but you should not use them to store or manage PHI.
You can view the complete list of HIPAA Included Functionality apps online. Regularly check for updates, as the contents of this list may change from time to time.
Configure HIPAA Included Functionality Apps for HIPAA Compliance
While the Included Functionality Apps can be used in a HIPAA-compliant manner, they should still be appropriately configured by your IT administrator. Google provides HIPAA-compliant apps, but your organization still has a role in ensuring it meets the federal law’s stringent requirements.
Here are some of Google’s recommendations when configuring apps. You can view all the steps in the Google Workspace and Cloud Identity HIPAA Implementation Guide.
- Monitor your account activity through the Admin console. This helps you identify potential security threats and track and analyze user activity.
- Turn off search history to reduce the amount of data collected and retained. Only create the minimum necessary information for staff to perform their jobs.
- Share Google Drive files with only intended recipients. When inserting Google Drive files in emails, you can choose the sharing settings (Restricted, Private, Share to Anyone with the Link). Your admin can set the default sharing settings to “Private. They can also create data loss prevention (DLP) policies that allow them to inspect emails for PHI identifiers.
- Limit sharing Calendar data. All the data in each user’s Google Calendars are shared with anyone within your domain. Admins can change the default settings to make them private. Users can also set specific calendar entries with PHI to “Private.”
- Don’t use PHI in file names. It’s common practice to use names or medical record numbers as file names. Train your staff to avoid doing so to prevent PHI exposure.
Conduct Regular HIPAA Employee Training
HIPAA Compliance can be a complex topic, especially for new employees. Moreover, Google Workspace may update its policies. In the same way, the US government may revise, delete, or add provisions to the HIPAA law. Staying updated will help your staff handle PHI more confidently and reduce the risk of HIPAA violations.
Review Third-Party Integrations With Google Workspace
Many apps integrate with Google Workspace. Make sure that you also vet these apps and use them in a HIPAA-compliant manner. For instance, HIPAA-compliant internet fax apps like iFax offer Google Workspace integration so you can send and receive faxes directly from Gmail, Docs, Sheets, and Drive. However, our fax service must sign a separate BAA with your business or organization.
Using Google Workspace in a HIPAA-Compliant Manner
Undoubtedly, the productivity and collaboration suite offers convenience and ease of use to healthcare workers. However, before you employ Workspace apps in your organization, make sure that you follow the steps outlined in this article. Also, it’s best to carefully review and implement Google’s guide on Google Workspace and HIPAA compliance.
Remember, ensuring Google Workspace compliance is your organization’s responsibility. You must take the necessary steps to integrate it into your healthcare workflows while safeguarding PHI.
