How to Make G Suite HIPAA Compliant

HIPAA compliance requirements have been around for nearly 25 years. But the constant change since then, in how data moves back and forth, makes HIPAA compliance challenging to maintain.

Companies that deal with patient data and protected health information (or PHI) must have procedures and plans in place to show they are following all HIPAA guidelines to maintain data security. Failure to protect these data can lead to large fines. Some of the biggest annual fines for HIPAA violations in the past decade exceed $5 million.

With this in mind, if you rely on Google Workspace for running your business and sharing documents, you may be wondering how to make G Suite HIPAA compliant. Does G Suite (currently called Google Workspace) have the security features needed to maintain compliance with HIPAA?

The short answer is yes. It takes a bit of admin muscle to achieve the necessary level of compliance, but it’s possible.

What does it mean to be HIPAA compliant?

HIPAA compliance involves following a series of steps that show you have procedures and practices in place that protect all sensitive health-related patient data. Understand that HIPAA rules change from time to time, so always check the latest information.

What is HIPAA?

HIPAA is short for the Health Insurance Portability and Accountability Act. Originally passed in 1996, the act continually undergoes tweaks as technology⁠—and the ability to share data⁠—evolve.

Any business that stores PHI on patients must have a plan for how to handle and protect that data. That means any software you’re using to manage or use PHI must be compliant with HIPAA security requirements, including G Suite.

The Security Rule is part of HIPAA. It specifies which safeguards any entities holding the sensitive data must follow. It also attempts to streamline the digitizing of PHI, ensuring these entities can run efficiently while still protecting people’s health information.

Importance of HIPAA

Without safeguards in place for important health-related data, threat actors could steal important personal information, resulting in identity theft. Additionally, attackers could obtain information related to someone’s health that the person needs or prefers to keep private.

As more health records become digitized, HIPAA’s technology arm moves to the forefront. Multiple organizations share digital patient data with other entities⁠—doctors share electronic data with pharmacies and insurance companies, for example.

Do I need to worry about HIPAA?

Only certain types of businesses need to be compliant with HIPAA.

  • Healthcare: Any company whose primary role deals with healthcare should be compliant with HIPAA.
  • Technology: Tech companies that have healthcare clients count too.
  • Contractors: For those who are self-employed or who work on a contract basis where they handle PHI, such as auditors or accountants, HIPAA compliance is also mandatory.
  • Third parties: Those that perform claims processing or third-party administration in the healthcare arena must be HIPAA compliant, and they may want to pass the G Suite Certification exam to show full competency with G Suite to their healthcare clients.

There’s a wide range of business types that may deal with PHI, including:

  • Attorneys
  • Billing companies
  • Cloud storage companies
  • Data centers
  • Document destruction companies
  • Financial service providers
  • Insurers
  • Medical equipment providers
  • SaaS providers
  • Transcription services

Is G Suite HIPAA compliant?

Not right out of the box. But the good news is, you can make G Suite HIPAA compliant. Only a few key settings need changing to set up G Suite properly for your HIPAA compliance needs.

The caveat: you, as the Google administrator, must go through the steps on your own. Google doesn’t do it for you. If you need help figuring out the admin functions in Google Workspace, try one of these G Suite training programs.

Nor does Google advise companies on whether they need to be HIPAA compliant. Use CMS’s Covered Entity Guidance tool to make sure the HIPAA rules apply to you.

How to make your G Suite HIPAA-compliant

1. Sign the BAA

One aspect of this process that creates some confusion is the signing of a Business Associate Agreement with Google.

When using G Suite, you will need to sign a BAA. But this alone does not make you HIPAA compliant. It’s only one step in the process.

Still, it’s easy to do for G Suite admins. First, sign in to the G Suite admin console. Click “Company Profile” > “Show More” > “Legal & Compliance.” You should see a “Review and Accept” button next to the BAA on the page. You’ll need to answer a few questions to verify that you need to be HIPAA compliant. Once you do, click “I Accept” to sign the BAA.

Essentially, the BAA lets Google know that you will be using G Suite for PHI. Google specifically lays out in its software agreement that you cannot use G Suite for PHI unless you sign the BAA.

2. Implement stricter logins

Should a threat actor steal one of your user’s passwords to Google Workspace, having the service’s two-factor authentication feature in place will keep your data safe and your G Suite HIPAA compliant.

With two-factor authentication, users have to present two pieces of information to log into G Suite. Additionally, they must verify their identity when signing in with a different device. Users may need to change their passwords every month, depending on how the G Suite admin sets up this feature.

For further reinforcement, you can request that users create tougher passwords. As a G Suite admin, you can’t see the specific passwords your users have stored. What you can see is whether Google ranks these passwords as strong enough. You also can see the length of each password.

Want to set a certain level of password strength or a minimum number of characters? Enforce those requirements in your Google Admin console by following these steps.

3. Secure your email

Adjusting the admin settings to ensure a high level of email security is key to maintaining G Suite HIPAA compliance. Use these settings to:

  • Automatically inspect emails for PHI-identifying clues.
  • Provide alerts when Gmail identifies sensitive data, such as health data or a social security number, in a message.
  • Activate all of Gmail’s secure email services.
  • Add disclaimers to all emails sent outside your organization.

4. Turn off G Suite services you don’t use

Within G Suite, you have access to several core services and apps. However, not all services you use with G Suite are HIPAA compliant. If you’re concerned that employees or coworkers may inadvertently try to use one of these unsupported services with PHI, you can just turn the services off in the admin console, preventing your G Suite users from even accessing them.

5. Use separate user groups

One way to ensure HIPAA compliance is by creating groups within G Suite. Place all users who need to manage or have access to PHI into one group, and those who shouldn’t have access in another. This makes it far easier to control G Suite access for HIPAA compliance reasons.

6. Let G Suite alert you to anomalies

Set up your admin settings to let you know when abnormal things occur in your G Suite instance. If an anomaly threatens to put your PHI in jeopardy, you’ll know immediately. Alerts you can choose to receive include:

  • Adding a new user
  • Changes to admin privileges for users
  • Deletions of users
  • Password change notifications
  • Sign-in and log-off tracking
  • Suspensions of any user
  • Suspicious login attempts

There are several other notification options available in G Suite, all disabled by default. It may require some trial and error on the admin’s part to figure out which alerts are necessary and which are more of a time suck.

Conclusion: G Suite HIPAA compliance rules

Given the cost of not following HIPAA rules, you do not want to make a mistake here. And, of course, you don’t want to suffer a security breach that puts sensitive data in the wrong hands.

These security measures take time and effort, but pay dividends in terms of keeping your data safe⁠—not just PHI, but all company information. If your G Suite users complain about having to take extra steps to access this information, remind them: it’s just par for the course to go to extra lengths to protect ourselves and our customers in today’s highly digital and collaborative world.

Incredible companies use Nira

Every company that uses Google Workspace should be using Nira.
Bryan Wise
Bryan Wise,
Former VP of IT at GitLab

Incredible companies use Nira