The major cloud computing providers now understand HIPAA compliance requirements and provide a path for a Covered Entity or Business Associate to use their products in a compliant manner. Google’s G-Suite, previously branded “Google Apps for Work,” is one of those services. A covered entity or business associate must implement, use and administer the service in a compliant manner, which involves a number of steps, considerations and caveats.
Google has robust security measures in place which are regularly verified as compliant with numerous national and international security standards, including ISO 27001, 27017 and 27018, SOC 2, SOC 3 and FedRAMP. These reports and audits are available for inspection. Of course, security is not the same as compliance, so the rest of this post will focus on how G Suite can be used in a HIPAA compliant manner.
HIPAA Business Associate Agreement. Since the Google cloud will be used to store and maintain ePHI, Google is a HIPAA Business Associate. The first step is to put in place a Business Associate Agreement (BAA).
Google offers its HIPAA BAA which will be non-negotiable. Eagle’s opinion is that the agreement meets the minimum requirements of a HIPAA BAA, and as such Google accepts the minimum liability in the event of a data breach which is to send you “applicable Breach notifications” via email in the event of a breach. Google will not indemnify you, reimburse you for your breach notification costs, or pay any other damages. The agreement further specifies that you appropriately configure and use the G Suite services as detailed in their “HIPAA Implementation Guide”. You can execute the agreement electronically via the G Suite Admin console. Go to “Company Profile,” and then select “Profile”. Under “Security and Privacy Additional Terms” you will find the HIPAA Business Associate Amendment which you can sign electronically.
Included Functionality. To achieve HIPAA compliance, you must agree to limit yourself to “included functionality,” which at this writing includes Gmail, Google Calendar, Google Drive (including Docs, Sheets, Slides and Forms) and Google Vault. This is a small subset of the entire G Suite so it is important that prospective users be aware of this limitation.
Implementation Requirements. Google requires that you configure and use their service according to the specifications in its “HIPAA Implementation Guide.” This guide specifies that users may use certain “Core Services,” including Hangouts, Contacts and Groups, as long as no PHI is used within those services. All remaining “non-core” services, including YouTube, Google+, Blogger, Picasa Web Albums and many others, must be disabled for any user who processes ePHI. However, individuals in the organization who do not process ePHI (e.g. marketing staff) may use these non-core services. Google provides guidelines for appropriate configuration of all of these services.
Information System Activity Review. HIPAA requires that organizations monitor system activity – and Google provides notifications, audit reports, and logs so that organizations can fulfil their HIPAA obligation to monitor activity. Covered entities and Business Associates should use these features on an ongoing basis.
Gmail. Since one of the most popular Google services is Gmail, let us drill into this in more depth. Is Gmail HIPAA compliant? Google provides the required encryption for both “data in motion” and “data at rest” for emails within the organization. However, if you want to transmit any ePHI via Gmail to someone outside of your organization, then you will need to purchase the add-on G Suite Message Encryption (GAME). GAME is delivered by industry leader ZixCorp and requires an additional fee, which is $100/user/year, or for larger organizations, $3500/year for 100 users. You may review the GAME Overview Page for more details including technical specifications and features.
Best practices. Google supports two-factor authentication which, while not explicitly mandated by HIPAA, is highly recommended. Other best practices would be to utilize email identity technologies including Domain-based Message Authentication, Reporting and Conformance (DMARC), DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF), which can prevent spammers and phishers from “spoofing” your domain.
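The value of SPF, DKIM and DMARC depends entirely on how the DNS records are written: an SPF record ending in “+all” or a DMARC policy of “p=none” leaves the domain as spoofable as having no record at all. The following checker is an added example, not code from Google or from this post's author; it parses the three record types offline and flags the weak settings an administrator should look for before treating the domain as protected. The TXT records it inspects are constructed samples for a hypothetical domain, not real DNS data, and the `check_*` function names are this example's own.

```python
"""Offline sanity checks for SPF, DKIM and DMARC TXT records (added example)."""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (severity, message)
SEVERITY_ORDER = ["info", "warn", "error", "critical"]

# Mechanisms/modifiers that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed sample records for a hypothetical domain (not real DNS data).
# The "hardened" DKIM p= value is a placeholder, not a real public key.
SAMPLE_RECORDS = {
    "weak": {
        "spf": "v=spf1 include:_spf.google.com +all",
        "dmarc": "v=DMARC1; p=none",
        "dkim": "v=DKIM1; k=rsa; t=y; p=",
    },
    "hardened": {
        "spf": "v=spf1 include:_spf.google.com -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100",
        "dkim": "v=DKIM1; k=rsa; p=Q09OU1RSVUNURURfUExBQ0VIT0xERVI=",
    },
}


def parse_tags(record: str) -> Dict[str, str]:
    """Parse 'tag=value; tag=value' syntax shared by DMARC and DKIM records."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")  # split on the first '=' only
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record: str) -> List[Finding]:
    """Flag permissive 'all' qualifiers and the 10-lookup limit in an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [("error", "not an SPF record (missing v=spf1)")]
    findings: List[Finding] = []
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        qualifier = "+"  # SPF's default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:/=]", term, maxsplit=1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append(("warn", "ptr mechanism is deprecated and slow to evaluate"))
    if all_qualifier is None:
        findings.append(("warn", "no 'all' mechanism; unmatched senders get a neutral result"))
    elif all_qualifier == "+":
        findings.append(("critical", "'+all' authorizes every host on the internet to send as this domain"))
    elif all_qualifier == "?":
        findings.append(("warn", "'?all' is neutral; receivers will not reject spoofed mail"))
    elif all_qualifier == "~":
        findings.append(("info", "'~all' is soft-fail; rely on DMARC to turn failures into rejection"))
    if lookups > 10:
        findings.append(("error", f"{lookups} DNS-querying terms exceed the RFC 7208 limit of 10 (permerror)"))
    return findings


def check_dmarc(record: str) -> List[Finding]:
    """Flag monitor-only policies, missing reporting and partial enforcement."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return [("error", "not a DMARC record (missing v=DMARC1)")]
    findings: List[Finding] = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append(("warn", "p=none only monitors; spoofed mail is still delivered"))
    elif policy == "quarantine":
        findings.append(("info", "p=quarantine; move to p=reject once aggregate reports are clean"))
    elif policy != "reject":
        findings.append(("error", "p tag missing or invalid; receivers will ignore the record"))
    if "rua" not in tags:
        findings.append(("warn", "no rua= address; aggregate reports will not be received"))
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(("warn", f"pct={pct}; policy applies to only part of the mail stream"))
    return findings


def check_dkim(record: str) -> List[Finding]:
    """Flag a revoked (empty) key and the t=y testing flag in a DKIM key record."""
    tags = parse_tags(record)
    if tags.get("v", "DKIM1").upper() != "DKIM1":  # v= is optional in DKIM
        return [("error", "unexpected v= tag; not a DKIM key record")]
    findings: List[Finding] = []
    if not tags.get("p"):
        findings.append(("critical", "empty p= tag means the key is revoked; signatures will not verify"))
    if "y" in tags.get("t", "").lower().split(":"):
        findings.append(("warn", "t=y testing flag set; verifiers treat signed mail no differently from unsigned"))
    return findings


def worst_severity(findings: List[Finding]) -> str:
    """Return the highest severity present, or 'ok' when there are no findings."""
    return max((sev for sev, _ in findings), key=SEVERITY_ORDER.index, default="ok")


def assess_domain(records: Dict[str, str]) -> Dict[str, List[Finding]]:
    """Run all three checks over a {'spf':..., 'dmarc':..., 'dkim':...} mapping."""
    return {
        "spf": check_spf(records["spf"]),
        "dmarc": check_dmarc(records["dmarc"]),
        "dkim": check_dkim(records["dkim"]),
    }


if __name__ == "__main__":
    for label, recs in SAMPLE_RECORDS.items():
        for kind, findings in assess_domain(recs).items():
            print(f"{label:9s} {kind:5s} {worst_severity(findings):8s} {[m for _, m in findings]}")
```

In production you would feed the checker the live TXT records for your domain (the SPF record at the apex, the DMARC record at `_dmarc.<domain>`, and each DKIM selector record) and re-run it whenever the mail configuration changes; the point of the weak sample is that every one of its records is syntactically valid yet provides no protection.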
Larger, more sophisticated organizations will be able to handle the implementation of G Suite. Smaller organizations, those without dedicated IT staff, should get the assistance of a G Suite Implementation Partner, as the array of configuration options could easily overwhelm the non-technical user. You can use the Google Cloud Partners page to find one of their numerous partners to assist with implementation. The bottom line is that Google’s newly rebranded G Suite can be used by a covered entity or business associate in a HIPAA compliant manner. The covered entity or business associate has some significant technical and administrative responsibilities in order to achieve this compliance.