Is Google Workspace HIPAA Compliant?
For HIPAA compliance in Google Workspace, get a paid subscription, sign a BAA, use compliant services, and configure them properly. Keep reading to learn more.
Google Workspace is a collection of productivity and communication services that streamline workflows and enhance collaboration. It is a popular choice for many organizations, including those working in healthcare, because of cloud-based accessibility, familiarity, and user-friendly interface.
At the same time, when choosing collaboration and communication tools for their teams, healthcare organizations must ensure they can use these tools in compliance with HIPAA. In simple terms, both healthcare organizations and their service providers must implement all necessary security controls to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI) created, collected, maintained, or transmitted electronically.
Google officially states that for customers subject to the requirements of the Health Insurance Portability and Accountability Act (HIPAA), Google Workspace can support HIPAA compliance as long as certain requirements are met. To use Google Workspace compliantly, customers must:
- use a paid Google Workspace subscription;
- sign a Business Associate Agreement (BAA) with Google;
- use only HIPAA-compliant Workspace offerings;
- configure Google Workspace correctly to support HIPAA compliance.
Following these simple steps will help ensure Google Workspace is HIPAA compliant. Let’s review each of them in more detail.
Choose Google Workspace Plans that Support HIPAA Compliance
Google Workspace is HIPAA compliant for services with "covered functionality," as long as HIPAA-covered entities subscribe to a Workspace plan that supports HIPAA compliance and properly configure the services to meet the HIPAA Security Rule requirements.
All Business and Enterprise plans include the same "core services" but vary in functionality. For instance, organizations on a Business "Starter" or Business "Standard" plan only have basic endpoint management capabilities. In contrast, those on a Business "Plus" or any Enterprise plan have enhanced personal and corporate mobile device security management. Conducting a risk assessment can help determine the most appropriate plan.
Sign a HIPAA BAA with Google Workspace
To use any Workspace services to create, collect, store, or transmit PHI, it is necessary to sign Google’s Business Associate Addendum (BAA).
Google Super Administrators can digitally sign the Addendum via the Admin console. To review and accept the HIPAA Business Associate Addendum, follow these steps:
- In the Admin console, go to Menu > Account > Account settings > Legal and Compliance.
- Go to the Security and Privacy Additional Terms section.
- Click Google Workspace/Cloud Identity HIPAA Business Associate Addendum to review.
- Click Review and Accept and answer all three questions to confirm that you are a HIPAA-covered entity.
- To accept the HIPAA BAA, click OK.
The Google BAA is an extension of the Terms of Service Agreement, so before signing it, Administrators must carefully review the Terms of Service Agreement and the BAA itself to understand the areas of responsibility clearly. Special attention should be paid to Customer Obligations in Clause #3, which:
- prohibits the storage and transmission of ePHI without a signed BAA;
- makes customers responsible for end-user compliance with the Agreement;
- requires customers to notify Google of any unauthorized use of, or access to, a Workspace account (including compromised passwords).
Special consideration should also be given to BAA Clause #4, which requires customers:
- not to request that Google use or disclose ePHI in any manner that would not be permissible under HIPAA;
- to use the controls available within Google Services, including those detailed in the HIPAA Implementation Guide, and to ensure that their use of ePHI is limited to the Covered Services;
- to be solely responsible for ensuring that their and their End Users’ use of the Covered Services complies with HIPAA and HITECH.
Use HIPAA-Compliant Workspace Offerings
Per Google, the BAA covers only a subset of Google services, and only when those services are properly configured. Administrators can limit which services are available to different groups of end users depending on whether particular end users will handle ePHI. The HIPAA-compliant Google Workspace offerings are listed in section 1 of the HIPAA Implementation Guide and include:
- Gmail
- Calendar
- Drive (including Docs, Sheets, Slides, and Forms)
- Gemini for Google Workspace
- Google Chat
- Google Meet
- Keep
- Google Cloud Search
- Google Voice (managed users only)
- Sites
- Google Groups
- Jamboard
- Cloud Identity Management
- Tasks
- Vault
Any Core Service not listed in section 1 of the HIPAA Implementation Guide may not be used for ePHI. For example, Google Analytics is not HIPAA compliant because it uses cookies, tracking pixels, fingerprinting scripts, etc., to track website/app traffic and collect information (potentially including ePHI) about how the user interacted with the page. Non-compliant Google Workspace services can be disabled for the Google Workspace users who work with ePHI.
Configure Google Workspace Correctly to Support HIPAA Compliance
When considering how to make Google Workspace HIPAA compliant, it is important to note that Google Workspace services must be used and configured in such a way that they satisfy HIPAA requirements.
Manage Access with Google Role-Based Access Control (RBAC)
Google role-based access control (RBAC) enables Administrators to tailor access to Google Security Operations features based on an employee's role in the organization, so that only authorized personnel can access ePHI. The Users & Groups page lets an Administrator configure RBAC and assign roles to individual users or to user groups. The available roles are:
- Default
- ViewerWithNoDetectAccess
- Viewer
- Editor
- Administrator
Roles are associated with a set of product permissions. Assigning a role to a user grants the user the permissions associated with that role, so each defined role carries its own set of permissions, including those related to ePHI handling.
Enable Google IAM for Authentication
Google Cloud services use Identity and Access Management (IAM) for authentication. IAM offers granular control by principal and by resource. In HIPAA-related terms, IAM ensures that only authorized individuals have access to ePHI and limits this access to a minimum necessary to perform their job functions. Administrators can manage access controls by defining who (identity) has what access (role) for which resource by implementing robust authentication mechanisms. These include using strong passwords, multi-factor authentication (MFA), and biometric verification.
Google APIs use the OAuth 2.0 protocol for authentication and authorization, offering an additional layer of security by allowing users to grant third-party applications access to their data without sharing their passwords. This is particularly beneficial in environments where token security is crucial, such as mobile apps, because it ensures that sensitive user credentials are not exposed and access can be securely managed through access tokens. By implementing OAuth 2.0, Google ensures that only authorized applications can interact with user data, enhancing security and user trust.
Google also offers 2-Step Verification (2FA), also called multi-factor authentication (MFA), which adds an extra layer of security to Workspace accounts in case employees’ passwords are compromised. 2FA can only be enabled via the Google Workspace Admin console:
- Go to Menu > Security > Authentication > 2-step verification.
- Check the Allow users to turn on 2-Step Verification box.
- Select Enforcement > On.
- Click Save.
Encrypt ePHI in Transit and at Rest with Google Encryption
Data stored by Google is encrypted both in transit and at rest. All data that Google stores is encrypted at the storage layer using the Advanced Encryption Standard (AES) algorithm, AES-256. Data in transit is encrypted with Transport Layer Security (TLS) or QUIC.
Enterprise Plus, Education Standard, and Education Plus Google Workspace Plans can use client-side encryption (CSE), which adds another layer of encryption to an organization's data. CSE helps keep data private with end-to-end encryption that Google servers and third parties can't decrypt. It is especially beneficial for organizations that store sensitive or regulated data, like intellectual property, healthcare records, or financial data.
Enable Google DLP
Using Google data loss prevention (DLP), HIPAA-covered entities can create and apply rules to control the content users can share in files outside the organization. DLP controls what users can share and prevents the unintended exposure of sensitive information, such as PHI. It can automatically scan emails and attachments for ePHI and block or quarantine messages that violate policies.
DLP rules trigger file scans for sensitive content and prevent users from sharing that content. Rules determine the nature of DLP incidents, and incidents trigger actions, such as blocking specified content. Specifically, one can use DLP to:
- Audit the usage of ePHI in Drive that users may have already shared to gather information on ePHI uploaded by users.
- Directly warn end users not to share ePHI outside of the domain.
- Prevent sharing of ePHI with external users.
- Alert administrators about policy violations or DLP incidents.
- Investigate details of an incident with information on the policy violation.
Enable Audit Logs for Google Workspace
Audit logs for Google Workspace help healthcare organizations monitor and track activities around ePHI, what actions were taken, and when they occurred, thus supporting compliance with HIPAA regulations. Google Workspace provides the following audit logs at the Google Cloud organization level:
- Google Workspace Admin Audit: Admin Audit logs record actions performed in the Google Admin console (e.g., new users added or a new Google Workspace service turned on).
- Google Workspace Enterprise Groups Audit: Enterprise Groups Audit logs provide a record of actions performed on groups and group memberships (e.g., when a new user is added or a group owner deletes their group).
- Google Workspace Login Audit: Login Audit logs track user sign-ins to the organization’s domains. These logs only record the login event.
- Google Workspace OAuth Token Audit: OAuth Token Audit logs track which users are using which third-party mobile or web applications in the organization’s domain. For example, when a user opens a Google Workspace Marketplace app, the log records the app’s name and the person using it. The log also records when a third-party application is authorized to access Google Account data, such as Google Contacts, Calendar, and Drive files (Google Workspace only).
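As an added example of what a reviewer can do with the OAuth Token Audit log described above (this is not code from the original article or from Google), the script below filters authorization events for third-party apps that were granted a Drive- or Gmail-wide scope. The records are constructed to follow the item shape of the Admin SDK Reports API (`activities().list` with `applicationName='token'`); the parameter names are assumed from that API and every value is invented.

```python
"""Flag OAuth Token Audit events that grant third-party apps ePHI-capable scopes.
Added example, not from the original article or from Google. Records are
constructed in the item shape of the Admin SDK Reports API (activities().list,
applicationName='token'); parameter names are assumed, all values invented."""

# Scopes that would let an app reach ePHI in Drive or Gmail (a policy choice).
EPHI_SCOPES = {
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://mail.google.com/",
}

# Constructed sample records: one Drive-wide grant, one calendar-only grant.
SAMPLE_EVENTS = [
    {"id": {"time": "2024-05-01T14:03:00Z", "applicationName": "token"},
     "actor": {"email": "nurse@clinic.example"},
     "events": [{"name": "authorize", "parameters": [
         {"name": "app_name", "value": "PDF Merge Helper"},
         {"name": "client_id", "value": "1234.apps.googleusercontent.com"},
         {"name": "scope", "multiValue": [
             "https://www.googleapis.com/auth/drive",
             "https://www.googleapis.com/auth/userinfo.email"]}]}]},
    {"id": {"time": "2024-05-01T14:10:00Z", "applicationName": "token"},
     "actor": {"email": "front-desk@clinic.example"},
     "events": [{"name": "authorize", "parameters": [
         {"name": "app_name", "value": "Calendar Widget"},
         {"name": "client_id", "value": "5678.apps.googleusercontent.com"},
         {"name": "scope", "multiValue": [
             "https://www.googleapis.com/auth/calendar.readonly"]}]}]},
]

def _params(event):
    """Flatten an event's parameter list to a dict; multiValue stays a list."""
    return {p["name"]: p.get("multiValue", p.get("value"))
            for p in event.get("parameters", [])}

def risky_oauth_grants(records):
    """Return (time, user, app_name, client_id, matched scopes) per risky grant."""
    hits = []
    for rec in records:
        if rec["id"]["applicationName"] != "token":
            continue
        for ev in rec["events"]:
            p = _params(ev)
            scopes = p.get("scope", [])
            if isinstance(scopes, str):  # single-valued form, just in case
                scopes = [scopes]
            matched = sorted(set(scopes) & EPHI_SCOPES)
            if ev["name"] == "authorize" and matched:
                hits.append((rec["id"]["time"], rec["actor"]["email"],
                             p["app_name"], p["client_id"], matched))
    return hits
```

Each hit is a candidate for follow-up: confirm the app is approved for ePHI under the BAA, or revoke the grant and restrict the app in the Admin console.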
Google Workspace MDM
Healthcare organizations may also utilize Google Workspace Mobile Device Management (MDM) to secure sensitive patient data and comply with regulatory requirements. As healthcare professionals increasingly use mobile devices to access electronic health records and other confidential information, MDM helps ensure that these devices are properly secured and managed. By implementing Google Workspace MDM, organizations can enforce security policies such as device encryption, strong passwords, and screen locks, reducing the risk of data breaches. Additionally, MDM provides remote management capabilities, enabling administrators to lock or wipe devices if they are lost or stolen, thus protecting sensitive ePHI. To set up basic mobile device management in Google Workspace, Administrators must:
- Go to Admin Console > Menu > Devices > Mobile & endpoints > Settings > Universal.
- Click General > Mobile management.
- Select Basic.
- Click Save. Administrators might click Override for an organizational unit.
How Planet 9 Can Help
Using Google Workspace compliantly is important, yet it is not the only task of HIPAA-covered entities. Ensuring compliance with HIPAA involves a comprehensive approach that extends to regular risk assessments, employee training and awareness programs, and developing thorough policies and procedures to manage and respond to security incidents effectively.
Planet 9 HIPAA-compliance services offer a comprehensive approach to ensuring and maintaining HIPAA compliance and include:
- Conducting a discovery to understand the client’s organization, business processes, and technologies.
- Performing a HIPAA evaluation to identify safeguards in place and compliance gaps.
- Performing a risk assessment to identify risks to PHI.
- Developing a roadmap for addressing the identified compliance gaps and risks.
- Assisting the client in executing the roadmap.
You can also utilize the Planet 9 HIPAA Vitals application to assess your HIPAA compliance. The HIPAA Vitals assessment is based on several reputable sources, including the Office of Civil Rights (OCR) Audit Protocol, NIST 800-66 Rev. 1, HIPAA Security Series issued by the Department of Health and Human Services (DHHS), and years of experience implementing HIPAA requirements in different organizations by our professionals.
Feel free to contact the Planet 9 team for help with your security and compliance challenges. We’ll be happy to assist!