Google & HIPAA Compliance: The Ultimate Guide
by Amanda Larson
Google delivers results to over 5.6 billion searches every day, but the company is much more than a search engine. Google also offers Google Workspace (formerly G Suite), a suite of cloud computing, productivity and collaboration tools, software and products.
Many medical providers have migrated their email, cloud services, and document collaboration to Google Workspace because of its large list of offerings. Google Workspace includes popular applications like Gmail, Google Docs, Google Hangouts, and more.
Google Workspace is an attractive option for healthcare practitioners, but the question is: is Google Workspace HIPAA compliant?
Paubox is a proud business associate to thousands of companies. Many of our healthcare customers ask what other products are HIPAA compliant, and Google’s offerings are among them.
The Paubox team spent hours of research learning all about Google Workspace’s BAA so you don’t have to. We have written so many blogs covering Google Workspace products, we decided to compile them here.
This guide will answer all your questions about Google and HIPAA compliance. Let’s dive in!
Google and HIPAA Compliance
Signing up for a free Gmail email address gives you access to many of the Google Workspace products. If you’re using Google for business, they have premium paid plans. There’s a significant difference between the free and paid plan, especially in the world of HIPAA.
The paid version of Google Workspace can be configured to be HIPAA compliant, but NOT the free version. Keep reading and we’ll explain.
“Google offers a BAA covering Gmail, Google Calendar, Google Drive (including Docs, Sheets, Slides, and Forms), Google Hangouts (chat messaging feature only), Hangouts Meet, Google Keep, Google Cloud Search, Google Sites, Jamboard, and Google Vault services.”
No matter what, you must sign Google’s business associate agreement (BAA) to be HIPAA compliant. It is NOT included by default.
Keep in mind, however, that using a paid Gmail account with a signed BAA in and of itself does not make your email HIPAA compliant.
Google’s BAA does not cover email sent or received in transit, which is an essential component of sending HIPAA compliant email.
Gmail encrypts email at-rest only, but HIPAA also requires that email be encrypted in-transit and upon delivery. You must partner Gmail with an email solution that secures your email at all stages, such as Paubox Email Suite.
Paubox Email Suite is the only HIPAA compliant email solution with zero-step encryption on all sent emails. It can integrate with Google Workspace in under 30 minutes, and after that all emails you send are encrypted end to end by default.
Below we will expound on the various individual products that Google provides, and whether or not each one can be configured to be HIPAA compliant. We have separated the various tools into different product types for the sake of ease.
Google’s Communication Tools
The world’s most popular email platform can be configured for HIPAA compliance, but it does not come standard. This post takes a deeper dive into how to make Gmail compliant. To sum up:
If you are using a paid version of Gmail, Google will sign a BAA with your organization. Again, Google does not offer a BAA for free Gmail accounts, and therefore free Gmail is not HIPAA compliant.
Launched in 2001, Google Groups allows you to participate in discussions through online forums and email-based groups. These community conversations provide a “rich experience,” according to Google, but are Google Groups HIPAA compliant?
Yes, Google Groups can be configured for HIPAA compliance with a proper BAA.
Google Hangouts is a communication platform that includes instant messaging, video chat, SMS, and VOIP. This solution replaced three previous Google communication products.
Beware if you’re using Google Hangouts as a medical professional. Only the chat messaging feature of Google Hangouts is HIPAA compliant.
If you need to be HIPAA compliant, you should not use the video chat, SMS, or VOIP components of Google Hangouts.
Google Hangouts Chat
Hangouts Chat is Google’s take on modern workplace communication, and it is available as a core part of Google Workspace. The natural question then arises, is Google Hangouts Chat HIPAA compliant?
Yes, Google Hangouts Chat is HIPAA compliant with a BAA.
Google Hangouts Meet
Telehealth has become more and more popular, especially as a way that medical professionals are reacting to COVID-19. Google Hangouts Meet is Google’s enterprise video conferencing software. To learn more about it, check out our blog on the topic.
If you’re using Google Hangouts Meet for patients or to chat with other medical providers, it’s good to know that it can be configured for HIPAA compliance. Just make sure you have a signed BAA that covers your plan.
Need a calling alternative? Google Voice is a telephone service that provides call forwarding, voicemail, voice, and text messaging. The service was launched in 2009 when Google acquired Grand Central. As another communication tool from Google, is this HIPAA compliant too?
No, Google Voice is not HIPAA compliant. We determined that Google Voice is not part of Google Workspace and it is not mentioned in Google’s BAA.
Google’s Cloud Services
Similar to Dropbox, Google Drive is a file storage and synchronization service. Users use it to upload, sync, and share files in the cloud. Google Drive encompasses Google Docs, Sheets, and Slides.
As referenced in this article from Google’s help center, Google Drive is HIPAA compliant. Just make sure you sign a BAA!
We explain in further detail in this post.
Google Docs, Google Sheets, and Google Slides
Google Slides and Google Sheets are encompassed by Google Docs, which is a part of Google Drive. When you open Google Drive to create a new text document, spreadsheet, or slide deck, you’re using Google Docs. If you use Google Docs for your business, you may be curious if it’s HIPAA compliant.
Since Google Docs is a component of Google Drive, it can also be configured to be HIPAA compliant.
Similar to Wix or WordPress, Google Sites is a website builder. However, Google Sites is specially tailored for businesses and web-based teams. To learn more, read our full post on the topic.
If you’re thinking about using Google Sites for your medical practice, it can be a HIPAA compliant option with a signed BAA from Google.
Google Cloud is a computing service by Google that offers hosting on the same infrastructure that Google uses internally for consumer products like Google Search and YouTube. Google Cloud provides developer products to build a range of solutions from simple websites to complex applications.
The Google Cloud platform is comprised of a suite of enterprise services from Google Cloud. It provides a host of development tools like hosting and computing, cloud storage, data storage, translation APIs and prediction APIs. Learn more about it here.
Google Cloud offers a BAA, and therefore it can be used in a HIPAA compliant manner.
It’s important to note, however, that the BAA only includes coverage for the Google Cloud Platform; HIPAA compliance for Google Workspace is covered separately under a different BAA.
Google Cloud Identity
This product is Google’s Identity-as-a-Service (IDaaS) solution. It provides a centralized console to manage users, apps, and devices. But is Google Cloud Identity HIPAA compliant?
In brief, Google Cloud Identity can be configured for HIPAA compliance. But keep in mind that a BAA must be in place before any Google services are used to store protected health information (PHI).
Google Cloud Search
Complementing Google Cloud Identity, Google Cloud Search lets employees search and retrieve internal information. We explain in detail in this post.
Like Google Cloud Identity, Google Cloud Search can also be configured for HIPAA compliance with a BAA in place.
The Google Vault was created for data storage. Organizations use Google Vault to retain, hold, search, and export data. It supports Google Workspace products like Gmail, G Drive, and more. Read more about it here.
As long as you sign a BAA with Google, Google Vault is HIPAA compliant.
Google’s Productivity Tools
Many people use Google Calendar to organize both their work and personal lives. Since its launch in 2006, Google Workspace’s Google Calendar has risen to become a top calendar app. Its integration with Gmail makes time management and scheduling simple. But does scheduling medical-related appointments with Google Calendar break any HIPAA rules?
Like many of the other Google Workspace products, Google Calendar is HIPAA compliant with a signed BAA.
Google Workspace has so many products it is no wonder that Google created a task organizer too. Google Tasks allows users to make to-do lists inside Google or on a separate app. These tasks are then integrated into the user’s Google Calendar. But how about maintaining HIPAA compliance if you use it?
As long as you sign a BAA, Google Tasks can become HIPAA compliant.
Google Forms is Google Workspace’s solution to surveys. It can be used to manage event registrations, create a quick opinion poll, Q&A’s and more. Google Forms is an essential component of the Google Workspace because it helps businesses get answers fast, but is it HIPAA compliant?
According to Google, Google Forms is included in HIPAA compliant coverage with a signed BAA.
If your business is tech-savvy, Google Jamboard is a modern addition to any office. Google Jamboard is a 55”, 4k display that looks like a whiteboard. This digital screen lets your team collaborate digitally in a creative way. So does this next-level Google screen meet HIPAA requirements?
For nearly $5,000, it should be. Thankfully if you made that investment, you can rest assured that Google Jamboard can also be configured for HIPAA compliance.
Since 2013, Google Keep has become another popular productivity tool from Google Workspace. This note-taking service lets users take digital notes. It provides text, lists, images, and even audio.
Google Keep for Google Workspace can be configured for HIPAA compliance. However, it is important to note that Google Keep for a free Gmail account is not!
HIPAA compliant solutions that are complementary to Google Workspace
Google offers many useful products that are great for healthcare professionals along with a signed BAA. To complement the power of Google, other HIPAA compliant solutions are worth considering.
Paubox Email Suite
It bears repeating that paid Gmail with a signed BAA needs an additional service like Paubox Email Suite to be secure enough to send HIPAA compliant email.
Paubox Marketing is a leading solution for HIPAA compliant email marketing. You can segment your recipients and send personalized email messages that include PHI which arrive directly to the recipient’s email box.
Simply put, Paubox Marketing is the best HIPAA compliant email marketing solution available.
Paubox Email Suite Plus
Unfortunately, Gmail doesn’t protect you from cybercrime and spam. But Paubox can.
In conclusion, Google and Paubox can be used together for superior HIPAA compliant communication. Their combined power can provide a solid foundation for modernizing and improving your medical practice.