Gemini, Google's AI, previously known as Bard, helps you write, design, and organize with generative AI. Gemini can be considered HIPAA compliant if used as part of a Google Workspace account that has signed a business associate agreement with Google and is configured for HIPAA compliance. Use this article as a guide for the process of ensuring your Gemini account is HIPAA compliant.
Gemini is an artificial intelligence system developed by Google designed to engage in natural, human-like conversations. It allows end users to use generative artificial intelligence features to help write content, organize files, visualize information, accelerate workflows, and have more productive meetings.
Access to Gemini via gemini.google.com or mobile applications is not designed to meet HIPAA's specific security and privacy requirements. If Gemini is used in this manner to transmit PHI, it poses risks such as data breaches, unauthorized access, and non-compliance with HIPAA regulations. To be compliant, you must transition to Gemini for Google Workspace.
Google Workspace offers a suite of productivity and collaboration tools that can be configured to meet HIPAA compliance standards. By transitioning to Gemini for Google Workspace, you can access enhanced security features and administrative controls necessary for handling PHI securely.
Visit the Google Workspace website to select the appropriate plan featuring Gemini and proceed with signing up. If you currently use a Google Workspace account, you can transition to a supported edition and acquire the Gemini add-on as required.
After you add Gemini for Google Workspace to your account, you must assign licenses to users. When you assign the license to a user, they gain access to all the available Gemini for Google Workspace features.
An important step for HIPAA compliance within Google Workspace is signing a business associate agreement (BAA) with Google. A BAA is a contractual arrangement that specifies Google's obligations for handling protected health information (PHI) in alignment with HIPAA regulations.
Once you have established your Google Workspace account and signed the BAA, configuring security settings is paramount for HIPAA compliance. Implement strong passwords, enforce complexity requirements, enable multi-factor authentication for all users, and use Google Workspace's access controls to restrict access to authorized personnel.
While Google Workspace provides a solid foundation for HIPAA compliance, implementing additional security measures can further enhance the protection of PHI:
By following these steps and using the security features provided by Google Workspace, you can protect sensitive health information, meet HIPAA compliance standards, and maintain the privacy and integrity of PHI while using Gemini.