Is Google Workspace HIPAA Compliant?

Yes! Google Workspace is HIPAA Compliant.

So long as, of course, the user configures it properly and uses it in a secure manner. Allow me to elaborate for you…

Google Workspace (formerly known as G Suite) is a suite of cloud-based productivity tools for businesses. But is it secure enough to be trusted with sensitive information, such as patient records, or what is referred to as PHI (Protected Health Information)? The answer is YES – Google Workspace is HIPAA compliant when configured and used properly and can be used to store and manage protected health information. This blog post will explore how Google Workspace meets HIPAA compliance requirements and how private therapy practitioners can use the platform to manage their practice without compromising patient data.

Important Note – The information in this blog post does not constitute legal advice, and you should consult with a lawyer if you have any questions about legal issues in your practice. I am a therapist, not a lawyer, and as a general rule of thumb, don’t take legal advice from a therapist! I have done the research to present all the information here to the best of my knowledge on this topic, but if you have questions or concerns you should definitely consult with an actual attorney.

What is HIPAA Compliance and Why Does It Matter?

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that sets the standards for protecting patient health information. It was passed by Congress to provide some privacy protection for medical information. PHI stands for Protected Health Information and refers to any information in the medical record or designated record set that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment. 

HIPAA requires organizations to implement physical, technical, and administrative safeguards to protect the privacy and security of patient data. Organizations that fail to comply with HIPAA can face significant fines and other penalties.

What is Protected Health Information (PHI)?

Information that is considered Protected Health Information (PHI) includes:

  • Hospital and physician records regarding your medical conditions and treatments.
  • Prescriptions.
  • Lab test results.
  • Billings and insurance claims.
  • Appointment histories.
  • Financial and personal information, such as your name, date of birth, age, address, phone number, email address, Social Security number, and insurance information.

What is a HIPAA Covered Entity?

HIPAA does not apply to everyone. It only applies to what the Act calls a “covered entity,” which basically includes:

  • Health care providers.
  • Health plans. This includes Medicare and Medicaid.
  • Business associates of health care providers and plans. These provide billing, claims processing, or other services.

So yes, as a therapist, you are considered a covered entity. In addition, these business associates are some more examples of covered entities:

  • Third-Party Billing Companies: Companies that handle billing and coding for healthcare services often have access to patient information and must comply with HIPAA regulations. For example, I use Square for my billing and invoicing, and therefore they are considered a covered entity. 
  • Cloud Service Providers: Companies that offer data storage or other cloud services where PHI is stored or transmitted, like cloud-based EHR (Electronic Health Record) systems. Examples include Google Workspace in addition to all of the other EHR platforms.
  • IT Service Providers: Companies providing IT support and infrastructure services, including maintaining, transmitting, or analyzing PHI.
  • Law Firms: Legal professionals who receive PHI to provide legal services related to medical cases, compliance, or litigation.
  • Accountants and Auditors: Financial professionals who require access to PHI for accounting or auditing purposes.
  • Consultants: Individuals or firms providing consulting services that involve access to PHI, such as healthcare compliance consulting.
  • Claims Processing Companies: Entities that process health insurance claims, which often require access to PHI to verify coverage and process payments.
  • Pharmacy Benefit Managers (PBMs): Organizations that manage prescription drug benefits on behalf of health insurers, requiring access to patient prescription data.

Each of these entities, when engaged in activities that involve PHI, must sign a Business Associate Agreement (BAA) with the covered entity (in your case, YOU!), outlining how they will protect the information and comply with HIPAA rules. Failure to comply can result in significant penalties. For example, if you use Square for invoicing and payments, you will sign a BAA with them. (That’s a Square affiliate referral link if you need a payment processing system and want to sign up. I’ve been using Square for many years and love it.)

What Is a BAA?

A Business Associate Agreement (BAA) is a critical component for HIPAA compliance when covered entities, such as healthcare providers, engage third parties to perform services that involve access to protected health information. The BAA is a legally binding document that outlines the responsibilities and safeguards a business associate must implement to protect PHI and ensure compliance with HIPAA regulations.

Key Elements of a BAA include defining what constitutes PHI and how it will be handled, how the business associate is allowed to use and disclose PHI, and mandating the implementation of administrative, physical, and technical safeguards to protect PHI. The business associate must also promptly report any breaches of unsecured PHI to the covered entity, including security incidents that might compromise the integrity or confidentiality of PHI.  If the business associate engages subcontractors, they too must agree to the same restrictions and conditions regarding PHI. In total, the business associate agrees to comply with all relevant aspects of HIPAA, including the Privacy, Security, and Breach Notification Rules.

Why is the BAA Important?

A BAA is crucial because it:

  • Protects the Covered Entity: It shifts some of the liability for PHI breaches to the business associate, provided that the covered entity has taken necessary steps to secure PHI and entered into a BAA.
  • Ensures Compliance: It helps both parties adhere to HIPAA regulations, reducing the risk of non-compliance and associated penalties.
  • Clarifies Responsibilities: It clearly delineates the responsibilities of both the covered entity and the business associate regarding the handling and protection of PHI.

For Google Workspace to be HIPAA compliant, a healthcare provider must enter into a BAA with Google. This agreement covers core services such as Gmail, Google Calendar, and Google Drive, ensuring these services are used in a manner that protects PHI. Instructions for how to sign it are on Google’s page “Privacy compliance and records for Google Workspace and Cloud Identity,” and a copy of the agreement itself is published as the “Google Workspace HIPAA Business Associate Amendment.”

Google provides a HIPAA Compliance With Google Workspace Guide. I encourage you to visit the site and read through the information. 

Why do I need to purchase Google Workspace? Can’t I just use a free Google account?

No, you can’t, and HIPAA compliance is the reason! The free version of Google is not compliant, and as therapists we are required to be HIPAA compliant in our record keeping and in communicating with clients or patients because we are a covered entity. For those who are covered entities under the Health Insurance Portability and Accountability Act (HIPAA), Google Workspace can support HIPAA compliance.

People can feel confident using Workspace because Google ensures that it is secure. Storing in the “cloud” is much more secure than just storing information on your computer or even a thumb drive. If you are still using a paper documentation system, now is the time to change. With paper, you are at risk of physical theft or loss and environmental damage, you have limited access to your files when not in the office, and storage and organization are problematic. Transitioning to an electronic system offers enhanced security, accessibility, and integration capabilities, along with better compliance with HIPAA requirements.

Google Drive is the cloud storage application that comes with a Google account. Everything you create using any of the applications is stored automatically in your Google Drive. It is secure and meets HIPAA standards for storing electronic records.


Google’s official statement is that Google Workspace is compatible with HIPAA, the key compliance framework for protected health information (PHI). It is important to note that Google Workspace is considered HIPAA compliant only as long as certain requirements are met.

These include the following:

  1. You use a paid Google Workspace version
  2. You signed a Business Associate Agreement (BAA) with Google
  3. Your Google Workspace is configured correctly to support HIPAA compliance

Which Google services can be used with PHI? At the time of this publication, these services include:

  • Gmail, Calendar, and Drive (including Docs, Sheets, Slides, and Forms)
  • Google Meet
  • Google Voice (paid version)
  • Keep
  • Sites
  • Jamboard
  • Google Chat
  • Google Cloud Search
  • Cloud Identity Management
  • Google Groups
  • Google Tasks
  • Vault (if applicable)
  • AppSheet
  • Apps Script

HIPAA Compliance Isn’t a Checkbox; It’s a Behavior

What does this mean? Adhering to the Health Insurance Portability and Accountability Act (HIPAA) involves more than just fulfilling a list of requirements or signing agreements. It highlights the need for an ongoing, comprehensive approach to protecting patient information and fostering a culture of privacy and security within an organization. Here’s a breakdown of what this means:

Continuous Process

  1. Ongoing Vigilance: HIPAA compliance requires continuous attention and vigilance. It’s not enough to set up security measures once. These measures need to be regularly reviewed, updated and tested to ensure they remain effective against evolving threats.
  2. Regular Training and Education: Employees must be regularly trained and educated on HIPAA regulations, the importance of protecting PHI and the specific policies and procedures of the organization. This training helps ensure that everyone understands their role in maintaining compliance.
  3. Risk Assessments and Audits: Regular risk assessments and audits are crucial. They help identify potential vulnerabilities and areas for improvement in handling PHI. These assessments should lead to actionable plans to mitigate identified risks.

Culture and Responsibility

  1. Cultural Emphasis on Privacy: Creating a culture that prioritizes patient privacy and data security is essential. This involves leadership setting the tone and all employees understanding that protecting PHI is a fundamental part of their job.
  2. Behavioral Integration: Compliance should be integrated into everyday operations. This means that employees consistently follow established protocols, such as verifying identities before sharing information, securing physical and electronic access to sensitive data and reporting any suspected breaches promptly.
  3. Individual Accountability: HIPAA compliance relies on each individual in an organization taking responsibility for their actions concerning PHI. This includes not only direct care providers but also administrative staff, IT professionals and any other employees who may come into contact with sensitive information.

Adaptability

  1. Adaptation to Changes: HIPAA regulations and best practices can evolve. Organizations must stay updated with these changes and adapt their policies, procedures and technologies accordingly.
  2. Incident Response: Having a well-defined and rehearsed incident response plan is crucial. This plan should include steps for containing and mitigating data breaches, notifying affected individuals and preventing future incidents.

Treating HIPAA compliance as a behavior rather than a checkbox approach means embedding privacy and security practices into the very fabric of an organization. It’s about creating an environment where protecting patient information is a core value and everyone understands and actively participates in maintaining compliance.

5 Ways to Start Making Google Workspace HIPAA Compliant

In addition to signing the BAA, you can and should take additional measures when configuring Google Workspace to ensure that you are doing everything you can to maintain HIPAA compliance. These can all be configured in your admin panel. These practices include:

1) Set up two-factor authentication – A very important step for Google Workspace HIPAA compliance. Users will be asked to enter a code from their phone every time they log on.

2) Set up Alerts – Go through and turn on these notifications so that you are alerted if something suspicious occurs with your account.

3) Email Security Outbound – Review your email security settings and turn on alerts. Set up a disclaimer on your outbound emails.

4) Password strength – Check the password strength settings in the Admin Console and make sure every account uses a long, strong password.

5) Turn off unused services – Disable any unused Google services to reduce your chances of accidentally exposing PHI.
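Because compliance is a behavior rather than a one-time checkbox, it helps to re-verify these settings periodically. The following Python check is an added example, not code from the post or from Google: it runs over user records in the shape returned by the Admin SDK Directory API (users.list) and flags accounts where step 1 has not actually taken effect, plus accounts that have gone unused long enough to be candidates for suspension. The records are constructed sample data; the field names (primaryEmail, isAdmin, suspended, isEnrolledIn2Sv, isEnforcedIn2Sv, lastLoginTime) are real Directory API user fields, while the 90-day inactivity threshold and the reference date are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of what Directory API users.list returns (only the
# fields this check needs). These are not real accounts.
SAMPLE_USERS = [
    {"primaryEmail": "owner@example-practice.com", "isAdmin": True,
     "suspended": False, "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True,
     "lastLoginTime": "2024-05-01T14:02:11.000Z"},
    {"primaryEmail": "billing@example-practice.com", "isAdmin": False,
     "suspended": False, "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": True,
     "lastLoginTime": "2024-04-28T09:15:00.000Z"},
    {"primaryEmail": "intern@example-practice.com", "isAdmin": False,
     "suspended": False, "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": False,
     "lastLoginTime": "2023-11-02T17:40:00.000Z"},
    {"primaryEmail": "former-admin@example-practice.com", "isAdmin": True,
     "suspended": False, "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False,
     "lastLoginTime": "1970-01-01T00:00:00.000Z"},  # constructed: never logged in
]

STALE_AFTER = timedelta(days=90)  # assumed inactivity threshold
SAMPLE_NOW = datetime(2024, 5, 2, tzinfo=timezone.utc)  # assumed audit date


def _parse_login(ts: str) -> datetime:
    # Directory API timestamps are RFC 3339 in UTC with a trailing "Z"
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def audit_users(users, now):
    """Return (email, finding) pairs; an empty list means nothing to fix."""
    findings = []
    for u in users:
        if u.get("suspended"):
            continue  # suspended accounts cannot sign in; nothing to check
        email = u["primaryEmail"]
        if not u.get("isEnrolledIn2Sv"):
            # an admin without 2SV is the highest-impact gap in the tenant
            sev = "CRITICAL" if u.get("isAdmin") else "HIGH"
            findings.append((email, f"{sev}: no 2-step verification enrolled"))
        elif not u.get("isEnforcedIn2Sv"):
            findings.append((email, "MEDIUM: 2SV enrolled but not enforced by policy"))
        if now - _parse_login(u["lastLoginTime"]) > STALE_AFTER:
            findings.append((email, "MEDIUM: inactive >90 days; consider suspending"))
    return findings


def audit_sample():
    return audit_users(SAMPLE_USERS, SAMPLE_NOW)


if __name__ == "__main__":
    for email, finding in audit_sample():
        print(f"{email}: {finding}")
```

Against a live tenant you would feed the same function the `users` array from an Admin SDK users.list response instead of SAMPLE_USERS.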

Google Workspace: An Affordable EHR and Practice Management Solution for Therapists

Google Workspace is a powerful platform for private practice therapists. It enables practitioners to manage their practice and store patient records securely. The platform is HIPAA compliant and can be used to store and manage protected health information. Google Workspace offers a range of features and applications to help practitioners streamline their workflow and better serve their clients, with access to tools for documentation, creating and sending online patient intake forms, scheduling and communicating with clients. If you have not yet gone paperless in your practice or are looking for a more affordable way to launch your private practice with digital record keeping in an affordable EHR system, look no further. Sign up for a free trial of Google Workspace here with my referral link and see how easy it can be to manage your private practice without breaking the bank! 
