The HIPAA BAA
Google has made special efforts to accommodate clients working in healthcare by creating a HIPAA Business Associate Agreement (BAA) that helps clients stay compliant when using and storing information on its cloud service. Clients must sign this BAA if they wish to use Google Apps to handle PHI; the agreement describes which Google applications may be used to handle PHI. Google's Compliance Guide indicates that not all Google programs can be used for PHI, only a subset of the offered programs.
The Guide breaks Google's program offerings down into three groups:
- HIPAA "Included Functionality": the subset of core apps offered by Google that are covered by the BAA and able to handle PHI. These apps include:
  1. Gmail
  2. Google Drive (includes Docs, Sheets, Slides, and Forms)
  3. Google Calendar
  4. Google Sites
  5. Google Vault
- Core Apps that have not been approved for handling PHI:
  1. Google Hangouts
  2. Contacts
  3. Groups
  Google Apps for Work users handling PHI may still use these applications, but they must not let these applications handle PHI in order to remain compliant with HIPAA standards.
- Non-core Services: programs with which Google is affiliated or that Google offers, such as YouTube, Google+, Blogger, and Picasa Web Albums. Individuals using Google Apps for Work to handle PHI must disable these programs so that they do not receive sensitive information from that individual's account.
Monitoring Access via Audits
Healthcare companies using Google Apps that are concerned with HIPAA compliance should take advantage of the Admin console's features. These features help to manage security risks and keep track of who is accessing, or has access to, PHI. The Admin console generates logs and reports that can be configured to send notifications of events such as suspicious login attempts or activity from a suspended user.
A brief overview of how "Included Functionality" Google Apps remain compliant:
Controls in Gmail make it so that information sent is only seen by the sender and the recipient. If files are attached to an email, the sender can specify that the attachments be seen only by the listed recipient.
Link sharing settings in Google Drive can be turned off so that files can be seen only by specified individuals. File visibility can be set to "Private" in Google Apps for healthcare companies so that files cannot be seen by other users.
When Google Calendar is used in Google Apps for healthcare companies, sharing options can be set to "No sharing" so that employees working with PHI do not inadvertently disclose private information about scheduled appointments or patient data.
Share settings can be set to "Private" so that sensitive information is not accidentally accessed or given out.
Download the HIPAA Compliance Guide for Google Apps and other resources for healthcare companies in the Showcase.
If your healthcare company has questions about HIPAA compliance or wants to start using Google Apps, contact us or send us your question below.