By 2025, an estimated 85% of enterprises will shift to a cloud-first mindset, while others will adopt a hybrid approach where some services are on-premise and others are in the cloud. For organizations that must comply with HIPAA regulations, cloud computing paves the way for a new set of risks. Often, that means finding the right software solution, which could include Google Workspace, from Gmail’s ubiquitousness to Google’s calendar, document storage, video chatting and more. But is Google Workspace a good solution for companies that need to be mindful of HIPAA compliance as they move functions to the cloud? Cybersecurity practitioner Nick Harrahill explores how companies can marry Google’s cloud offerings with HIPAA’s rigid rules.
Is Google Workspace HIPAA compliant? The short answer is yes, at least according to Google itself. Google’s official statement is that it is compliant with HIPAA and compatible with this important compliance framework for protected health information (PHI).
The longer answer is: Google Workspace Security is noted as HIPAA compliant as long as certain requirements are met. These include the following:
- You use a paid Google Workspace version.
- You signed a business associate agreement (BAA) with Google.
- Your Google Workspace is configured correctly to support HIPAA compliance.
It is important to remember there are some differences in terms of HIPAA compliance between the various paid Google Workspace plans, so simply using a paid version may not be enough to get you compliant. Let’s look at Gmail, for example.
When thinking about making email compliant with HIPAA, organizations need to use end-to-end encryption. This ensures that information contained in emails is secured as it is transmitted across the internet. Google does offer S/MIME email encryption, but S/MIME encryption relies on your organization using the Google Workspace Enterprise plan as documented in Google’s S/MIME administration guide. Without the end-to-end encryption of the Enterprise plan, companies would need to look at a third-party solution.
It is important to understand that between the various plans, there may be limitations to certain types of configurations for getting a HIPAA compliance certification. You can find more on external sharing here.
Understanding your legal agreement
While HIPAA’s regulations apply directly only to covered entities — such as healthcare providers, plans or clearinghouses — if these covered entities use the services of another person or business, those third parties must also provide assurances that their actions will not violate patients’ rights.
BAAs provide assurances that PHI information accessible by third parties will be used only for the purposes explicitly defined by the provider who engaged the third party’s services. In the case of organizations using Google Workspace to house information that may contain PHI data, the BAA needs to be signed with Google.
Luckily, Google makes the process to review and accept the agreement fairly easy by signing into the paid Google Workspace account as an administrator and opting into the HIPAA BAA.
A note on technical support: Tech support provided by Google is not part of the included HIPAA compliant services the company provides, but, of course, your team does not need to disclose PHI to Google during the course of a tech support ticket.
Constructing HIPAA compliance in Google Workspace
An important methodology when it comes to ensuring your Google Workspace environment is HIPAA compliant comes down to the people, processes and technology triangle. Google lists a number of core services that can be used by your organization in conjunction with HIPAA and PHI information. Additionally, there may be services in the list below that require certain features or functionality either to be used or not used for PHI purposes as listed.
- Gmail
- Calendar
- Drive (including Docs, Sheets, Slides and Forms)
- Tasks
- Keep
- Sites
- Jamboard
- Hangouts classic (chat messaging features only)
- Hangouts Chat
- Hangouts Meet
- Google Cloud Search
- Google Groups
- Google Voice (managed users only)
- Cloud Identity Management
- Vault
It is also important to understand that by default, Google Workspace users may have access to other Google services that are not permitted for use with HIPAA PHI. These other Google services that are not listed in the core services and for which Google has not made available a separate BAA are not permitted for use with HIPAA PHI information. These include:
- YouTube
- Blogger
- Google Photos
Google has provided a Google Workspace help guide discussing how you can see the list of additional Google Workspace services as well as how these additional services can be turned off to be HIPAA compliant.
You can manage different users in your organization by creating organizational units in Google Workspace, segregating users who interact with PHI from users who do not and adjusting the services they see based on the organizational unit they are a member of.
Other important security practices
The better your overall security posture the easier it is to comply with compliance frameworks like HIPAA, regardless of what other services you might use to perform your organizational functions. Here are a few recommended best practices can help secure your Google Workspace environment and protect HIPAA PHI:
- Enable Two-factor authentication
- Monitor account activity
- Enable role-based access
- Control third-party apps, systems and databases
Nick Harrahill is an experienced cybersecurity and business leader with industry experience leading security teams and building programs at enterprise companies PayPal and eBay and cybersecurity start-ups Synack, Elevate Security and Spin.AI. Nick is credentialed in both cyber security (CISSP) and privacy (CIPP/US). 
