HIPAA Compliance Guide for Google Workspace Administrators

As your business moves into the cloud, compliance regulations must be a top priority. One of the most important today is the Health Insurance Portability and Accountability Act (HIPAA). What is HIPAA? If your organization falls under HIPAA and uses Google Workspace, can Google Workspace be used in a HIPAA-compliant way? What about individual Google Workspace services such as Gmail, Calendar, Keep, Hangouts, Vault, and others?

What is the Health Insurance Portability and Accountability Act (HIPAA)?

The original stated purpose of the Health Insurance Portability and Accountability Act (HIPAA) was to protect health care coverage for individuals who lose or change jobs. However, HIPAA Title II, the Administrative Simplification provisions, also defines how protected health information (PHI), including electronic PHI (ePHI), must be protected and secured.

HIPAA is implemented through the following five main rules:

1. HIPAA Privacy rule

The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically.  The Rule requires appropriate safeguards to protect the privacy of personal health information and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records and to request corrections.

2. HIPAA Security rule

The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

3. HIPAA Unique identifiers rule

HIPAA requires that health care providers have standard national numbers that identify them on standard transactions. The National Provider Identifier (NPI) is a unique identification number for covered health care providers. Covered health care providers and all health plans and health care clearinghouses use NPIs in the administrative transactions adopted under HIPAA. The NPI is a 10-position, intelligence-free numeric identifier (a 10-digit number). This means the number carries no other information about the provider, such as the state in which they practice or their medical specialty; its tenth digit is a check digit computed with the Luhn formula, which lets a system reject mistyped or fabricated NPIs without a lookup. See the National Provider Identifier Standard for more information.

4. HIPAA Transactions and code set rule

The HIPAA transactions and code set standards are rules to standardize the electronic exchange of patient-identifiable, health-related information. They are based on electronic data interchange (EDI) standards, which allow information to be exchanged from computer to computer without human involvement, and they specify the code sets to be used: the International Classification of Diseases (ICD, originally the 9th Edition; ICD-10 has since replaced it), Current Procedural Terminology (CPT), the HCFA Common Procedure Coding System (HCPCS), the Code on Dental Procedures and Nomenclature (CDT), and National Drug Codes (NDC).

5. HIPAA Enforcement rule

The HIPAA Enforcement Rule relates to compliance and investigations, as well as penalties for non-compliance.

The official resource for HIPAA standards and information is the hhs.gov site.  You will want to reference this resource to fine-tune your understanding and implementation of HIPAA throughout your environment, including in cloud environments like Google Workspace.

Are you migrating your data to the cloud?  If you have decided that Google Workspace is the SaaS environment that makes the most sense for your business, is it compliant with HIPAA regulations?

Is Google Workspace HIPAA compliant?

Google’s official position is that Google Workspace supports HIPAA compliance for protected health information (PHI). It is important to note that there is no such thing as a HIPAA-certified product; Google Workspace can be used in a HIPAA-compliant way only when certain requirements are met.

These include the following:

  1. You use a paid Google Workspace version
  2. You signed a Business Associate Agreement (BAA) with Google
  3. Your Google Workspace is configured correctly to support HIPAA compliance

Which Google Workspace plan can be HIPAA compliant?

To use Google Workspace in a HIPAA-compliant way, the plan your organization chooses must be a paid plan. None of the free Google offerings are acceptable options if you must align with HIPAA, because Google only offers its Business Associate Agreement on paid Google Workspace accounts.

Google historically scanned consumer Gmail content for advertising purposes. It stopped doing so in 2017, but nothing contractually prevents it from doing so again on free accounts, which are not covered by a BAA.

With a paid plan, and as required for protecting PHI, Google does not scan content for advertising purposes. Are there differences between the paid Google Workspace plans that matter for HIPAA compliance? Yes.

When making Gmail compliant with HIPAA, organizations need to encrypt email in transit and, where the sensitivity of the content warrants it, end to end. Transport encryption protects information only while it crosses the Internet between mail servers; end-to-end encryption keeps it unreadable to intermediate servers as well.

S/MIME email encryption

Google does offer S/MIME email encryption. However, hosted S/MIME requires an Enterprise edition of Google Workspace, as documented in Google’s S/MIME administration guide. Without an Enterprise plan, you will need to look at a third-party solution for end-to-end encryption.

Some settings you may want when configuring Google core services for HIPAA are limited to certain Google Workspace plans. As an example, you may want to restrict sharing outside your organization for a particular organizational unit or configuration group.

You can only select a child OU or group on the Google Workspace Enterprise, Business, Education, Nonprofits, or Drive Enterprise editions, as Google’s documentation details. Keep in mind that the plan you choose may limit the configurations available to you for meeting HIPAA requirements.

What legal agreements do you need to sign with Google?

As mentioned above, you need to sign a Business Associate Agreement (BAA) with Google to be HIPAA compliant.  What is the BAA and what role does it play in HIPAA?

HIPAA applies directly to covered entities: health care providers, health plans, and health care clearinghouses. When a covered entity uses another person or organization to create, receive, maintain, or transmit PHI on its behalf, that party is a business associate. Since the HITECH Act and the 2013 Omnibus Rule, business associates are themselves directly liable for complying with the Security Rule and the applicable parts of the Privacy Rule.

A Business Associate Agreement records the business associate’s assurances that the PHI it has access to will be used and disclosed only for the purposes the covered entity has defined, and that appropriate safeguards will be applied to it.

In other words, if your organization uses a third party that will in any way interact with PHI that falls under HIPAA, you need a Business Associate Agreement with that party. Since Google Workspace will house information that may contain PHI, the BAA needs to be signed with Google.

How is the BAA signed with Google?

Google makes the process of reviewing and accepting the Business Associate Agreement fairly easy. To sign the HIPAA Business Associate Agreement for Google Workspace, you sign in to your paid Google Workspace account as a super administrator and opt in to the HIPAA BAA. As outlined in the official Google Workspace Admin Help (the exact menu path varies between Admin console versions), to do this:

  1. Sign in to the Google Workspace Admin console
  2. Click Company Profile
  3. Click Show more > Legal & compliance
  4. In the Security and Privacy Additional Terms next to HIPAA Business Associate Amendment, click Review and Accept.
  5. Answer the three questions presented. If you confirm that you are a HIPAA-covered entity (or a business associate of one), click I accept to accept the HIPAA BAA.

Does technical support from Google help you make your Google Workspace HIPAA compliant?

Does Google technical support deal with HIPAA-related issues? No. Google’s technical support is not part of the HIPAA-covered services under the BAA. Consequently, you should not disclose PHI to Google in technical support cases.


How to achieve HIPAA compliance in Google Workspace

After you have signed the Business Associate Agreement (BAA), you can begin configuring Google Workspace to meet HIPAA requirements. When considering how to make Google Workspace HIPAA compliant, it is important to note that the BAA alone does not make your deployment compliant: Google Workspace services must be selected and configured in a way that satisfies the Security Rule’s safeguards.

An important methodology when it comes to ensuring your Google Workspace environment is HIPAA compliant comes down to the People, Processes, and Technology triangle.  It will generally be a mix of all three to ensure that end users are trained to use technology systems including Google Workspace in such a way that aligns with HIPAA compliance, and the processes and technology support keeping PHI secure.

What are these core services that are PHI compliant?

Google lists certain core services (its "HIPAA Included Functionality") that your organization can use with PHI under the BAA. Some services in the list require particular features or functionality to be used, or not used, for PHI purposes, as noted. At the time of writing these core services were the following (several have since been renamed; for example, Hangouts Chat is now Google Chat):

  • Gmail
  • Calendar
  • Drive (including Docs, Sheets, Slides, and Forms)
  • Tasks
  • Keep
  • Sites
  • Jamboard
  • Hangouts classic (chat messaging features only)
  • Hangouts Chat
  • Hangouts Meet
  • Google Cloud Search
  • Google Groups
  • Google Voice (managed users only)
  • Cloud Identity Management
  • Vault

Are there Google services that are not permitted for use under HIPAA regulations and PHI information?

Yes.  These include:

  • Google Contacts

It is also important to understand that by default Google Workspace users may have access to other Google services that are not permitted for use with HIPAA PHI.  These other Google services that are not listed in the core services and for which Google has not made available a separate Business Associate Agreement (BAA) are not permitted for use with HIPAA PHI information.  These include:

  • YouTube
  • Blogger
  • Google Photos

Google has provided a Google Workspace  Admin Help guide discussing how you can see the list of additional Google Workspace services as well as how these additional services can be turned off to be HIPAA compliant.  It is important to review this article and make sure that all services that have not been approved for use for those who manage PHI within your organization have been disabled.

From a management perspective, you can manage different users in your organization by creating what is referred to as organizational units in Google Workspace.  You can segregate users who interact with PHI from users who do not and adjust the services they see based on the organizational unit they are a member of.

What about the configuration and tweaks needed for specific Google services?  Let’s take a look at those.

Google Drive (including Docs, Sheets, Slides, and Forms)

Google Drive provides cloud storage for your organization when using the Google Workspace SaaS service. With Google Drive, there are configuration and administration items that you want to make sure to give attention to for safeguarding your HIPAA PHI.  There will be a mix of user training as well as technical items that you want to have in place.

Is Google Drive HIPAA compliant?

Users need to be made aware of the following:

  • Do not put PHI into the titles of files, folders, or Team Drives (now shared drives); names appear in sharing notifications, search results, and audit logs even when the content itself is restricted
  • Do not attempt to share information in an unsanctioned way outside Google Drive

The Google Workspace administrator will play an integral part in making sure the Google Workspace Google Drive configuration is sufficient to protect HIPAA PHI.  There are two main components of making sure from a technical perspective that HIPAA PHI is protected appropriately.  This includes configuring visibility and permissions appropriately.

Configuration settings for Google Workspace

The following configuration settings are ones the Google Workspace administrator will want to enforce for Google Drive to ensure PHI is safeguarded appropriately:

  1. Set the sharing and visibility level appropriately for the Google Workspace account.
  2. Restrict how employees can share information outside the sanctioned Google Workspace domain. With external sharing set to off, Google’s documentation states that it "Prevents users from sharing Google Drive files with people outside your organization through invitations, links, and email attachments. Users outside of your organization will not be able to view new published sites. Also, prevents users from submitting Google Forms that require them to share documents outside your organization."
  3. Change the default visibility of new files to Private.
  4. Limit and restrict content sharing even within Team Drives (now shared drives).
  5. Restrict external members in Team Drives.
  6. Restrict who can download, copy, or print files in Team Drives.
  7. Make use of the file exposure report in Google Workspace to find files that are already shared too widely.
  8. Disable the installation of third-party apps, or restrict them to an approved allowlist.

Gmail

Gmail is an extremely important part of your Google Workspace core services to configure correctly to align with HIPAA email rules. Any time end users can send information, potentially the wrong kind of information (PHI), outside your domain, it deserves extra scrutiny.

Google Workspace Gmail provides the controls needed to help ensure that information, as well as attachments, are only sent to the intended, sanctioned recipients.  The last thing you want to happen is PHI to be sent out intentionally or unintentionally, outside your organization.

What are some of the controls in place that can help to ensure that Gmail messages and attachments are not inadvertently sent containing PHI?

Google Workspace Gmail and HIPAA compliance

Google Workspace Gmail provides powerful email capabilities that can align with HIPAA.

Admins should use the following Google Workspace controls:

  • Use Gmail’s delivery and sharing restrictions so that messages and attachments reach only intended, sanctioned recipients (for example, restricting delivery to or from external domains where policy requires it)
  • Create Google DLP (Data Loss Prevention) rules that scan outgoing email and attachments for PHI identifiers (such as NPIs, medical record numbers, or Social Security numbers) and block, quarantine, or warn before transmission
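The combination of a pattern and a validity check is what keeps a DLP rule useful. The following added example (written for this article; not Google’s DLP engine and not code from the original page) shows a small scanner of the kind such a rule implements: a pattern plus a check-digit validator for NPIs (the tenth NPI digit is a Luhn check digit computed over the constant prefix 80840 followed by the first nine digits), simple SSN and medical-record-number patterns, and a policy decision that blocks PHI bound for any external recipient while allowing but auditing internal mail. The sample message, the domain names and the MRN format are constructed for the example.

```python
"""Small PHI-identifier scanner in the style of a Gmail DLP rule.

Added example, not Google's DLP engine. Each pattern is paired with a validity
check where one exists (the NPI check digit), and a routing decision is made
from whether any recipient is outside the organization. The sample message,
domains and MRN format are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

NPI_PREFIX = "80840"  # constant CMS prepends to the 9-digit base before the Luhn check


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check over a digit string; the rightmost digit is the check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def is_valid_npi(candidate: str) -> bool:
    """A 10-digit NPI is well-formed when '80840' + NPI passes the Luhn check."""
    return len(candidate) == 10 and candidate.isdigit() and luhn_valid(NPI_PREFIX + candidate)


@dataclass(frozen=True)
class Finding:
    kind: str
    value: str


# (identifier name, pattern, optional validator). Word boundaries keep the
# 10-digit NPI pattern from matching inside longer digit runs.
DETECTORS = [
    ("NPI", re.compile(r"\b\d{10}\b"), is_valid_npi),
    ("SSN", re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"), None),
    ("MRN", re.compile(r"\bMRN[:#\s]*([A-Z]?\d{6,8})\b", re.IGNORECASE), None),  # assumed MRN format
]


def scan(text: str) -> list[Finding]:
    """Return every identifier found in text that also passes its validator."""
    findings = []
    for kind, pattern, validator in DETECTORS:
        for match in pattern.finditer(text):
            value = match.group(1) if match.groups() else match.group(0)
            if validator is None or validator(value):
                findings.append(Finding(kind, value))
    return findings


def decide(text: str, recipients: list[str], internal_domain: str) -> str:
    """Policy: PHI to any external recipient is blocked; internal PHI is allowed but audited."""
    if not scan(text):
        return "allow"
    external = [r for r in recipients if not r.lower().endswith("@" + internal_domain)]
    return "block" if external else "allow-and-audit"


# Constructed sample text (not real patient data). The trailing 10-digit queue id
# matches the NPI pattern but fails the check digit, so it is not reported.
SAMPLE_MESSAGE = (
    "Referral for MRN: 00123456, rendering provider NPI 1234567893, "
    "patient SSN 123-45-6789. Billing queue id 1234567890."
)

if __name__ == "__main__":
    for finding in scan(SAMPLE_MESSAGE):
        print(finding)
    print(decide(SAMPLE_MESSAGE, ["dr@clinic.example", "partner@other.example"], "clinic.example"))
```

A real Gmail DLP rule works the same way at a higher level: Google’s predefined detectors for identifiers such as US Social Security numbers include their own validity checks, and the action (block, quarantine, or warn) is chosen per rule. The point to carry over is that a bare digit pattern alone produces far too many false positives to be enforced as a block.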

It’s also important to understand that Google Workspace cloud storage and Gmail work hand-in-hand as employees will most likely be choosing attachments from the Google Drive storage.  Having the aforementioned controls in place for Google Drive is necessary to ensure HIPAA compliance.  Let’s now look at another important consideration for Gmail message transmission itself – encryption.

TLS and S/MIME Gmail encryption

So, is Gmail HIPAA compliant? For Gmail email to be compliant with HIPAA regulations, it needs to be encrypted.  Encrypted communication has long been a way to prevent prying eyes from having visibility to information. Configuring and making use of Google Workspace email encryption with Gmail is an extremely important part of ensuring that protected health information is secured appropriately.

Gmail encrypts mail between mail servers with TLS (Transport Layer Security). However, it is important to understand that the default TLS is opportunistic: without an administrative rule to enforce it, if the other party’s mail server does not support TLS, the message is exchanged in plaintext.

A further limitation of TLS is that it protects the message only between servers and says nothing about its security after delivery. Once received, the message sits decrypted on the recipient’s mail server and in the recipient’s mailbox, readable by anyone with access there.

With the paid Google Workspace plans, administrators can create compliance rules that require TLS for mail to and from specified domains and reject delivery if TLS cannot be negotiated. Google also offers a step up from the transport encryption provided by default: S/MIME (Secure/Multipurpose Internet Mail Extensions). As mentioned earlier, hosted S/MIME is only available with paid accounts at the Enterprise plan level. What advantage over TLS does S/MIME bring to the table?

S/MIME (Secure/Multipurpose Internet Mail Extensions)

With S/MIME, the message body and attachments are encrypted to the recipient’s public key, so only the holder of the matching private key can decrypt them. The message stays encrypted in transit and at rest on every server along the path, including the recipient’s mailbox, until the recipient opens it. Note that S/MIME does not encrypt message headers such as the subject line or the sender and recipient addresses, so those must never contain PHI. S/MIME signatures also let the recipient verify who sent the message.

S/MIME shares some of TLS’s limitations, such as requiring that both parties’ mail systems support it. It also requires up-front work with each organization you wish to exchange mail with: each side needs a certificate, and the public certificates must be exchanged in advance so that messages can be encrypted and signatures verified by both parties.

You can set up compliance and routing rules that require that outgoing messages be signed and encrypted using S/MIME.  Using S/MIME routing rules at the Google Workspace organization level ensures that even if end users turn off encryption, the routing rules override this action.

There are third-party solutions that allow implementing easier and more thorough encryption solutions for your Google Workspace environment.  Your organization will need to weigh out the pros and cons of each solution and the costs involved to see which encryption implementation makes sense.

Google Calendar

Sharing calendars between users and teams in Google Workspace is a great way to enhance collaboration and team productivity.  However, the Google Workspace Calendar is another service that needs to be configured properly for ensuring that PHI is protected accordingly in line with HIPAA guidelines.

Again, proper end-user sharing processes and technology controls can help make sure that PHI is not exposed. Like many of the other core Google Workspace services, calendars in Google Workspace share full event details with everyone in the organization by default.

End users can set calendar entries to Private for any event related to PHI.  Additionally, Google Workspace admins can change the default behavior with visibility and sharing options that can change the default behavior across the entire Google Workspace domain.

Google Keep

Google Keep allows your end users to take notes and create lists and other items that could contain PHI. With Keep, Google Workspace administrators need to make sure that Keep’s sharing settings restrict information appropriately: admins can set sharing outside the organization to either Restrict or Allow.

Google Keep Features

With Keep, many of the default sharing settings are in line with HIPAA configurations since Keep by default sets notes to Private regardless of Drive settings.

Google Sites

Google Sites allows easily creating team sites to share content between team members in Google Workspace.  When thinking about PHI information, it is important to understand that Google Sites can be visited by members outside your Google Workspace organization.

According to the main Google Sites page:

Can external visitors access a company site?

Yes. People outside your company can access your site, even without a Google Workspace account. You can also opt to restrict access through sharing settings.

Since Google’s “bread and butter” is advertising, Google Adsense can be added to Google Sites websites for advertising purposes.  This needs to be turned off for sites that include HIPAA PHI.

Other considerations to make and change:

  • Limit who has access to edit the information on the site
  • Do not include text, images, or other content such as calendar information that may contain PHI
  • Limit publishing sites externally, perhaps limiting to the internal domain

Google Cloud Search

Google cloud search offers built-in applications that can be used out-of-the-box. Connectors are made available that can pull in information from other systems such as CRM, Google Workspace documents, and others.  Using Google’s patented search technology, information can be found much more efficiently.

Information-intensive industries like healthcare deal with an overwhelming amount of information. So, Google Cloud Search technology can be extremely helpful for healthcare organizations.

To ensure that your organization uses Google Cloud search in line with HIPAA policies, admins will want to control how search history is used and who has search history turned on or off.  This can be limited for everyone or it can be turned on or off for specific organizational units (must have Google Workspace Enterprise).

Additionally, part of the shared responsibility model that customers have when using Google Workspace in regards to HIPAA is making sure third-party connectors or other connections that allow aggregating data for search indexing are properly secured with appropriate permissions.

Google Hangouts and Meet

Classic Google Hangouts has been replaced by Google Meet for video and Google Chat for messaging. Google Meet provides secure video meetings for your business that allow effective collaboration and communication. It’s important to note that classic Google Hangouts video calls are not covered by Google’s Business Associate Agreement.

Instead of classic Hangouts, make sure you are using Google Meet. Users can be prevented from starting video calls from the classic Hangouts application through the Admin console; the Google Workspace Admin Help describes the steps.

Another important consideration with Meet is whether external guests can participate in your video meetings. The organizer of a Meet call decides whether to allow anonymous guests to join or to allow only users from your own Google Workspace organization.

If your organization uses Google Workspace Enterprise, it allows the ability to record meetings in MP4 format to Google Drive. Will the recording potentially contain PHI? Google Workspace admins can control this as well, through policies that determine whether users are able to record their meetings to Drive.

Google Vault

Vault is Google’s eDiscovery and compliance solution for Google Workspace. It is used to retain, hold, search, and export data to support retention and eDiscovery activities. Vault is included in the Enterprise and Business Plus editions and is an add-on for the other Google Workspace plans if your organization chooses to purchase licenses for your users.

Google does not provide a great deal of information regarding specific settings or configurations of vault related to HIPAA.  In fact, in the recent HIPAA guide from Google, Vault is only briefly mentioned.  However, it is included in the services that Google defines as HIPAA compliant.

When Vault is used with the other Google core Google Workspace (formerly G Suite) services that are correctly configured for HIPAA, Vault can be used in a sanctioned way to store PHI.

Important Google Workspace settings for HIPAA compliance

Other Google Workspace configuration changes and Google Workspace admin best practices lend themselves to good overall Google Workspace security.  The better your overall security posture across your Google Workspace environment, the easier it is to comply with compliance frameworks such as HIPAA.

The following other considerations and best practices can help secure your Google Workspace environment and protect HIPAA PHI:

  • Enable Two-factor authentication
  • Monitor account activity
  • Enable role-based access
  • Control third-party apps, systems, or databases

Let’s briefly consider each of these best practices and see how each helps to secure your Google Workspace environment and align your organization with HIPAA regulations.

Enable two-factor authentication

Enabling two-factor authentication is one of the best ways to drastically increase the data security of your Google Workspace/formerly G Suite environment.  Passwords have long been a weak point in most environments.  End-users tend to choose weak passwords.  This can very quickly place business-critical and sensitive data such as HIPAA PHI at risk.

Two-factor authentication requires users to verify their identity with something they know (their password) as well as something they have, such as a physical security key or a code delivered to a device like a cell phone. It is critically important to protect your Google Workspace administrator accounts with two-factor authentication. If an attacker compromises a Google Workspace administrator account, they have the "keys to your kingdom" and can do anything they want in your environment.

With Google Workspace (formerly G Suite), there are several different ways the second factor can be verified.

These include:

  • Security keys
  • Google prompt
  • Google Authenticator
  • Backup codes
  • A text message or phone call

Security keys are the strongest of these because they are phishing-resistant; codes delivered by text message or phone call are the weakest, since they can be intercepted or phished. Prefer security keys or the Google prompt for everyone, and require security keys for administrator accounts.

Enabling two-factor authentication is certainly a recommended best practice to improve the overall security of your Google Workspace environment. When it comes to HIPAA compliance, the Security Rule’s person or entity authentication standard requires procedures to verify that a person seeking access to ePHI is who they claim to be, and HHS guidance on hhs.gov recommends multi-factor authentication as a way to meet it.

Monitor Account Activity

Having visibility of the account activity is a great way to protect and monitor potential security threats in your Google Workspace environment.  Google Workspace provides the alert center to provide a place to aggregate events and alerts.  This includes account activities and alerts.

The Google Workspace alert center can send out email notifications for many different kinds of alerts that occur in the environment. However, the alert center must be configured to send email notifications; the Google Workspace Admin Help documents how to set them up.
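As an added illustration of what such monitoring can look like once login events are exported from the alert center or audit log into your own tooling (example code written for this article, not a Google product or API), the following runs two detection rules over constructed login audit events: a burst of failed logins for one account followed by a success from the same source address, and a successful login by a super administrator from outside the corporate network. The event field names, the admin list and the address ranges are assumptions for the example; real Google Workspace login audit events have a different and richer shape, so a real deployment would map their fields into this form first.

```python
"""Two detection rules over login audit events.

Added example, not Google code. The event shape (time, actor, event, ip) is an
assumption for the example, and the records below are constructed using
documentation IP ranges and an example domain.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 5                        # failures before a success becomes suspicious
WINDOW = timedelta(minutes=10)               # look-back window for counting failures
ADMIN_ACCOUNTS = {"carol@clinic.example"}    # assumed super admin accounts
CORPORATE_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]  # assumed office address range

SAMPLE_EVENTS = [  # constructed sample events
    {"time": "2024-03-01T09:00:00Z", "actor": "alice@clinic.example", "event": "login_failure", "ip": "203.0.113.7"},
    {"time": "2024-03-01T09:00:40Z", "actor": "alice@clinic.example", "event": "login_failure", "ip": "203.0.113.7"},
    {"time": "2024-03-01T09:01:20Z", "actor": "alice@clinic.example", "event": "login_failure", "ip": "203.0.113.7"},
    {"time": "2024-03-01T09:02:00Z", "actor": "alice@clinic.example", "event": "login_failure", "ip": "203.0.113.7"},
    {"time": "2024-03-01T09:02:40Z", "actor": "alice@clinic.example", "event": "login_failure", "ip": "203.0.113.7"},
    {"time": "2024-03-01T09:03:20Z", "actor": "alice@clinic.example", "event": "login_failure", "ip": "203.0.113.7"},
    {"time": "2024-03-01T09:04:00Z", "actor": "alice@clinic.example", "event": "login_success", "ip": "203.0.113.7"},
    {"time": "2024-03-01T09:10:00Z", "actor": "bob@clinic.example", "event": "login_failure", "ip": "192.0.2.15"},
    {"time": "2024-03-01T09:11:00Z", "actor": "bob@clinic.example", "event": "login_failure", "ip": "192.0.2.15"},
    {"time": "2024-03-01T09:12:00Z", "actor": "bob@clinic.example", "event": "login_success", "ip": "192.0.2.15"},
    {"time": "2024-03-01T09:20:00Z", "actor": "carol@clinic.example", "event": "login_success", "ip": "198.51.100.20"},
    {"time": "2024-03-01T09:25:00Z", "actor": "carol@clinic.example", "event": "login_success", "ip": "192.0.2.40"},
]


def _parse(ts: str) -> datetime:
    """Parse an RFC 3339 UTC timestamp of the form 2024-03-01T09:00:00Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def detect_bruteforce_then_success(events: list[dict]) -> list[dict]:
    """Alert when at least FAILURE_THRESHOLD failures for an (actor, ip) pair
    inside WINDOW are followed by a success from that same pair."""
    failures: dict[tuple[str, str], deque[datetime]] = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=lambda e: _parse(e["time"])):
        key = (ev["actor"], ev["ip"])
        now = _parse(ev["time"])
        window = failures[key]
        while window and now - window[0] > WINDOW:   # drop failures older than WINDOW
            window.popleft()
        if ev["event"] == "login_failure":
            window.append(now)
        elif ev["event"] == "login_success":
            if len(window) >= FAILURE_THRESHOLD:
                alerts.append({"rule": "bruteforce_then_success", "actor": ev["actor"],
                               "ip": ev["ip"], "failures": len(window), "time": ev["time"]})
            window.clear()   # a success resets the counter for this pair
    return alerts


def detect_admin_offnet_login(events: list[dict]) -> list[dict]:
    """Alert on any successful login by a super admin from outside CORPORATE_NETWORKS."""
    alerts = []
    for ev in events:
        if ev["event"] != "login_success" or ev["actor"] not in ADMIN_ACCOUNTS:
            continue
        addr = ipaddress.ip_address(ev["ip"])
        if not any(addr in net for net in CORPORATE_NETWORKS):
            alerts.append({"rule": "admin_offnet_login", "actor": ev["actor"],
                           "ip": ev["ip"], "time": ev["time"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce_then_success(SAMPLE_EVENTS) + detect_admin_offnet_login(SAMPLE_EVENTS):
        print(alert)
```

On the sample data the first rule fires once, for alice (six failures, then a success from the same address), and stays silent for bob, whose two failures are well under the threshold; the second fires for carol’s login from 198.51.100.20 but not for her later login from the corporate range. Thresholds and the admin list are the knobs a real deployment tunes against its own baseline.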

Enable role-based access (RBAC)

To follow best practices for permissions and access in Google Workspace, you want to make sure end users have permissions assigned based on their job role.  All too often, end-users have more permissions than they need.  G Suite provides administrators the ability to easily view a list of user’s roles and privileges in the Google Admin console.

This is not limited to normal end-users.  Users that serve as administrators in the Google Workspace/G Suite can be assigned those administrator permissions they actually need.  Very few will need the Super Admin role in Google Workspace. Google Workspace provides pre-built administrator roles that allow assigning administrator permissions based on the role the administrator will actually play in your organization.

Predefined Google Workspace admin roles include the following:

  • Super Admin
  • Groups Admin
  • User Management Admin
  • Help Desk Admin
  • Services Admin
  • Mobile Admin
  • Google Voice Admin
  • Reseller Admin

You can read more about the permissions and capabilities of each role in the Google Workspace Admin Help.

Assigning roles and permissions to users, and especially to the users who will serve as administrators in the Google Workspace environment, helps to ensure that permissions are scoped appropriately. This is in line with HIPAA best practices and is part of the Administrative Safeguards that need to be put in place under the HIPAA Security Rule.

Control third-party apps, systems, or databases

Cloud Software-as-a-Service environments like G Suite allow customers to extend the native functionality by way of third-party apps found in the marketplace.  Despite providing extended functionality, third-party apps can expose PHI data as well as bring other security and data leak threats.

Left unchecked, end users can potentially install third-party apps that gain access to sensitive HIPAA PHI.  This can easily happen as end users may simply grant permissions that are requested by a third-party app that either could be malicious in nature or “leaky,” exposing sensitive information like patient data.

Monitoring and controlling third-party apps in G Suite is essential to securing your G Suite environment and ensuring the security of HIPAA PHI.

G Suite provides native functionality to control which third-party and domain-owned apps can access sensitive G Suite data. Apps obtain that access through OAuth 2.0 scopes, and Gmail and Drive scopes are classed as restricted. App access control allows organizations to:

  • Restrict or leave unrestricted access by third-party apps to G Suite services
  • Allowlist (trust) specific apps so they can access restricted G Suite data
  • Trust domain-owned apps

How do you make sure your staff doesn’t accidentally cause a HIPAA breach?

The worst thing that can happen to protected health information (PHI) under HIPAA is a data breach. Breached PHI can mean the worst for a healthcare organization, including fines, a tarnished reputation, and repercussions that can last for years.

HIPAA violations can lead to fines ranging from $100 to $50,000 per violation (or per record) depending on the perceived negligence that is found within your organization at the time of the HIPAA violation.  Your organization must do its due diligence to put the measures in place to ensure that PHI is protected properly.

As mentioned at the outset, this is usually a combination of people, processes, and technology to ensure that PHI is protected adequately.  How do you put all the information presented thus far together in a way that allows you to make sure that your staff doesn’t accidentally cause a HIPAA breach?

HIPAA is a very complex and delicate framework that requires a lot of planning, training, and technology solutions to allow employees to be productive and at the same time ensure that PHI is protected in line with the guidelines set forth by HIPAA.

To summarize the people, processes, and technology that is needed to make sure your staff doesn’t accidentally cause a HIPAA breach, consider the following:

  • End-user training – End-user training for HIPAA is absolutely required.  End-users need to be aware of all the aspects of how they need to interact with protected health information properly and the role they play in keeping this data safe.
  • Proper configuration of G Suite services – Paid versions of G Suite can be HIPAA compliant. However, it requires that all services used by your organization be configured correctly and restricted in certain ways to protect health information data.
  • Two-step verification – Two-step verification provides greatly enhanced security for end-users, including administrators.  It combines something you know (your password) with something you have (a code delivered via device, text, call, app, and other means).
  • OAuth 2.0 and third-party apps control – OAuth 2.0 is the mechanism that cloud service providers, including Google, use to let end-users integrate applications and grant them access to G Suite data without disclosing their password.  However, this can present security concerns, as “leaky” or outright malicious apps can be integrated into the G Suite environment with just a few clicks on an end-user device.
  • Information rights management (IRM) – With IRM, you can disable actions that put HIPAA PHI at risk, such as downloading, printing, and copying from G Suite.
  • Proper monitoring, auditing, and alerting – Monitoring, auditing, and alerting are key administrative security tasks that help G Suite admins stay on top of potential security events in G Suite.  These activities are essential to bringing your organization in line with HIPAA privacy and security controls. Setting Google DLP rules and acquiring data loss prevention software can help you automate these tasks and perform them more efficiently.
  • Email security and advanced protection – Email is often the gateway to security breaches and malware attacks.  Taking the proper steps to secure Gmail allows your organization to protect data in transit between sender and receiver, and to filter and minimize malware and other malicious email, such as phishing attacks, as much as possible.
  • Encryption – Encrypting data ensures that sensitive data is unreadable to anyone other than sanctioned users.  Making sure that information is encrypted both in flight and at rest protects PHI from prying eyes and from anyone outside the business associate agreement.
  • Mobile device management (MDM) – If you have mobile devices that are tied into the G Suite environment, using G Suite’s MDM solution allows enforcing policies, encrypting data, and remotely wiping or locking stolen or lost devices.
  • Backup G Suite – Backing up your G Suite environment containing protected health information (PHI) is critical to protecting PHI and other business-critical data from data loss.  G Suite is limited in what it can natively provide in terms of proper backups of your data. Your organization will want to bolster the data protection of G Suite with a capable third-party solution that can protect your data across all G Suite services.
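As an added example (not code from the article, Google, or any vendor tool), the following Python audits two of the items above, two-step verification coverage and third-party OAuth grants, over records shaped like the Admin SDK Directory API `users.list` and `tokens.list` responses. The field names (`isEnrolledIn2Sv`, `isEnforcedIn2Sv`, `isAdmin`, `scopes`, `anonymous`, and so on) are the real API fields; the user and token records, the `PHI_SENSITIVE_SCOPES` starting list, and the severity ratings are constructed assumptions for the example.

```python
"""Workspace posture audit: 2-step verification gaps and third-party OAuth
grants that reach mailboxes, Drive files or calendars where PHI usually lives.
Feed the functions real users.list / tokens.list output in production; the
sample data at the bottom is constructed for this example."""
from typing import Dict, List

# OAuth scopes that reach PHI-bearing data.  Constructed starting list; extend
# it to match your own data classification.
PHI_SENSITIVE_SCOPES: Dict[str, str] = {
    "https://mail.google.com/": "full Gmail access",
    "https://www.googleapis.com/auth/gmail.readonly": "read all Gmail",
    "https://www.googleapis.com/auth/gmail.modify": "read and modify Gmail",
    "https://www.googleapis.com/auth/drive": "full Drive access",
    "https://www.googleapis.com/auth/drive.readonly": "read all Drive files",
    "https://www.googleapis.com/auth/calendar": "full Calendar access",
}
_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


def audit_two_step(users: List[dict]) -> List[dict]:
    """Flag active accounts not protected by 2-step verification.  Admins without
    2SV are HIGH: one phished admin password exposes every mailbox in the tenant."""
    findings = []
    for u in users:
        if u.get("suspended"):
            continue  # cannot sign in, so no exposure
        if not u.get("isEnrolledIn2Sv"):
            findings.append({"user": u["primaryEmail"], "issue": "2SV not enrolled",
                             "severity": "HIGH" if u.get("isAdmin") else "MEDIUM"})
        elif not u.get("isEnforcedIn2Sv"):
            # Enrolled voluntarily: the user can still switch it off themselves.
            findings.append({"user": u["primaryEmail"],
                             "issue": "2SV enrolled but not enforced by policy",
                             "severity": "LOW"})
    return findings


def audit_oauth_tokens(tokens: List[dict]) -> List[dict]:
    """Flag third-party apps whose granted scopes reach PHI-bearing data.  Apps with
    an anonymous (unregistered) client ID are HIGH: no verified publisher exists."""
    findings = []
    for t in tokens:
        risky = [s for s in t.get("scopes", []) if s in PHI_SENSITIVE_SCOPES]
        if not risky:
            continue
        findings.append({"user": t["userKey"],
                         "app": t.get("displayText", t["clientId"]),
                         "clientId": t["clientId"],
                         "scopes": [PHI_SENSITIVE_SCOPES[s] for s in risky],
                         "severity": "HIGH" if t.get("anonymous") else "MEDIUM"})
    return findings


def run_audit(users: List[dict], tokens: List[dict]) -> Dict[str, List[dict]]:
    """Combine both checks into one report, most severe findings first."""
    return {
        "two_step": sorted(audit_two_step(users), key=lambda f: _ORDER[f["severity"]]),
        "oauth_apps": sorted(audit_oauth_tokens(tokens), key=lambda f: _ORDER[f["severity"]]),
    }


# --- constructed sample data (not from a real tenant) ------------------------
SAMPLE_USERS = [
    {"primaryEmail": "alice@example.com", "isAdmin": True, "suspended": False,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True},
    {"primaryEmail": "bob@example.com", "isAdmin": False, "suspended": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False},
    {"primaryEmail": "carol@example.com", "isAdmin": True, "suspended": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False},
    {"primaryEmail": "dave@example.com", "isAdmin": False, "suspended": True,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False},
    {"primaryEmail": "erin@example.com", "isAdmin": False, "suspended": False,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": False},
]
SAMPLE_TOKENS = [
    {"userKey": "bob@example.com", "clientId": "1234.apps.googleusercontent.com",
     "displayText": "Mail Merge Helper", "anonymous": True,
     "scopes": ["https://www.googleapis.com/auth/gmail.readonly",
                "https://www.googleapis.com/auth/drive",
                "https://www.googleapis.com/auth/userinfo.email"]},
    {"userKey": "alice@example.com", "clientId": "5678.apps.googleusercontent.com",
     "displayText": "Room Booking", "anonymous": False,
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
]

if __name__ == "__main__":
    import json
    print(json.dumps(run_audit(SAMPLE_USERS, SAMPLE_TOKENS), indent=2))
```

On the constructed data the report lists carol (admin, no 2SV) first, then bob, then erin, and flags only the anonymous "Mail Merge Helper" grant; the calendar.readonly grant is ignored because it is not in the scope list. Running this on a schedule and alerting on new HIGH findings is one concrete form of the monitoring and alerting item above.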

Beyond the above, your organization will want a robust offboarding process, including the technical steps needed to ensure that all access to HIPAA and other business-critical data is terminated immediately when an employee leaves the company.
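One way to implement that termination step, as an added example rather than anything from the article or SpinOne: a Python runbook written against the Admin SDK Directory API v1 method names (`users.update`, `users.signOut`, `tokens.list`/`delete`, `asps.list`/`delete`, `mobiledevices.list`/`action`). The `FakeDirectory` class and the sample tenant are constructed so the block runs offline; the real service object returned by `googleapiclient.discovery.build("admin", "directory_v1", ...)` has the same `resource().method(...).execute()` call shape and can be passed in its place.

```python
"""Offboarding runbook for a departing Workspace user.  offboard_user() is written
against the Directory API v1 method names; FakeDirectory is a constructed offline
stand-in for the real service object (not Google's code)."""
from types import SimpleNamespace


def offboard_user(directory, user_key, customer_id="my_customer"):
    """Close every access path in one pass: suspend first so nothing new can be
    minted while the cleanup runs, then invalidate what already exists."""
    report = {"user": user_key}
    # 1. Suspend: blocks interactive sign-in and new OAuth grants immediately.
    directory.users().update(userKey=user_key, body={"suspended": True}).execute()
    # 2. Sign out every web and device session so cached cookies die too.
    directory.users().signOut(userKey=user_key).execute()
    # 3. Delete OAuth grants.  Suspension stops them working, but if the account is
    #    later reactivated for a data transfer they would spring back to life.
    tokens = directory.tokens().list(userKey=user_key).execute().get("items", [])
    for t in tokens:
        directory.tokens().delete(userKey=user_key, clientId=t["clientId"]).execute()
    report["oauth_tokens_revoked"] = len(tokens)
    # 4. Delete app-specific passwords: legacy IMAP/POP clients use them to bypass
    #    2-step verification, so they must not outlive the person.
    asps = directory.asps().list(userKey=user_key).execute().get("items", [])
    for a in asps:
        directory.asps().delete(userKey=user_key, codeId=a["codeId"]).execute()
    report["app_passwords_revoked"] = len(asps)
    # 5. Wipe the work account from each enrolled mobile device (admin_account_wipe
    #    removes only the Workspace data; admin_remote_wipe would reset the device).
    devices = directory.mobiledevices().list(
        customerId=customer_id, query=f"email:{user_key}").execute().get("mobiledevices", [])
    for d in devices:
        directory.mobiledevices().action(customerId=customer_id, resourceId=d["resourceId"],
                                         body={"action": "admin_account_wipe"}).execute()
    report["devices_wiped"] = len(devices)
    return report


class _Collection:
    """Mimics an API collection: each method returns an object whose .execute()
    does the work, like googleapiclient's HttpRequest."""
    def __init__(self, **methods):
        for name, fn in methods.items():
            setattr(self, name, lambda fn=fn, **kw: SimpleNamespace(execute=lambda: fn(**kw)))


class FakeDirectory:
    """Constructed in-memory Directory service for offline runs."""
    def __init__(self, users, tokens, asps, devices):
        self.db = {"users": users, "tokens": tokens, "asps": asps, "devices": devices}
        self.signed_out, self.wiped = set(), set()

    def users(self):
        def update(userKey, body):
            self.db["users"][userKey].update(body)
            return self.db["users"][userKey]
        def signOut(userKey):
            self.signed_out.add(userKey)
            return {}
        return _Collection(update=update, signOut=signOut)

    def _per_user(self, store, id_key):
        # tokens and asps share one list/delete shape, keyed by clientId or codeId.
        def list_(userKey):
            return {"items": [dict(x) for x in self.db[store].get(userKey, [])]}
        def delete(userKey, **kw):
            self.db[store][userKey] = [x for x in self.db[store][userKey] if x[id_key] != kw[id_key]]
            return {}
        return _Collection(list=list_, delete=delete)

    def tokens(self):
        return self._per_user("tokens", "clientId")

    def asps(self):
        return self._per_user("asps", "codeId")

    def mobiledevices(self):
        def list_(customerId, query):
            email = query.split("email:", 1)[1]
            return {"mobiledevices": [d for d in self.db["devices"] if email in d["email"]]}
        def action(customerId, resourceId, body):
            if body["action"] == "admin_account_wipe":
                self.wiped.add(resourceId)
            return {}
        return _Collection(list=list_, action=action)


def sample_directory():
    """Constructed tenant with one departing user, alice@example.com."""
    return FakeDirectory(
        users={"alice@example.com": {"primaryEmail": "alice@example.com", "suspended": False}},
        tokens={"alice@example.com": [{"clientId": "1234.apps.googleusercontent.com"},
                                      {"clientId": "5678.apps.googleusercontent.com"}]},
        asps={"alice@example.com": [{"codeId": 1, "name": "Old phone mail client"}]},
        devices=[{"resourceId": "dev-1", "email": ["alice@example.com"]},
                 {"resourceId": "dev-2", "email": ["bob@example.com"]}],
    )


if __name__ == "__main__":
    print(offboard_user(sample_directory(), "alice@example.com"))
```

The returned report is what you would attach to the HR ticket as evidence that the technical steps ran. Transferring Drive ownership and Gmail delegation to a manager are separate Workspace operations that belong in the same runbook but are not shown here.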

Effective training of your end-users, processes that provide “guard rails” for daily business activities involving PHI, and the right technology solutions will together greatly minimize the risk that any staff accidentally cause a data breach.

Let’s take a look at a technology solution that can help bolster your organization’s efforts to ensure that protected health information is secured appropriately and effectively.

How to make G Suite HIPAA compliant with SpinOne

While G Suite has many great built-in technology capabilities and features to help secure your G Suite environment and align with HIPAA regulations, on its own it can fall short in protecting PHI.  Google's native G Suite security solutions fall short in the following ways:

  1. Ransomware protection
  2. Backups of your data
  3. Third-party apps protection and auditing
  4. Consolidated ease of use
  5. Automated responses

Let’s take a look at each area and see how SpinOne allows us to meet and exceed HIPAA compliance regulations in G Suite much more easily and boost G Suite cyber security.

1.  Google Workspace Ransomware Protection

Ransomware is one of the biggest threats to your organization’s data, both on-premises and in cloud SaaS environments such as G Suite.  Modern ransomware can hold your cloud data hostage, and newer variants also steal sensitive data and threaten to release it as additional leverage for a ransom payment.

Consider the consequences of having your cloud SaaS data encrypted by ransomware, with the attackers threatening to release it, potentially including HIPAA PHI.  This would be a nightmare scenario.  SpinOne counters ransomware in the cloud effectively with a seamless, automated solution that requires no administrator interaction.

SpinOne’s automated ransomware protection provides automatic responses to ransomware infections.  This includes:

  1. SpinOne’s AI-powered solution automatically detects the ransomware infection underway using effective file-behavior analysis
  2. It automatically blocks the attack source in real-time
  3. SpinOne automatically identifies the files that have been infected/encrypted with ransomware
  4. It automatically recovers damaged files from the latest good backup of your G Suite environment taken with Spinbackup

Imagine, as a G Suite administrator, waking up to a notification that Spin detected a ransomware infection, blocked it, and completely remediated its effects, all without requiring a single interaction by G Suite administrators.

2.  Backups of your data

Part of the shared responsibility model that Google maintains with G Suite customers is that customers are responsible for protecting their data.  There is no official backup solution provided by Google that allows for enterprise-grade backups of your G Suite data, including PHI.

According to HHS.gov, SLAs with a cloud service provider can include provisions that address such HIPAA concerns as:

  • Back-up and data recovery (e.g., as necessary to be able to respond to a ransomware attack or other emergency).
  • Automatic backups 1-3x daily
  • Encrypted backups both in-flight and at-rest
  • Deletion and version control
  • Fast search
  • Analytics and reports

3.  Third-party apps protection

With SpinAudit as part of SpinOne, you get a total apps risk assessment that helps identify applications that are risky to your data and which applications have read, write, and delete permissions to your sensitive data.  This also helps to reduce the risk of shadow IT applications being installed by end-users that bypass organizational policies and other best practices.

SpinAudit provides a database of 55,000+ (and growing) apps and browser extensions that have passed Spin’s AI-based scoring.  This allows your organization to have a completely automated auditing and risk assessment platform for any application that end users attempt to integrate with the G Suite environment containing PHI information.

SpinAudit contains:

  • Application whitelisting and blacklisting
  • Custom security policies
  • Visibility to app permissions granted in G Suite
  • The business risk level of G Suite apps

4.  Consolidated ease of use

Even though many of the cloud service providers have security solutions built into their platform, many of the different security dashboards and consoles are disaggregated and are configured in their own administrative interface.

This means that you have to configure various aspects of your security in different UIs and interfaces.  This can lead to confusion, more administrative overhead, and can even lead to security vulnerabilities as events can get missed. With SpinOne, the solution provides a single-pane-of-glass UI for configuring the security of your G Suite environment.

5.  Automated responses

In your fast-moving, complex environment involving HIPAA PHI in your G Suite cloud SaaS environment, you don’t have time for manual processes.  Your organization is no doubt moving too fast to be held back by legacy approaches to security and other operational processes.

SpinOne is built around an artificial intelligence (AI) and machine learning (ML) architecture that allows the solution to be intelligent and provide a high level of automation.  This takes a great deal of the administrative burden off the administrator, so time can be better spent elsewhere.

When it comes to HIPAA PHI and the complex and dangerous security threats that target healthcare and other organizations today, you want automated security intelligence watching and protecting your environment 24x7x365.  This is exactly what SpinOne was designed to do.

With automated intelligence, SpinOne protects your HIPAA PHI from ransomware and other dangerous threats with automated threat detection, visibility, and remediation.
