July 8, 2020 | Updated on: April 23, 2024 | Reading time 27 minutes

Is Google Workspace HIPAA Compliant?

Author: CEO and Founder

As your business moves into the cloud, compliance regulations must be your top priority. An extremely important compliance regulation today is the Health Insurance Portability and Accountability Act (HIPAA).

What is HIPAA? If you fall under HIPAA compliance and use Google Workspace, is Google Workspace HIPAA compliant? What about Google Workspace services like Gmail, Calendar, Keep, Hangouts, Vault, and others?

What is the Health Insurance Portability and Accountability Act (HIPAA)?

The main stated purpose of the Health Insurance Portability and Accountability Act (HIPAA) is to protect healthcare coverage for individuals who lose or change jobs. However, HIPAA Title II, through its Administrative Simplification provisions, defines how electronic protected health information (PHI) should be protected and secured.

HIPAA includes the following five main directives:

1. Privacy rule – Defines how the privacy of PHI data should be maintained by health care providers and governs the disclosure of PHI.

2. Security rule – HIPAA PHI data should be secured at all times. This includes security across administrative, physical, and technical systems.

3. Unique identifiers rule – The Unique Identifiers Rule provides a standard for the identification of healthcare providers.

4. Transactions and code set rule – This rule outlines standards for code sets. It is based on the following: International Classification of Diseases, 9th Edition, Current Procedural Terminology, HCFA Common Procedure Coding System (HCPCS), Code on Dental Procedures and Nomenclature 2nd Edition, and National Drug Codes.

5. Enforcement rule – The HIPAA Enforcement Rule relates to compliance and investigations, as well as penalties for non-compliance.

The official resource for HIPAA standards and information is the hhs.gov site. You will want to reference this resource to fine-tune your understanding and implementation of HIPAA throughout your environment, including in cloud environments like Google Workspace.

Are you migrating your data to the cloud? If you have decided that Google Workspace is the SaaS environment that makes the most sense for your business, is it compliant with HIPAA regulations?

Is Google Workspace HIPAA compliant?

Google’s official statement is that Google Workspace is compliant with HIPAA and compatible with this important compliance framework for protected health information (PHI). It is important to note that Google Workspace (G Suite) is considered HIPAA compliant only as long as certain requirements are met.

These include the following:

  1. You use a paid Google Workspace version
  2. You signed a Business Associate Agreement (BAA) with Google
  3. Your Google Workspace is configured correctly to support HIPAA compliance

Which Google Workspace plan can be HIPAA compliant?

To meet HIPAA requirements when using Google Workspace (G Suite), the Google Workspace plan your organization chooses must be a paid plan. This means that the free Google Workspace offerings are not allowed as options if you must align with HIPAA regulations.

Google has historically scanned content for advertising purposes. While it has stopped doing this circa 2017, there is nothing to prevent Google from doing this again in the future with a free Google Workspace plan.

With the paid version, and to be compliant with the protected health information (PHI), Google does not scan content for advertising purposes. Are there differences or features in terms of HIPAA compliance between the paid Google Workspace plans? Yes.

When thinking about making Gmail email compliant with HIPAA, organizations need to use end-to-end encryption for email communications. This ensures that information contained in emails is secured as it is transmitted across the Internet.

Google does offer S/MIME email encryption. However, S/MIME encryption relies on your organization using the Google Workspace Enterprise plan as documented in Google’s S/MIME administration guide. Without the end-to-end encryption of the Enterprise plan, you will need to look at a third-party solution.

There are some settings that may benefit your organization when configuring Google core services to be HIPAA compliant that are limited to certain Google Workspace plans. As an example, you may want to restrict sharing outside your organization to an organizational unit or configuration group.

You can only select a child OU or group if you have Google Workspace Enterprise, Business, Education, Nonprofits, or Drive Enterprise edition as detailed here. It is important to understand that between the various plans, there may be limitations to certain types of configurations for getting a HIPAA compliance certification.

As mentioned above, you need to sign a Business Associate Agreement (BAA) with Google to be HIPAA compliant. What is the BAA and what role does it play in HIPAA?

In the world of HIPAA, the regulation only applies to covered entities which include health care providers, plans, clearinghouses, and others. However, if these covered entities use the services of another person or business, these are considered to be business associates of the health care providers.

These business associates provide assurances that any PHI (Protected Health Information) they have access to will be utilized solely for the purposes explicitly defined in the agreement established between the provider and the business associate.

In other words, if your organization uses a third-party that will in some way interact with PHI that falls under HIPAA, you will need to sign a Business Associate Agreement with them. Since Google’s Google Workspace will be housing information that may contain PHI data, the BAA needs to be signed with Google.

How is the BAA signed with Google? Google makes the process of reviewing and accepting the Business Associate Agreement fairly easy. To sign the HIPAA Business Associate Agreement for Google Workspace, you sign in to your paid Google Workspace account as an administrator and opt into the HIPAA BAA. As outlined in the official Google Workspace Admin help, to do this:

  1. Sign in to the Google Workspace Admin console
  2. Click Company Profile
  3. Click Show more > Legal & compliance
  4. In the Security and Privacy Additional Terms next to HIPAA Business Associate Amendment, click Review and Accept.
  5. Answer the three questions presented and if you are confirmed as a HIPAA covered entity, click I accept to accept the HIPAA BAA.

Does technical support from Google help you make your Google Workspace HIPAA compliant?

Does Google technical support deal with HIPAA related issues? No. It is important to understand that the technical support provided by Google is not part of the HIPAA compliant services they provide. For that reason, you should not need to disclose PHI to Google in technical support cases.

How to make Google Workspace HIPAA compliant

After you have signed the Business Associate Agreement (BAA), you are in a position to begin configuring Google Workspace (G Suite) for HIPAA compliance. When considering how to make Google Workspace HIPAA compliant, it is important to note that Google Workspace services must be used and configured in such a way that they satisfy HIPAA requirements.

An important methodology when it comes to ensuring your Google Workspace environment is HIPAA compliant comes down to the People, Processes, and Technology triangle. It will generally be a mix of all three elements to ensure that end users are trained in a manner that aligns with HIPAA compliance. This includes the proper use of technology systems like Google Workspace, as well as the implementation of processes and technology to support the security of PHI (Protected Health Information).

Google lists certain core services that can be used by your organization in conjunction with HIPAA and PHI information. Additionally, there may be services in the list below that require certain features or functionality either to be used or not used for PHI purposes as listed. What are these core services that are PHI compliant? These include the following:

  • Gmail
  • Calendar
  • Drive (including Docs, Sheets, Slides, and Forms)
  • Tasks
  • Keep
  • Sites
  • Jamboard
  • Hangouts classic (chat messaging features only)
  • Hangouts Chat
  • Hangouts Meet
  • Google Cloud Search
  • Google Groups
  • Google Voice (managed users only)
  • Cloud Identity Management
  • Vault

Are there Google services that are not permitted for use under HIPAA regulations and PHI information? Yes. It is also important to understand that by default Google Workspace users may have access to other Google services that are not permitted for use with HIPAA PHI. Other Google services that are not listed in the core services and for which Google has not made available a separate Business Associate Agreement (BAA) are not permitted for use with HIPAA PHI information. These include:

  • YouTube
  • Blogger
  • Google Photos

Google offers a Google Workspace Admin Help guide that details how you can access the list of additional Google Workspace services and provides instructions on how to disable these services to achieve HIPAA compliance. This resource assists administrators in managing the availability of services in accordance with HIPAA requirements. It is important to review this article and make sure that all services that have not been approved for use for those who manage PHI within your organization have been disabled.

From a management perspective, you can manage different users in your organization by creating what is referred to as organizational units in Google Workspace (G Suite). You can segregate users who interact with PHI from users who do not and adjust the services they see based on the organizational unit they are a member of.

What about the configuration and tweaks needed for specific Google services? Let’s take a look at those.

Google Drive (including Docs, Sheets, Slides, and Forms)

Google Drive provides cloud storage for your organization when using the Google Workspace (G Suite) SaaS service. With Google Drive, there are configuration and administration items that you want to make sure to give attention to for safeguarding your HIPAA PHI. There will be a mix of user training as well as technical items that you want to have in place.

Users need to be made aware of the following:

  • Do not put PHI into the titles of files, folders, or Team Drives
  • Do not attempt to share information in an unsanctioned way outside the Google Drive

The Google Workspace administrator will play an integral part in making sure the Google Workspace (G Suite) Google Drive configuration is sufficient to protect HIPAA PHI. There are two main components of making sure from a technical perspective that HIPAA PHI is protected appropriately. This includes configuring visibility and permissions appropriately.

The following list of items details configuration settings the Google Workspace admin will want to enforce with Google Drive to ensure PHI is safeguarded appropriately:

  • Google Workspace admins will want to set the visibility level appropriately for the Google Workspace account.
  • Restrict how employees can share information outside the sanctioned Google Workspace domain. When this setting is set to off, Google describes the effect as follows: “Prevents users from sharing Google Drive files with people outside your organization through invitations, links, and email attachments. Users outside of your organization will not be able to view new published sites. Also, prevents users from submitting Google Forms that require them to share documents outside your organization.”
  • Change the default visibility to Private
  • Limit and restrict content sharing even with Team Drives
  • Restrict having external members as team members
  • Restrict who can download, copy, or print files in the Team Drive
  • Make use of the file exposure report in Google Workspace
  • Disable the installation of third-party apps
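The file exposure report mentioned in the list above is a console feature, but the same triage can be done offline against file metadata. The following is an added example (not Spin.AI's or Google's code) that walks records shaped like the Drive v3 `files.list` response and flags the two things the checklist warns about: grants that reach outside the organization (anyone-with-link, public, external domains, external users or groups) and file titles that look like they carry PHI. The `ORG_DOMAIN`, the sample records and the title patterns are constructed assumptions for illustration.

```python
"""Offline Drive exposure triage (added example, not the article's or Google's code).

The records are constructed to match the shape of a Drive v3 files.list response
requested with fields=files(id,name,permissions(type,role,emailAddress,domain,
allowFileDiscovery)); no API call is made here.
"""
import re

ORG_DOMAIN = "clinic.example"  # assumed organization domain

# Constructed heuristics for PHI in a file title; tune to your own identifier formats.
PHI_TITLE_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[-\s#:]*\d{5,}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)\b", re.IGNORECASE),
}


def external_principals(permissions, org_domain):
    """Return (kind, who) pairs for every grant that reaches outside org_domain."""
    findings = []
    for p in permissions:
        ptype = p.get("type")
        if ptype == "anyone":
            # allowFileDiscovery=True means findable on the web; False is link-only.
            mode = "public" if p.get("allowFileDiscovery") else "anyone-with-link"
            findings.append(("anyone", mode))
        elif ptype == "domain" and p.get("domain", "").lower() != org_domain:
            findings.append(("domain", p.get("domain", "")))
        elif ptype in ("user", "group"):
            addr = p.get("emailAddress", "").lower()
            if not addr.endswith("@" + org_domain):
                findings.append((ptype, addr))
    return findings


def phi_in_title(name):
    """Names of the title patterns that match the file name (the training rule above)."""
    return [label for label, rx in PHI_TITLE_PATTERNS.items() if rx.search(name)]


def assess_file(file, org_domain=ORG_DOMAIN):
    """Combine both checks into one finding; 'ok' is True only if nothing fired."""
    ext = external_principals(file.get("permissions", []), org_domain)
    phi = phi_in_title(file.get("name", ""))
    return {"id": file["id"], "name": file["name"], "external": ext,
            "phi_in_title": phi, "ok": not ext and not phi}


def exposure_report(files, org_domain=ORG_DOMAIN):
    """Only the files that need attention, widest exposure first."""
    rank = {"anyone": 0, "domain": 1, "group": 2, "user": 3}
    flagged = [f for f in (assess_file(x, org_domain) for x in files) if not f["ok"]]
    flagged.sort(key=lambda f: min((rank[k] for k, _ in f["external"]), default=9))
    return flagged


# Constructed sample records in Drive v3 file-resource shape.
SAMPLE_FILES = [
    {"id": "f1", "name": "Q3 staffing plan",
     "permissions": [{"type": "domain", "role": "reader", "domain": "clinic.example"}]},
    {"id": "f2", "name": "MRN 4471029 discharge summary",
     "permissions": [{"type": "user", "role": "writer", "emailAddress": "dr.lee@clinic.example"},
                     {"type": "anyone", "role": "reader", "allowFileDiscovery": False}]},
    {"id": "f3", "name": "Referral notes",
     "permissions": [{"type": "group", "role": "reader",
                      "emailAddress": "billing@partner-lab.example"}]},
]

if __name__ == "__main__":
    for f in exposure_report(SAMPLE_FILES):
        print(f["id"], f["name"], f["external"], f["phi_in_title"])
```

The sort order puts link-shared and public files ahead of files shared with a named external group or user, which is usually the order an admin wants to work through them; a file whose only problem is PHI in its title sorts last because it is not yet exposed, only mislabelled.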

Gmail

Gmail is an extremely important part of your Google Workspace (G Suite) core services that you want to make sure you configure correctly to align with HIPAA email rules. Any time end users have the ability to send information and potentially the wrong types of information (PHI) outside your domain, it deserves extra scrutiny.

Google Workspace Gmail provides the controls needed to help ensure that information as well as attachments are only sent to the intended, sanctioned recipients. The last thing you want to happen is PHI to be sent out intentionally or unintentionally, outside your organization.

What are some of the controls in place that can help to ensure that Gmail messages and attachments are not inadvertently sent containing PHI?

Google Workspace Gmail provides powerful email capabilities that can align with HIPAA

Admins use the following Google Workspace (G Suite) controls:

  • Make sure users only share messages and attachments with the intended recipients
  • Create DLP policies that scan emails for PII/PHI identifiers and act appropriately to prevent transmission or sharing
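To make the DLP bullet concrete, here is an added example (not Spin.AI's or Google's code) of the kind of content-scanning policy a DLP rule implements, run offline over constructed RFC 822 messages: it walks the MIME parts, looks for PHI identifiers in the subject, text bodies and attachment file names, and decides whether the message may leave the organization's domain. `ORG_DOMAIN`, the detectors, the three action names and the sample messages are assumptions for illustration; real Gmail DLP rules are configured in the Admin console with Google's predefined detectors, not written as code.

```python
"""Gmail-style DLP scan over RFC 822 messages (added example, not the article's or Google's code)."""
import re
from email import message_from_string
from email.utils import getaddresses

ORG_DOMAIN = "clinic.example"  # assumed organization domain

# Constructed detectors for common PHI identifiers; a real policy would tune
# these to the organization's own record-number and date formats.
DETECTORS = {
    "us_ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "mrn": re.compile(r"\bMRN[-\s#:]*\d{5,}", re.IGNORECASE),
    "dob": re.compile(r"\bDOB\b[^\n]{0,10}?\d{1,2}/\d{1,2}/\d{2,4}", re.IGNORECASE),
}


def recipients(msg):
    """Every address in To/Cc/Bcc, lower-cased."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr.lower() for _, addr in getaddresses(headers) if addr]


def external_recipients(msg, org_domain=ORG_DOMAIN):
    return [a for a in recipients(msg) if not a.endswith("@" + org_domain)]


def scannable_text(msg):
    """Subject, every text/* body, and every attachment file name, joined."""
    pieces = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if filename:  # attachment names leak PHI just as bodies do
            pieces.append(filename)
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            pieces.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(pieces)


def scan(text):
    """Detector name -> number of hits, only for detectors that fired."""
    hits = {name: len(rx.findall(text)) for name, rx in DETECTORS.items()}
    return {name: n for name, n in hits.items() if n}


def evaluate(raw_message, org_domain=ORG_DOMAIN):
    """Constructed policy: PHI bound for an external address is blocked, PHI that
    stays inside the domain is allowed but audited, everything else is allowed."""
    msg = message_from_string(raw_message)
    findings = scan(scannable_text(msg))
    external = external_recipients(msg, org_domain)
    if findings and external:
        action = "block"
    elif findings:
        action = "audit"
    else:
        action = "allow"
    return {"action": action, "findings": findings, "external": external}


# Constructed sample messages.
SAMPLE_BLOCKED = """\
From: dr.lee@clinic.example
To: records@partner-lab.example
Subject: Lab follow-up
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached results for the patient (SSN 123-45-6789).
--b1
Content-Type: application/pdf; name="MRN-88213_labs.pdf"
Content-Disposition: attachment; filename="MRN-88213_labs.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

SAMPLE_INTERNAL = """\
From: nurse.kim@clinic.example
To: Dr Lee <dr.lee@clinic.example>
Cc: charts@clinic.example
Subject: Chart update
Content-Type: text/plain

Updated MRN 4471029 with today's vitals.
"""

SAMPLE_CLEAN = """\
From: office@clinic.example
To: vendor@supplies.example
Subject: Invoice question

Could you resend last month's invoice?
"""

if __name__ == "__main__":
    for raw in (SAMPLE_BLOCKED, SAMPLE_INTERNAL, SAMPLE_CLEAN):
        print(evaluate(raw))
```

Two details carry over to a real rule set: the attachment file name is scanned as well as the body, because PHI in a title is as much a disclosure as PHI in the text, and the decision keys on the recipient domain, so the same content is blocked externally but only logged internally.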

It’s also important to understand that Google Workspace cloud storage and Gmail work hand-in-hand as employees will most likely be choosing attachments from the Google Drive storage. Having the aforementioned controls in place for Google Drive is necessary to ensure HIPAA compliance. Let’s now look at another important consideration for Gmail message transmission itself – encryption.

TLS and S/MIME Gmail encryption

So, is Gmail HIPAA compliant? For Gmail email to be compliant with HIPAA regulations, it needs to be encrypted. Encrypted communication has long been a way to prevent prying eyes from having visibility to information. Configuring and making use of Google Workspace email encryption with Gmail is an extremely important part of ensuring that protected health information is secured appropriately.

Gmail uses TLS (Transport Layer Security) encryption by default. However, it is important to understand that the default TLS behavior Google implements for Gmail is opportunistic. Without administrative rules to enforce it, if the mail server of the sender or recipient does not support TLS encryption, the message will be exchanged without TLS encryption.

An additional drawback of TLS encryption is that it does not protect the email message after it reaches its destination. TLS only encrypts the message in transit; once it has been delivered, anyone with access to the receiving mailbox or server can read it.

As you step up into the paid Google Workspace accounts, Google Workspace administrators can create transport rules that disallow any email to be exchanged if TLS isn’t supported. Google does offer a step up from the basic TLS encryption that is provided by default. This is called S/MIME (Secure/Multipurpose Internet Mail Extensions). As mentioned earlier, S/MIME is only available with the paid accounts at the Enterprise plan level. What advantage over TLS does S/MIME bring to the table?

With S/MIME encryption, the email is encrypted with keys specific to a user so that only the intended recipient can open the email. This means the message stays encrypted both in transit and at rest, and is readable only by the destination recipient.

S/MIME has some of the same limitations as TLS, such as the requirement that both parties have email systems that support the encryption mechanism. In addition, it requires some work to be carried out up front with the organizations you wish to exchange information with. This includes exchanging certificates and public keys in advance so emails can be encrypted and decrypted properly by both parties.

You can set up compliance and routing rules that require that outgoing messages be signed and encrypted using S/MIME. Using S/MIME routing rules at the Google Workspace organization level ensures that even if end users turn off encryption, the routing rules override this action.

There are third-party solutions that allow implementing easier and more thorough encryption solutions for your Google Workspace environment. Your organization will need to weigh out the pros and cons of each solution and the costs involved to see which encryption implementation makes sense.

Calendar

Sharing calendars between users and teams in Google Workspace is a great way to enhance collaboration and team productivity. However, the Google Workspace Calendar is another service that needs to be configured properly for ensuring that PHI is protected accordingly in line with HIPAA guidelines.

Again, proper end user sharing processes and technology controls in place can help make sure that PHI is not exposed. Like many of the other core Google Workspace services, the calendars in Google Workspace share all information with everyone in the Google Workspace organization.

End users can set calendar entries to Private for any event related to PHI. Additionally, Google Workspace admins can change the default behavior with visibility and sharing options that can change the default behavior across the entire Google Workspace domain.

Keep

Google Keep allows your end-users to take notes and create lists and other items that could possibly contain PHI. With Keep, Google Workspace administrators need to make sure that the Google Drive sharing settings are set for restricting information appropriately. Google Workspace administrators can set the sharing options to either Restrict or Allow sharing outside the organization.

With Keep, many of the default sharing settings are in line with HIPAA configurations since Keep by default sets notes to Private regardless of Drive settings.

Sites

Google Sites allows easily creating team sites to share content between team members in Google Workspace. When thinking about PHI information, it is important to understand that Google Sites can be visited by members outside your Google Workspace organization.

According to the main Google Sites page:

  • Can external visitors access a company site?

Yes. People outside your company can access your site, even without a Google Workspace account. You can also opt to restrict access through sharing settings.

Google Sites easily allows creating websites. Care must be taken with HIPAA compliance

Since Google’s “bread and butter” is advertising, Google Adsense can be added to Google Sites websites for advertising purposes. This needs to be turned off for sites that include HIPAA PHI.

Other considerations to make and change:

  • Limit who has access to edit the information on the site
  • Do not include text, images, or other content such as calendar information that may contain PHI
  • Limit publishing sites externally, perhaps limiting to the internal domain

Google Cloud Search

Google Cloud Search offers built-in applications that can be used out-of-the-box. Connectors are made available that can pull in information from other systems such as CRM, Google Workspace documents, and others. Using Google’s patented search technology, information can be found much more efficiently.

Information intensive industries like healthcare deal with an overwhelming amount of information. So, Google Cloud Search technology can be extremely helpful for healthcare organizations.

Google Cloud Search brings Google search technology to your organization’s data

To ensure that your organization uses Google Cloud Search in line with HIPAA policies, admins will want to control how search history is used and who has search history turned on or off. This can be limited for everyone, or it can be turned on or off for specific organizational units (requires Google Workspace Enterprise).

Additionally, part of the shared responsibility customers have when using Google Workspace in regard to HIPAA is making sure that third-party connectors or other connections that aggregate data for search indexing are properly secured with appropriate permissions.

Google Hangouts and Meet

Google Hangouts is now Google Meet. Google Meet provides secure video meetings for your business that allow effective collaboration and communication. It’s important to note that the classic Google Hangouts video calls are not covered by Google’s Business Associate Agreement.

Instead of the classic Hangouts, you will want to make sure you are using the new Google Meet platform. Users can be prevented from starting video calls from the classic Hangouts application. See how to do this here.

Google Meet allows Google Workspace team members to communicate and collaborate

Another important consideration to make with Meet is whether external guests can participate in your Hangouts Meet video meetings. The organizers of the Hangouts Meet video call have to decide whether or not to allow anonymous guests to join or to allow only internal Google Workspace organization users to join the call.

If your organization uses Google Workspace Enterprise, meetings can be recorded in MP4 format to Google Drive. Will the recording potentially contain PHI? Google Workspace admins can control this functionality as well, through policies that determine whether Google Workspace Enterprise users have the ability to record their meetings to Drive.

Vault

Vault is Google’s eDiscovery and compliance solution for Google Workspace. It is used to retain, hold, search, and export data to support retention and eDiscovery activities. Vault is only included in the Google Workspace Enterprise plan. For the other Google Workspace plans it is an additional add-on, if your organization chooses to purchase licenses for your users.

Google does not provide a great deal of information regarding specific settings or configurations of vault related to HIPAA. In fact, in the recent HIPAA guide from Google, Vault is only briefly mentioned. However, it is included in the services that Google defines as HIPAA compliant.

When Vault is used with the other Google core Google Workspace services that are correctly configured for HIPAA, Vault can be used in a sanctioned way to store PHI.

Google Vault provides eDiscovery and compliance functionality to Google Workspace

Other important Google Workspace settings for HIPAA compliance

Other Google Workspace configuration changes and Google Workspace admin best practices lend themselves to good overall Google Workspace security. The better your overall security posture across your Google Workspace environment, the easier it is to meet compliance frameworks such as HIPAA.

The following other considerations and best practices can help secure your Google Workspace environment and protect HIPAA PHI:

  • Enable Two-factor authentication
  • Monitor account activity
  • Enable role-based access
  • Control third-party apps, systems, or databases

Let’s briefly consider each of these best practices and see how each helps to secure your Google Workspace environment and align your organization with HIPAA regulations.

Enable two-factor authentication

Enabling two-factor authentication is one of the best ways to drastically increase the security of your Google Workspace environment. Passwords have long been a weak point in most environments. End users have a tendency to choose weak passwords. This can very quickly place business-critical and sensitive data such as HIPAA PHI at risk.

Two-factor authentication requires users to verify their identity with something they know (their password) as well as something they have, such as a physical security key or a code sent to a device such as a cell phone. It is critically important to protect your Google Workspace administrator accounts with two-factor authentication. If an attacker compromises a Google Workspace administrator account, they have all the “keys to your kingdom” and can do anything they want in your environment.

With Google Workspace, there are several different ways the two-factor verification can be validated. These include:

  • Security keys
  • Google prompt
  • Google Authenticator
  • Backup codes
  • A text message or phone call

Enabling two-factor authentication is certainly a recommended best practice to improve the overall security of your Google Workspace environment. When it comes to HIPAA compliance, HHS.gov recommends two-factor authentication for protecting electronic PHI.

Monitor Account Activity

Having visibility of the account activity is a great way to protect and monitor potential security threats in your Google Workspace environment. Google Workspace provides the alert center to provide a place to aggregate events and alerts. This includes account activities and alerts.

The Google Workspace alert center can send out email alerts of many different kinds of alerts that happen in the environment. However, the alert center must be configured to send out email notifications. To configure alert center email notifications, follow the documentation found here.

Enable role-based access (RBAC)

To follow best practices for permissions and access in Google Workspace, you want to make sure end users have permissions assigned based on their job role. All too often, end-users have more permissions than they need. Google Workspace gives administrators the ability to easily view a list of users’ roles and privileges in the Google Admin console.

This is not limited to normal end-users. Users that serve as administrators in the Google Workspace can be assigned those administrator permissions they actually need. Very few will need the Super Admin role in Google Workspace. Google Workspace provides pre-built administrator roles that allow assigning administrator permissions based on the role the administrator will actually play in your organization.

Predefined Google Workspace admin roles include the following:

  • Super Admin
  • Groups Admin
  • User Management Admin
  • Help Desk Admin
  • Services Admin
  • Mobile Admin
  • Google Voice Admin
  • Reseller Admin

You can read more about the permissions and capabilities that each role has in the Google Workspace environment here.

Assigning the roles and permissions to users and especially to the users who will serve as administrators in the Google Workspace environment helps to ensure that permissions are scoped appropriately. This is in line with HIPAA best practices and is part of the Administrative Safeguards that need to be put in place as part of the HIPAA security rule.

Control third-party apps, systems, or databases

Cloud Software-as-a-Service environments like Google Workspace allow customers to extend the native functionality by way of third-party apps found in the marketplace. Despite providing extended functionality, third-party apps can expose PHI data as well as bring other security and data leak threats.

Left unchecked, end users can potentially install third-party apps that gain access to sensitive HIPAA PHI. This can easily happen as end users may simply grant permissions that are requested by a third-party app that either could be malicious in nature or “leaky”, exposing sensitive data.

Monitoring and controlling third-party apps in Google Workspace is essential to securing your Google Workspace environment and in ensuring the security of HIPAA PHI.

Google Workspace provides native functionality to control which third-party and domain-owned apps can access sensitive Google Workspace data. Apps obtain access to Google Workspace services via OAuth 2.0, and app access control lets administrators decide which of those grants are honored. App access control allows organizations to:

  • Restrict or leave unrestricted access by third-party apps to Google Workspace
  • Whitelist apps so they can access restricted Google Workspace data
  • Trust domain-owned apps
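The three controls above combine into a single decision at consent time: for every OAuth 2.0 scope an app requests, is the service restricted, and if so, is the app trusted? The following is an added example (not Spin.AI's or Google's code) that models that decision offline. The scope URLs are Google's real scope strings; the policy table, client IDs, publisher domains and the "restricted"/"unrestricted" labels are constructed assumptions, and the real control lives in the Admin console rather than in code.

```python
"""App access control decision model (added example, not the article's or Google's code)."""
from dataclasses import dataclass, field

SCOPE_PREFIX = "https://www.googleapis.com/auth/"


@dataclass
class AppPolicy:
    org_domain: str
    # service -> "unrestricted" | "restricted"; services not listed use default_mode.
    services: dict
    trusted_client_ids: set = field(default_factory=set)  # the allowlisted apps
    trust_domain_apps: bool = True                         # "Trust domain-owned apps"
    default_mode: str = "restricted"                       # assumed deny-by-default


def service_for(scope):
    """Map a scope string to the Workspace service it unlocks (constructed mapping)."""
    if scope in ("openid", "email", "profile"):
        return "identity"
    if scope.startswith(SCOPE_PREFIX):
        key = scope[len(SCOPE_PREFIX):].split(".")[0]   # drive.file -> drive
        return {"userinfo": "identity"}.get(key, key)
    return "unknown"


def is_trusted(app, policy):
    """Allowlisted client IDs and, if enabled, apps published by the org's own domain."""
    if app["client_id"] in policy.trusted_client_ids:
        return True
    return policy.trust_domain_apps and app.get("publisher_domain") == policy.org_domain


def evaluate_app(app, policy):
    """Block the grant if any requested scope touches a restricted service and the
    app is not trusted; otherwise allow it."""
    trusted = is_trusted(app, policy)
    denied = []
    for scope in app["scopes"]:
        mode = policy.services.get(service_for(scope), policy.default_mode)
        if mode == "restricted" and not trusted:
            denied.append(scope)
    return {"client_id": app["client_id"], "trusted": trusted,
            "decision": "blocked" if denied else "allowed", "denied_scopes": denied}


def evaluate_all(apps, policy):
    return [evaluate_app(a, policy) for a in apps]


# Constructed policy: PHI-bearing services restricted, calendar and sign-in open.
POLICY = AppPolicy(
    org_domain="clinic.example",
    services={"drive": "restricted", "gmail": "restricted",
              "calendar": "unrestricted", "identity": "unrestricted"},
    trusted_client_ids={"1234-ehr.apps.googleusercontent.com"},
)

# Constructed consent requests from four apps.
SAMPLE_APPS = [
    {"client_id": "5678-sched.apps.googleusercontent.com", "publisher_domain": "sched.example",
     "scopes": ["openid", SCOPE_PREFIX + "userinfo.email", SCOPE_PREFIX + "calendar"]},
    {"client_id": "9012-pdf.apps.googleusercontent.com", "publisher_domain": "pdftool.example",
     "scopes": [SCOPE_PREFIX + "userinfo.email", SCOPE_PREFIX + "drive"]},
    {"client_id": "1234-ehr.apps.googleusercontent.com", "publisher_domain": "ehr-vendor.example",
     "scopes": [SCOPE_PREFIX + "drive.file", SCOPE_PREFIX + "gmail.send"]},
    {"client_id": "3456-script.apps.googleusercontent.com", "publisher_domain": "clinic.example",
     "scopes": [SCOPE_PREFIX + "gmail.readonly"]},
]

if __name__ == "__main__":
    for result in evaluate_all(SAMPLE_APPS, POLICY):
        print(result)
```

The scheduling app is allowed because it asks only for sign-in and calendar scopes; the PDF tool is blocked because it asks for full Drive access and is neither allowlisted nor domain-owned; the EHR integration gets Drive and Gmail only because its client ID is on the allowlist; and the in-house script is trusted by virtue of its publisher domain. Turning `trust_domain_apps` off makes that last app subject to the same allowlisting as everyone else, which is the stricter posture for an organization where internal developers are not separately vetted.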

How do you make sure your staff doesn’t accidentally cause a HIPAA breach?

The worst thing that can happen to protected health information (PHI) under HIPAA is a data breach. Breached PHI can mean the worst for a healthcare organization, including fines, a tarnished reputation, and potential repercussions that can last for years.

HIPAA violations can lead to fines ranging from $100 to $50,000 per violation (or per record) depending on the perceived negligence that is found within your organization at the time of the HIPAA violation. Your organization must do its due diligence to put the measures in place to ensure that PHI is protected in a suitable manner.

As mentioned in the outset, this is usually a combination of people, processes, and technology to ensure that PHI is protected adequately. How do you put all the information presented thus far together in a way that allows you to make sure that your staff doesn’t accidentally cause a HIPAA breach?

HIPAA is a very complex and delicate framework that requires a lot of planning, training, and technology solutions to allow employees to be productive and at the same time ensure that PHI is protected in line with the guidelines set forth by HIPAA.

To summarize the people, processes, and technology that is needed to make sure your staff doesn’t accidentally cause a HIPAA breach, consider the following:

  • End-user training – End-user training for HIPAA is absolutely required. End-users need to be aware of all the aspects of how they need to interact with protected health information properly and the role they play in keeping this data safe.
  • Proper configuration of Google Workspace services – Paid versions of Google Workspace can be HIPAA compliant, however, it requires that all services used by your organization be configured correctly and restricted in certain ways to protect health information data.
  • Two-step verification – Two-step verification provides greatly enhanced security for end-users including administrators. It combines something you know (your password) with something you have (a code delivered via device, text, call, app, and other means).
  • OAuth 2.0 and third-party apps control – OAuth 2.0 is the mechanism that cloud service providers, including Google, use to let end-users grant applications access to Google Workspace data without disclosing their password. However, this can present security concerns, as “leaky” or outright malicious apps can be integrated into the Google Workspace environment with just a few clicks on an end-user device.
  • Information rights management (IRM) – With IRM, you can disable actions that are risky to HIPAA PHI such as downloading, printing, and copying from Google Workspace.
  • Proper monitoring, auditing, and alerting – Monitoring, auditing and alerting are key administrative security tasks that help Google Workspace admins keep on top of potential security events in Google Workspace. To bring your organization in line with HIPAA privacy and security controls, these are essential activities.
  • Email security and advanced protection – Email is often the gateway to security breaches or malware attacks. Taking the proper steps to secure Gmail allows your organization to ensure data is protected between the sender/receiver, as well as malware and other types of malicious email such as phishing attacks, are filtered, and minimized as much as possible.
  • Encryption – Encrypting data makes certain that sensitive data is unreadable to anyone other than sanctioned users. Making sure that information is encrypted both in-flight and at-rest ensures that PHI data is protected from prying eyes or those outside of the business associate agreement.
  • Mobile device management (MDM) – If you have mobile devices that are tied into the Google Workspace environment, using Google Workspace’s MDM solution allows enforcing policies, encrypting data, and remotely wiping or locking stolen or lost devices.
  • Backup Google Workspace – Backing up your Google Workspace environment containing protected health information (PHI) is critical to protecting PHI and other business-critical data from data loss. Google Workspace is limited in what it can natively provide in terms of proper backups of your data. Your organization will want to bolster data protection of Google Workspace with a capable third-party solution that can protect your data across all Google Workspace services.

Outside of the above, your organization will want to have a bullet-proof process that includes the technical processes needed to ensure that all access to HIPAA and other business-critical data is immediately terminated if an employee leaves the company.

Effective training of your end-users, processes that provide “guard rails” for daily business activities involving PHI, and the right technology solutions together greatly minimize the risk that staff will accidentally cause a data breach.

Let’s take a look at a technology solution that can help bolster your organization’s efforts to ensure that protected health information is secured appropriately and effectively.

How to make Google Workspace HIPAA compliant with SpinOne

While Google Workspace has many great built-in technology capabilities and features to help secure your Google Workspace environment and align with HIPAA regulations, it can fall short in and of itself in protecting PHI. Google Workspace native security solutions fall short in the following ways:

  1. Ransomware protection
  2. Backups of your data
  3. Third-party apps protection and auditing
  4. Consolidated ease of use
  5. Automated responses

Let’s take a look at each area and see how SpinOne allows us to meet and exceed HIPAA compliance regulations in Google Workspace much more easily.

1. Ransomware protection

Ransomware is one of the biggest threats to your organization’s data, both on-premises and in cloud SaaS environments such as Google Workspace. Modern ransomware can hold your cloud data hostage, and newer variants even release sensitive data as additional leverage for a ransom payment.

Think about the consequences of your cloud SaaS environment data encrypted with ransomware and threats of releasing this data, potentially including HIPAA PHI. This would be a nightmare scenario. SpinOne allows effectively countering ransomware in the cloud with a seamless, automated solution that requires no administrator interaction.

SpinOne’s automated ransomware protection provides automatic responses to ransomware infections. This includes:

  1. SpinOne’s AI-powered solution automatically detects the ransomware infection underway using effective file-behavior analysis
  2. It automatically blocks the attack source in real-time
  3. SpinOne automatically identifies the files that have been infected/encrypted with ransomware
  4. It automatically recovers damaged files from the latest good backup of your Google Workspace environment taken with Spinbackup

Imagine, as a Google Workspace administrator, waking up to a notification that Spin detected a ransomware infection, blocked it, and completely remediated its effects, all without a single interaction by Google Workspace administrators.
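As an added illustration of the file-behavior analysis mentioned above (example code written for this page, not SpinOne's detection logic), the following Python flags an account whose burst of renames turns ordinary documents into non-document extensions, and lists the files to restore from the last backup taken before the burst began. The event shape, the accounts, the file ids and the thresholds are all constructed assumptions, not a real Drive audit export.

```python
"""Behavior-based ransomware detection over Drive file activity.

Added example, not SpinOne's algorithm. A burst of renames by one account
in which most files lose their normal document extension is treated as
mass encryption. The alert names the account to block and the file ids to
restore from the last backup taken before the first suspicious rename.
Events below are constructed sample data in a simplified shape.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 120          # look-back window per actor (assumed threshold)
MIN_EVENTS = 8                # renames needed in the window before alerting
MIN_SUSPICIOUS_RATIO = 0.6    # share of those renames that must look like encryption
DOC_EXTS = {"docx", "xlsx", "pptx", "pdf", "txt", "csv"}


def extension(name):
    """Lower-cased extension of a file name, or '' when it has none."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def looks_encrypted(old_name, new_name):
    """A normal document renamed to a non-document extension, e.g. x.docx -> x.docx.locked."""
    return extension(old_name) in DOC_EXTS and extension(new_name) not in DOC_EXTS


def detect_mass_encryption(events):
    """Return one alert per actor whose rename burst crosses the thresholds."""
    by_actor = defaultdict(list)
    for e in events:
        if e["event"] == "rename":
            by_actor[e["actor"]].append(e)
    alerts = []
    for actor, renames in by_actor.items():
        renames.sort(key=lambda e: e["ts"])
        window = deque()
        for e in renames:
            window.append(e)
            # drop renames that fell out of the sliding time window
            while e["ts"] - window[0]["ts"] > WINDOW_SECONDS:
                window.popleft()
            suspicious = [w for w in window if looks_encrypted(w["old_name"], w["new_name"])]
            if len(window) >= MIN_EVENTS and len(suspicious) / len(window) >= MIN_SUSPICIOUS_RATIO:
                first_ts = suspicious[0]["ts"]
                # every file this actor touched from the first suspicious rename onward
                affected = sorted({x["file_id"] for x in events
                                   if x["actor"] == actor and x["ts"] >= first_ts})
                alerts.append({"actor": actor,
                               "first_suspicious_ts": first_ts,
                               "renames_in_window": len(window),
                               "suspicious_in_window": len(suspicious),
                               "affected_files": affected,
                               "restore_before_ts": first_ts})
                break   # one alert per actor is enough to trigger a response
    return alerts


def _rename(ts, actor, fid, old, new):
    return {"ts": ts, "actor": actor, "event": "rename",
            "file_id": fid, "old_name": old, "new_name": new}


# Constructed sample activity (hypothetical accounts and file ids); ts is epoch seconds.
SAMPLE_EVENTS = [
    # benign activity from a clinician: one ordinary rename and one edit
    _rename(1000, "doc1@clinic.example", "f-001", "notes.txt", "notes-2024.txt"),
    {"ts": 1005, "actor": "doc1@clinic.example", "event": "edit", "file_id": "f-002"},
]
# compromised account: ten patient files renamed to *.locked within 45 seconds
SAMPLE_EVENTS += [
    _rename(2000 + 5 * i, "nurse3@clinic.example", f"f-1{i:02d}",
            f"patient-{i}.docx", f"patient-{i}.docx.locked")
    for i in range(10)
]
SAMPLE_EVENTS.append({"ts": 2060, "actor": "nurse3@clinic.example",
                      "event": "delete", "file_id": "f-200"})


if __name__ == "__main__":
    for alert in detect_mass_encryption(SAMPLE_EVENTS):
        print(f'block {alert["actor"]}; restore {len(alert["affected_files"])} files '
              f'from the backup before ts={alert["restore_before_ts"]}')
```

The clinician's single rename keeps a document extension and never reaches the event threshold, so only the burst from the compromised account produces an alert; the alert carries every file that account touched after the first suspicious rename, including the later deletion, which is the set a backup-based recovery would restore.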

2. Backups of your data

Part of the shared responsibility model that Google maintains with G Suite customers is that customers are responsible for protecting their data. There is no official backup solution provided by Google that allows for enterprise-grade backups of your Google Workspace data, including PHI.

According to HHS.gov, SLAs can include provisions that address such HIPAA concerns as…

  • Back-up and data recovery (e.g., as necessary to be able to respond to a ransomware attack or other emergency situation).
  • Automatic backups 1-3x daily
  • Encrypted backups both in-flight and at-rest
  • Deletion and version control
  • Fast search
  • Analytics and reports

3. Third-party apps protection

SpinOne’s SpinAudit feature provides a total apps risk assessment, enabling you to identify applications that pose a risk to your data. It helps you determine which applications have read, write, and delete permissions to your sensitive data, ensuring better control and security. This also helps to reduce the risk of shadow IT applications being installed by end-users that bypass organizational policies and other best practices.

SpinAudit provides a database of 55,000+ (and growing) apps and browser extensions that have passed Spin’s AI-based scoring. This allows your organization to have a completely automated auditing and risk assessment platform for any application that end users attempt to integrate with the Google Workspace environment containing PHI information.

SpinAudit contains:

  • Application whitelisting and blacklisting
  • Custom security policies
  • Visibility to app permissions granted in Google Workspace
  • The business risk level of Google Workspace apps
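To make concrete both the OAuth third-party app risk raised in the security controls list and the permission-based risk assessment described for SpinAudit, here is an added Python example; it is not SpinOne's or Google's code. It scores each user's OAuth grant by the most powerful scope it holds and applies an allowlist/blocklist to decide whether the grant stands, needs review, or is revoked. The scope strings are Google's real OAuth scope identifiers; the tier mapping, user accounts, app names and client ids are this example's own assumptions, and the grant records are constructed rather than pulled from the admin console.

```python
"""Third-party OAuth app risk triage for a Google Workspace tenant.

Added example: not SpinOne's or Google's code. Each OAuth grant a user
made to a third-party app is scored by the most powerful scope it holds,
then an allowlist/blocklist decides whether the grant may stand, must be
reviewed, or is revoked. Grant records are constructed sample data; a real
deployment would populate them from an admin-side token audit, not called here.
"""
from collections import defaultdict
from dataclasses import dataclass

# Scope strings are real Google OAuth scope identifiers. The tier each is
# mapped to is this example's own policy, not a rating published by Google.
SCOPE_TIER = {
    "https://www.googleapis.com/auth/userinfo.email": "low",
    "https://www.googleapis.com/auth/userinfo.profile": "low",
    "https://www.googleapis.com/auth/drive.readonly": "read",
    "https://www.googleapis.com/auth/gmail.readonly": "read",
    "https://www.googleapis.com/auth/drive.file": "write",
    "https://www.googleapis.com/auth/gmail.send": "write",
    "https://www.googleapis.com/auth/gmail.modify": "write",   # can alter/delete mail
    "https://www.googleapis.com/auth/drive": "full",           # read/write/delete all Drive
    "https://mail.google.com/": "full",                        # full mailbox access
}
TIER_RANK = {"low": 0, "read": 1, "write": 2, "full": 3}


@dataclass(frozen=True)
class Grant:
    user: str        # account that authorised the app
    app: str         # display name shown on the consent screen
    client_id: str   # OAuth client id, the stable key for allow/block lists
    scopes: tuple    # scopes granted


def assess_grant(grant, allowlist=frozenset(), blocklist=frozenset()):
    """Return the grant's highest tier, any unknown scopes and a policy decision."""
    known = [SCOPE_TIER[s] for s in grant.scopes if s in SCOPE_TIER]
    unknown = [s for s in grant.scopes if s not in SCOPE_TIER]
    tier = max(known, key=TIER_RANK.get, default="low")
    if grant.client_id in blocklist:
        decision = "revoke"        # explicitly banned app: token must go
    elif grant.client_id in allowlist:
        decision = "allow"         # vetted app: keep, even if powerful
    elif unknown or TIER_RANK[tier] >= TIER_RANK["write"]:
        decision = "review"        # unvetted app that can alter or delete PHI
    else:
        decision = "allow"         # unvetted but read-only/profile-only
    return {"user": grant.user, "app": grant.app, "client_id": grant.client_id,
            "tier": tier, "unknown_scopes": unknown, "decision": decision}


def summarize_by_app(grants):
    """Shadow-IT view: per app, how many users granted it and its worst tier."""
    summary = defaultdict(lambda: {"users": set(), "tier": "low"})
    for g in grants:
        a = assess_grant(g)
        entry = summary[g.client_id]
        entry["users"].add(g.user)
        if TIER_RANK[a["tier"]] > TIER_RANK[entry["tier"]]:
            entry["tier"] = a["tier"]
    return {cid: {"users": len(v["users"]), "tier": v["tier"]} for cid, v in summary.items()}


# Constructed sample grants (hypothetical users, apps and client ids).
SAMPLE_GRANTS = [
    Grant("nurse1@clinic.example", "Mail Merge Helper", "client-mailmerge",
          ("https://mail.google.com/",)),
    Grant("nurse2@clinic.example", "Mail Merge Helper", "client-mailmerge",
          ("https://mail.google.com/", "https://www.googleapis.com/auth/userinfo.email")),
    Grant("admin@clinic.example", "Vetted EHR Connector", "client-ehr",
          ("https://www.googleapis.com/auth/drive",)),
    Grant("frontdesk@clinic.example", "Calendar Widget", "client-calwidget",
          ("https://www.googleapis.com/auth/userinfo.profile",
           "https://www.googleapis.com/auth/calendar.readonly")),   # not in the tier table
    Grant("doc1@clinic.example", "PDF Viewer", "client-pdfviewer",
          ("https://www.googleapis.com/auth/drive.readonly",)),
]
ALLOWLIST = frozenset({"client-ehr"})        # apps vetted by the organization
BLOCKLIST = frozenset({"client-pdfviewer"})  # apps the organization has banned


def triage(grants=SAMPLE_GRANTS, allowlist=ALLOWLIST, blocklist=BLOCKLIST):
    """Assess every grant and return the results, most severe first."""
    order = {"revoke": 0, "review": 1, "allow": 2}
    return sorted((assess_grant(g, allowlist, blocklist) for g in grants),
                  key=lambda r: (order[r["decision"]], -TIER_RANK[r["tier"]]))


if __name__ == "__main__":
    for r in triage():
        print(f'{r["decision"]:6} {r["tier"]:5} {r["app"]:22} {r["user"]}')
    print(summarize_by_app(SAMPLE_GRANTS))
```

Two design points worth noting: a scope the policy table does not know is routed to review rather than silently treated as low risk, and the allowlist is keyed by client id rather than display name, since an app's name on the consent screen is chosen by the app's publisher.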

4. Consolidated ease of use

Despite cloud service providers offering built-in security solutions, the issue lies in the fragmented nature of security dashboards and consoles. These are configured separately within their own administrative interfaces, leading to a lack of integration and centralized management.

This means that you have to configure various aspects of your security in different UIs and interfaces. This can lead to confusion, more administrative overhead, and even security vulnerabilities, as events can get missed. With SpinOne, the solution provides a single-pane-of-glass UI for configuring the security of your Google Workspace environment.

5. Automated responses

In a dynamic and intricate environment like your Google Workspace cloud SaaS setup, which involves HIPAA PHI, manual processes can be time-consuming and impractical. Your organization is no doubt moving too fast to be held back by legacy approaches to security and other operational processes.

SpinOne is built around artificial intelligence (AI) and machine learning (ML) architecture that allows the solution to be intelligent and provide a high level of automation. This takes a great deal of the administrative burden from the administrator so time can be better spent elsewhere.

When it comes to HIPAA, ensuring the security of PHI (Protected Health Information) and protecting against the complex and dangerous threats targeting healthcare organizations and other entities, automated security intelligence is essential. With 24x7x365 monitoring, it provides continuous oversight and protection for your environment. This is exactly what SpinOne was designed to do.

With automated intelligence, SpinOne protects your HIPAA PHI from ransomware and other dangerous threats with automated threat detection, visibility, and remediation.

Get a free trial or request a demo now!

Learn more about compliance:

1. GDPR Compliance Checklist for Businesses

2. The Financial Impact of Non-Compliance On Businesses

3. SOX Compliance Checklist and Requirements

4. Cloud Data Security and Compliance Best Practices

Frequently Asked Questions

Is Google Forms HIPAA Compliant?

Google Forms doesn’t automatically meet HIPAA compliance requirements. This is because the features in Google Drive don’t ensure HIPAA compliance unless you have a Google Workspace or Cloud Identity package that includes these capabilities. However, you can achieve HIPAA compliance for Google Forms by subscribing to an appropriate Google Workspace/Cloud Identity package, signing a Business Associate Agreement (BAA), configuring the service to comply with HIPAA, and training personnel on how to properly use Google Forms.

How do I make Google Workspace HIPAA compliant?

Since Google Workspace is not HIPAA compliant by default, it is the customer’s responsibility to ensure it meets HIPAA requirements. To make Google Workspace HIPAA compliant, do the following:

  1. Select a HIPAA-compliant Google Workspace plan;
  2. Sign a business associate agreement (BAA) with Google;
  3. Configure Google Workspace services including security settings, access controls, and data retention policies to ensure they are HIPAA compliant;
  4. Implement security measures by enabling two-factor authentication (2FA), enforcing strong password policies, and setting up mobile device management (MDM) to secure mobile access;
  5. Ensure that data at rest and in transit is encrypted. Google Workspace services use encryption by default, but you should verify that encryption is enabled for all relevant services;
  6. Educate your employees about HIPAA regulations and the proper use of Google Workspace when handling ePHI;
  7. Audit and monitor your Google Workspace environment on a regular basis to identify and address security vulnerabilities or compliance issues;
  8. Develop a clear incident response plan for dealing with data breaches or security incidents involving PHI in your Google Workspace;
  9. Review and assess your HIPAA compliance efforts periodically to ensure ongoing adherence to regulations and to make any necessary adjustments.

Are all Google Workspace services HIPAA compliant?

For customers who are subject to HIPAA, Google Workspace can support HIPAA compliance for almost all services. Gmail, Calendar, Drive (including Docs, Sheets, Slides, and Forms), Google Chat, Google Meet, Keep, Google Cloud Search, Google Voice (managed users only), Sites, Google Groups, Jamboard, Cloud Identity Management, Tasks, and Vault – all these services can be used in compliance with HIPAA, provided that the customer has signed a BAA and configured those services to be HIPAA compliant.

Google Contacts cannot be used in compliance with HIPAA, because ePHI is not permitted in this service.

Written by Dmitry Dontov, CEO and Founder at Spin.AI.

He is a tech entrepreneur and cybersecurity expert with over 20 years of experience in cybersecurity and team management.

He also has a strong engineering background in cybersecurity and cloud data protection, making him an expert in SaaS data security.

He is the author of 2 patents and a member of Forbes Business Council.

Dmitry was named 2023 Winner in the BIG Award for Business and Small Business Executive of the Year.

