Can I use G Suite (Google Apps) and be HIPAA Compliant?

We often get asked by customers and prospects about G Suite (formerly Google Docs) and their ability to use it in a HIPAA compliant manner.

We know the HIPAA market is vast so we can empathize with just how many people need to use cloud-based storage services in this sector.

In previous posts, we’ve covered the following cloud solutions and their capabilities for HIPAA compliance:

• Amazon CloudFront
• Apple iCloud
• Box
• Citrix ShareFile
• Dropbox
• FaceTime
• Google Calendar
• Google Docs
• Google Drive
• Google Forms
• Google Hangouts
• Google Slides
• Google Voice
• GoToMeeting
• Intercom
• Office 365
• OneDrive
• SharePoint
• Slack
• WhatsApp
• Yammer
• Zoho
• Zoom

The purpose of this post is to determine if Google’s G Suite offers HIPAA compliance or not.

SEE ALSO: HIPAA Breaches and Cloud Providers

About G Suite (Google Docs)

G Suite is Google’s brand of cloud computing, productivity and collaboration tools. It’s most popular services are Gmail, Google Calendar, and Google Drive (including Docs, Sheets, Slides, and Forms).

While these services are typically free to use for consumers, G Suite adds enterprise features such as branded email addresses at a domain (@yourcompany.com), as well as phone and email support.

Formerly known as Google Docs, Google rebranded the service to G Suite in September 2016.

G Suite and the Business Associate Agreement

We’ve previously talked about how a Business Associate Agreement (BAA) is a written contract between a Covered Entity and a Business Associate. It is required by law for HIPAA compliance.

We checked Google’s site and found a G Suite Administrator Help article called HIPAA Compliance with G Suite.

In the article, Google points out:

“Google offers a BAA covering Gmail, Google Calendar, Google Drive (including Docs, Sheets, Slides, and Forms), Google Hangouts (chat messaging feature only), Hangouts Meet, Google Keep, Google Cloud Search, Google Sites, Jamboard, and Google Vault services.”

Does Google’s G Suite Offer HIPAA Compliant Service?

The Business Associate Agreement is a key component to HIPAA compliance between a Covered Entity and a Business Associate.

Since Google offers one that covers G Suite, we conclude that Google’s G Suite is a HIPAA compliant service.

It’s important to note however:

• You must sign a BAA with Google. It is not included by default.
• Google’s BAA does not cover email sent or received in transit.

G Suite email isn’t HIPAA compliant out of the box.
Download the Quick Guide to HIPAA Compliant Email for free.

Conclusion: G Suite, formerly known as Google Apps, is HIPAA Compliant. Make sure you sign a BAA with Google and that you have a solution in place to address email sent in transit.

SEE ALSO: How to Make Gmail HIPAA Compliant