For many companies, moving to the cloud is supposed to solve many of the headaches they have with compliance and regulatory agencies. Cloud hosting offers redundancy and protection, an area where some businesses lack. However, when it comes to the Health Insurance Portability and Accountability Act of 1996, best known as HIPAA, many cloud services are lacking, and are not ready for HIPAA IT compliance. G Suite (Google Apps) however, has worked extremely hard to be one of the few that is not one of those providers.
What this article is about:
Making G Suite HIPAA Compliant Is Easy
Google published a guide to making their G Suite service HIPAA compliant. The lengthy explanation includes share settings for Drive and calendars. They also recommend users have strong passwords with a combination of upper and lower-case letters, numbers, and special symbols. Google suggests in addition to strong passwords; all users turn on two-step sign in authentication.
To make securing G Suite accounts less confusing, here are five primary ways to ensure G Suite is HIPAA compliant.
1/ Sign an Agreement with Google
Google strives to make their service as secure as possible. However, they cannot guarantee HIPAA compliance if there is no agreement in place dictating the account need these protections.
Google’s Business Associate Agreement only covers some of the apps G Suite employs. Apps permitted by the Personal Health Information (PHI) agreements include:
- Gmail
- Calendar
- Google Hangouts (chat messaging feature only)
- Hangouts Meet
- Drive (including Docs, Sheets, Slides, and Forms)
- Keep
- Google Cloud Search
- Vault
At this time, all business associate agreements concerning PHI’s do not cover Google Groups, Contacts, or Google+.
2/ Monitor Access
HIPAA compliance is not something you can turn on and forget about it. The administrator console contains reports and logs allowing you to tell at a glance where potential security risks may be. Reports show you how frequently employees access and share data. These reports also measure user collaboration on a given file, who signs in, and even analyze administrative activity.
To help lower the risk of lost information due to unauthorized activity, Google allows for alert notifications. Whenever Google detects activity such as a suspended user, new user, or suspicious login, administrators can view the attempt. You can also set notifications for making a suspended user active and adding a new user.
Installing third-party software designed to scan for shared files with sensitive information is another way to ensure all data remains secure.
3/ Set Restricted Settings
With a signed business associate agreement, Google helps you protect HIPAA confidential information in their core applications. You can do more by setting restrictive settings when creating user accounts. In Google Drive, turn off automatic link sharing by choosing the option Specific People, which only allows invited individuals to view the document. You can then give control of link exchange to the Drive user or can retain this control with administrators only.
Gmail allows individuals to restrict shared Drive files further. The sender can choose to limit the recipient’s ability to view only rather than edit or comment on the document. Senders can also restrict access to those with Gmail accounts.
4/ Consider Separating Users within the Domain
Many companies using G Suite segregate their employees who work with HIPAA sensitive documents from those who do not. Creating different groups allows administrators to manage which groups have access to specific Google services.
Smaller companies may be able to get away with creating two groups, one which handles HIPAA sensitive documents and one that does not. Administration can limit those with sensitive documents, blocking them from services such as Google+ and YouTube. The other group has permissions for all G Suite services.
Companies can choose to create as many groups as they want, segregating their employees’ accounts further if they choose. While an entire HR department may have access to H