If you're in healthcare and want to use cloud services, it's okay. That's the short version of the US Department of Health and Human Services' (HHS) Guidance on HIPAA & Cloud Computing.
The longer, more detailed version is that organizations that need to comply with HIPAA (the US Health Insurance Portability and Accountability Act) may choose to use CSPs (cloud service providers) to store ePHI (electronic protected health information) as long as the organization and CSP sign a BAA (business associate agreement). That's good news for healthcare organizations that adopted Google Apps back in 2013, when Google first offered to sign BAAs.
Of course, your organization can't just sign up for G Suite, sign the G Suite HIPAA BAA, and call HIPAA compliance done. Your G Suite administrator still has to take several steps to secure your setup. As the HHS document puts it, "...certain access controls, such as authentication or unique user identification, may be the responsibility of the customer, while others, such as encryption, may be the responsibility of the CSP [cloud services provider] business associate." Google has responsibilities—and so do you.
You'll need to customize your G Suite setup for HIPAA compliance. Be sure to read Google's implementation guide, HIPAA Compliance & Data Protection with Google Apps, to help you choose appropriate settings. In my experience, the following decisions and settings are too often overlooked.
1. Identify the people in your organization who handle PHI
In a large healthcare organization, you've probably already done this as part of a previous HIPAA or risk management process. But you really do need to think through the question: "Who has access to PHI?" In a solo or small practice office, this might be everyone in the organization.
2. Decide if you need to create Organizational Units for HIPAA compliance
G Suite allows you to disable services for groups of people, based on organizational units. For example, you might choose to turn access to Blogger "ON" only for people who do not manage PHI. To do this, you would create an organizational unit—say, "Non-PHI users"—then put everyone in that unit who does not have access to PHI. (Note: if everyone handles PHI, you probably don't need organizational units for HIPAA compliance purposes.)
3. Review all additional Google services
Log in to your G Suite admin console (https://admin.google.com), go to Apps, then Additional Google Services. To modify a setting for a service, select the vertical three-dot menu to the right, then choose either "OFF," "ON for some organizations," or "ON for everyone."
- For services that no one in the organization needs, choose OFF.
- For services that you want to restrict only to people who do not handle PHI, choose "ON for some organizations," then select the organizational unit (or units) you created that do not manage PHI.
- To allow access to a service for all, choose "ON for everyone."
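One way to check the outcome of steps 1 to 3 after the fact, as an added example that is not from Google or the original article. It assumes a child organizational unit inherits its parent's service setting unless overridden; the OU paths, users, service states and restricted-service set are constructed for illustration.

```python
# Constructed sample data. Explicit per-OU service settings; an OU with no
# entry for a service inherits the setting from its nearest ancestor.
SERVICE_SETTINGS = {
    "/": {"Blogger": "OFF", "YouTube": "OFF", "Drive and Docs": "ON"},
    "/Non-PHI users": {"Blogger": "ON"},
    "/Clinical/Contractors": {"YouTube": "ON"},
}

# Hypothetical export: one record per user, with the PHI flag decided in step 1.
USERS = [
    {"email": "nurse@example.org", "ou": "/Clinical", "handles_phi": True},
    {"email": "locum@example.org", "ou": "/Clinical/Contractors", "handles_phi": True},
    {"email": "comms@example.org", "ou": "/Non-PHI users", "handles_phi": False},
    {"email": "billing@example.org", "ou": "/Non-PHI users", "handles_phi": True},
]

# Services this organization keeps away from PHI handlers (assumption).
RESTRICTED_FOR_PHI = {"Blogger", "YouTube"}

def ou_chain(path):
    """Return the OU path and each ancestor, most specific first, ending at '/'."""
    parts = [p for p in path.split("/") if p]
    return ["/" + "/".join(parts[:i]) for i in range(len(parts), 0, -1)] + ["/"]

def effective_state(service, ou, settings=SERVICE_SETTINGS):
    """Resolve a service's state for an OU: the nearest explicit setting wins."""
    for node in ou_chain(ou):
        state = settings.get(node, {}).get(service)
        if state is not None:
            return state
    return "UNKNOWN"  # no setting anywhere in the chain: flag it, don't assume OFF

def audit(users=USERS, settings=SERVICE_SETTINGS, restricted=RESTRICTED_FOR_PHI):
    """List (email, ou, service) where a PHI handler's restricted service is not OFF."""
    findings = []
    for user in users:
        if not user["handles_phi"]:
            continue
        for service in sorted(restricted):
            if effective_state(service, user["ou"], settings) != "OFF":
                findings.append((user["email"], user["ou"], service))
    return findings

if __name__ == "__main__":
    for email, ou, service in audit():
        print(f"{email} in {ou}: {service} is not OFF")
```

The two findings show the two ways the setup drifts: a PHI handler placed in the "Non-PHI users" unit, and a child unit whose override re-enables a service the parent turned off.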
4. Review a few core G Suite apps
Carefully consider Contacts, Groups, and Talk/Hangouts. Google doesn't permit people to use PHI in any of these services. You may choose to enable these services, as long as people don't use PHI in them. Be sure to communicate and verify that every person understands that absolutely no PHI is allowed in any of these apps. (Note: Google+ recently became a core app. I would tend to treat it much like Contacts, Groups, and Talk/Hangouts. Disable it if your organization doesn't use it. And if you do use Google+, make sure to keep any PHI out of it.)
5. Configure core services settings
Next, review and configure the administrative settings for each of the following core apps (access these in https://admin.google.com/ > Apps > G Suite > then choose the app):
- Drive and Docs
Take a look at Google's HIPAA implementation guide. It suggests specific settings to review to protect your organization's data. Many of the settings determine default sharing and visibility options for files, for attachments, for pages on Sites, and for calendars and calendar events.
6. Secure your devices
The HHS Guidelines state that you can access CSP data from mobile devices, "...as long as appropriate physical, administrative, and technical safeguards are in place to protect the confidentiality, integrity, and availability of the ePHI on the mobile device and in the cloud, and appropriate BAAs are in place with any third party service providers for the device and/or the cloud that will have access to the e-PHI." The document links to a page with several standard mobile security guidelines.
In practice, this means you might also use the G Suite tools to manage and secure your mobile devices. I recommend that you:
- Require two-step authentication for account access
- Require a login on mobile devices
- Configure your systems to remotely lock, locate, or erase devices.
The point of all of this, of course, is to take every step you can to secure PHI. Unlike a few years ago, it is no longer an unusual thing to use a cloud service provider to store sensitive data.
What do you think?
What customizations, changes, or additions have you made to G Suite for HIPAA compliance purposes?
Andy Wolber helps people understand and leverage technology for social impact. He resides in Ann Arbor, MI with his wife, Liz, and daughter, Katie.