An Up-To-Date Guide To Making Google Apps HIPAA Compliant

Jacob Nemetz, Dash Solutions
Mar 9, 2016

This tutorial was originally posted on the Dash SDK blog at blog.dashsdk.com. Check out our blog to see our most up-to-date articles and tutorials on digital health development, security, and regulations.

With Google Apps (Gmail, Drive, Calendar, etc.) providing a full-featured platform for email and collaboration, it’s no wonder organizations are turning to Google for many of their cloud service needs. Given the regulatory requirements of the healthcare space, many are wondering: Are Google Apps HIPAA compliant? How do I make Google Apps HIPAA compliant?

Email services are not inherently secure or HIPAA compliant, and many cloud services are not clear about access control or data security. Fortunately, Google, along with several other services, provides solutions for ensuring HIPAA compliance for Google Apps services. In this post we are going to dig deep into how to secure Google Apps and ensure HIPAA compliance.

Using Google Services In a Clinical Setting

By securing the Google Apps platform, your organization can use services that your team is familiar with to accomplish patient/provider tasks such as:

  • Using Google Calendar to schedule patient appointments
  • Sending sensitive information between providers in Gmail
  • Storing protected health information (PHI) in Google Drive

Making Google Apps HIPAA Compliant

Navigating the Google Admin console

Requirements

Please review the following components with your HIPAA compliance officer/team. This guide makes the following assumptions:

  1. Your organization must be a subscriber to Google Apps For Work. If your team uses a custom domain with the Google Apps platform (i.e. email@mydomain.com), you are most likely already a subscriber.
  2. You must be the Google Apps administrator in order to follow the process below.

Sign The BAA

Google provides a Business Associate Agreement (BAA) to any organization using Google Apps For Work, for free!

The agreement currently covers Gmail, Google Calendar, Google Drive (including Docs, Sheets, Slides, and Forms), Google Sites, and Google Vault services. You can read about Google’s policies related to HIPAA and their BAA here.

In order to sign the BAA:

  1. Log in to the admin dashboard at admin.google.com
  2. Go to the “Company profile” Section > Select “Profile” > Scroll to “Security and Privacy Additional Terms”
  3. Click the “Review and Accept” button next to HIPAA Business Associate Amendment
  4. Answer the questions and review/accept the agreement
(Figure: Google’s BAA process)

General Best Practices

Lock Down Apps

Turning off Google Apps Services

After signing the BAA, it is time to restrict user access to Google Apps in order to limit risk.

1. Go to the admin dashboard at admin.google.com

2. Disable Google Apps not covered by the BAA

  • Go to the “Apps” section.
  • Select “Google Apps”.
  • Select each service by hovering over each icon and checking each box.
  • In the top right bar, click on the switch icon “Turn OFF Services”.

3. Disable Google Drive Add-ons/Offline Access

  • In the “Apps” section > Go to “Google Apps” > Select Drive > Data Access
  • Uncheck “Allow users to enable offline Docs”.
  • Uncheck “Allow users to install Google Docs add-ons from add-ons store”.

4. Disable Gmail Offline Storage/Automatic Forwarding

  • In the “Apps” section > Go to “Google Apps” > Gmail > User settings
  • Scroll down to the “End User Access” section.
  • Uncheck “Enable Offline Gmail for my users”.
  • Uncheck “Allow users to automatically forward incoming email to another address”.

5. Disable “Additional Google Apps” not covered by the BAA

  • In the “Apps” section > Go to “Additional Google Apps”.
  • Select each service by hovering over each icon and checking each box.
  • In the top right bar, click on the switch icon “Turn OFF Services”.

6. Disable Marketplace apps

  • In the “Apps” section > Go to “Marketplace Apps”
  • Select the three-dot menu in the upper right then choose “Manage Apps”.
  • Select either the “Do not allow..” or “Allow users to install only whitelisted applications” option.

Audit Logging & Backup

Using Google Apps Vault:

Vault allows you to retain, archive, search, and export your organization’s emails. You can receive audit reports based on user actions and place legal holds on user accounts. By default, many user actions are audit logged automatically. You can also set custom alerts and define reporting settings in order to monitor for suspicious activity.
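The settings disabled in the lock-down steps above can be silently switched back on by any administrator, so the audit log is worth monitoring for exactly that. The following is an added example (not from the original post or from Google) of a small Python check that scans Admin audit-log entries in the Reports API activity shape and flags two kinds of drift: a service outside the BAA-covered set being turned on, and one of the disabled settings being re-enabled. The sample entries are constructed, and the event and parameter names (TOGGLE_SERVICE_ENABLED, CHANGE_APPLICATION_SETTING, SERVICE_NAME, SETTING_NAME, NEW_VALUE) as well as the service and setting labels are assumptions that should be verified against a real export before use.

```python
import json

# Services the Google BAA covers, as listed in the post. The exact SERVICE_NAME
# strings are an assumption; compare them with a real audit export.
BAA_COVERED = {"Gmail", "Calendar", "Drive and Docs", "Sites", "Google Vault"}

# Settings the lock-down steps turn off; any of them flipping back to true is drift.
LOCKED_SETTINGS = {
    "Allow users to enable offline Docs",
    "Allow users to install Google Docs add-ons from add-ons store",
    "Enable Offline Gmail for my users",
    "Allow users to automatically forward incoming email to another address",
}

def _params(event):
    """Flatten an event's parameter list into a name -> value dict."""
    return {p["name"]: p.get("value", p.get("boolValue")) for p in event.get("parameters", [])}

def _is_true(v):
    return v is True or str(v).lower() == "true"

def find_drift(activities):
    """Return (time, actor, description) for each admin event that undoes the lock-down."""
    findings = []
    for act in activities:
        when, who = act["id"]["time"], act["actor"]["email"]
        for ev in act.get("events", []):
            p = _params(ev)
            if not _is_true(p.get("NEW_VALUE")):
                continue  # only transitions to "on" matter for this check
            if ev["name"] == "TOGGLE_SERVICE_ENABLED":
                svc = p.get("SERVICE_NAME", "?")
                if svc not in BAA_COVERED:
                    findings.append((when, who, f"service enabled outside BAA: {svc}"))
            elif ev["name"] == "CHANGE_APPLICATION_SETTING":
                setting = p.get("SETTING_NAME", "?")
                if setting in LOCKED_SETTINGS:
                    findings.append((when, who, f"locked setting re-enabled: {setting}"))
    return findings

# Constructed sample entries in the Reports API activity shape (not a real export).
SAMPLE_ACTIVITIES = json.loads("""[
 {"id": {"time": "2016-03-01T10:00:00Z"}, "actor": {"email": "admin@example.com"},
  "events": [{"name": "TOGGLE_SERVICE_ENABLED", "parameters": [
     {"name": "SERVICE_NAME", "value": "Hangouts"}, {"name": "NEW_VALUE", "value": "true"}]}]},
 {"id": {"time": "2016-03-01T10:05:00Z"}, "actor": {"email": "admin@example.com"},
  "events": [{"name": "TOGGLE_SERVICE_ENABLED", "parameters": [
     {"name": "SERVICE_NAME", "value": "Gmail"}, {"name": "NEW_VALUE", "value": "true"}]}]},
 {"id": {"time": "2016-03-02T09:30:00Z"}, "actor": {"email": "helpdesk@example.com"},
  "events": [{"name": "CHANGE_APPLICATION_SETTING", "parameters": [
     {"name": "SETTING_NAME", "value": "Enable Offline Gmail for my users"},
     {"name": "OLD_VALUE", "value": "false"}, {"name": "NEW_VALUE", "value": "true"}]}]},
 {"id": {"time": "2016-03-02T11:00:00Z"}, "actor": {"email": "admin@example.com"},
  "events": [{"name": "TOGGLE_SERVICE_ENABLED", "parameters": [
     {"name": "SERVICE_NAME", "value": "YouTube"}, {"name": "NEW_VALUE", "value": "false"}]}]}
]""")
```

Running `find_drift(SAMPLE_ACTIVITIES)` reports the Hangouts enablement and the offline-Gmail change, while the Gmail enablement (covered by the BAA) and the YouTube disablement are left alone.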

Google Vault is available to users that are part of Google Apps Unlimited and costs $10/month per user, rather than the typical $5/month for Google Apps For Work.

Unfortunately, Vault does not archive files from Google Drive. You can still search and create alerts for suspicious activity on Drive, but backup functionality is currently missing. I recently called Google Apps and was told that they plan to release archiving and backup features in their next release, but was not given a definitive date. (JN- Dash)

You can learn more about Vault’s functionality here.

(Figure: Google Vault’s retention support)

Currently, Google does not include automatic retention (for Drive), backup functions for disaster recovery, or advanced auditing and file-level security. Several third-party providers currently offer solutions:

Backupify offers automatic retention of Gmail, Drive, Calendar, Contacts, and Sites. The service allows your organization to retain and restore all files, emails, etc created by users. Backupify may be a great option for augmenting Google Vault’s missing functionality, or backing up all of your organization’s data for disaster recovery.

CloudLock offers advanced auditing and advanced file-level security for Google Apps.

Encrypting Email

Emails sent from Gmail are insecure without additional encryption measures.

Google Apps does not automatically encrypt/secure emails. This means that just signing Google’s BAA does not make Gmail secure and HIPAA compliant.

There are several services available that provide email encryption for Gmail.

  1. Google Apps Message Encryption (GAME) is a service offered by Google, in partnership with ZixCorp. Pricing is based on the number of users.
  2. Virtru offers email encryption with simple browser extensions for Chrome and Firefox and support for Gmail. Their pro version provides encryption and HIPAA compliance needs for $5/month per user.

Using Other Google Apps In Your Organization

The Google BAA only covers a certain set of Google Apps (Currently: Gmail, Calendar, Drive, Sites, and Vault).

This means that protected health information (PHI) should not be sent, received, or stored within any other Google Apps services (i.e. Hangouts, YouTube, etc.). In the steps above, we disabled all Google Apps and add-ons that are not covered by the BAA. This is the safest way to ensure PHI is handled securely.

If your team is interested in using other Google App services outside of the realm of PHI and HIPAA compliance, Google supports the creation of different classes of permissions using “organizational units” that dictate which users have access to different apps. You can read more about creating user policies here.

Conclusion

Google provides any admin of Google Apps For Work the ability to sign a Business Associate Agreement (BAA). This agreement provides a framework for ensuring that your Google services are secure and follow HIPAA guidelines.

Ultimately, it is up to your team to implement the appropriate protections: encrypt email communications, and audit log and back up any sensitive data. For more information, review the Google Apps HIPAA Implementation Guide.

Dash is building an SDK for developers to easily implement HIPAA security protections and ensure clinical-level security.

See more posts/tutorials at blog.dashsdk.com & learn about our mission at www.dashsdk.com.
