HIPAA IT Compliance – G Suite
For many companies, moving to the cloud is supposed to solve many of the headaches they have with compliance and regulatory agencies. Cloud hosting offers redundancy and protection, an area where some businesses fall short. However, when it comes to the Health Insurance Portability and Accountability Act of 1996, best known as HIPAA, many cloud services are lacking and are not ready for HIPAA IT compliance. Google G Suite, however, has worked hard to be one of the few providers that is.
Making G Suite HIPAA compliant is easy.
Google published a guide to making their G Suite service HIPAA compliant. The lengthy explanation includes sharing settings for Drive and calendars. They also recommend that users have strong passwords with a combination of upper- and lower-case letters, numbers, and special symbols. In addition to strong passwords, Google suggests that all users turn on two-step authentication at sign-in.
To make securing G Suite accounts less confusing, here are five primary ways to ensure G Suite is HIPAA compliant.
Sign an Agreement with Google
Google strives to make their service as secure as possible. However, they cannot guarantee HIPAA compliance if there is no agreement in place stating that the account needs these protections.
Google’s Business Associate Agreement covers only some of the apps G Suite offers. Apps covered for Personal Health Information (PHI) under the agreement include:
- Gmail
- Calendar
- Google Hangouts (chat messaging feature only)
- Hangouts Meet
- Drive (including Docs, Sheets, Slides, and Forms)
- Keep
- Google Cloud Search
- Sites
- Vault
At this time, the business associate agreement does not cover Google Groups, Contacts, or Google+ for PHI.
Monitor Access
HIPAA compliance is not something you can turn on and forget about. The administrator console contains reports and logs that let you tell at a glance where potential security risks may be. Reports show you how frequently employees access and share data. These reports also measure user collaboration on a given file, show who signs in, and even analyze administrative activity.
To help lower the risk of lost information due to unauthorized activity, Google provides alert notifications. Whenever Google detects activity such as a suspended user, a new user, or a suspicious login, administrators can review the event. You can also set notifications for when a suspended user is made active again and when a new user is added.
Installing third-party software designed to scan for shared files with sensitive information is another way to ensure all data remains secure.
Set Restricted Settings
With a signed business associate agreement, Google helps you protect HIPAA confidential information in their core applications. You can do more by choosing restrictive settings when creating user accounts. In Google Drive, turn off automatic link sharing by choosing the option Specific People, which allows only invited individuals to view the document. You can then leave control of link sharing with the Drive user or reserve it for administrators only.
Gmail allows individuals to restrict shared Drive files further. The sender can choose to limit the recipient’s ability to view only rather than edit or comment on the document. Senders can also restrict access to those with Gmail accounts.
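The monitoring and sharing-restriction advice above can be checked mechanically. The following is an added example, not Google's or CloudAlly's code: it walks Drive file records in the shape of Drive API v3 `files.list` output (with the `permissions` field requested) and flags every file shared more broadly than "Specific People" inside the organisation. The domain name and the sample records are constructed for illustration.

```python
# Added example (not Google's or CloudAlly's code): flag Drive files whose
# sharing is broader than "Specific People" inside the organisation. Records
# follow the shape of Drive API v3 files.list output with `permissions`
# requested; the sample records below are constructed.

INTERNAL_DOMAIN = "example-clinic.test"  # assumed organisation domain

SAMPLE_FILES = [  # constructed sample data
    {"name": "intake-form.pdf", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "nurse@example-clinic.test"},
        {"type": "anyone", "role": "reader", "allowFileDiscovery": False}]},
    {"name": "staff-rota.xlsx", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "admin@example-clinic.test"},
        {"type": "domain", "role": "writer", "domain": "example-clinic.test"}]},
    {"name": "lab-results.docx", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "doc@example-clinic.test"},
        {"type": "user", "role": "commenter", "emailAddress": "contractor@outside.test"}]},
]


def sharing_findings(record, internal_domain=INTERNAL_DOMAIN):
    """Return (severity, reason) tuples for every permission wider than invited internal people."""
    findings = []
    for perm in record.get("permissions", []):
        ptype, role = perm.get("type"), perm.get("role")
        if ptype == "anyone":
            # Link sharing is on: the URL alone grants access, optionally even via search.
            how = "discoverable by search" if perm.get("allowFileDiscovery") else "anyone with the link"
            findings.append(("high", f"{how} ({role})"))
        elif ptype == "domain" and perm.get("domain", "").lower() != internal_domain:
            findings.append(("high", f"external domain {perm.get('domain')} ({role})"))
        elif ptype in ("user", "group"):
            email = perm.get("emailAddress", "").lower()
            if not email.endswith("@" + internal_domain):
                findings.append(("medium", f"external account {email} ({role})"))
    return findings


def audit(files, internal_domain=INTERNAL_DOMAIN):
    """Map file name -> findings; files restricted to specific internal people are omitted."""
    return {rec["name"]: f for rec in files
            if (f := sharing_findings(rec, internal_domain))}


if __name__ == "__main__":
    for name, items in audit(SAMPLE_FILES).items():
        for severity, reason in items:
            print(f"[{severity}] {name}: {reason}")
```

Run against a real export of file permissions, the report lists exactly the files an administrator would need to re-share as "Specific People" before they may hold PHI.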
Consider Separating Users within the Domain
Many companies using G Suite segregate employees who work with HIPAA-sensitive documents from those who do not. Creating different groups allows administrators to manage which groups have access to specific Google services.
Smaller companies may be able to get away with creating two groups, one that handles HIPAA-sensitive documents and one that does not. Administrators can restrict the group with sensitive documents, blocking them from services such as Google+ and YouTube, while the other group keeps permissions for all G Suite services.
Companies can create as many groups as they want, segregating their employees’ accounts further if they choose. While an entire HR department may have access to HIPAA-sensitive files, only a few actually work with those documents. You may have the HR department as one group and create another group containing just those employees who handle sensitive information. You can do the same with each department.
Backup Sensitive Information
Data loss is no laughing matter, and when it comes to confidential information it is even more serious. You should have a HIPAA-compliant backup service assisting in the protection of all your PHI files.
CloudAlly is a HIPAA-compliant backup service. Becoming ISO 27001 certified allowed us to begin offering backup for patient-sensitive documents and information. We comply with all federal guidelines on handling this information, including every aspect of data handling when backing up, access authorization, and encryption. For companies that require a business associate agreement, we can provide one on request.
At CloudAlly, we back up all your files automatically, giving you peace of mind that important HIPAA-controlled documents are never lost or corrupted.
Try it free for 15 days, no credit card required for signup.