Top 10 Things to Ensure HIPAA Compliance With Google Apps for Work
HIPAA, the Health Insurance Portability and Accountability Act, sets the rules for how Protected Health Information (PHI) is handled in the United States. It applies to covered entities such as health care providers, health plans and clearinghouses, to employers that sponsor group health plans, and to any business associate that stores, processes or electronically transmits PHI on their behalf.
The HHS HIPAA site offers an explainer of the Security Rule’s technical safeguards, but the language is murky and hard to follow even for a seasoned IT professional. If you are wondering what the top items are to make your Google Apps communications HIPAA compliant, we’ve rounded them up in plain terms here.
Sign The Business Associate Agreement With Google
The first step is to sign the Business Associate Agreement (BAA) that Google offers. You must request and sign the BAA before using Google Apps for Work for any Protected Health Information (PHI). Note that the BAA only covers the services Google lists in it, and signing it does not by itself make your domain compliant: the remaining items on this list are about configuring the suite so PHI stays within the covered services. You can find out more about the BAA from Google.
Disable Offline Storage for Gmail and Drive
Go into “User Settings” for Gmail and “General Settings” for Drive and turn off offline storage. Offline mode keeps local copies of mail and files on the user’s hard drive, where they sit outside the access controls and audit trail of your Google Apps domain and may be unencrypted; turning it off prevents PHI from being cached there.
Install Google Message Encryption
Shut Off Any Google Apps Not Covered by Google’s BAA
When you receive your BAA from Google, you’ll get a list of the Google Apps it covers. PHI must not be placed in any service outside that list, so shut off the rest: in the Admin console, under Google Apps and More Google Apps, select each uncovered app and choose “Turn Off Services” beside its listing.
Turn Off Marketplace Apps
Apps in the Marketplace are third-party software and are not covered by Google’s BAA, so they must not be allowed to touch PHI. Prevent users from installing them by going to “Marketplace Apps”, then “Manage Apps”, and selecting “Do not Allow”.
Audit User Activity With Google’s Reporting Tools
Google already provides a suite of reporting tools that let you audit user and administrator activity. Turn on notifications for sensitive actions, such as granting admin privileges or turning a service back on, so that you receive an email when something that may indicate suspicious activity occurs, and review the reports regularly rather than only when an alert fires. If you want more detailed audits than Google provides, ask us about appropriate third-party services that are HIPAA-compliant.
Add a Reliable HIPAA-Compliant Backup Tool – Backupify
You must protect PHI from loss and deletion, whether accidental or malicious. Backupify is a HIPAA-compliant backup service that offers its own BAA to clients who purchase the service; sign that BAA too, since the backup provider becomes a business associate holding copies of your PHI.
Turn Off Add-On Services
Go to Drive, General Settings, and uncheck “Allow Users to install Google Docs Add-ons”. Add-ons are third-party code that runs with access to the contents of a document, so an add-on could send PHI to a party not covered by your BAA.
Lock Down Admin Rights
If you had Google Apps for Work installed before working on HIPAA compliance, you may well have given admin rights to someone who should not have them. Only people who are fully familiar with HIPAA should hold admin rights in Google Apps for Work, and in some cases that means revoking admin rights from top-level personnel. Department heads, for example, should not have admin rights unless the department is IT. Limit admin rights to senior IT personnel and, in some cases, the owner or president of the company, and only once they have completed some level of HIPAA training. Where someone needs only a narrow set of tasks, give them a delegated admin role rather than full super admin rights, and require 2-step verification on every account that keeps admin rights.
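The audit and admin-rights items above come down to two checks you can script rather than eyeball: who currently holds admin rights, and which recent admin audit events deserve an alert. The example below is added here and is not code from the original page or from Google; it runs offline over constructed sample data shaped like the Admin SDK Directory API users list (the `isAdmin` and `isDelegatedAdmin` fields) and the Admin SDK Reports API admin activity feed. The event names in `WATCHED_EVENTS` and the exact parameter names are assumptions modelled on that feed and should be checked against your own domain’s audit log before you rely on them.

```python
"""Review Google Apps admin rights and admin audit events for a HIPAA checklist.

Added example: the sample data below is constructed, not captured from a real
domain. In production you would feed in the output of the Directory API
users.list call and the Reports API activities.list call with
applicationName="admin".
"""
from typing import Dict, Iterable, List, Tuple

# Admin audit event names that should trigger a notification. These names are
# assumptions modelled on the Reports API admin activity feed.
WATCHED_EVENTS: Dict[str, str] = {
    "GRANT_ADMIN_PRIVILEGE": "super admin privilege granted",
    "ASSIGN_ROLE": "admin role assigned",
    "TOGGLE_SERVICE_ENABLED": "a Google service was turned on or off",
    "CHANGE_APPLICATION_SETTING": "an application setting was changed",
}

# Constructed Directory API users (only the fields this check needs).
SAMPLE_USERS = [
    {"primaryEmail": "it-admin@example.com", "isAdmin": True, "isDelegatedAdmin": False},
    {"primaryEmail": "dept-head@example.com", "isAdmin": False, "isDelegatedAdmin": True},
    {"primaryEmail": "clinician@example.com", "isAdmin": False, "isDelegatedAdmin": False},
]

# Constructed Reports API admin activities. Event and parameter names are assumptions.
SAMPLE_ACTIVITIES = [
    {
        "id": {"time": "2015-06-01T14:02:11.000Z", "applicationName": "admin"},
        "actor": {"email": "it-admin@example.com"},
        "events": [{
            "type": "DELEGATED_ADMIN_SETTINGS",
            "name": "GRANT_ADMIN_PRIVILEGE",
            "parameters": [{"name": "USER_EMAIL", "value": "dept-head@example.com"}],
        }],
    },
    {
        "id": {"time": "2015-06-01T14:05:40.000Z", "applicationName": "admin"},
        "actor": {"email": "it-admin@example.com"},
        "events": [{
            "type": "APPLICATION_SETTINGS",
            "name": "TOGGLE_SERVICE_ENABLED",
            "parameters": [
                {"name": "SERVICE_NAME", "value": "Google+"},
                {"name": "NEW_VALUE", "value": "true"},
            ],
        }],
    },
    {
        "id": {"time": "2015-06-01T15:10:02.000Z", "applicationName": "admin"},
        "actor": {"email": "it-admin@example.com"},
        # A routine event that is not on the watch list: no alert expected.
        "events": [{"type": "USER_SETTINGS", "name": "CREATE_USER",
                    "parameters": [{"name": "USER_EMAIL", "value": "new-hire@example.com"}]}],
    },
]


def find_admin_accounts(users: Iterable[dict]) -> List[Tuple[str, str]]:
    """Return (email, kind) for every account holding any admin right, sorted by email."""
    admins = []
    for user in users:
        if user.get("isAdmin"):
            admins.append((user["primaryEmail"], "super admin"))
        elif user.get("isDelegatedAdmin"):
            admins.append((user["primaryEmail"], "delegated admin"))
    return sorted(admins)


def flag_admin_events(activities: Iterable[dict],
                      watched: Dict[str, str] = WATCHED_EVENTS) -> List[dict]:
    """Return one alert per audit event whose name is on the watch list."""
    alerts = []
    for activity in activities:
        actor = activity.get("actor", {}).get("email", "<unknown>")
        when = activity.get("id", {}).get("time", "<unknown>")
        for event in activity.get("events", []):
            name = event.get("name")
            if name not in watched:
                continue
            # Parameters arrive as a list of {name, value}; flatten for readability.
            params = {p["name"]: p.get("value", p.get("boolValue"))
                      for p in event.get("parameters", [])}
            alerts.append({"time": when, "actor": actor, "event": name,
                           "why": watched[name], "parameters": params})
    return alerts


if __name__ == "__main__":
    for email, kind in find_admin_accounts(SAMPLE_USERS):
        print(f"ADMIN  {email:30} {kind}")
    for alert in flag_admin_events(SAMPLE_ACTIVITIES):
        print(f"ALERT  {alert['time']} {alert['actor']} {alert['event']}: "
              f"{alert['why']} {alert['parameters']}")
```

Run it against the sample data and you get two admin accounts listed and two alerts: the privilege grant to the department head, which is exactly the case the admin-rights item warns about, and the re-enabling of a service, which could put a previously shut-off app back in reach of PHI. Review the admin list against your trained, approved administrators and investigate any alert you did not expect.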
Switch from Free to Google Apps for Work
Google does not offer a BAA for its free consumer services, and they lack the admin controls and audit reporting described above, so you cannot make them HIPAA compliant. You’ll need to move from the free services to Google Apps for Work. UpCurve Cloud has installed Google Apps for Work for many satisfied clients, including clients who must adhere to HIPAA.
If you would rather have a company make sure that your Google Apps for Work suite is HIPAA compliant, contact UpCurve Cloud. We have secured communications for many of our clients so that they fall within HIPAA standards.