A comprehensive guide to implementing HIPAA compliance for Google Workspace, based on Google's official HIPAA Implementation Guide (February 2024) and industry best practices.
This information is provided for general educational and informational purposes only. It should not be considered as legal advice or a definitive guide for HIPAA compliance.
Important Notes:
- The information shared is based on Google's official HIPAA Implementation Guide (February 2024) and general best practices
- Each healthcare organization has unique compliance requirements and should:
  - Consult with qualified legal counsel and compliance experts
  - Conduct their own risk assessments
  - Develop policies and procedures specific to their needs
  - Ensure proper implementation and ongoing monitoring
- HIPAA regulations and Google Workspace features may change over time
- Organizations are solely responsible for their own HIPAA compliance
- Having technical controls in place does not guarantee HIPAA compliance
Always refer to the latest official documentation from Google and consult with appropriate professionals before implementing any HIPAA-related configurations or policies.
| # | Task |
|---|---|
| 1 | Sign a BAA with Google |
| 2 | Configure OUs and restrict Non-Core Services for PHI users |
| 3 | Apply sharing and access controls for Gmail, Drive, Calendar, and other Core Services |
| 4 | Implement DLP rules to prevent PHI exposure |
| 5 | Train users on HIPAA compliance and Google Workspace security |
| 6 | Monitor audit logs and configure alerts for suspicious activity |
| 7 | Maintain documentation and evidence for audits |
| 8 | Regularly review and update policies |
Objective: Confirm whether your organization needs a Business Associate Agreement with Google.
Steps:
- Confirm whether your organization is a HIPAA-covered entity or business associate
- If required, sign a Business Associate Addendum (BAA) with Google Workspace
- This is mandatory for using Google Workspace with Protected Health Information (PHI)
Objective: Document how PHI will be handled in your organization.
Steps:
- Document how PHI will be used, stored, and transmitted within Google Workspace
- Identify which users, departments, and workflows will handle PHI
Objective: Establish clear ownership of compliance efforts.
Steps:
- Designate a HIPAA Compliance Officer and Google Workspace Administrator to oversee compliance efforts
- Ensure all users handling PHI are trained on HIPAA requirements
Objective: Select the appropriate Google Workspace subscription.
Considerations:
- Take into account Google Workspace capabilities such as:
  - Data Loss Prevention (DLP)
  - Security Health checks
  - Security Investigation tool
  - Google Vault
  - And other security features

Reference: Detailed comparison of Google Workspace Subscriptions
Objective: Restrict services to only those covered under the BAA.
Steps:
- Use the Admin Console to disable Non-Core Services for users handling PHI
- Create Organizational Units (OUs) to separate users who handle PHI from those who do not
- Configure service access for each OU to ensure only HIPAA-compliant services are enabled for PHI users. Core Services (covered by the BAA):
  - Gmail
  - Calendar
  - Drive (Docs, Sheets, Slides, Forms)
  - Google Chat
  - Google Meet
  - Keep
  - Sites
  - Jamboard
  - Tasks
  - Vault
  - Google Cloud Search
  - Google Voice (managed users only)
- Disable all Non-Core Services (e.g., YouTube, Google Photos, Blogger)
- Disable any Core Services where PHI is not permitted (e.g., Google Contacts)
Objective: Implement proper data sharing controls.
Steps:
- Configure sharing settings for each service in the Admin Console
- Periodically review sharing reports in the Security Center to ensure compliance
- Drive:
  - Set default file visibility to Private
  - Restrict external sharing of files and folders
  - Disable sharing with external domains unless explicitly required
  - Use Data Loss Prevention (DLP) rules to prevent PHI from being shared inappropriately
- Calendar:
  - Set default sharing to "Only free/busy information" for external users
  - Encourage users to mark calendar entries containing PHI as Private
- Chat:
  - Disable external communication for users handling PHI
  - Create separate Chat Spaces for PHI-related discussions
  - Avoid using PHI in room names
- Meet:
  - Restrict external guest access to meetings involving PHI
  - Disable anonymous guest participation
- Sites:
  - Restrict publishing of Sites containing PHI to internal users only
- Jamboard:
  - Restrict sharing of Jamboard files to internal users only
Objective: Establish robust security measures.
Steps:
- Use the Security Health Tool to identify and address security gaps
- Regularly review audit logs and configure alerts for suspicious activity
- Enforce 2-Step Verification (2SV) for all users
- Use Security Keys for high-risk accounts
- Use Context-Aware Access to restrict access based on user location, device, and IP address
- Limit admin privileges to only those who need them
- Enable and monitor audit logs for all services, including Gmail, Drive, and Admin activity
- Ensure data is encrypted in transit and at rest (Google Workspace provides this by default)
Objective: Segregate PHI and non-PHI users.
Steps:
- Set up OUs in the Admin Console
- Test configurations to ensure proper access restrictions
- Separate users who handle PHI into a dedicated OU
- Configure service access and sharing settings specific to each OU
- Disable services like YouTube, Google Photos, and other Non-Core Services for the PHI OU
- Use the Admin Console to apply security and sharing policies to each OU
Objective: Prevent unauthorized PHI exposure.
Steps:
- Configure DLP rules in the Admin Console
- Train users on how DLP policies work
- Configure DLP rules to detect and prevent sharing of PHI in Gmail, Drive, and Chat
- Use predefined templates for HIPAA compliance or create custom rules to identify sensitive data (e.g., Social Security Numbers, medical record numbers)
- Simulate DLP rules to ensure they are correctly identifying and blocking PHI
- Regularly review DLP reports to identify potential violations
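The "simulate before enforcing" step above, as an added example that is not part of this guide or of Google's DLP product: a dry run of a custom rule over constructed messages, with an SSN detector, a constructed MRN format, and block/warn/allow thresholds that are assumptions for illustration.

```python
"""Dry-run a custom PHI detection rule before enforcing it on Gmail/Drive/Chat.

Added example, not part of the guide. Google Workspace DLP rules are configured
in the Admin Console; this only models the rule logic so it can be tested on
sample content first. Thresholds and the MRN format are constructed assumptions.
"""
import re

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# Constructed MRN format for the example organisation: 'MRN' plus 7 digits.
MRN_RE = re.compile(r"\bMRN[- ]?(\d{7})\b")


def valid_ssn(area: str, group: str, serial: str) -> bool:
    """Reject structurally invalid SSNs (SSA format rules) to cut false positives."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def count_matches(text: str) -> dict:
    """Count validated SSNs and MRNs in one piece of content."""
    ssns = sum(1 for m in SSN_RE.finditer(text) if valid_ssn(*m.groups()))
    return {"ssn": ssns, "mrn": len(MRN_RE.findall(text))}


def evaluate(text: str, audit_only: bool = True) -> dict:
    """Rule: block on any SSN or two or more MRNs, warn on a single MRN, else allow.

    In audit-only mode (simulation) the decision is recorded but never enforced.
    """
    counts = count_matches(text)
    if counts["ssn"] >= 1 or counts["mrn"] >= 2:
        action = "block"
    elif counts["mrn"] == 1:
        action = "warn"
    else:
        action = "allow"
    return {"counts": counts, "action": action,
            "enforced": "allow" if audit_only else action}


# Constructed sample content for the dry run.
SAMPLES = {
    "referral": "Patient MRN-1234567 referred to cardiology; SSN on file 219-09-9999.",
    "reminder": "Reminder: MRN 7654321 has an appointment on Tuesday.",
    "invalid": "Order 000-12-3456 is not an SSN, and neither is 666-45-6789.",
    "newsletter": "Clinic picnic on Friday!",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, evaluate(text))
```

Run the rule in audit-only mode over a representative sample of real content and review the recorded decisions before switching `audit_only` off.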
Objective: Ensure all users understand their compliance responsibilities.
Steps:
- Develop a training program for HIPAA compliance
- Track user completion of training
- Provide mandatory HIPAA training for all users handling PHI
- Include specific training on Google Workspace security and sharing settings
- Conduct regular refresher training sessions
- Share updates on new features or changes to Google Workspace policies
Objective: Maintain continuous compliance monitoring.
Steps:
- Set up alerts in the Admin Console
- Schedule periodic audits and document results
- Configure alerts for suspicious activity, such as unauthorized access or data sharing
- Use the Admin Console to set up notifications for key events (e.g., password changes, new admin accounts)
- Regularly review audit logs for Gmail, Drive, and Admin activity
- Use the Security Center to identify trends and potential risks
- Perform regular internal audits to ensure compliance with HIPAA policies
- Document findings and corrective actions
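The audit-log review and alerting described above, as an added example that is not code from this guide or from Google: a check run over constructed Drive audit events that flags PHI-OU files shared externally or by link. The event shape is a simplified approximation of Admin SDK Reports API Drive activity records, and the domain, OU path and events are constructed assumptions.

```python
"""Flag Drive audit events that expose files owned by PHI-OU users outside the org.

Added example, not part of the guide. The flattened event shape below is an
assumption (a simplification of Reports API Drive activity records); the
domain, OU path and events are constructed for illustration.
"""
ORG_DOMAIN = "example-clinic.test"      # constructed
PHI_OU_PATH = "/Clinical/PHI Users"     # constructed OU holding PHI users
RISKY_VISIBILITY = ("people_with_link", "public_on_the_web")

# Constructed sample events (simplified Drive audit log records).
SAMPLE_EVENTS = [
    {"time": "2024-03-01T09:00:00Z", "actor": "nurse@example-clinic.test",
     "ou": "/Clinical/PHI Users", "event": "change_user_access",
     "params": {"doc_title": "Intake form 2024",
                "target_user": "dr@example-clinic.test", "visibility": "private"}},
    {"time": "2024-03-01T09:05:00Z", "actor": "nurse@example-clinic.test",
     "ou": "/Clinical/PHI Users", "event": "change_user_access",
     "params": {"doc_title": "Lab results - J. Doe",
                "target_user": "someone@gmail.test", "visibility": "shared_externally"}},
    {"time": "2024-03-01T22:40:00Z", "actor": "billing@example-clinic.test",
     "ou": "/Clinical/PHI Users", "event": "change_document_visibility",
     "params": {"doc_title": "Claims batch", "visibility": "people_with_link"}},
    {"time": "2024-03-01T10:00:00Z", "actor": "marketing@example-clinic.test",
     "ou": "/Marketing", "event": "change_user_access",
     "params": {"doc_title": "Brochure",
                "target_user": "agency@partner.test", "visibility": "shared_externally"}},
]


def is_external(email: str) -> bool:
    """True when the address is outside the organisation's primary domain."""
    return not email.lower().endswith("@" + ORG_DOMAIN)


def findings(events, phi_ou=PHI_OU_PATH):
    """Return (severity, reason, event) for events that breach the PHI-OU sharing policy."""
    out = []
    for ev in events:
        if not ev["ou"].startswith(phi_ou):
            continue  # policy applies only to users in the PHI OU
        p = ev["params"]
        if p.get("visibility") in RISKY_VISIBILITY:
            out.append(("high", "link/public visibility on PHI-OU file", ev))
        elif ev["event"] == "change_user_access" and is_external(p.get("target_user", "")):
            out.append(("high", "PHI-OU file shared with external account", ev))
    return out


def actors_to_alert(events):
    """Actors with at least one finding, for routing an alert to the compliance officer."""
    return sorted({f[2]["actor"] for f in findings(events)})
```

The same logic can be pointed at exported Reports API activity once the records are flattened to this shape.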
Objective: Prepare for audits and maintain compliance documentation.
Steps:
- Create a compliance documentation repository
- Periodically download and archive audit reports
- Maintain written policies for Google Workspace configurations and HIPAA compliance
- Include details on how PHI is protected and monitored
- Store audit logs and DLP reports for the required retention period (e.g., 6 years for HIPAA)
- Use the Compliance Reports Manager to download Google Workspace audit reports (e.g., SOC 2, ISO 27001)
- Maintain evidence of user training and security configurations
Objective: Keep policies current with regulatory and platform changes.
Steps:
- Subscribe to Google Workspace updates
- Schedule regular policy reviews
- Regularly review updates to Google Workspace services and HIPAA regulations
- Adjust configurations as needed to maintain compliance
- Periodically test security and sharing settings to ensure they are functioning as intended
- Revise policies and procedures to reflect changes in Google Workspace or HIPAA requirements
| File | Description |
|---|---|
| README.md | This implementation guide |
| google-workspace-hipaa-implementation.xlsx | Detailed implementation checklist spreadsheet |
- Google Workspace HIPAA Compliance
- Google Workspace BAA
- Compare Google Workspace Editions
- Google Workspace Security Center
- Data Loss Prevention (DLP) for Google Workspace
- Google Workspace Admin Help
This guide is provided for informational purposes. Please consult with legal and compliance professionals for your specific implementation needs.
Contributions to improve this guide are welcome. Please submit issues or pull requests with suggested improvements.