As customers, we want Google to secure its applications and protect our data. To some extent, we rely on Google’s public statements. Google articulates an overall corporate security philosophy on its website. The company publishes a detailed privacy policy and offers a white paper that addresses “Google’s Approach to IT Security”.

More specifically, Google addresses common concerns on their support pages: Who owns data stored in G Suite? Who at Google can access my data? (The quick answers: you own your data, and only people at Google authorized by the privacy policy terms may access your data.)

G Suite and HIPAA Compliance

If your organization handles Protected Health Information (PHI) in the United States, you’re likely required to protect that information under the Health Insurance Portability and Accountability Act (HIPAA).

The good news is Google will sign a Business Associate Agreement for G Suite with your organization. (Actually, Google requires your organization to do so. As Google’s support page says: “Customers who have not entered into a BAA with Google must not use Google services in connection with PHI”.)

However, the agreement covers just four G Suite services: Gmail, Calendar, Drive, Sites, and Vault. (Google Vault provides archiving and discovery services for compliance purposes.) Learn more from Google about HIPAA compliance and G Suite.

For more information on advanced privacy and security settings for G Suite, Gmail tips, linking and syncing best practices, and mobile device management, check out our eBook: G Suite: Advanced Security Configuration and Compliance