If you’re a health care professional, you likely send email, save documents, and schedule appointments. In the U.S., HIPAA mandates that you take steps to secure a person’s “protected health information”, or PHI.
Too often, an organization allows people to store PHI data on laptops. When a laptop is lost or stolen, the organization is liable for the data loss. A cloud system reduces this risk: data resides online, not on the laptop.
Google Apps offers a robust set of communication and collaboration tools for healthcare professionals. Properly configured, Google Apps will let you send, save, and schedule securely.
The checklist below is not comprehensive, but it does cover much of what you’ll need to secure Google Apps for use with PHI to comply with HIPAA. Standard security practices also apply. For example, you should require strong passwords and require 2-step authentication. And, while Google provides several tools, you may need a few more.
That said, here are a few steps to take to configure Google Apps for HIPAA compliant use. (The list assumes that you are a Google Apps administrator.) Review this list with your HIPAA compliance team.
1. Sign the agreement
Google will sign a HIPAA business associate agreement (BAA) with an organization that wishes to use Google Apps to store PHI. The BAA covers Gmail, Google Calendar, Drive and Vault. (Review the terms and sign the agreement here.)
2. Limit apps
To reduce risk, disable access to apps, add-ons, and Marketplace apps from the Google Apps admin console. Login to admin.google.com to access the following items from the admin dashboard:
- Disable Google Apps not covered by the BAA (Go to “Google Apps”, select the box to the left of each service, then choose “Turn Off services” switch above the column listing).
- Disable “More Google Apps” not covered by the BAA (Go to “More Google Apps”, select the box to the left of each service not covered, then choose “Turn Off services” switch above the column listing).
- Disable add-ons (Go to “Google Apps” > Drive > General settings > uncheck “Allow users to install Google Docs add-ons”)
- Disable Marketplace apps (Go to “Marketplace Apps”, select the vertical three-dot menu in the upper right then choose “Manage Apps”; select either the “Do not allow” or “...only whitelisted applications” option)
Disable offline storage for:
- Gmail (“Google Apps” > Gmail > User settings > Offline Gmail)
- Drive (“Google Apps” > Drive > General settings > Offline)
3. Add email encryption
Google encrypts messages in transit wherever possible, but not all email providers do. So, unless otherwise confirmed, email should be considered neither private nor secure.
Purchase a third-party service to improve the confidentiality and security of email communication with patients. Google partners with ZixCorp to provide Google Apps Message Encryption. The service encrypts email between Zix users and provides a portal for secure message access by other recipients.
4. Audit access
Regularly review account access and shared file reports in the Google Apps admin console. (Login to admin.google.com, choose Reports.) You may also “Manage Alerts” to receive a notification for significant account or settings changes. Unfortunately, most of the reports are general: for example, file sharing reports only the total number of files shared.
Add a third-party service, such as CloudLock, to monitor PHI in shared Drive documents. You may configure CloudLock to scan for specific information, then take action when a Drive document matches that information. For example, CloudLock might scan for publicly shared documents containing a Social Security number; once discovered, a document with such info may either be reported or set to private.
5. Add backup
Backup Google Apps to protect patient data from accidental deletion. While Google Apps provides high-reliability and effective recovery options, people may still delete or change data accidentally. A backup ensures you can always recover data.
Backupify will sign a BAA for customers who want it. That way, your organization would have a BAA to cover your Google Apps data at both Google and Backupify. (In case you missed it, Backupify recently achieved HIPAA compliance.)
Take the time to secure Google Apps for Work today. When configured correctly, Google Apps will help protect your patients’ health information—and your organization—from a potentially costly data loss.
What additional steps have you taken to secure PHI in Google Apps?