Many companies are making a big mistake regarding Google Workspace and HIPAA. They think that all they have to do is sign a HIPAA Business Associate Agreement (BAA) with Google and they are suddenly HIPAA compliant. Google Workspace and Cloud Identity offer a data processing amendment (DPA) and model contract clauses (MCCs) to meet the adequacy and security requirements of the European Union General Data Protection Regulation (GDPR). For customers with HIPAA compliance requirements, Google offers a Business Associate Amendment. Google will enter into business associate agreements with customers where required under HIPAA. The Google Cloud platform was built under the leadership of a security team of more than 700 people, larger than most in-house security teams. Specific details about our approach to security and data protection, including the organizational and technical controls with which Google protects your data, can be found in the Google Security Whitepaper and the Google Infrastructure Security Design Overview.

Larry – thank you for your comments. I would agree with you on the free service. The reality is that many small organizations use Gmail, Hotmail, AOL and Yahoo for free for e-mail. We wanted to clarify that, although Google will now sign a BAA, these organizations must migrate from the free services to the paid services to be compliant.

We didn't want people to hear that Google is going to sign a BAA and think that continued use of free Gmail would make them compliant.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that sets data protection and security requirements for organizations responsible for safeguarding protected health information (PHI). These organizations meet the definition of “covered entities” or “business associates” under HIPAA. Administrators of Google Apps for Business, Education and Government can request a BAA before using Google services with PHI. Google offers Vault services for Gmail, Google Calendar, Google Drive and Google Apps. The BAA allows covered entities and business associates to enter into an agreement with Google that governs the handling of PHI in Google Cloud. In addition to documenting our approach to security and privacy by design, Google regularly undergoes several independent third-party audits so that clients can rely on an external review (reports and certificates are linked below). This means that an independent auditor has reviewed the controls in our data centers, infrastructure and operations.

Google has annual audits for the following standards:

To execute a BAA, organizations that use Google Cloud need to talk to their account managers. Sign in to an account with super-administrator privileges (don't end up in

Hello, just wanted to clarify for those who are not familiar with Google Apps paid for business: it includes Gmail, Calendar, Drive, etc. (The article may have misled some people into thinking it was a different suite of applications.)

It should be noted, however, that users with a free address are not part of Google Workspace. In other words, from a HIPAA compliance perspective, it is important to note that Google Keep for Gmail is not HIPAA compliant, while Google Keep for Google Workspace can be configured to be HIPAA compliant.