For Immediate Onsite or Remote Support Call: (212) 858-9022

Google Apps: Yes It Can Be HIPAA Compliant

Date: November 9, 2016 Author: Steve Dempsey Category: Uncategorized Tags: , Comments: 0

If you’re a small medical practice or covered entity that needs to be HIPPA compliant you are going to need a secure email system that is not only HIPPA compliant but a signed business associate agreement as well. Office 365 is compliant and will sign a business associate agreement and Google Apps can be made to be compliant as well with some tweaks to security.

Google Apps actually has an online guide to help you through changing your Google Apps for Work, Education and Government account to be compliant and it can be found here. Here is a quick summary of the changes that you are going to need to implement. Disclaimer: This is not a step by step guide but just a summary.



You can configure Google Apps to send alerts when Google detects suspicious activities such as login attempts, a suspended user made active, changed passwords and other activities that might expose PHI (Patient Health Information) which is a HIPPA violation. If configured correctly and using Google’s builtin activity monitor you can get a pretty good summary of trends and actions to help protect your business from being in violation.


To be compliant you should make sure any attachments containing PHI are shared only with the intended recipient. When sharing an attachment directly from Google Drive make sure the “anyone with the link” is not selected and the setting should be changed to Private which means only the person receiving the attachment can open it.

Google Drive

The Google Apps admin should make sure the share settings are secure to protect PHI. Link sharing should be restricted to make sure employees with access to PHI aren’t sharing files to anyone outside of the domain. The default visibility should be set to “Private”.

Admins should also disable the installation of any third party applications and addons to help protect PHI and make sure that a user doesn’t have a right to share another user’s files and folders.

Google Calendar

Any meetings that involve PHI should be exclude any PHI in from titles, descriptions and google Hangout. Admins should also implement “no sharing” for calendars and only display free / busy information when appointments include other people.

Google Sites

Share settings for Google Sites should be set to Private so nobody outside of your Google Apps can see the site. Of course you can get more detailed on a page by page basis when it concerns individual sharing.

Additional Notes

Setup 2-step verification for email accounts to limit the risk of a user account becoming compromised

Organizational units are a good way to keep user accounts in designated containers which can make managing security and user rights more streamline. You can also enable and disable services based on those containers so for example if a group of employees shouldn’t have access to PHI a container can have more restricted controls.

Neotech Networks is an IT consulting and services company located in New York City. Please use this contact form or call 212.858.9022 for a free consultation.