G Suite and HIPAA Compliance: Are You Taking the Right Steps?

For those who are yet unfamiliar, the term “HIPAA compliant emails” refers to emails that contain sensitive medical information yet are also in compliance with specific HIPAA regulations, which help to safeguard said information. Indeed, in an age in which technology is helping to make a vast array of medical services and procedures easier and more accessible than ever, finding ways to secure every patient’s information is vital. With the increased potential for hacks and other security breaches must come increased security efforts as a means of preventing these breaches. That said, the following is at HIPAA compliance as it pertains to G Suite accounts.


[RELATED: Find out how to find the best HIPAA compliant web host for your business.]

HIPAA and G Suite

Simply put, a G Suite account is an account containing an assortment of applications that are most commonly used for professional email purposes but also provide an array of tools for building and strengthening your business. If your business regularly or even occasionally handles an array of sensitive medical information, HIPAA compliance is the best way to protect your business, employees, and customers. Despite the fact that these applications are relatively safe and secure, there are steps that must be taken in order to ensure your account is HIPAA compliant.

  • Identi-PHI — The first step to making your emails HIPAA compliant is to identify everyone who has access to PHI, or personal health information. This is the best way to know whose accounts need extra attention.
  • Create Organizational Units for Compliance (or Not) — From there, you will then decide whether it’s necessary to create organizational units in order to promote/protect this compliance. This means you may make certain apps or features available to only certain employees. These employees would be added to “units” as a means of making sure only certain people have access to sensitive information.
  • Review Additional Services — You will then need to review the other additional services. After uncovering unused apps, be sure to set those to "Off." On the flip side, if there are additional apps that will only be used by certain members, set those to “restricted.”
  • Review Core Apps — You will also want to give some consideration to items such as “contacts,” “groups,” “hangouts” and other similar apps. Since Google does not permit the use of PHI with these services, you may want to restrict if not get rid of them (by making them off-limits) altogether.
  • Configure Core Settings — Next, you will want to review and configure the settings for the core apps. These include the calendar, Gmail, Drive and Docs, and Sites. Yet another step in securing your company’s data, changing the configuration for these services is vital as it also allows you to manage visibility options for files, attachments, calendar events and pages on sites.
  • Secure Devices — Lastly, you will want to secure all devices that may have access to your company’s data. For instance, requiring two-step authentication, requiring login info on mobile devices, and configuring your systems to virtually lock, locate and erase information are all great ways to secure associated devices.
There are plenty of reasons your company might want to gain and maintain HIPAA compliance. Following these steps is essential to securing your system and data for the long haul.

Your FREE Guide to HIPAA Compliant Hosting


Not to scare you, but the federal government takes the protection of health information very seriously. So serisouly, in fact, that if you violate HIPAA regulations, you can face a major fine or even jail time. Yikes! Luckily, this guide tells you everything you need to know about HIPAA Compliant Hosting.

Download Now