Unfortunately, the company Ted was working with to set up Google Workspace didn't know much about HIPAA. They helped Ted sign a HIPAA BAA, but that's it. Too bad Ted didn't get our "17-Step Guide on Gmail and HIPAA Compliance" checklist.

Customers who are subject to HIPAA and wish to use Google Cloud products in conjunction with PHI must review and accept Google's Business Associate Agreement (BAA). Google ensures that the Google products covered by the BAA meet HIPAA requirements and are based on its ISO/IEC 27001, 27017 and 27018 certifications, as well as SOC 2 reports. Administrators must review and accept a BAA before using Google services with PHI.

Find out which Google Workspace products can be used for HIPAA compliance. Google offers a BAA for Gmail, Google Calendar, Google Drive (including Docs, Sheets, Slides and Forms), Google Hangouts (chat messaging feature only), Hangouts Chat, Hangouts Meet, Google Keep, Google Cloud Search, Google Sites, Google Groups, Google Tasks, Jamboard, Google Vault and Google Cloud Identity Management.

It is important to note that there is no US HHS certification for HIPAA compliance and that HIPAA compliance is a shared responsibility of the customer and Google. In particular, HIPAA requires compliance with the Security Rule, the Privacy Rule and the Breach Notification Rule. Google Cloud Platform supports HIPAA compliance (as part of a Business Associate Agreement), but ultimately customers are responsible for evaluating their own HIPAA compliance. For customers with HIPAA compliance requirements, Google offers a Business Associate Amendment (BAA).
Many companies are making a big mistake regarding Google Workspace and HIPAA. They think all they have to do is sign a HIPAA Business Associate Agreement (BAA) with Google, and they suddenly comply with HIPAA. The BAA allows companies and business associates to enter into an agreement with Google that regulates the processing of PHI via Google Cloud.

Sign in to an account with super-administrator privileges (one that does not end in gmail.com).