
4 Easy Ways to be HIPAA-Compliant with Google Workspace

  • Raffi Bilek
  • Apr 13
  • 5 min read

I know, I know. HIPAA’s not a favorite subject for most. We’d all rather run and hide. I know.

 

But alas, we cannot. We have some obligations to fulfill here, and I like to try from time to time to make it easier on folks to pull that off. So here are 4 easy things you can do to get more in line with HIPAA.

 

Let’s be clear that doing these things and these things only doesn’t mean you’re off the hook. HIPAA compliance is an ongoing set of behaviors that we as therapists need to be aware of. This post just offers some beginning steps.

 

Let’s go!



 

1. Don’t use free Gmail

If your professional email address is something like awesometherapist@gmail.com, we gotta start right there. The free tier of Gmail isn’t HIPAA compliant. Google has bots scanning those emails for data mining purposes. No can do.

 

Getting yourself a domain and email address like hello@awesometherapist.com isn’t too terribly difficult; but I know that it can be scary for the tech-averse folks out there (which is why I created this website and service to begin with). So either do a bit of research or trial and error, or reach out to me and I’ll help you get there.

 

(It’s also really not that expensive; could be $12 a year for the domain and $7/month for Google Workspace.)

 

2. Sign a BAA

A BAA is a Business Associate Agreement. This is a contract you need to have with any third party that handles your clients’ protected health information (PHI) – that would include your email provider, EHR, VOIP phone provider, etc. (In my case, all of these are Google.) It basically says that this third party guarantees they will take good care of that PHI so that it remains confidential.

 

Signing the BAA with Google is easy to do, just tricky to find. Watch this video to see how it’s done.

 

3. Enable 2-step verification

This is that thing where it sends you a text message to your phone when you try to log in. It can sometimes be annoying (although Google lets you get away with doing this only once in a while), but it’s a pretty accepted standard nowadays for security, and if you don’t use this and someone hacks into your system, you’re going to have a tough time explaining why you didn’t.

 

Also, it’s actually a really good way to keep things secure. There are in fact bad guys out there who will try to break into your system for nefarious purposes. Without 2-step verification, that is pretty easy for them to do. With it, it’s pretty hard.

 

To turn it on, go to https://myaccount.google.com, click on Security & sign-in, then 2-step verification, then you’ll see a button that says “Turn on 2-step verification”. Click that one.

 

[Screenshot: Enable 2-step verification]

 

4. Do a regular system activity review

HIPAA requires us to do regular reviews of our systems to make sure that those bad guys aren’t succeeding at breaking in. You need to look for logins from unexpected places like Nigeria or India (unless you live there), or multiple login attempts from different locations in a short period of time, stuff like that.

 

The bad news is that this part really isn’t easy to do, even with a nifty screenshot.

 

The good news is that I’ve taken care of this for you. Check out this blog post about the automation I created that will make this task super easy for you. (After I created it and started using it, it revealed that someone WAS trying to break into my system. And 2-step verification was likely stopping them!)


[Screenshot: regular system activity review]
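As an added illustration of the two checks described above (this is not the author’s automation, and the log records are constructed, not real Google Workspace export data), here is a small Python review that flags login activity from countries outside an assumed “expected” set and accounts seen from more than one country within a short window:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (assumed simplified format, not Google's own).
# Each record: (timestamp UTC, user, source IP, country code, result)
SAMPLE_EVENTS = [
    ("2024-04-10T14:02:00", "raffi@example.com", "203.0.113.10", "US", "success"),
    ("2024-04-10T14:20:00", "raffi@example.com", "198.51.100.7", "US", "success"),
    ("2024-04-10T14:35:00", "raffi@example.com", "192.0.2.44", "NG", "failure"),
    ("2024-04-10T14:36:00", "raffi@example.com", "192.0.2.44", "NG", "failure"),
    ("2024-04-11T09:00:00", "assistant@example.com", "203.0.113.10", "US", "success"),
    ("2024-04-11T09:30:00", "assistant@example.com", "192.0.2.99", "IN", "success"),
]

EXPECTED_COUNTRIES = {"US"}   # where the practice operates (assumption for the example)
WINDOW = timedelta(hours=1)   # what counts as a "short period of time" (assumption)


def review_logins(events, expected=EXPECTED_COUNTRIES, window=WINDOW):
    """Return a list of findings as (user, rule, detail) tuples."""
    findings = []
    by_user = defaultdict(list)
    for ts, user, ip, country, result in events:
        when = datetime.fromisoformat(ts)
        # Rule 1: any attempt, successful or not, from an unexpected country
        if country not in expected:
            findings.append((user, "unexpected_country",
                             f"{result} from {country} ({ip}) at {ts}"))
        by_user[user].append((when, country, ip))
    # Rule 2: one account seen from more than one country inside the window
    for user, seen in by_user.items():
        seen.sort()
        for i, (t0, c0, _) in enumerate(seen):
            countries = {c0}
            for t1, c1, _ in seen[i + 1:]:
                if t1 - t0 > window:
                    break
                countries.add(c1)
            if len(countries) > 1:
                findings.append((user, "multiple_locations",
                                 f"{sorted(countries)} within {window} of {t0.isoformat()}"))
                break   # one finding per account is enough for a review list
    return findings


if __name__ == "__main__":
    for user, rule, detail in review_logins(SAMPLE_EVENTS):
        print(f"{user}: {rule}: {detail}")
```

Run against an export of your actual login events (mapped into the same five fields), the output is the short list you would then look at during each review.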

 

So, those are a couple of quick have-tos that you can get on today. Now, here’s a couple of bonus ought-tos. Not strictly required, but these will offer further protection from some common blunders.

 

1. Disable file sharing

It is not a good idea to share files in your Google Drive outside your organization. The possibility for mistakenly sharing something with someone that they are not supposed to see, or even accidentally giving them edit access, is too high. If you need to share a document with someone, you can download it and email it. Much safer.

 

To do this, go back to your admin console (https://admin.google.com). Then on the left side menu click Apps > Google Workspace > Drive and Docs.

[Screenshot: Disable file sharing]

 

Select Sharing settings; the first item you’ll see there is also labeled Sharing settings. Click the little pencil on the top right, then select the option that says OFF.

[Screenshot: Disable file sharing]

 

2. Disable Auto-Forward

You do not want to allow Gmail to automatically forward your emails (or your employees’, if you have any) to, say, your personal email address. Because free Gmail is not HIPAA-compliant, remember?

 

The easiest way to do that is to search “automatic forwarding” in the search box in the admin console and it will pop right up – then, again, click the pencil on the top right and select OFF.

 

3. Best practice for Google Meet links

Many people recommend not using a fixed Google Meet link with clients – i.e., give each client their own Google Meet link, or use a new one for every single meeting. If you give everyone the same link, you risk people running into each other (kind of like someone walking into the room while you’re with a client in person). That is a good option.

 

Personally, I prefer to use a static link (i.e., the same one every time). If you do this, do not add your client as a guest in your Google calendar event. The reason this works for me is because, since they are not added as a guest, I need to admit them to the meeting room every time. It’s like the therapy room door is locked.

 

If you add them as a guest, they do not need you to admit them – they can walk right in. And if they show up when you’re in the middle of another session... no good.

 

(I wouldn’t want to give clients that kind of access anyway – what if I’m picking my nose right when they sign in? No thank you. I’m fine going through the extra step of clicking to let them into the room, thank you very much.)


[Screenshot: Best practice for Google Meet links]

 

So, as I said, there is a lot more to HIPAA compliance than this. But here are a couple of easy ways you can avoid problems and be better about doing what you’re supposed to do.

 

If you’re looking for more guidance on these or any other aspect of HIPAA, feel free to reach out for a free consultation!
