
Super-Easy HIPAA Boost!

  • Raffi Bilek
  • Mar 13
  • 6 min read

Updated: Mar 25

HIPAA compliance with Google Workspace

Is your HIPAA compliance in good shape?

 

I know, I know - it’s kind of a scary question. I don’t know any therapists who don’t feel like they’re falling short in one way or another. We all try our best, but look, we're not lawyers or security experts. It's not easy!

 

The good news is, the HIPAA gods don’t demand perfection; they want to see that you are doing your best to comply with the (very many) rules. One of the explicit rules is that you need to do a System Activity Review on a regular basis.

 

The problem with that is, you probably don’t even know what that means. 😬

 

In short, it means you need to see who’s logging into your system to make sure no bad guys are messing around in there and no good guys are doing bad things (intentionally or unintentionally). This is relevant whether you're a solo practitioner or a group practice owner!

 

Sounds reasonable. Except it’s really not easy to figure out how to do. And it can be laborious. Not to mention boring.



 

So I have some good news: I have solved this problem for you!

 

I’ve created a new automation called autoLog that scans your Google Workspace at regular intervals and then emails you the results (and saves a log of the audit in your Google Drive so you can show documentation that it’s been done).

 

This is a HUGE win for improving your compliance (not to mention actually protecting your system and your data in case someone ever did try to hack in).

 

Here is what this tool actually checks for you:

 

What autoLog Monitors

This script automates the System Activity Review required by HIPAA. In plain English, it performs four specific security checks every week to ensure your digital "office" remains secure and that you are the only one with the keys.

 

1. Security Breach Detection (Suspicious Logins)

The tool scans Google’s internal security signals for any login attempt that looks out of the ordinary. This includes signing in from a foreign country, an unrecognized device, or an internet address associated with malicious activity.

  • The Risk: If a staff member’s password is stolen, a hacker will often try to log in from a remote location.

  • The Compliance Fix: This satisfies the requirement to monitor for "unauthorized access" to your patient data.

 

2. Third-Party App "Backdoors" (OAuth Audit)

Many therapists use "Sign in with Google" for various tools (PDF editors, productivity apps, or scheduling aids). When you do this, you are often giving that app permission to "see" and "edit" your Google Drive or Email.

  • The Risk: If you link an app that isn't HIPAA-compliant, you have effectively created a "backdoor" where patient data can be accessed by an unvetted third party.

  • The Compliance Fix: This tool lists every new app granted access to your workspace so you can ensure you have a Business Associate Agreement (BAA) in place for each one.

 

3. Administrative & "Master Key" Changes

This check monitors changes made to your core system settings—such as changing passwords, adding new users, or modifying file-sharing permissions.

  • The Risk: If an intruder gains access, their first move is often to escalate their own permissions or change your password so you are locked out of your own files.

  • The Compliance Fix: HIPAA requires you to track "administrative actions" to ensure that only authorized personnel are making high-level changes to your security infrastructure.

 

4. The "Orphaned Account" Scan (Inactivity Review)

One of the biggest security holes in a private practice is an active account belonging to a former employee, intern, or biller who has left the practice.

  • The Risk: An unmonitored, active account is an easy target for a breach. If a person is no longer working with you, their access must be revoked immediately.

  • The Compliance Fix: The tool identifies users who haven't logged in and haven't opened a single file in 30 days. This allows the Security Officer to identify and "offboard" those users to close the security gap.

 

5. Automated Record Keeping (The Audit Trail)

Finally, the tool generates a date-stamped text file of the entire report and saves it to a specific "Audit Vault" folder in your Google Drive.

  • The Risk: During a HIPAA audit, saying "I check my security" isn't enough. You must provide a "long-term record" of your reviews.

  • The Compliance Fix: HIPAA requires security logs to be kept for 6 years. This tool builds that archive automatically, so you always have proof of your consistent security oversight.
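The four checks and the audit-trail record, worked through as an added example in plain JavaScript (this is not autoLog's code; the post does not show its implementation). It assumes the input is Admin SDK Reports API activity records for the login, token and admin applications plus Directory API user records, using the event and parameter names I know from those APIs; the sample records are constructed, and in a real deployment they would come from the API calls the script makes.

```javascript
// Added example, not autoLog's own code: classify Admin SDK Reports API activity records into the four
// review categories described above and render the date-stamped audit-vault text. The record shape and
// event names (items[].id.time, .actor.email, .ipAddress, .events[].name/.parameters[]) are assumptions.
const SUSPICIOUS_LOGIN = new Set(['suspicious_login', 'suspicious_login_less_secure_app', 'account_disabled_password_leak']);
const ADMIN_CHANGES = new Set(['CHANGE_PASSWORD', 'CREATE_USER', 'DELETE_USER', 'GRANT_ADMIN_PRIVILEGE', 'ASSIGN_ROLE']);
const PHI_SCOPE = /googleapis\.com\/auth\/(drive|gmail)|mail\.google\.com/; // OAuth scopes that reach Drive or Gmail content
// Read one named event parameter; multi-valued ones (e.g. scope) come back as arrays.
function param(event, name) {
  const p = (event.parameters || []).find((x) => x.name === name);
  return p ? p.multiValue || p.value || p.boolValue : undefined;
}
// activities: login, token and admin application items concatenated; users: Directory API users; now: epoch ms.
function reviewActivity(activities, users, now, inactiveDays = 30) {
  const f = { suspiciousLogins: [], appGrants: [], adminChanges: [], inactiveUsers: [], inactiveDays };
  for (const item of activities) {
    for (const ev of item.events) {
      if (SUSPICIOUS_LOGIN.has(ev.name)) { // check 1: Google's own risk signals on a sign-in
        f.suspiciousLogins.push({ user: item.actor.email, ip: item.ipAddress, event: ev.name, time: item.id.time });
      } else if (ev.name === 'authorize') { // check 2: a user granted a third-party app access
        const scopes = param(ev, 'scope') || [];
        f.appGrants.push({ user: item.actor.email, app: param(ev, 'app_name'), scopes, touchesPhi: scopes.some((s) => PHI_SCOPE.test(s)) });
      } else if (ADMIN_CHANGES.has(ev.name)) { // check 3: "master key" changes
        f.adminChanges.push({ admin: item.actor.email, action: ev.name, target: param(ev, 'USER_EMAIL') });
      }
    }
  }
  // check 4: never-used accounts report lastLoginTime 1970-01-01 and so are caught too; suspended ones are already offboarded
  const cutoff = now - inactiveDays * 86400000;
  for (const u of users) if (!u.suspended && Date.parse(u.lastLoginTime) < cutoff) f.inactiveUsers.push(u.primaryEmail);
  return f;
}
// Item 5: plain-text record whose first line carries the review date, ready to save to Drive and e-mail.
function formatReport(f, now) {
  const lines = [`System Activity Review ${new Date(now).toISOString().slice(0, 10)}`];
  f.suspiciousLogins.forEach((x) => lines.push(`LOGIN ${x.event} ${x.user} from ${x.ip} at ${x.time}`));
  f.appGrants.forEach((x) => lines.push(`OAUTH ${x.touchesPhi ? 'PHI-SCOPE' : 'limited'} "${x.app}" granted by ${x.user}`));
  f.adminChanges.forEach((x) => lines.push(`ADMIN ${x.action} by ${x.admin}${x.target ? ' on ' + x.target : ''}`));
  f.inactiveUsers.forEach((x) => lines.push(`INACTIVE ${x} (no login in ${f.inactiveDays}+ days)`));
  return lines.join('\n');
}

// Constructed sample input (not real data): one record per application plus two users.
const SAMPLE_ACTIVITIES = [{ id: { time: '2025-03-10T02:14:00Z' }, actor: { email: 'biller@example-practice.com' }, ipAddress: '203.0.113.7', events: [{ name: 'suspicious_login' }] },
  { id: { time: '2025-03-11T15:02:00Z' }, actor: { email: 'dr.jones@example-practice.com' }, ipAddress: '198.51.100.4', events: [{ name: 'authorize', parameters: [{ name: 'app_name', value: 'Quick PDF Signer' }, { name: 'scope', multiValue: ['https://www.googleapis.com/auth/drive', 'openid'] }] }] },
  { id: { time: '2025-03-12T09:30:00Z' }, actor: { email: 'admin@example-practice.com' }, ipAddress: '198.51.100.4', events: [{ name: 'CREATE_USER', parameters: [{ name: 'USER_EMAIL', value: 'new.intern@example-practice.com' }] }] }];
const SAMPLE_USERS = [{ primaryEmail: 'dr.jones@example-practice.com', suspended: false, lastLoginTime: '2025-03-12T09:30:00.000Z' },
  { primaryEmail: 'former.intern@example-practice.com', suspended: false, lastLoginTime: '2025-01-05T12:00:00.000Z' }];
const NOW = Date.parse('2025-03-13T00:00:00Z');
console.log(formatReport(reviewActivity(SAMPLE_ACTIVITIES, SAMPLE_USERS, NOW), NOW));
```

The `touchesPhi` flag is what turns the OAuth listing into something actionable: a grant limited to `openid`/`email` scopes needs no BAA review, while one that reaches Drive or Gmail does.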

 


Using autoLog

This tool is simple to use – you’ll just input your email address, domain, and frequency for reports, click install, and you’re done! Then, of course, you’ll need to actually look at the emailed reports and address any security concerns (the email will notify you if there are any and what they are!).


And now, some important disclaimers!

 

  • Not Legal Advice: This tool and its documentation do not constitute legal advice or a formal legal opinion.

  • Partial Compliance Only: Use of this script addresses only a specific subset of the HIPAA Security Rule [§164.308(a)(1)(ii)(D) - System Activity Review]. Implementing this tool does not, by itself, make an organization "HIPAA Compliant." Full compliance requires a comprehensive risk analysis, written policies, staff training, and physical/administrative safeguards.

  • No Business Associate Relationship: The author of this script is providing a template for your internal use only. The author does not have access to your data, does not store your Protected Health Information (PHI), and is not a "Business Associate" as defined by HIPAA.

  • User Responsibility: The Privacy/Security Officer of your organization is responsible for manually reviewing these reports and taking appropriate action on any flagged anomalies. A report that is generated but never reviewed does not satisfy HIPAA requirements.

  • Consult Professionals: We strongly recommend consulting with a qualified healthcare attorney or a HIPAA compliance professional to ensure your entire Workspace configuration and organizational policies meet federal and state requirements.

 

Note also that this tool only scans your Google Workspace – if you have an EHR or other systems containing PHI, you may be responsible for reviewing those as well.

 

In short, just having this tool in your toolbox doesn’t absolve you of all your HIPAA duties – but it takes one of the big ones and makes it much, much easier! (Important note: the auditing that is done by this tool is not HIPAA-optional. It is HIPAA-required. We are all expected to be doing this regularly, tool or no tool!)


There is really no reason not to buy this automation. For a one-time fee you get a serious boost in your HIPAA compliance - not to mention the fact that you'll actually be protecting yourself and your clients from potentially having data leak out of your system.


The other automations on this site are helpful. This one is crucial.

 

Buy autoLog today to improve and simplify your HIPAA compliance!


P.S. If you have any trouble with it, or need a specific customization for your organization, reach out to info@workspaceEHR.com!

Update: a week after posting this, I discovered that someone was trying to gain access to my system! Probably some kind of malicious bot or ransomware:



I consulted with AI and learned that admin@ emails are frequently targeted for this kind of attack so I changed that email address. I also checked to make sure none of the login attempts were successful (check 👍🏻) and I documented the review and changes I had made. Major win!



FAQ

Q: Does my security information get sent to you?

A: Nope! No information is leaving your Workspace. It's all internal. (The code that runs this is visible to you so you can verify that if you like!)

Q: Do I need a BAA with you?

A: No! I do not have access to your PHI.

Q: Will this work if I use free Google (email, drive, docs, etc.) and my email address is @gmail.com?

A: No, it will not - it only works with paid Google Workspace. Also, btw, if you are using a free gmail account for your practice, that is itself not HIPAA-compliant. 😬

Check out this post for more info.

Q: Is this really required of us?

A: Sure is. Check out 45 CFR §164.308(a)(1)(ii)(D): "A covered entity or business associate must . . . Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports." I know - crazy but true!

Q: Is this required for solo practitioners too?

A: Yes (assuming you are a covered entity).

Q: How much does it cost?

A: $69

Q: Is there a monthly fee?

A: No, just a one-time payment to get access to the tool!

Q: Do I need to purchase one of these for every user in my organization?

A: No, you just need one copy for your whole organization.
