• Home
  • Blog
  • Contact

Call us toll free 0800 0000 900

support@hipaa.com
HIPAA ComplianceHIPAA Compliance
HIPAA ComplianceHIPAA Compliance
  • Home
  • Blog
  • Contact
Gmail, Google Apps for Business HIPAA Business Associate Agreements

Gmail, Google Apps for Business HIPAA Business Associate Agreements

October 21, 2013 HIPAA Law 3 Comments

The Health Insurance Portability and Accountability of Act demands that all HIPAA covered businesses prevent unauthorized access to “Protected Health Information” or PHI. PHI includes patients’ names, addresses, and all information pertaining to the patients’ health and payment records. According to the Department of Health and Human Services, “HIPAA Rules apply to covered entities and business associates.” Complete compliance with HIPAA guidelines requires implementation of basic and advanced security measures. Basic security includes benchmark-based password creation and use, personnel education and training, limited access to PHI, data encryption, use of firewalls, antivirus software, and digital signatures. With increasing adoption of electronic medical records and cloud-based software-as-service (SaaS), advanced security measures are necessary. Google’s Business Associate Agreement, introduced in September 2013, offers HIPAA compliant online services for covered entities.

Online Security: Google’s Business Associate Agreement

Many healthcare businesses use Google Business Apps. Google Business Apps are cloud-based software-as-service (SaaS) where small businesses have access to a suite of Google services such as Gmail, Google Calendar, Docs, Drive (storage), Apps etc. Google uses Ernst and Young third party evaluated and ISO 27001 certified encryption and authentication. But despite these foundational precautions, not all components of GBA have a level of security necessary for HIPAA compliance.

Enter Google’s Business Associate Agreement (BAA). Google’s Business Associate Agreement provides an additional layer of online safety by offering HIPAA compliant security for users of Google Apps Vault, Gmail, Google Calendar, and Google Drive. Businesses that opt for this agreement are precluded from using any of the other services in the Google Business Apps package (such as Google Docs, Hangouts, Marketplace, websites, etc), under the domain registered with and covered by Google’s Business Associate Agreement. Google’s BAA guidelines state “Customers who have not entered into a BAA with Google must not use Google services in connection with PHI.” The agreement requires that HIPAA covered businesses sign up for a Google Apps for Business Administrator account.

Training Reduces Human Errors

In addition to having the best online security, complete compliance requires implementation of solid procedures and policies, which includes training for staff members to prevent human errors. The Privacy and Security Rules require that healthcare businesses educate and train workers regarding policies and procedures for HIPAA compliance. Training requires experience and specialized knowledge that even the most advanced healthcare executive may not have.

When evaluating HIPAA training services, make sure the company you choose provides a complete HIPAA training package and is knowledgeable about online security strategies. Training should be affordable, but also useful in other ways. For example, HIPAA training that offers CME and CEU credits is a good way to maintain compliance with HIPAA law while helping your employees maintain valuable credentials.

Tags: American Recovery and Reinvestment ActHIPAAHIPAA Administrative SimplificationHITECH ActSecurity
3 Comments
Share
0

You also might be interested in

OCR’s Publicly Disclosed Large Breaches Now Top 20 Million Impacted Individuals

May 16, 2012

May 16, 2012.  The Department of Health and Human Services’[...]

Final HIPAA Rule: Security Statutory Authority and Direct Regulation of Business Associates

Feb 4, 2013

February 4, 2013.  Today, we cover the security safeguards of[...]

Safeguards Key Privacy/Security Principle of Meaningful Use 2011 Objectives

Jul 3, 2009

On December 15, 2008, the Office of the National Coordinator[...]

3 Comments

Leave your reply.
  • Wayne Henderson
    · Reply

    May 11, 2015 at 1:56 PM

    Does HIPAA require all emails containing patient information of any kind to be encrypted? Does all data stored on pc’s/servers/SAN/NAS have to be encrypted?

    thanks –

  • Dorothy Griffith
    · Reply

    July 27, 2015 at 10:12 AM

    How do I obtain a authorization ( oca) official 960 form.
    References number 150717-000704.

  • Chris Howells
    · Reply

    July 26, 2016 at 3:11 PM

    I work in an Optical store where we fill prescriptions but don’t take insurance. The customer’s Rx is stored in the computer but does not get emailed. Do we have to be Hipaa compliant?

Leave a Reply Cancel Reply

Categories

  • 5010
  • American Recovery and Reinvestment Act
  • Enforcement
  • GINA
  • Health Care Reform
  • Health IT and HITECH
  • HIPAA Law
  • Identifiers
  • Meaningful Use
  • Privacy
  • Red Flags Rules
  • Security
  • Transactions & Code Sets
  • Uncategorized

Recent Posts

  • Contracting with Vendors that are NOT HIPAA Business Associates: Best Practices
  • HIPAA Breach: Who You Gonna Call?
  • Can I Be Sued for a HIPAA Violation?
  • Business Associate Agreements – a First Look at Indemnification
  • Gmail, Google Apps for Business HIPAA Business Associate Agreements

Archives

Contact Us

We're currently offline. Send us an email and we'll get back to you, asap.

Send Message

© 2023 · hipaa.com

Prev Next