Last week we wrote about Google Workspace and how it compares to Paubox for its ability to provide HIPAA compliant email.
Our research concluded that while Google Workspace can be configured to be HIPAA compliant, it lacks functionality and even introduces a security vulnerability when it comes to actually sending HIPAA compliant email.
Read more: Comparing Google Workspace to Paubox for HIPAA compliant email (2023 update)
Up next, this post will answer the question: How do I actually go about getting a BAA signed with Google?
HIPAA and the BAA
As a recap, the Health Insurance Portability and Accountability Act (HIPAA) is a federal law that protects the privacy of individuals’ personal health information.
As we’ve previously discussed, HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity.
A business associate agreement (BAA) is a written contract between a covered entity and a business associate. It is required by law for HIPAA compliance.
Google BAA
Complete information on the Google business associate agreement can be found here. More specifically, the HIPAA Included Functionality page outlines each Google product that is considered in scope for the Google BAA.
In addition, another helpful resource is the Google Workspace and Cloud Identity | HIPAA Implementation Guide.
Signing a BAA with Google
Unlike the Microsoft BAA, where extra steps are not required, Google requires customers to do a bit of extra work to enter into a BAA with it.
The steps to enter into a BAA with Google are outlined here.
In a nutshell, they are:
- Go to Menu > Account > Account settings > Legal and compliance.
- Go to the Security and Privacy Additional Terms section.
- Click Google Workspace/Cloud Identity HIPAA Business Associate Amendment to review the amendment.
- Click Review and Accept and answer all three questions to confirm that you are a HIPAA covered entity.
- To accept the HIPAA BAA, click OK.
Can Google use my organization's business associate agreement?
No, Google will not use a customer's business associate agreement.
Conclusion
There are a few additional steps to take to obtain a business associate agreement with Google.
Be aware that:
- Google will not sign a customer's BAA
- The list of solutions that are in scope of the Google BAA is here