How To Make Gmail HIPAA Compliant

Right now, working remotely has never been easier. If you need a service, you can find it with a simple search.

Take Google, for example. If you want to make a phone call, you can use Voice. And if you want to send email, set up a Gmail account.

And what makes it all even better is that all of it is free. As a business owner, what could be better than that?

Still, maybe you need something a little more sophisticated. If you want video conferencing and collaboration tools for Calendar, Meet, Chat, Docs, and Sheets, upgrading to Google Workspace for a few dollars a month can allow your entire team to work together to get things done. It’s cloud-based, which means you can work from anywhere, and have access to your data at the click of a mouse.

While that might work for some businesses, if you’re in healthcare and have to meet HIPAA compliance, think twice before bringing these free services into your practice. A lot of practices make a huge mistake and assume because Google is one of the largest companies in the world, Workspace is compliant with HIPAA regulations. They think signing a HIPAA Business Associate Agreement (BAA) is all they need to remain secure.

Don’t be fooled.

Google Workspace has hundreds of settings. If you set them up the wrong way, you’re putting your practice and your data at risk. Some of the most important settings include:

Two-factor authentication

Passwords are the easiest thing for hackers to steal. People are creatures of habit and prefer easy every time; even with all we know today, one of the most common passwords is still “123456789”. Two-factor authentication helps reduce the chances of being hacked. Google Workspace goes the extra mile with two-factor authentication, requiring the second factor to be entered again every 30 days, and it also knows if someone tries to log in from an unfamiliar device.


Google has a built-in alert system that watches for things that seem a little off, like an employee logging in from LA and then trying again an hour later from Hong Kong. Yet this feature only works if you turn it on; it’s turned off by default.
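To show what that alert is actually checking, here is an added example (not code from the original post or from Google) of an "impossible travel" rule: it compares each user's consecutive logins and flags any pair whose implied speed is faster than a plane. The login records, city coordinates and the 1000 km/h threshold are all constructed assumptions.

```python
# Added example: a minimal "impossible travel" login check.
# Sample logins and the speed threshold below are constructed assumptions.
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # assumption: anything faster than an airliner is suspicious


@dataclass
class Login:
    user: str
    when: datetime  # timezone-aware
    city: str
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, from_city, to_city, implied_kmh) for each pair of
    consecutive logins by the same user that would require moving faster
    than max_kmh. Logins are processed in time order."""
    alerts, last_seen = [], {}
    for login in sorted(logins, key=lambda l: l.when):
        prev = last_seen.get(login.user)
        if prev is not None:
            hours = (login.when - prev.when).total_seconds() / 3600
            dist = haversine_km(prev.lat, prev.lon, login.lat, login.lon)
            # Same-timestamp logins from different places are also impossible.
            speed = dist / hours if hours > 0 else (float("inf") if dist > 0 else 0.0)
            if speed > max_kmh:
                alerts.append((login.user, prev.city, login.city, round(speed)))
        last_seen[login.user] = login
    return alerts


T = lambda h: datetime(2024, 1, 1, h, 0, tzinfo=timezone.utc)  # constructed timestamps
SAMPLE_LOGINS = [  # constructed sample data
    Login("alice", T(9), "Los Angeles", 34.05, -118.24),
    Login("alice", T(10), "Hong Kong", 22.32, 114.17),   # 1 hour later: impossible
    Login("bob", T(9), "Los Angeles", 34.05, -118.24),
    Login("bob", T(13), "Seattle", 47.61, -122.33),      # 4 hours later: plausible
]

if __name__ == "__main__":
    print(impossible_travel(SAMPLE_LOGINS))
```

Only the LA-to-Hong-Kong pair is reported; the LA-to-Seattle pair implies a few hundred km/h and passes.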

Email security

The Google Workspace platform has dozens of email settings to offer greater control over your security. It’s important to spend time walking through and selecting the ones most important for your business. You can attach disclaimers on outbound email, beef up security for sending PHI, and establish triggers for when sensitive material is sent out via email.

Only use what you need

Google Workspace is designed to offer the most common business services to the general population. Depending on how your practice operates, chances are there are a variety of features you’ll never use. So why are they turned on? Disable every service your staff won’t use so your PHI doesn’t end up somewhere it doesn’t belong, and review this periodically to get the most out of what Workspace has to offer.


Google’s teleconferencing feature, Meet, is HIPAA compliant, providing you take the necessary steps. You need to accept the Business Associate Agreement, and ensure your Workspace is audited and has the appropriate settings.

No matter what tools you decide to use for your practice, two things matter most.

First, monitor the programs and ensure they remain in compliance. It’s easy for settings to change. Stay current by applying patches and updating your technology along the way.

Second, train employees on good security practices on an ongoing basis.

In many cases, the answer to security is simple - just use your head. It starts with being proactive in your approach.

For IT Strategy, Cloud Conversion, or Help Desk Services reach out to us at Silver Linings Technology 360-450-4759.