Google G Suite apps are commonly used by behavioral health professionals to run their practices, but when it comes to signing a proper Google BAA, there are some major misunderstandings in the market.
BAA stands for Business Associate Agreement. BAAs are contracts that are federally required by HIPAA regulation. Before any protected health information (PHI) is transmitted between two organizations, a BAA must be executed. PHI is considered any demographic information that can be used to identify a patient. This includes names, addresses, dates of birth, full facial photos, social security numbers, financial information, insurance ID numbers, and health records, to name a few.
G Suite Services is the common name for the Google apps used by business owners, including Gmail, Google Drive, and Google Calendar. Behavioral health professionals who use these services to handle, store, or otherwise encounter PHI in any way must execute a BAA with Google.
Signing a Google BAA
Because of the scope of information that can be stored in G Suite apps, it’s essential that you execute a Google BAA. Like many other cloud service providers, Google will sign a BAA if certain requirements are met.
G Suite Services allows business users to request BAAs for their organizations. Google Apps for Business is the paid version of the regular Google services; the free version is commonly used for personal email. If your organization pays Google for its Google Apps for Business services, your system administrator can request a BAA.
Once you sign your Google BAA, your organization will still need to ensure that its G Suite services are properly configured to handle PHI. Signing the agreement alone does not make you compliant: security and privacy settings must be configured to meet HIPAA requirements.
For more information on exactly how to make your G Suite Services and Gmail HIPAA compliant, read this HIPAA educational whitepaper.