15 Steps for Making Your Gmail, Google Calendar, and Entire G-Suite HIPAA Compliant (2nd Edition)

In February of 2016, Google announced that over 1 billion people now use Gmail. Just two years later, that number was 1.5 billion.

Gmail and Google’s suite of productivity apps (Google Calendar, Google Docs, Google Drive and the rest) may be the most used productivity tools on the planet.

And that means, if you use them in a practice that handles protected health information (PHI), you need to be very careful that your setup meets HIPAA requirements.

Here’s how to make sure your G-Suite is “up to code.”

STEP 1. The first thing you have to do is make sure you are using the paid version of G-Suite.

Google will only sign a HIPAA Business Associate Agreement (BAA) for paid G-Suite accounts, not for free consumer Gmail. On the paid version, Google does not scan your mail for advertising, and you get the administrative controls (mandatory 2-Step Verification, audit logs, sharing restrictions) that the rest of these steps depend on.

If a patient notices you’re using a free consumer account (no BAA, no admin controls), they may file a complaint. And that’s the last thing you want.

Google’s own guidance is to use the free version only if you are 100% certain PHI will never pass through your email. So, in other words, don’t use the free version! It’s not worth the risk.

STEP 2.  Next, sign your HIPAA BAA.

Good news: Google makes it super easy to do this online. A super administrator accepts it in the G-Suite Admin console under Account settings > Legal and compliance (Google calls it the HIPAA Business Associate Amendment). Keep in mind that the BAA covers only the core G-Suite services it lists, so PHI should stay inside those services.


STEP 3.  Get your patients’ consent IN WRITING before you exchange PHI with them by email, and tell them in that same document that ordinary email is not encrypted end to end.

Do not skip this step!

STEP 4. Put a confidentiality / “email is not secure” notice in your email signature. Below is a typical example. Yes, it’s long. And no, most of your recipients probably won’t read it. But it documents that every recipient was warned and told what to do with a misdirected message. It is not a substitute for the written consent in Step 3 or for sending PHI securely, so do not skip any of these.

Confidentiality notice

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.

Here’s how to add a signature automatically to all outbound emails: rather than relying on each user’s personal signature, an administrator can append it to every message sent from the domain in the Admin console under Apps > G Suite > Gmail > Advanced settings, using the “Append footer” compliance setting.


STEP 5.  Make sure that the connection between your computers and Gmail is encrypted. Gmail in the browser is only served over HTTPS, so with any current browser (Edge, Internet Explorer, Safari, Chrome, Firefox) this is automatic.

But here’s how to check. Look at the address bar (the box at the top of the window where the web address appears). Does the address start with “https://” and is there a padlock icon next to it?

If yes, the connection to Google is encrypted. If not, or if the browser shows a certificate warning, do not type your password or any PHI: either you are not actually on mail.google.com, or something between you and Google is intercepting the connection.

STEP 6. Make sure you have a secure connection between G-Suite and EVERY SINGLE DEVICE that might transmit emails or patient data. Tablets, phones, laptops, everything. A device that uses a mail app instead of the browser must connect with TLS (IMAP on port 993, SMTP on port 465 or 587 with STARTTLS), or better, use the official Gmail app. Keep in mind that this only protects the hop between your device and Google: once a message leaves Google for another provider, it is encrypted in transit only if the receiving mail server also supports TLS, which is exactly why Steps 3 and 4 matter.

STEP 7. Training. This is a MUST. For every employee, even if you only have one employee. You must have clear, written policies about how to use email and texting.

They need to prove they understand your policies on how to email, how to text, how to recognize PHI, how to recognize virus threats, ransomware threats, phishing threats, and much more.

PHI is coveted by hackers. Medical information, insurance information, and personal information fetch a high price on the “dark web.”

You are a target. Even if you’re a small office or clinic. You’re a target specifically because of your size. Criminals are lazy. They will go after the easy targets. And since many large hospitals and universities have locked down their information systems, hackers are now turning to the “low hanging fruit” of small, less-secure offices and clinics. Don’t let yours be one of them.

Gmail is pretty secure. But there are additional layers of protection you should add to really lock out the phishers, hackers and criminals.

Contact us if you’d like to know more about these additional, affordable layers.

STEP 8. Pay particular attention to the phishing threat. Phishing is the most common way attackers get a foothold in a small office, and it is the hardest to stop with technology alone, because the target is a person rather than a system. Be sure your training provides a deep education about identifying phishing.

Want to quickly assess how prepared your staff is against phishing? Google has its own quiz you can have them take at https://phishingquiz.withgoogle.com (or just search for Google Phishing Quiz).

STEP 9. Secure every single device. Again, every phone, every laptop, every tablet: screen lock, disk encryption, current updates, and the ability to wipe a lost device. G-Suite’s mobile management can enforce a screen lock and remotely wipe phones and tablets that sync your mail.

Petronella Technology Group, Inc. specializes in managed security services to almost any type of device. Even legacy devices.

STEP 10. Lock down your Google passwords and use 2-Step Verification (Google’s name for two-factor authentication). Every password must be unique to one account, and long and random enough that you couldn’t memorize it anyway!

The best-case scenario is that you didn’t even generate your password. The best passwords are generated by password managers like LastPass Enterprise or RoboForm. Then all you have to remember is the one password that unlocks the encrypted password manager. The password manager generates and remembers all the other passwords for you. If you use it correctly, YOU don’t even know the passwords to your systems. You just know how to access them through the password manager. Pair this with a hardware token such as a YubiKey and you have a hardened password management system that is very difficult for attackers to penetrate.

Two-factor authentication is very important in HIPAA compliance and very easy to set up. Each user turns it on in their Google account security settings, and an administrator can make it mandatory for the whole domain in the Admin console under Security > 2-Step Verification (enforcement). Prefer an authenticator app or a security key (Google supports FIDO keys such as the YubiKey) over SMS codes, which can be intercepted or SIM-swapped.

This is hyper important when it comes to HIPAA compliance. You MUST do this.

STEP 11. Use sender identity management (sender authentication).

One trick that attackers use is to make an email LOOK like it comes from a trusted source.

And this is SUPER easy to do: the From address on an email is just a text field, and nothing in the mail protocol itself stops a sender from typing yours into it.

In fact, you could learn how to do it yourself with a simple Google search. And if you can do it, attackers can do it in their sleep!

One of their favorite tricks is to make it look like an email is coming from someone IN YOUR OWN OFFICE.

There are solutions that identify these kinds of attacks. For a G-Suite domain they are the sender authentication records you publish in DNS: SPF (which mail servers may send for your domain), DKIM (a signature Google adds to your outgoing mail) and DMARC (what receivers should do when neither of those matches the From address, with reports sent back to you). With DMARC set to quarantine or reject, a message that forges your domain fails authentication and is filtered instead of landing in a colleague’s inbox. Research them or contact us if you’d like to learn more about our solutions.

STEP 12. Strictly manage file-sharing permissions. Google Drive and Google Docs are great for sharing documents and files. But it’s very easy to make PHI mistakes that lead to HIPAA fines: one click on “anyone with the link” turns a patient record into a file that needs no login at all.

File sharing has to be set up the right way. Access must be limited to the people who need it. Employees must know how to share files so they don’t fall into the wrong hands, and an administrator should back that up in the Admin console (Apps > G Suite > Drive and Docs > Sharing settings) by restricting or disabling sharing outside the domain.

Huge HIPAA fines await companies that slip up in this area.

STEP 13.  Watch your users! Monitor the reports and audit logs that Google makes available about your G-Suite usage. Look for indications of phishing, account compromise or anything suspicious.

In the G-Suite Admin console you can track:

  • Externally shared files – any files your people shared which might be viewable by people OUTSIDE your organization (Drive audit log and the security dashboard)
  • External apps – any third-party apps that users have granted access to your G-Suite data; these could pose a threat
  • 2-Step Verification enrollment – this shows whether all your users actually have two-factor authentication turned on
  • Email log search – a searchable record of every message sent or received by your domain

Log in once a month or more and check for anything suspicious or not “up to code.”
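The “externally shared files” item above is the one most likely to expose PHI, and the monthly check is easy to automate. The script below is an added example, not code from the article or from Google: it walks a Drive audit-log export and lists every sharing change that opens a file to people outside the domain, while skipping internal shares, access removals and ordinary view events. The export is constructed here, laid out to resemble the Admin SDK Reports API “drive” activity shape (field names such as events[].name and parameters[] are my assumption about that format); a real one would come from the API or an Admin console export.

```python
"""Scan a Drive audit-log export for sharing that exposes files outside the
organisation: links anyone can open, or access granted to an outside address.

Added example, not code from the article. The export is constructed to
resemble the Admin SDK Reports API "drive" activity shape (an assumption about
the field names); real exports should be pulled from the API or Admin console."""
import json

OUR_DOMAIN = "exampleclinic.com"  # assumption: the practice's own G-Suite domain

# visibility values that mean "people outside the domain can open this"
EXPOSED_VISIBILITY = {"people_with_link", "public_on_the_web", "shared_externally"}

# Constructed sample: five activities, of which exactly two should be flagged.
SAMPLE_EXPORT = json.dumps({"items": [
    {"id": {"time": "2019-03-04T14:02:11Z"},
     "actor": {"email": "nurse@exampleclinic.com"},
     "events": [{"type": "acl_change", "name": "change_document_visibility",
                 "parameters": [{"name": "doc_title", "value": "Intake form - J. Doe.pdf"},
                                {"name": "visibility", "value": "people_with_link"}]}]},
    {"id": {"time": "2019-03-04T14:05:40Z"},
     "actor": {"email": "nurse@exampleclinic.com"},
     "events": [{"type": "acl_change", "name": "change_user_access",
                 "parameters": [{"name": "doc_title", "value": "Staff rota.xlsx"},
                                {"name": "target_user", "value": "frontdesk@exampleclinic.com"},
                                {"name": "new_value", "multiValue": ["can_edit"]}]}]},
    {"id": {"time": "2019-03-05T09:12:03Z"},
     "actor": {"email": "drsmith@exampleclinic.com"},
     "events": [{"type": "acl_change", "name": "change_user_access",
                 "parameters": [{"name": "doc_title", "value": "Lab results - M. Roe.pdf"},
                                {"name": "target_user", "value": "claims@outsidebilling.net"},
                                {"name": "new_value", "multiValue": ["can_view"]}]}]},
    {"id": {"time": "2019-03-05T09:30:55Z"},
     "actor": {"email": "drsmith@exampleclinic.com"},
     "events": [{"type": "acl_change", "name": "change_user_access",
                 "parameters": [{"name": "doc_title", "value": "Lab results - M. Roe.pdf"},
                                {"name": "target_user", "value": "claims@outsidebilling.net"},
                                {"name": "old_value", "multiValue": ["can_view"]},
                                {"name": "new_value", "multiValue": ["none"]}]}]},
    {"id": {"time": "2019-03-05T10:00:00Z"},
     "actor": {"email": "frontdesk@exampleclinic.com"},
     "events": [{"type": "access", "name": "view",
                 "parameters": [{"name": "doc_title", "value": "Staff rota.xlsx"}]}]},
]})


def flatten_parameters(event):
    """Turn the API's list of {name, value|multiValue|boolValue} into a plain dict."""
    out = {}
    for p in event.get("parameters", []):
        out[p["name"]] = p.get("value", p.get("multiValue", p.get("boolValue")))
    return out


def is_external(email):
    return "@" in email and email.rsplit("@", 1)[1].lower() != OUR_DOMAIN


def find_external_sharing(export_json):
    """Return one finding per ACL change that opens a file to people outside the domain.

    Access removals (new_value == ["none"]) and non-ACL events (views, edits) are skipped."""
    findings = []
    for item in json.loads(export_json).get("items", []):
        when = item.get("id", {}).get("time", "")
        actor = item.get("actor", {}).get("email", "")
        for event in item.get("events", []):
            if event.get("type") != "acl_change":
                continue
            p = flatten_parameters(event)
            if p.get("new_value") == ["none"]:
                continue  # access was revoked, not granted
            reason = None
            if (event.get("name") == "change_document_visibility"
                    and p.get("visibility") in EXPOSED_VISIBILITY):
                reason = f"visibility changed to {p['visibility']}"
            elif (event.get("name") == "change_user_access"
                    and is_external(p.get("target_user", ""))):
                reason = f"access granted to outside address {p['target_user']}"
            if reason:
                findings.append({"time": when, "actor": actor,
                                 "doc": p.get("doc_title", "(untitled)"), "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_external_sharing(SAMPLE_EXPORT):
        print(f"{f['time']} {f['actor']} -> {f['doc']}: {f['reason']}")
```

Run against the sample it reports the intake form that was opened to “anyone with the link” and the lab results shared with an outside billing address; the later revocation of that share and the internal share of the staff rota are not reported. In a real review, each finding is a question for the employee named as actor, and every file that should not be outside the domain is a potential breach to document.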

STEP 14. Read the “G Suite and Cloud Identity HIPAA Implementation Guide.” Google has written a 26-page PDF that covers most of what you need to know: https://static.googleusercontent.com/media/gsuite.google.com/en//intl/en/terms/2015/1/hipaa_implementation_guide.pdf

STEP 15. Get help if you need it.

Following all of these steps can be daunting.

And when the risks are so high, why not let an expert help you through the process?

If doing it yourself sounds confusing and time-consuming (it is), then we’re ready to help.

Call Petronella Technology Group, Inc. Today at 877-468-2721.