HIPAA Compliance and Google Apps


Supporting HIPAA Compliance


Supporting HIPAA compliance in Google Apps is relatively straightforward. Google will sign a Business Associate Agreement (BAA) upon request, the contract HIPAA requires before a covered entity may store or process Protected Health Information (PHI) with a service provider. Google also publishes implementation guidance that spells out which services are covered by the BAA, and PHI should be kept to those covered services. All Gmail-to-Gmail messages, which in practice means all internal communication, never leave Google's infrastructure and are encrypted in transit and at rest by default. Organizations can also configure the Gmail Data Loss Prevention (DLP) service to detect and block PHI leaving the domain. Mail to external recipients is a different matter: transport encryption to another provider depends on what that provider's mail server supports, so for users communicating with external parties we recommend Virtru (also handy for CJIS compliance), which provides end-to-end encryption within the Google Apps environment regardless of the recipient's system(s). Google Apps allows the implementation of an extremely secure environment with minimal implementation and support cost, and it is hard to find another service offering the same level of ongoing security per dollar invested.

Command and Control

Contrary to the popular sales pitch from legacy on-premises software and hardware providers, Google Apps actually gives you more control over organizational data than ever before. The critical attribute of a modern cloud computing service is centralization of both the data and the administrative controls over that data.

Bank cards serve as a useful analogy. One organization hands out bank cards, the other cash. The bank cards give the organization's CFO a range of benefits compared to cash: real-time reports on spending by user, category, vendor, amount, frequency, date, and so on, and the ability to freeze a single card or many cards at any time. The CFO has none of these controls over cash. The bank card is simply one more abstraction of the true asset, money, in a long line that runs from shiny rocks, to shiny metal, to paper, to plastic, and increasingly to software on your smartphone. The analogy isn't perfect, since we do have some control over our client-side environment. That control is limited, however, and more importantly it is rarely implemented or fully supported because of the cost of implementing and supporting it. With several desktop and mobile operating systems to support, comprehensive centralized client-side controls are impractical, and the answer is often simply to block employees from working.

In the legacy on-premises client-server architecture, data is copied to and saved on every endpoint. This is by design; it is the foundation of the client-server architecture, and it drastically increases the potential for data exposure. The 2013 Horizon Blue Cross Blue Shield of New Jersey breach, which exposed the records of roughly 840,000 members, was the result of two stolen laptops that were password-protected but not encrypted. In the client-server world, we keep our "cash" on our laptops. In the Google Apps world the laptops, like our bank cards, are just plastic methods of access to the true asset.

Security above and beyond

Today an organization of any size and financial means has access to the very best enterprise security. Google Apps provides 2-Step Verification, Mobile Device Management, security and audit reports, compliance and eDiscovery tooling, DLP, and the APIs only a true cloud computing service can offer, which enable even more visibility through partner services such as CloudLock and BetterCloud. These controls protect PHI only when they are actually enforced, so 2-Step Verification should be required for every account rather than merely made available, and the audit reports should be reviewed regularly.