When it comes to using email in private practice, HIPAA needs to be top of mind for all therapists. But it’s not always clear which email options are HIPAA compliant. I’m personally a big fan of G Suite, but there’s more to making your email HIPAA secure than just signing up for G Suite. In this article, I show you each step to take in order to ensure your email is HIPAA compliant.
If you haven’t heard of G Suite, it’s Google’s suite of services (including Gmail, Google Docs, Google Calendar, Google Forms, and more) adapted for businesses.
In my opinion, G Suite is a great option for therapists in private practice.
Benefits of Using G Suite as HIPAA Compliant Email for Therapists
There are several options out there if you’re a therapist looking for HIPAA compliant email. Personally, I think G Suite is one of the best options available. Here are some of the benefits of using G Suite in private practice:
- Have your domain name in your professional email.
- Have a fully HIPAA-secure platform. This encompasses not just your email, but your professional calendar, Google Drive, Google Forms and more!
- Starting at six dollars per month, it’s an incredibly affordable option.
There are TONS of functions G Suite offers therapists in private practice beyond just email. But for the purposes of this article, let’s focus on how to make G Suite HIPAA secure so you can have HIPAA compliant email set up for private practice.
The Role of a BAA in HIPAA Compliance
In order to make any online software HIPAA-secure, you need to have a Business Associate Agreement or BAA with the software provider.
What is a Business Associate Agreement (BAA)?
BAA stands for Business Associate Agreement. A BAA is a legal contract between a healthcare provider and a contractor. HIPAA requires that all healthcare providers enter a BAA contract when exchanging protected health information (or PHI) with a contractor.
In short, if you want to use any type of software to transmit PHI, HIPAA requires that you enter a BAA contract with the contractor of that software.
This means ALL of us intending to use email to contact our clients must sign a BAA with our email service provider in order to be HIPAA compliant.
In the case of G Suite, you as the healthcare provider must enter a BAA contract with Google in order for the platform to be considered HIPAA secure.
How to Make G Suite HIPAA Compliant (step-by-step)
Google only offers the option to enter a BAA to those using the paid version of Google, called G Suite. At the time of this writing, G Suite’s introductory rate is six dollars per month. In my opinion, this is a steal of a deal considering that you have HIPAA-secure options not just for email, but for an array of apps included within G Suite.
I’m not going to lie, there are a few hoops to hop through in order to make G Suite HIPAA secure. If you don’t follow these steps, your G Suite will NOT be HIPAA secure. But have no fear, I break each step down with photos to make it as easy as possible.
Step 1: Choose a G Suite option
There are a few price points for G Suite. Pick the one that works best for you and set up an account. I’ve found the cheapest option works for my private practice needs. You can find the G Suite pricing options here.
Step 2: Continue with the setup process
I highly recommend you connect your website domain name to your email address. It’s easiest if you set this up right at the beginning. Having an email account that ends with your domain name allows you to appear more professional and builds trust with potential clients. For example, my email is email@example.com rather than firstname.lastname@example.org
Depending on where you bought your domain name, the process differs for connecting your domain to your email. If you’re interested in purchasing your domain directly from Google and getting everything set up all at once, you can do that here: Purchase domain name during sign up for G Suite
Step 3: Sign in to Google Admin Console
Now it’s time for the dirty work! This part can feel a bit tricky, so I’ve included pictures for every step. I remember that it took me forever to figure this out when I was making my G Suite HIPAA secure. So this is for all y’all who otherwise would be stuck on the internet for hours trying to sort this out (‘cuz that’s definitely what I had to do back in the day).
Sign in to the Google Admin Console
It looks like this once you get there:
Step 4: Click “Company Profile”
Step 5: Click “Show More”
Step 6: Click “Legal & Compliance”
Step 7: Accept G Suite HIPAA BAA
After scrolling to the bottom of the Legal & Compliance page, there is a section titled, “Security and Privacy Additional Terms.” In this section, select “G Suite/Cloud Identity HIPAA Business Associate Amendment” and then click “Review and Accept.”
(Note: The “review and accept” button does not appear on my page because I have already entered the BAA with G Suite before. But it appears here the first time you do it)
Step 8: Finalize BAA Agreement
After the previous step, there are a few questions to answer and after clicking “I Accept,” you’re all finished! Your G Suite is now HIPAA-secure.
Take a moment to do a little celebratory dance! *woot woot*
The Difference Between HIPAA Secure and HIPAA Compliant
Even though we often use “HIPAA secure” and “HIPAA compliant” interchangeably, they aren’t exactly synonymous. HIPAA secure refers to software that is enabled to be used in a manner that is compliant with HIPAA. It’s up to the individual therapist to use the HIPAA secure software in a HIPAA compliant way.
For example, just because my G Suite is HIPAA secure, it doesn’t mean it’s okay for me to forward an email message from a client to a friend. That is very much NOT HIPAA compliant, even though I used HIPAA secure software to do it.
To get the full rundown of what is HIPAA-secure vs. not through the G Suite BAA, I encourage you to look through Google’s Guide titled: “G Suite and Cloud Identity; HIPAA Implementation Guide.”
I know the process of finding HIPAA compliant email for therapists can be daunting! I hope you found this article helpful as you set up HIPAA-secure email through G Suite.
If you want to tag on a HIPAA secure phone line to your G Suite plan, you can do that too! Click here to watch my video walking you through the process of making Google Voice HIPAA secure.
You might also be interested in my article about HIPAA compliant credit card payment for therapists using Square.
Until next time, from one therapist to another: I wish you well!