GReminders is HIPAA Compliant with a BAA.
TLDR, Yes GReminders, Google Calendar (part of Google’s Workspace), Microsoft Outlook Calendar (part of Microsoft Office 365 Suite or Outlook.com) are ALL HIPAA Compliant with a BAA (Business Associates Agreement).
Do the following to get HIPAA Compliant:
for Google Calendar / Google Workspace:
- Sign in to your Google Admin console https://admin.google.com/
- Sign in using an account with super administrator privileges (does not end in @gmail.com).
- From the Admin console Home page, go to Account settings and then Legal & compliance.
- From the Legal and Compliance page, scroll to Security and Privacy Additional Terms.
- Click Google Workspace/Cloud Identity HIPAA Business Associate Amendment to view the amendment.
- To start the review, click Not Accepted, and then click Review and Accept.
- Answer all three questions, and if you are confirmed as a HIPAA covered entity, click I accept to accept the HIPAA BAA.
For more please visit: https://support.google.com/a/answer/3407074?hl=en
You can also read more about the HIPAA Implementation Guide for Google Cloud/Workspace: https://services.google.com/fh/files/misc/gsuite_cloud_identity_hipaa_implementation_guide.pdf
Please note Google Contacts Feature is NOT HIPAA compliant. This is a feature that is excluded from Google’s BAA and thus not recommended to be used for users who need HIPAA compliance.
for Microsoft Office 365
All Microsoft Office 365 are automatically covered by the default Microsoft BAA that you enter into when you use/license their Office 365 Servies. You can download the Microsoft BAA found here: https://aka.ms/BAA
For more information please visit: https://docs.microsoft.com/en-us/microsoft-365/compliance/offering-hipaa-hitech?view=o365-worldwide
Please email [email protected] to get a BAA Executed (We will send you a Business Associates Agreement for E-signature). You must be on a HIPAA supported paid plan.
Note: You do not need to use Contact Matching with GReminders (Even though your BAA will cover your Contacts in GReminders, but may not when used with Google Contacts). Nonetheless, you still need to accept the permissions request when signing into GReminders via Google; if you do not enable this feature in GReminders, GReminders will not sync or touch your Contacts.
What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.
In short it protects consumers and their medical information, and how this information can be shared ONLY with their consent. If you do not share medical information with other providers, HIPAA does not apply to you.
What is a BAA?
A BAA is a Business Associate Agreement. A BAA satisfies HIPAA regulations and creates a bond of liability between you the customer and us the service provider.
If for example you use GReminders to schedule a meeting or send a reminder with a customer and that Calendar event includes a name, phone number, medical procedure information, etc… and GReminders for some reason leaks this information to another provider, GReminders is in breach of a BAA. Assuming you executed a BAA with GReminders, GReminders is on the hook for this breach.
So, if you are a medical/professional office that is using Google, Microsoft Calendars and GReminders, it is a good idea to execute a BAA with all service providers you do business with.
Here is a great article on things you should do to stay HIPAA compliant.
If you have any questions please contact [email protected]