TC Technology Knowledge Base

Data Protection Best Practices for using your Google HIPAA account

Updated on

  • Gmail

If Gmail is used to email groups of individuals or mailing lists, it's advised to use the “Bcc:” field instead of the “To:” field so recipients of the email are hidden from each other. Additionally, recipients in the “Bcc” field are not copied in subsequent “Reply” and “Reply All” threads.

  • Calendar

To limit exposure of PHI within the domain, users should consider setting calendar entries to “Private” for calendar entries that contain PHI. Calendar provides a feature that can add a link to a Hangout video meeting to the Calendar entry.

  • Drive

Users can choose how visible files and folders are, as well as the editing and sharing capabilities of collaborators, when sharing files in Google Drive (including Docs, Sheets, Slides, and Forms). When creating and sharing files in Google Drive (including Docs, Sheets, Slides, and Forms) it is recommended that users avoid putting PHI in titles of such files, folders, or Shared (Team) Drives

  • Hangouts Chat

It is recommended that users start a new conversation when adding multiple members to a chat conversation. Additionally, users should refrain from using PHI in group chat naming. New members that are added to group chats will be able to see previous chat history.

  • Meet

Meet allows users to record meetings which are then saved to the Drive of the meeting owner. The recording is saved in MP4 format and is a regular file in Drive with all Drive controls available. The recording is automatically shared with guests invited to the Calendar event. Chat messages sent during a recorded call are preserved as a .txt file alongside the recording.

  • Google Groups

Individual group owners can access additional permissions located under the “Manage > Permissions” section of the group’s settings. These elections further control access to who can join and view, post, edit, and delete posts within a specific group. 

Groups posts are stored until deleted by a user. The email archive of a group can be deleted via “Manage > Information > Advanced” section. Note that deleting a group is permanent and deletes everything related to the group including memberships.

If creating groups to manage mailing lists, careful consideration should be made when naming and emailing the group so it does not expose the PHI of the members of the group. Using the “to:” field instead of the “bcc:” field when emailing groups (i.e. mailing lists) will expose any individual that “Reply all” to the email as other recipients on the email thread will be able to see the individual's response.

If Groups is used as a collaborative inbox, note that all collaborators will be able to see emails sent to the collaborative inbox and access should be restricted accordingly. Any PHI that is sent to or from the collaborative inbox will be visible to all collaborators and may expose an individual's PHI. Careful consideration should be made when naming the collaborative inbox so PHI would not be exposed when individuals receive emails from such inboxes.

Previous Article Record Meet sessions in your Google HIPAA account