Google Apps for Accounts with Access to HIPAA or Other Sensitive Data

This article is about Google Apps for high-security accounts, including (but not limited to):

  • Most accounts in Health Care Components (also referred to as the HCC or AHC)
  • Accounts that work with sensitive research data, such as protected health information (PHI)
  • Accounts with access to the personally identifiable information (PII) for students or staff members

Business Associate Agreement (BAA)

For security and legal reasons, extra precautions must be put in place for anyone who might be receiving Protected Health Information (PHI) or other sensitive data through their email. The University of Minnesota and Google have reached an agreement that will allow all Academic Health Center (AHC) colleges, centers, and departments with access to PHI to use Google Apps accounts.

This agreement, known as a Business Associate Agreement (BAA), protects PHI in accordance with HIPAA guidelines. 

Ensuring HIPAA Compliance on Your Mobile Device 

To access your UMN Google Workspace account through a mobile device, you must ensure the device is HIPAA compliant.

To ensure HIPAA compliance on your personal mobile device, you must:

  • Set a passcode for your device.
    • You may be prompted to set a passcode after you add your University email account to your phone.
    • If you are not prompted, do this manually.
  • Follow the instructions in Setting up Mobile Devices for Accounts with Access to HIPAA or Other Sensitive Data to enable access to Gmail and other Google Apps (Calendar, Drive, etc.) on your mobile device.
  • Only use your UMN Google Workspace account with work-specific applications. 

Which Google Applications Are Available For BAA Accounts?

Available Google Apps & Websites

The University restricts certain features of available apps in order to safeguard protected health information (PHI) and other sensitive data. Google Apps are restricted for BAA members on both mobile and desktop devices.

Restrictions include (but are not limited to) the following:

  • Gmail  
    • Access via web browser (mail.umn.edu) is not restricted.
    • Access through mobile device applications is restricted.
    • Third-party desktop and mobile email apps (such as AppleMail, Thunderbird, Outlook, and SamsungMail) are not authorized for use with BAA Accounts.
  • Google Calendar
  • Google Chat
    • Access via web browser at mail.google.com and chat.google.com is not restricted. 
    • History for chats is disabled and cannot be turned on. 
    • Any Spaces you create are restricted to either Private invitation or your UMN campus domain.
      • External members (including both non-University email addresses and University community members with a different Google campus domain) cannot be added.
  • Google Drive
  • Google Groups
    • Groups are hidden from the UMN Groups Directory.
    • Only Group Managers can view member email addresses.
    • Groups are only accessible through the groups.google.com website for UMN accounts in the same campus domain. 
      • Users from a different University of Minnesota Google campus domain than the Google Group itself can still sign up and may be able to send and receive emails (depending on Group configuration). However, they will not be able to access the group's Google Group web interface at groups.google.com.
      • Example 1: A Twin Cities Google Group ([email protected]) cannot be accessed via the Google Groups website by an individual with a University of Minnesota Duluth email address ([email protected]).
      • Example 2: A Twin Cities Google Group ([email protected]) cannot be accessed via the Google Groups website by any individual using a personal email address ([email protected]). 
  • Google Meet
    • Access is available via web browser (calendar.umn.edu) when you Add video conferencing to a scheduled meeting.
    • Recording is not available to HCC members.

Google Apps & Services That Are Not Available 

Several other apps and services are not available for BAA users. These include, but are not limited to:

  • Google Ads
  • Google Analytics
  • Google Classroom (classroom.google.com)
  • Google Maps
  • Google Photos
  • Google Sites (sites.google.com)
  • Google Takeout
    • Tooling that enables automated data transfer is not authorized for use with BAA accounts.
  • Sync via Google Chrome web browser
  • Third-party desktop and mobile email applications
  • Google Translate
  • YouTube
    • You cannot view or post content on YouTube while signed into your UMN Google Workspace account.

Requesting Access to Additional Apps

You can request that your account be granted additional access to the following apps if you have a business need, you do not work with PHI, and your need does not involve using the application(s) with PHI:

  • Access to Google Analytics
  • Access to Google Sites (sites.google.com)
  • Post/Edit YouTube/Google+ content

Note that if your need involves using these applications and services with PHI, your request will not be granted.

To request access, review and complete the Google Apps Exception for BAA Members request form. 

Once you have submitted this form, it will be reviewed by the relevant stakeholders, including the Health Information Privacy and Compliance Office (HIPCO).

TDX ID
3935