This article is about Google Apps for high-security accounts, including (but not limited to):
- Most accounts in Health Care Components (also referred to as the HCC or AHC)
- Accounts that work with sensitive research data, such as protected health information (PHI)
- Accounts with access to the personally identifiable information (PII) for students or staff members
In this article:
- Business Associate Agreement (BAA)
- Ensuring HIPAA Compliance on Your Mobile Device
- Which Google Applications Are Available For BAA Accounts?
- Requesting Access to Additional Apps
Business Associate Agreement (BAA)
For security and legal reasons, extra precautions must be put in place for anyone who might be receiving Protected Health Information (PHI) or other sensitive data through their email. The University of Minnesota and Google have reached an agreement that will allow all Academic Health Center (AHC) colleges, centers, and departments with access to PHI to use Google Apps accounts.
This agreement, known as a Business Associate Agreement (BAA), protects PHI in accordance with HIPAA guidelines.
Ensuring HIPAA Compliance on Your Mobile Device
To access your UMN Google Workspace account through a mobile device, you must ensure the device is HIPAA compliant.
To ensure HIPAA compliance on your personal mobile device, you must:
- Set a passcode for your device.
  - You may be prompted to set a passcode after you add your University email account to your phone.
  - If you are not prompted, do this manually.
- Follow the instructions in Setting up Mobile Devices for Accounts with Access to HIPAA or Other Sensitive Data to enable access to Gmail and other Google Apps (Calendar, Drive, etc.) on your mobile device.
- Only use your UMN Google Workspace account with work-specific applications.
Which Google Applications Are Available For BAA Accounts?
Available Google Apps & Websites
The University restricts certain features of available apps in order to safeguard protected health information (PHI) and other sensitive data. Google Apps are restricted for BAA members on both mobile and desktop devices.
Restrictions include (but are not limited to) the following:
- Gmail
  - Access via web browser (mail.umn.edu) is not restricted.
  - Access through mobile device applications is restricted.
    - You must use the official Gmail App with the Google Device Policy App installed and configured on your device.
    - For more information, refer to Setting up Mobile Devices for Accounts with Access to HIPAA or Other Sensitive Data.
  - Third-party desktop and mobile email apps (such as AppleMail, Thunderbird, Outlook, and SamsungMail) are not authorized for use with BAA Accounts.
- Google Calendar
  - Access via web browser (calendar.umn.edu) is not restricted.
  - Access through mobile device applications is restricted.
    - You must use the official Google Calendar App with the Google Device Policy App installed and configured on your device.
    - For more information, refer to Setting up Mobile Devices for Accounts with Access to HIPAA or Other Sensitive Data.
- Google Chat
  - Access via web browser at mail.google.com and chat.google.com is not restricted.
  - History for chats is disabled and cannot be turned on.
  - Any Spaces you create are restricted to either Private invitation or your UMN campus domain.
    - External members (including both non-University email addresses and University community members with a different Google campus domain) cannot be added.
- Google Drive
  - Access via web browser (drive.google.com) is not restricted.
  - Access through mobile device applications is restricted.
    - You must use the Google Drive App with the Google Device Policy App installed and configured on your device.
    - For more information, refer to Setting up Mobile Devices for Accounts with Access to HIPAA or Other Sensitive Data.
  - Storing PHI in Google Drive is not HIPAA compliant.
    - Use compliant storage options instead, such as Box Secure Storage.
- Google Groups
  - Groups are hidden from the UMN Groups Directory.
  - Only Group Managers can view member email addresses.
  - Groups are only accessible through the groups.google.com website for UMN accounts in the same campus domain.
  - Users from a different University of Minnesota Google campus domain than the Google Group itself can still sign up and may be able to send and receive emails (depending on Group configuration). However, they will not be able to access the group's Google Group web interface at groups.google.com.
    - Example 1: A Twin Cities Google Group ([email protected]) cannot be accessed via the Google Groups website by an individual with a University of Minnesota Duluth email address ([email protected]).
    - Example 2: A Twin Cities Google Group ([email protected]) cannot be accessed via the Google Groups website by any individual using a personal email address ([email protected]).
- Google Meet
  - Access is available via web browser (calendar.umn.edu) when you Add video conferencing to a scheduled meeting.
  - Recording is not available to HCC members.
Google Apps & Services That Are Not Available
Several other apps and services are not available for BAA users. These include, but are not limited to:
- Google Ads
- Google Analytics
- Google Classroom (classroom.google.com)
- Google Maps
- Google Photos
- Google Sites (sites.google.com)
- Google Takeout
  - Tooling that enables automated data transfer is not authorized for use with BAA accounts.
- Sync via Google Chrome web browser
- Third-party desktop and mobile email applications
  - Third-party applications for email access are not authorized for use with BAA Accounts.
  - This includes applications such as AppleMail, Thunderbird, Outlook, and SamsungMail.
  - For more information on how to set up access to your UMN Google Workspace account on your mobile device, refer to Setting up Mobile Devices for Accounts with Access to HIPAA or Other Sensitive Data.
- Google Translate
- YouTube
  - You cannot view or post content on YouTube while signed into your UMN Google Workspace account.
Requesting Access to Additional Apps
You can request that your account be granted access to the following apps if you have a business need to do so, you do not work with PHI, and your need does not involve using the application(s) with PHI:
- Access to Google Analytics
- Access to Google Sites (sites.google.com)
- Post/Edit YouTube/Google+ content
Note that if your need involves using these applications and services with PHI, your request will not be granted.
To request access, review and complete the Google Apps Exception for BAA Members request form.
Once you have submitted this form, it will be reviewed by the relevant stakeholders, including the Health Information Privacy and Compliance Office (HIPCO).