Google Apps for Accounts with Access to HIPAA or Other Sensitive Data

This article is about Google Apps for high-security accounts. These accounts include, but are not limited to:

  • Most accounts in Health Care Components (also referred to as the AHC).
  • Accounts that work with sensitive research data.
  • Accounts with access to sensitive personal data of students/staff.

Business Associate Agreement (BAA)

For security and legal reasons, extra precautions must be put in place for anyone who might be receiving Protected Health Information (PHI) through their email. The University of Minnesota and Google have reached an agreement that will allow all Academic Health Center (AHC) colleges, centers, and departments with access to PHI to use Google Apps accounts.

This agreement, known as a Business Associate Agreement (BAA), protects PHI in accordance with HIPAA guidelines. 

Ensuring HIPAA Compliance on Your Personal Mobile Device 

If you want to access your account through a personal mobile device you must ensure HIPAA compliance on your device. To ensure HIPAA compliance on your personal mobile device you must:

Note: Further information can be found at z.umn.edu/hcc-device-security.

Which Applications Are Available For BAA Accounts?

Google Apps Websites are Available

People who fall under BAA have access to Google Apps through web interfaces, even on mobile devices without the Google Apps Device Policy App installed on them. These include, but are not limited to:

Google Apps Available With Restricted Features for BAA Accounts

The University restricts certain features of available apps in order to safeguard PHI. These restrictions include, but are not limited to:

  • Google Apps are restricted for BAA members on mobile devices and desktop apps. For more information, please see Setting up Mobile Devices for Accounts with Access to HIPAA or Other Sensitive Data.
    • Gmail 
      • Access through the web (mail.umn.edu) is not restricted.
      • Access through mobile devices is restricted. You must use the official Gmail App with the Google Device Policy App installed and configured on your device.
      • Third-party desktop and mobile email apps (such as AppleMail, Thunderbird, Outlook, and SamsungMail) are not authorized for use with BAA Accounts.
    • Google Calendar
      • Access through the web (calendar.umn.edu) is not restricted.
      • Access through mobile devices is restricted. You must use the official Google Calendar App with the Google Device Policy App installed and configured on your device.
    • Google Drive
      • Access through the web (drive.google.com) is not restricted.
      • Access through mobile devices is restricted. You must use the Google Drive App with the Google Device Policy App installed and configured on your device.
      • Storing PHI data on Google Drive is not HIPAA compliant. Please use compliant storage options such as Box.
    • Google Groups have the following limitations:
      • Hidden from the UMN Groups Directory
      • Only Group Managers can view member email addresses.
      • Groups are only accessible through the groups.google.com website, for UMN accounts in the same domain 
        • Example: People with a University of Minnesota Duluth email address ([email protected]) or a personal Gmail email address ([email protected]) cannot access a Twin Cities Google Group ([email protected]) through the groups.google.com website. 
        • Google Apps accounts from outside the Group's domain can still sign up and send and receive emails if the group is configured that way, but they will not be able to access the group's Google Group web interface.

Google Apps That Are Not Available for BAA Accounts

Several other apps are not available for BAA users. These include, but are not limited to:

  • Google Photos
  • Google Analytics
  • Google Hangouts Meet
  • Google Hangouts Chat
  • Google Sites (sites.google.com)
  • You cannot post or edit content on YouTube
    • You cannot view content on YouTube while signed in to your account, but you can by opening an incognito/private browsing window.
  • Third-party desktop and mobile email apps (such as AppleMail, Thunderbird, Outlook, and SamsungMail) are not authorized for use with BAA Accounts.

Requesting Access to Additional Apps

You can request additional access be granted for your account to the following apps if you believe you have a business need to do so, you do not work with PHI, and your business need does not involve using these apps with PHI:

  • Access Google Analytics
  • Access Google Hangouts Meet 
  • Access Google Sites (sites.google.com)
  • Post/Edit YouTube/Google+ content

To request access, please review and complete the Google Apps Exception for BAA Members request form. 

Important Note: Please keep in mind that if your need involves using these apps with PHI, your request will not be granted.

Once you have submitted the form, it will be reviewed by the Privacy Office, HST, and OIT Security. You may be contacted for additional information. If you have any questions about this process, contact [email protected].

Additional Support

Please contact Technology Help. You can call 612-301-4357 (1-HELP from any campus landline phone), chat with us, or email us 24 hours a day, 7 days a week.