Is Google Docs HIPAA compliant? Are HIPAA-covered entities allowed to upload files containing protected health information (PHI) to Google Docs without violating HIPAA Rules? Let us evaluate Google Docs and see if it is HIPAA compliant to determine whether the service can be utilized by HIPAA-covered entities or business associates in conjunction with ePHI.
Is Google Docs Encrypting Data?
For Google Docs to be considered HIPAA compliant, saved files should be encrypted. Data need to be encrypted in transit and storage. Google utilizes 128-bit Advanced Encryption Standard (AES) in its platform to secure data in transit and for files stored in its data centers.
Is Google a Conduit or Not?
The Department of Health and Human Services explained in its guidance that cloud service providers are not generally categorized as conduit. Hence, the HIPAA Conduit Exception Rule is not applicable. Rather, cloud service providers are categorized as business associates, even though the service provider doesn’t access or view the data saved in client accounts.
Is Google Willing to Sign a Business Associate Agreement for Google Docs?
Since Google Docs is considered a business associate, before using Google Docs with any ePHI, it is necessary to have a business associate agreement signed by Google. A lot of cloud service providers offer BAA’s to HIPAA-covered entities. However, it is necessary to examine the BAA to determine if a specific service is covered.
Google will sign a BAA with its customers purchasing G Suite Enterprise. The terms of the BAA specifically mention that Google Docs is part of Google Drive, and that it is covered by the BAA.
Google definitely says that healthcare providers covered by HIPAA Rules should not utilize G Suite for files with ePHI until a BAA has been signed. Google isn’t accountable for improper use of its services. The covered entity or business associate is responsible for using the service in a manner compliant with HIPAA Rules. That means access controls must be configured and taff must be trained on use of the service. Google provides a handy guide that HIPAA covered entities can use to help them set up G Suite properly.
Is Google Docs HIPAA Compliant?
No software program or cloud platform is 100% HIPAA compliant. How the service is utilized determines HIPAA compliance not the controls that are put in place by the service provider. Having said that, entities can use Google Docs without breaking HIPAA Rules.
Prior to uploading any file containing ePHI to Google Docs, it is necessary to get a signed BAA from Google first. Then, users of Google Docs must be trained on its use and the requirements of HIPAA with respect to use of the service with ePHI.
Files with ePHI should only be uploaded to private accounts. they must not be publicly accessible. Permissions must be specified to make certain only authorized people access the documents/accounts. Also, be sure not to use PHI in the names of files uploaded to Google Docs.
If following the above guidelines, Google Docs can be considered HIPAA compliant.