Is Google Docs HIPAA Compliant?
Google Docs is HIPAA compliant and can be used by covered entities and business associates to create and transmit Protected Health Information if the service is included in a HIPAA enabled Google Workspace account which is configured to restrict sharing permissions and disable add-ons.
Google Docs is a word processing service that can be used to create, edit, and store documents online or offline. When used as an online service, documents created in Google Docs can be shared with colleagues, who, depending on what permissions apply, can view, comment on, or edit the document. Documents can also be shared within Google Groups and Workspace domains.
In the healthcare industry, Google Docs can be used to create and share patient care plans, manage schedules, and distribute information. In the latter use case, Google Docs can be used (for example) to inform workforces of changes to HIPAA Rules, how the changes impact workplace policies and procedures, and when HIPAA training is scheduled for those affected by the changes.
However, when using Google Docs to create and share patient care plans, it is necessary to make Google Docs HIPAA compliant before Protected Health Information is disclosed to Google. This involves subscribing to a HIPAA enabled Google Workspace account, configuring the account to support HIPAA compliance, and training members of the workforce on how to use Google Docs in compliance with HIPAA.
Making Google Docs HIPAA Compliant
The free version of Google Docs in the Chrome browser and individual Workspace plans do not support HIPAA compliance because the services in these versions do not have "covered functionality". Therefore, the first stage of making Google Docs HIPAA compliant is to subscribe to a Google Workspace Business or Enterprise plan with the capabilities to use Google Docs in compliance with HIPAA.
There is a choice of suitable plans available depending on the nature of an organization's activities, the size of its workforce, its non-profit status, and what security measures already exist. For example, organizations with a significant remote workforce may be better suited to a Business "Plus" or Enterprise plan that includes the capabilities to better manage the security of data maintained on mobile devices.
In some cases, it may be beneficial to conduct a HIPAA risk assessment in order to determine whether capabilities such as S/MIME encryption, LDAP connections, and context-aware access are necessary or not. The HIPAA risk assessment should not only take the level of "covered functionality" into account, but also the security awareness of workforce members who will ultimately be using Google Docs.
Accepting the Google Business Associate Addendum
To make the Google Workspace account HIPAA enabled, it is necessary for a user with administrator privileges to agree to Google's HIPAA Business Associate Addendum. This involves navigating to the Legal and Compliance page in the account settings, reviewing the Addendum, answering three questions to confirm the organization is a HIPAA regulated entity, and clicking "OK".
The Addendum is a standard Business Associate Agreement inasmuch as it includes the necessary statements to comply with §164.308(a) and §164.314(a) of the HIPAA Security Rule and §164.504(e) of the HIPAA Privacy Rule. However, it is worth mentioning that the Addendum excuses Google from two HIPAA compliance requirements:
- Clause 6(c) gives notice of unsuccessful "security incidents", excusing Google from reporting future unsuccessful security incidents as required by §164.314(a) of the HIPAA Security Rule.
- Clause 8 states it is the customer's responsibility to maintain PHI in designated record sets, excusing Google from responding to patients who approach Google to exercise their right of access and right of amendment.
These clauses are common in Business Associate Agreements between covered entities and software providers. Nonetheless, it may be important for covered entities to carefully review the Google HIPAA Business Associate Addendum before agreeing to it in case there are other clauses that do not align with the organization's compliance practices or procedures.
Configuring Google Docs to be HIPAA Compliant
The next stage of making Google Docs HIPAA compliant is to configure Google Docs and other services in the Google Workspace account to support HIPAA compliance. To help covered entities with this stage, Google has produced a HIPAA Implementation Guide which provides more information about customers' responsibilities and details on how to configure individual services.
In the context of configuring Google Docs to be HIPAA compliant, the Guide explains how administrators can control the visibility of documents and restrict sharing permissions to ensure documents containing PHI are not shared outside of the organization. It is also advisable to disable the option to allow Google Docs add-ons, as some add-ons in the Google Workspace Marketplace do not support HIPAA compliance.
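Restricting sharing permissions is only effective if it is verified. The following is an added example, not code from the article or from Google, showing how an administrator could audit a set of file permission records for anything that grants access outside the organization (anyone-with-link, an external domain, or an external user or group). The record layout mirrors the field names of the Google Drive API v3 permissions resource (type, role, emailAddress, domain, allowFileDiscovery), but the data is constructed inline and the organization domain is an assumed placeholder; no API calls are made.

```python
# Added example (not from the original article or from Google): audit Drive
# permission records for files shared outside the organization. Field names
# follow the Drive API v3 "permissions" resource; the data is constructed.

ORG_DOMAIN = "example-clinic.test"  # assumed organization domain (placeholder)

# Constructed sample: each entry is a file with its permission list.
SAMPLE_FILES = [
    {"id": "f1", "name": "Care plan - ward 3",
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "nurse@example-clinic.test"},
         {"type": "user", "role": "writer", "emailAddress": "dr@example-clinic.test"},
     ]},
    {"id": "f2", "name": "Schedule",
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "admin@example-clinic.test"},
         {"type": "anyone", "role": "reader", "allowFileDiscovery": False},
     ]},
    {"id": "f3", "name": "Discharge summaries",
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "admin@example-clinic.test"},
         {"type": "user", "role": "commenter", "emailAddress": "vendor@partner.test"},
         {"type": "domain", "role": "reader", "domain": "partner.test"},
     ]},
]

def is_external(perm, org_domain):
    """Return a reason string if this permission grants access outside org_domain, else None."""
    ptype = perm.get("type")
    if ptype == "anyone":  # link sharing: anyone holding the link can open the file
        return "anyone-with-link" + (" (discoverable)" if perm.get("allowFileDiscovery") else "")
    if ptype == "domain":  # whole-domain sharing is fine only for our own domain
        dom = perm.get("domain", "").lower()
        return None if dom == org_domain else f"domain:{dom}"
    if ptype in ("user", "group"):  # individual or group grants outside the org domain
        email = perm.get("emailAddress", "").lower()
        return None if email.endswith("@" + org_domain) else f"{ptype}:{email}"
    return f"unknown-type:{ptype}"

def external_shares(files, org_domain=ORG_DOMAIN):
    """List (file id, file name, role, reason) for every externally shared file."""
    findings = []
    for f in files:
        for perm in f.get("permissions", []):
            reason = is_external(perm, org_domain.lower())
            if reason:
                findings.append((f["id"], f["name"], perm.get("role"), reason))
    return findings

if __name__ == "__main__":
    for finding in external_shares(SAMPLE_FILES):
        print(finding)
```

In a real deployment the permission lists would come from the Drive API listing of the shared drives or users under review, and any finding would be reconciled against the organization's list of business associates.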
Finally, it is important that members of the workforce are trained on how to use Google Docs in compliance with HIPAA. The training should include an explanation of what controls have been implemented, and why, to discourage users from circumventing the controls "to get the job done". Members of the workforce should also be told not to include PHI in the titles of documents and folders, and not to share login credentials to the Google Workspace account.
Conclusion
Google Docs and other services in the Google Workspace suite can help streamline collaboration and improve productivity. When using Google Docs to create and share patient care plans, or for any other purpose in which PHI is disclosed to a Google service, it is important to make Google Docs HIPAA compliant.
Making Google Docs HIPAA compliant involves subscribing to an appropriate plan (possibly based on a HIPAA risk assessment), accepting Google's Business Associate Addendum, configuring Google Docs to support HIPAA compliance, and training members of the workforce how to use Google Docs in compliance with HIPAA.
Covered entities and business associates who require assistance with selecting an appropriate plan or configuring it to support HIPAA compliance are advised to discuss their requirements with Google. Covered entities and business associates who require assistance with conducting a HIPAA risk assessment or workforce training are advised to seek independent compliance advice.