Is Google Docs HIPAA Compliant?

HIPAAGuide.net

Google Docs is HIPAA compliant and can be used by covered entities and business associates to create and transmit Protected Health Information if the service is included in a HIPAA enabled Google Workspace account which is configured to restrict sharing permissions and disable add-ons.

Google Docs is a word processing service that can be used to create, edit, and store documents online or offline. When used as an online service, documents created in Google Docs can be shared with colleagues, who – depending on what permissions apply – can view, comment on, or edit the document. Documents can also be shared within Google Groups and Workspace domains.

In the healthcare industry, Google Docs can be used to create and share patient care plans, manage schedules, and distribute information. In the latter use case, Google Docs can be used (for example) to inform workforces of changes to HIPAA Rules, how the changes impact workplace policies and procedures, and when HIPAA training is scheduled for those affected by the changes.

However, when using Google Docs to create and share patient care plans, it is necessary to make Google Docs HIPAA compliant before Protected Health Information is disclosed to Google. This involves subscribing to a HIPAA enabled Google Workspace account, configuring the account to support HIPAA compliance, and training members of the workforce on how to use Google Docs in compliance with HIPAA.

Making Google Docs HIPAA Compliant

The free version of Google Docs in the Chrome browser and individual Workspace plans do not support HIPAA compliance because the services in these versions do not have “covered functionality”. Therefore, the first stage of making Google Docs HIPAA compliant is to subscribe to a Google Workspace Business or Enterprise plan with the capabilities to use Google Docs in compliance with HIPAA.

There is a choice of suitable plans available depending on the nature of an organization’s activities, the size of its workforce, its non-profit status, and what security measures already exist. For example, organizations with a significant remote workforce may be better suited to a Business “Plus” or Enterprise plan that includes the capabilities to better manage the security of data maintained on mobile devices.


In some cases, it may be beneficial to conduct a HIPAA risk assessment in order to determine whether capabilities such as S/MIME encryption, LDAP connections, and context aware access are necessary or not. The HIPAA risk assessment should not only take the level of “covered functionality” into account, but also the security awareness of workforce members who will ultimately be using Google Docs.

Accepting the Google Business Associate Addendum

To make the Google Workspace account HIPAA enabled, it is necessary for a user with administrator privileges to agree to Google’s HIPAA Business Associate Addendum. This involves navigating to the Legal and Compliance page in the account settings, reviewing the Addendum, answering three questions to confirm the organization is a HIPAA regulated entity, and clicking “OK”.

The Addendum is a standard Business Associate Agreement inasmuch as it includes the necessary statements to comply with §164.308(a) and §164.314(a) of the HIPAA Security Rule and §164.504(e) of the HIPAA Privacy Rule. However, it is worth mentioning the Addendum excuses Google from two HIPAA compliance requirements:

  • Clause 6(c) gives notice of unsuccessful “security incidents” – excusing Google from reporting future unsuccessful security incidents as required by §164.314(a) of the HIPAA Security Rule.
  • Clause 8 states it is the customer’s responsibility to maintain PHI in designated record sets – excusing Google from responding to patients who approach Google to exercise their right of access and right of amendment.

These clauses are common in Business Associate Agreements between covered entities and software providers. Nonetheless, it may be important for covered entities to carefully review the Google HIPAA Business Associate Addendum before agreeing to it in case there are other clauses that do not align with the organization’s compliance practices or procedures.

Configuring Google Docs to be HIPAA Compliant

The next stage of making Google Docs HIPAA compliant is to configure Google Docs and other services in the Google Workspace account to support HIPAA compliance. To help covered entities with this stage, Google has produced a HIPAA Implementation Guide which provides more information about customers’ responsibilities and details on how to configure individual services.

In the context of configuring Google Docs to be HIPAA compliant, the Guide explains how administrators can control the visibility of documents and restrict sharing permissions to ensure documents containing PHI are not shared outside of the organization. It is also advisable to disable the option to allow Google Docs add-ons, as some add-ons in the Google Workspace Marketplace do not support HIPAA compliance.

Finally, it is important that members of the workforce are trained on how to use Google Docs in compliance with HIPAA. The training should include an explanation of what controls have been implemented – and why – to discourage users from circumventing the controls “to get the job done”. Members of the workforce should also be told not to include PHI in the titles of documents and folders, and not to share login credentials to the Google Workspace account.

Conclusion

Google Docs and other services in the Google Workspace suite can help streamline collaboration and improve productivity. When using Google Docs to create and share patient care plans – or for any other purpose in which PHI is disclosed to a Google service – it is important to make Google Docs HIPAA compliant.

Making Google Docs HIPAA compliant involves subscribing to an appropriate plan (possibly based on a HIPAA risk assessment), accepting Google’s Business Associate Addendum, configuring Google Docs to support HIPAA compliance, and training members of the workforce how to use Google Docs in compliance with HIPAA.

Covered entities and business associates who require assistance with selecting an appropriate plan or configuring it to support HIPAA compliance are advised to discuss their requirements with Google. Covered entities and business associates who require assistance with conducting a HIPAA risk assessment or workforce training are advised to seek independent compliance advice.

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/