Is Google Docs HIPAA Compliant?

Google Docs is HIPAA compliant and can be used to create, store, or share PHI (via Google Drive) when the service is used as part of an enterprise Google Workspace account that is configured to support HIPAA compliance and covered by a Business Associate Addendum to the Workspace Terms of Service. In all other cases – for example, if used as part of a personal Workspace account – Google Docs is not HIPAA compliant.

Does Google Docs Encrypt Data?

For Google Docs to be considered HIPAA compliant, saved files should be encrypted. Data needs to be encrypted both in transit and at rest. Google utilizes 128-bit Advanced Encryption Standard (AES) in its platform to secure data in transit and for files stored in its data centers.

Is Google a Conduit or Not?

The Department of Health and Human Services explained in its guidance that cloud service providers are not generally categorized as conduits. Hence, the HIPAA Conduit Exception Rule is not applicable. Rather, cloud service providers are categorized as business associates, even if the service provider does not access or view the data saved in client accounts.

Is Google Willing to Sign a Business Associate Agreement for Google Docs?

Since Google Docs is considered a business associate, before using Google Docs with any ePHI, it is necessary to have a business associate agreement with Google. Google does not enter into individual business associate agreements, but offers a standard one-size-fits-all HIPAA compliant Business Associate Addendum to the Workspace Terms of Service which specifically covers Google Docs as part of Google Drive.

Google states that healthcare providers covered by HIPAA must not disclose ePHI on any Workspace service until a BAA has been signed. Google is not accountable for improper use of its services. The covered entity or business associate is responsible for using the service in a manner compliant with HIPAA Rules. That means access controls must be configured and members of the workforce must be trained on use of the service. Google provides a handy implementation guide that HIPAA covered entities can use to help them configure Workspace services compliantly.

Is Google Docs HIPAA Compliant?

No software program or cloud platform is 100% HIPAA compliant. How the service is configured and utilized determines HIPAA compliance, not the default controls put in place by the service provider. Having said that, entities can use Google Docs without breaking HIPAA Rules.

Prior to uploading any file containing ePHI to Google Docs, it is necessary to obtain a signed BAA from Google. Then, users of Google Docs must be trained on its use and on the requirements of HIPAA with respect to using the service with ePHI.

Files with ePHI should only be uploaded to managed accounts, and they must not be publicly accessible. Permissions must be configured to ensure that only authorized people can access the documents and accounts. Also, be sure not to use PHI in the names of files uploaded to Google Docs.

If the above guidelines are followed, Google Docs can be considered HIPAA compliant.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focuses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/