Trying to decipher the HIPAA compliance of Google Drive can be confusing. HIPAA compliance relates less to the technology itself and more to how that technology is operated. Even a software solution or cloud service that is presented as HIPAA-compliant can be used in a fashion that breaches HIPAA Rules.
G Suite – previously Google Apps, of which Google Drive is a part – does adhere to HIPAA requirements. The service does not breach HIPAA Rules as long as HIPAA Rules are followed by its users.
G Suite includes all of the required controls to make it a HIPAA-compliant service and can therefore be used by HIPAA-covered entities to transmit PHI (in accordance with HIPAA Rules), provided the account is implemented properly and standard security practices are in place.
Using any software or cloud platform to manage protected health information requires the vendor of the service to complete a HIPAA-compliant business associate agreement (BAA) before the service is used with any PHI. Google provides a BAA for Google Drive (including Docs, Sheets, Slides, and Forms) and other G Suite apps for paid subscribers only.
Before using any Google service with PHI, it is important for a covered entity to review, sign and accept the business associate agreement (BAA) with Google. It should be remembered that PHI can only be sent or used via a Google service that is specifically referred to in the BAA. The BAA does not cover any third-party apps that are used along with G Suite. These must be avoided unless a completely separate BAA is completed with the provider/developer of that app.
The BAA does not mean a HIPAA covered entity is then free to implement the service with PHI. Google will take no responsibility for any improper configuration of G Suite. It is the responsibility of the covered entity to ensure the services are configured properly.
Covered entities should remember that Google encrypts all data saved on Google Drive, but that encryption is only server side. If files are downloaded or synced, additional control measures will be required to safeguard data on devices. HIPAA-compliant syncing is outside the scope of this article, and it is recommended that syncing is switched off.
To prevent a HIPAA violation, covered entities must:
- Obtain a BAA from Google before using G Suite to manage PHI
- Configure access controls properly
- Use 2-factor authentication for account access
- Use strong and safe passwords
- Switch off file syncing
- Turn link sharing to off
- Limit sharing of files outside the domain (Google offers advice if external access is needed)
- Set document visibility settings to private
- Switch off third-party apps and add-ons
- Do not allow offline storage for Google Drive
- Do not allow access to apps and add-ons
- Review access and account logs and shared file reports constantly
- Configure ‘manage alerts’ to make sure the administrator is made aware of any changes to settings
- Back up all data saved on Google Drive
- Make sure employees are trained properly on the use of Google Drive and other G Suite apps
- Never use ‘PHI’ in the titles of files
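Several of the checklist items above (private visibility, no link sharing, no sharing outside the domain, no 'PHI' in file titles) can be checked mechanically when reviewing shared-file reports. The following is an added example, not code from the article or from Google: it audits constructed report rows in a simplified shape (the field names `title`, `owner`, `visibility` and `shared_with`, and the domain `clinic.example`, are assumptions, not Google's real report format).

```python
import re

ORG_DOMAIN = "clinic.example"  # assumed G Suite domain of the covered entity

# Constructed sample rows in a simplified shape; not Google's real report format.
SAMPLE_REPORT = [
    {"title": "Q3 billing summary", "owner": "alice@clinic.example",
     "visibility": "private", "shared_with": ["bob@clinic.example"]},
    {"title": "PHI - intake forms", "owner": "carol@clinic.example",
     "visibility": "anyone_with_link", "shared_with": []},
    {"title": "Referral letter", "owner": "dave@clinic.example",
     "visibility": "private", "shared_with": ["lab@partner-lab.example"]},
]

# Matches the word PHI on its own, so "PHI - intake forms" hits but "Delphi" does not.
PHI_IN_TITLE = re.compile(r"\bPHI\b", re.IGNORECASE)


def is_external(address, org_domain):
    """True when an address does not belong to the organisation's own domain."""
    return not address.lower().endswith("@" + org_domain.lower())


def audit_row(row, org_domain=ORG_DOMAIN):
    """Return the checklist items a single report row violates (empty if none)."""
    findings = []
    if row["visibility"] != "private":
        findings.append("visibility is not private (link sharing appears to be on)")
    external = [a for a in row["shared_with"] if is_external(a, org_domain)]
    if external:
        findings.append("shared outside the domain: " + ", ".join(external))
    if PHI_IN_TITLE.search(row["title"]):
        findings.append("file title contains 'PHI'")
    return findings


def audit_report(rows, org_domain=ORG_DOMAIN):
    """Map each non-compliant file title to its findings; compliant rows are omitted."""
    findings = {row["title"]: audit_row(row, org_domain) for row in rows}
    return {title: f for title, f in findings.items() if f}


if __name__ == "__main__":
    for title, items in audit_report(SAMPLE_REPORT).items():
        print(title)
        for item in items:
            print("  -", item)
```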
To assist HIPAA-covered bodies to use G Suite and Google Drive properly, Google has published a Guide for HIPAA Compliance with G Suite to help with implementation.