Is Google Drive HIPAA Compliant?

Google Drive is HIPAA compliant and can be used to store, share, and collaborate on files containing Protected Health Information, provided the service is used as part of a Google Workspace subscription that supports HIPAA compliance and is configured to be used in compliance with HIPAA.

Google Drive is a cloud storage and file sharing platform that enables users to securely store Google Docs, Sheets, Slides, and Forms, and – under some plans – Google Meet video and voice recordings. Once stored, files can be shared with authorized colleagues and third parties to enhance collaboration and productivity.

As well as providing secure, managed access to files, the platform scans Google Drive files received from third parties for spam, malware, phishing, and ransomware. Other security capabilities include data protection insights reports, custom content detectors, and data loss prevention rulemaking (subject to the type of subscription).

However, when answering the question “Is Google Drive HIPAA compliant?”, it is important to note that the platform does not support HIPAA compliance by default. In order to make Google Drive HIPAA compliant and suitable for storing or sharing Protected Health Information (PHI), covered entities and business associates must:

  • Subscribe to a Workspace Plan that supports HIPAA compliance,
  • Agree to the terms of Google’s Business Associate Addendum,
  • Configure the platform and linked services to comply with HIPAA, and
  • Train members of the workforce how to use Drive compliantly.

Subscribing to a Google Drive HIPAA Compliant Plan

Because consumer versions of Workspace services lack the “included functionality” to support HIPAA compliance, it is necessary for covered entities and business associates to subscribe to a Workspace plan. However, not all Workspace plans include services with the necessary “included functionality” to support HIPAA compliance either. Those that do include:

  • Google Workspace Business Starter.
  • Google Workspace Business Standard.
  • Google Workspace Business Plus.
  • Google Workspace Enterprise Starter.
  • Google Workspace Enterprise Standard.
  • Google Workspace Enterprise Plus.
  • Google Workspace Frontline Starter.
  • Google Workspace Frontline Standard.
  • Google Workspace for Nonprofits.

The type of Google Drive HIPAA compliant plan selected by an organization will likely depend on the number of intended users – including users that do not have access to PHI. It may also depend on what existing security measures are in place to comply with HIPAA and what other tools may be integrated with Google Drive (e.g., Slack, DocuSign, etc.).


Agreeing to Google’s Business Associate Addendum

The next stage of making Google Drive HIPAA compliant is to agree to the terms of Google’s HIPAA Business Associate Addendum. The Addendum is an add-on to the Workspace Services Agreement, and is standard for all covered entities and business associates for “core services” that have the included functionality to support HIPAA compliance.

To agree to the Addendum, an administrator must sign into the Admin Console and navigate through the “Account Settings” and “Legal and Compliance” pages to the “Security and Privacy Additional” tab. The Addendum can be accessed via the “BAA” button, and accepted via the “Review and Accept” button. Thereafter, the administrator must answer three questions to confirm the organization’s HIPAA status and finally click “OK”.

Configuring the Platform to Comply with HIPAA

Because each Workspace plan has different core services, different degrees of included functionality, and may be used with or without third-party tools, there is no definitive one-size-fits-all guide for configuring the Google Drive platform to comply with HIPAA. The best option is to follow the advice in the HIPAA Implementation Guide and adjust as necessary.

For example, the Guide suggests admins apply file sharing permissions for files stored on the Drive platform to restrict or allow sharing beyond the registered domain. However, this may not be necessary if the organization has subscribed to the “Access Management” assured controls service (which will require separate configuration).
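Whichever sharing restrictions are applied, an administrator still needs a way to verify that no PHI-bearing file is already shared beyond the registered domain. The following is an added illustration (not code from the page, the HIPAA Implementation Guide, or Google) that audits permission metadata in the shape returned by the Google Drive API v3 `files.list` call; the file records and the `example-clinic.invalid` domain are constructed placeholders.

```python
"""Flag Drive files whose permissions grant access outside the organisation's domain."""

# Placeholder for the organisation's registered Workspace domain (assumption).
ORG_DOMAIN = "example-clinic.invalid"

# Constructed sample records mirroring Drive API v3 files.list output with
# fields="files(id,name,permissions(type,emailAddress,domain,role))".
SAMPLE_FILES = [
    {"id": "f1", "name": "intake-form",
     "permissions": [{"type": "user", "emailAddress": "nurse@example-clinic.invalid", "role": "owner"}]},
    {"id": "f2", "name": "lab-results",
     "permissions": [{"type": "user", "emailAddress": "dr@example-clinic.invalid", "role": "owner"},
                     {"type": "user", "emailAddress": "someone@outside.invalid", "role": "writer"}]},
    {"id": "f3", "name": "schedule",
     "permissions": [{"type": "anyone", "role": "reader"}]},            # public link sharing
    {"id": "f4", "name": "policy",
     "permissions": [{"type": "domain", "domain": "example-clinic.invalid", "role": "reader"}]},
    {"id": "f5", "name": "referral",
     "permissions": [{"type": "domain", "domain": "partner.invalid", "role": "commenter"}]},
]


def external_grants(permissions, org_domain=ORG_DOMAIN):
    """Return the permission entries that reach outside org_domain."""
    org_domain = org_domain.lower()
    flagged = []
    for perm in permissions:
        kind = perm.get("type")
        if kind == "anyone":                                   # anyone with the link
            flagged.append(perm)
        elif kind == "domain" and perm.get("domain", "").lower() != org_domain:
            flagged.append(perm)                               # another Workspace domain
        elif kind in ("user", "group"):
            addr = perm.get("emailAddress", "").lower()
            if not addr.endswith("@" + org_domain):            # external account
                flagged.append(perm)
    return flagged


def audit(files, org_domain=ORG_DOMAIN):
    """Map file id -> external grants, only for files that have at least one."""
    findings = {}
    for f in files:
        ext = external_grants(f.get("permissions", []), org_domain)
        if ext:
            findings[f["id"]] = ext
    return findings


if __name__ == "__main__":
    for fid, grants in audit(SAMPLE_FILES).items():
        print(fid, [(g["type"], g.get("emailAddress") or g.get("domain") or "-", g["role"]) for g in grants])
```

In a live deployment the same check would be fed by paginated `files.list` results from the Admin-authorised Drive API client rather than the constructed list; files that surface here are candidates for remediation and for review against the sharing policy explained to the workforce.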

Training on How to Use Google Drive Compliantly

Workforce members should require minimal HIPAA training on how to use Google Drive compliantly, but it may be worthwhile explaining what file-sharing restrictions have been implemented – and why – to prevent users from attempting to circumvent the restrictions or unnecessarily raising support tickets with IT or Google support.

Covered entities and business associates who require further advice about subscribing to a Google Drive HIPAA compliant plan, configuring the platform to comply with HIPAA, or training members of the workforce on how to use Google Drive compliantly should speak with a compliance professional with experience of HIPAA compliant software.

About Daniel Lopez

Daniel Lopez is a HIPAA trainer, passionately committed to enhancing healthcare data protection and privacy standards. As a recognized expert in HIPAA compliance with over 10 years’ experience, he holds the role of HIPAA specialist at The HIPAA Guide. Holding a degree in Health Information Management, complemented by certifications in data privacy and security, Daniel’s academic and professional credentials are a testament to his expertise. His approach to training is both engaging and educational, catering to a range of professional needs in the healthcare sector. For further information or to benefit from his expertise, Daniel is reachable through HIPAAcoach.com or https://twitter.com/DanielLHIPAA