Google Keep is a cloud-based note taking application that allows notes to be created and shared across multiple devices. The platform is popular, but can healthcare organizations use Google Keep? Is Google Keep HIPAA compliant or would use of the platform with ePHI be considered a HIPAA violation?
Google has developed a wide range of products that can be used in healthcare, and it is willing to enter into a business associate agreement (BAA) with healthcare organizations. The BAA covers many of the company’s most popular software solutions and cloud services.
Google Keep allows notes to be recorded and files to be attached to them, including images, audio files, and video files. Notes and attachments are synchronized across a user’s devices through their Google account and can be connected to Google Drive. Google Drive is part of G Suite (previously Google Apps, now Google Workspace), and Google Drive is included in Google’s BAA.
Is Google Keep HIPAA Compliant?
If a healthcare organization uses a paid G Suite edition and has a signed BAA in place with Google, it is possible to use Google Keep in connection with ePHI without violating HIPAA Rules. Free consumer Google accounts are not covered by the BAA and must not be used for ePHI. There are also a few caveats. The signed BAA covers Google Keep, but a BAA does not by itself make an organization HIPAA compliant: compliance is a property of how the service is configured and used, not of the software. Covered entities should confirm that Google Keep appears in the list of services covered by their BAA and remain responsible for configuring Google’s services correctly and using them in a manner that does not violate HIPAA Rules.
That means access controls must be properly implemented, file-sharing permissions must be set correctly, and healthcare organizations should configure sharing settings so that notes and files cannot be shared with accounts outside the organization. Users must be trained on HIPAA compliance, and care must be taken to ensure that any notes or files containing ePHI are only shared with individuals authorized to view the information.
Although files stored in Google Drive are encrypted at rest, copies downloaded to a device are not protected by that encryption. Devices must therefore have proper access controls, such as screen locks, device encryption, and the ability to wipe a lost device remotely, to ensure that downloaded content cannot be accessed by unauthorized persons. This is particularly important on mobile devices, which could easily be lost or stolen. The HIPAA Security Rule also requires audit controls, so a covered entity must enable and regularly review the audit logs that G Suite provides for access to and sharing of ePHI.
Used in this way, Google Keep can be considered HIPAA compliant, as can Google Drive, provided a BAA is in place and the controls described above are implemented. Additional information on Google Drive and HIPAA is available here.