Can Google Drive be Deemed HIPAA Compliant?

In order to properly address the question, “Is Google Drive HIPAA compliant?” there are a number of factors to consider. This is because HIPAA compliance is less about specific technologies and more about how those technologies are used. Any software solution or cloud service that is labelled HIPAA-compliant can easily be used in a manner that breaches the HIPAA Rules.

Google Drive is one of a number of Google Apps Core Services that can be used in compliance with HIPAA. However, if Covered Entities wish to share PHI using Google Docs, Sheets, Slides, or Forms, it is necessary for the Covered Entity to agree to a Google Apps HIPAA Business Associate Agreement (BAA) and configure the services used within Google Drive to be HIPAA compliant.

The Google Apps HIPAA BAA

The Google Apps HIPAA BAA covers only certain Core Services (i.e. Gmail, Google Drive, and Google Calendar), and not every service provided by Google. The BAA does not cover any third-party software that can be used in tandem with Google Apps and therefore third-party software must not be used with Google Drive for sharing PHI unless a separate BAA is obtained from the software provider/developer.

Furthermore, the Google Apps HIPAA BAA indemnifies Google from breaches of HIPAA if the service is not configured by a system administrator to be HIPAA compliant. Google will accept no liability for violations of HIPAA if its services are used improperly, and therefore it is the responsibility of the Covered Entity to ensure the services are set up and used in compliance with HIPAA.

How to Configure Google Drive to be HIPAA Compliant

When sharing files in Google Drive, system administrators can choose who can access files, who can edit files, and who has the authority to share the files with others. System administrators should set the minimum necessary privilege levels via the “sharing permissions” setting, restrict users from sharing docs outside of Google Drive, and change the default visibility level to “private”.

It is strongly recommended that the option to allow third-party software be disabled, and that activity on Google Drive be monitored via the Admin Console. In order to be compliant with HIPAA, system administrators should configure notifications for when suspicious activity is detected by Google (e.g. numerous failed login attempts, a previously suspended user made active, or a user granted admin privileges).

Google Drive Can be Deemed HIPAA-Compliant Under the Following Circumstances

Covered Entities should note that Google encrypts all data placed on Google Drive, but this encryption is only server side, and additional controls will be required to protect data on workstations and mobile devices (e.g. automatic log-off after a period of inactivity). HIPAA-compliant syncing is not covered in this article, and it is recommended that syncing be disabled.

To avoid a potential HIPAA violation when using Google Drive, Covered Entities should:

  • Complete a BAA with Google before sharing PHI on Google Drive
  • Set up effective access controls
  • Implement 2-factor authentication
  • Use strong passwords
  • Disable file syncing
  • Turn off link sharing
  • Do not allow files to be shared externally
  • Change the default file visibility to “private”
  • Disable third-party apps and add-ons
  • Turn off offline storage for Google Drive
  • Set ‘manage alerts’ to ensure administrators are alerted to any change of settings
  • Back up data saved on Google Drive in a HIPAA-compliant format
  • Ensure employees are trained in how to use Google Drive compliantly
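Several of the items above (turn off link sharing, no external sharing, minimum necessary privilege) can be verified after the fact by auditing each file's permission entries. The script below is an added example written for this article, not Google's code: it classifies permission records in the shape returned by Drive API v3 `files.list` (fields `type`, `role`, `emailAddress`, `domain`, `allowFileDiscovery`) against an assumed tenant domain, using a constructed sample in place of a live API call so it runs offline.

```python
"""Flag Drive permissions a HIPAA-restricted tenant should not have:
public/link sharing and shares to principals outside the org domain.
Records mirror Drive API v3 files.list with
fields=files(id,name,permissions(type,role,emailAddress,domain,allowFileDiscovery))."""

ORG_DOMAIN = "example-clinic.org"  # assumed tenant domain (placeholder)
EDIT_ROLES = ("writer", "owner", "organizer", "fileOrganizer")

# Constructed sample of file records (not real data, not from a live tenant).
SAMPLE_FILES = [
    {"id": "f1", "name": "intake-form.gdoc", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "alice@example-clinic.org"},
        {"type": "anyone", "role": "reader", "allowFileDiscovery": False}]},
    {"id": "f2", "name": "referral.gsheet", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "bob@example-clinic.org"},
        {"type": "user", "role": "writer", "emailAddress": "vendor@partner.example"}]},
    {"id": "f3", "name": "staff-rota.gsheet", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "carol@example-clinic.org"},
        {"type": "domain", "role": "reader", "domain": "example-clinic.org"}]},
]


def classify(perm, org_domain):
    """Return a finding label for one permission entry, or None if it is internal."""
    ptype = perm.get("type")
    if ptype == "anyone":
        # allowFileDiscovery=False is 'anyone with the link'; True is searchable/public
        return "public" if perm.get("allowFileDiscovery") else "link-sharing"
    if ptype == "domain":
        return None if perm.get("domain", "").lower() == org_domain else "external-domain"
    if ptype in ("user", "group"):
        email_domain = perm.get("emailAddress", "").rsplit("@", 1)[-1].lower()
        if email_domain != org_domain:
            return "external-principal"
    return None


def audit_permissions(files, org_domain=ORG_DOMAIN):
    """Return one finding per non-internal permission, noting whether it grants edit rights."""
    findings = []
    for f in files:
        for perm in f.get("permissions", []):
            label = classify(perm, org_domain)
            if label:
                findings.append({"file": f["id"], "name": f["name"], "finding": label,
                                 "role": perm.get("role"),
                                 "can_edit": perm.get("role") in EDIT_ROLES})
    return findings


if __name__ == "__main__":
    for hit in audit_permissions(SAMPLE_FILES):
        print(hit)
```

Against a real tenant, feed the same function the `files` array from a `files.list` call made with a service account that has domain-wide delegation, and route non-empty findings into the alerting the article recommends.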

About Patrick Kennedy
Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile: https://www.linkedin.com/in/pkkennedy/