Can Google Drive be Deemed HIPAA Compliant?

In order to properly address the question, “Is Google Drive HIPAA compliant?” there are a number of factors to consider. We can say the service is both compliant and non-compliant, depending on how it is used.

This is due to the fact that HIPAA compliance is less about technology and more about how technology is implemented. Any software solution or cloud service that is labelled as HIPAA-compliant can easily be used in a manner that breaches HIPAA Rules.

HIPAA Compliance is provided by G Suite, of which Google Drive is a part. As such Google Drive does not violate HIPAA Rules as long as HIPAA Rules are followed by those utilizing it.

HIPAA-covered entities can share PHI, in accordance with HIPAA Rules, with G Suite applications as the service incorporates all of the necessary controls to make it a HIPAA-compliant service. However this is only the case is the account is use is configured correctly and standard security practices are applied.

Using any software or cloud platform in tandem with protected health information requires the provider vendor of the service to complete a HIPAA-compliant business associate agreement (BAA) before the service is put into use with any PHI. Google offers a BAA for Google Drive (including Docs, Sheets, Slides, and Forms) and other G Suite apps for paid subscribers only.

before using any Google service with PHI, it is critical that a covered body review, sign and accept the business associate agreement (BAA) with Google. It should always be remembered that PHI can only be shared or used via a Google service that is specifically covered under the terms of the BAA. The BAA does not cover any third-party applications that are used in tandem with G Suite. These must not be used unless a new BAA is obtained from the provider/developer of that application.

The BAA does not automatically mean a HIPAA covered body is then free to use the service with PHI. Google will take no responsibility for any user improperly configuring G Suite. It is the responsibility of the covered body to ensure the services are set up properly.

Covered bodies should remember note that Google encrypts all data placed on Google Drive, but encryption is only server side and additional controls will be required to protect data on devices should files be downloaded or synced. HIPAA-compliant syncing is not covered in this article and it is recommended syncing is disabled.

To prevent a HIPAA violation, covered bodies must:

  • Complete a BAA from Google before implementing G Suite with PHI
  • Set up access controls properly
  • Implement 2-factor authentication for access
  • Use detailed and strong passwords
  • Disable file syncing
  • Turn off link sharing
  • Do not allow sharing of files outside the domain (Google offers advice if external access is needed)
  • Make the visibility of documents private only
  • Switch off third-party apps and add-ons
  • Turn off offline storage for Google Drive
  • Prevent access to apps and add-ons
  • Review access and account logs and shared file reports constantly
  • Set ‘manage alerts’ to ensure the administrator is alerted to any changes to settings
  • Back up all data saved on Google Drive
  • Ensure employees are trained on how to Google Drive and other G Suite apps properly
  • Ensure that ‘PHI’ is not included in the titles of files