To properly answer the question, "Is Google Drive HIPAA compliant?", there are a number of factors to consider, because HIPAA compliance is less about specific technologies and more about how those technologies are used. Any software solution or cloud service that is labelled HIPAA-compliant can easily be used in a manner that breaches the HIPAA Rules.
Google Drive is one of a number of Google Apps Core Services that can be used in compliance with HIPAA. However, if Covered Entities wish to share PHI using Google Docs, Sheets, Slides, or Forms, it is necessary for the Covered Entity to agree to a Google Apps HIPAA Business Associate Agreement (BAA) and configure the services used within Google Drive to be HIPAA compliant.
The Google Apps HIPAA BAA
The Google Apps HIPAA BAA covers only certain Core Services (e.g. Gmail, Google Drive, and Google Calendar), not every service Google provides. The BAA does not cover any third-party software that can be used in tandem with Google Apps, so third-party software must not be used with Google Drive for sharing PHI unless a separate BAA is obtained from the software provider/developer.
Furthermore, the Google Apps HIPAA BAA does not make Google liable for HIPAA breaches that result from a system administrator failing to configure the service to be HIPAA compliant. Google accepts no liability for violations of HIPAA if its services are used improperly, so it is the responsibility of the Covered Entity to ensure the services are set up and used in compliance with HIPAA.
How to Configure Google Drive to be HIPAA Compliant
When sharing files in Google Drive, system administrators can control who can view files, who can edit them, and who has the authority to share them with others. System administrators should grant the minimum necessary privilege levels via the "sharing permissions" setting, restrict users from sharing documents outside the organization's Google Drive, and change the default visibility level to "private".
It is strongly recommended that the option to allow third-party software is disabled and that activity on Google Drive is monitored via the Admin Console. To support HIPAA compliance, system administrators should configure alerts for the suspicious activity Google detects (e.g. numerous failed login attempts, a previously suspended user being reactivated, or a user being granted admin privileges).
Google Drive Can be Deemed HIPAA-Compliant Under the Following Circumstances
Covered Entities should note that Google encrypts all data stored on Google Drive, but that encryption protects the data on Google's servers only; it does not protect copies of files on workstations and mobile devices, so additional controls will be required there (e.g. automatic log-off after a period of inactivity). HIPAA-compliant syncing is not covered in this article, and it is recommended that syncing is disabled.
To avoid a potential HIPAA violation when using Google Drive, Covered Entities should:
- Sign Google's BAA before sharing PHI on Google Drive
- Set up effective access controls
- Implement 2-factor authentication
- Use strong passwords
- Disable file syncing
- Turn off link sharing
- Do not allow files to be shared externally
- Change the default file visibility to “private”
- Disable third-party apps and add-ons
- Turn off offline storage for Google Drive
- Set ‘manage alerts’ to ensure administrators are alerted to any change of settings
- Back up data saved on Google Drive in a HIPAA-compliant format
- Ensure employees are trained in how to use Google Drive compliantly
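Turning off link sharing and external sharing at the Admin Console level does not retroactively fix files that were shared before the policy changed, so an administrator will want to audit existing permissions. The following is an added example, not code from the original article or from Google: a small audit that walks file metadata in the shape returned by the Google Drive v3 `files.list` call (requesting `fields="files(id,name,permissions(type,role,emailAddress,domain,allowFileDiscovery))"`) and flags any permission that grants access by link, to an external user or group, or to an entire domain. The organization domain `example-clinic.com` and the sample records are constructed for illustration; in live use the records would come from the Drive API.

```python
"""Audit Google Drive file permissions for sharing that breaks a
"no link sharing, no external sharing" configuration.

Added example, not code from the original article. Record shape follows the
Drive v3 files.list response with
fields="files(id,name,permissions(type,role,emailAddress,domain,allowFileDiscovery))".
ORG_DOMAIN and SAMPLE_FILES are constructed (assumed) values.
"""
from dataclasses import dataclass
from typing import Iterable

ORG_DOMAIN = "example-clinic.com"  # assumed internal Workspace domain


@dataclass
class Finding:
    file_id: str
    name: str
    issue: str    # link_sharing | external_share | external_domain_share | domain_wide_share
    detail: str


def _domain_of(email: str) -> str:
    """Return the lower-cased domain part of an address, or '' if none."""
    return email.rsplit("@", 1)[-1].lower() if "@" in email else ""


def audit_file(file_meta: dict, org_domain: str = ORG_DOMAIN) -> list[Finding]:
    """Return one Finding per permission that violates the sharing policy.

    Owner permissions are skipped: every file has exactly one owner and that
    owner is not a 'share'. Everything else is checked against the policy.
    """
    fid, name = file_meta["id"], file_meta["name"]
    findings: list[Finding] = []
    for perm in file_meta.get("permissions", []):
        ptype, role = perm.get("type"), perm.get("role")
        if role == "owner":
            continue
        if ptype == "anyone":
            # "anyone" with allowFileDiscovery=True is public and searchable;
            # with False it is "anyone with the link". Both are link sharing.
            kind = "public" if perm.get("allowFileDiscovery") else "anyone with the link"
            findings.append(Finding(fid, name, "link_sharing", f"{kind}, role={role}"))
        elif ptype == "domain":
            dom = perm.get("domain", "").lower()
            if dom != org_domain.lower():
                findings.append(Finding(fid, name, "external_domain_share", f"domain={dom}, role={role}"))
            else:
                # Whole-organization sharing is internal but rarely "minimum necessary".
                findings.append(Finding(fid, name, "domain_wide_share", f"domain={dom}, role={role}"))
        elif ptype in ("user", "group"):
            email = perm.get("emailAddress", "")
            if _domain_of(email) != org_domain.lower():
                findings.append(Finding(fid, name, "external_share", f"{email}, role={role}"))
    return findings


def audit_files(files: Iterable[dict], org_domain: str = ORG_DOMAIN) -> list[Finding]:
    """Audit a sequence of file records and concatenate their findings."""
    out: list[Finding] = []
    for f in files:
        out.extend(audit_file(f, org_domain))
    return out


# Constructed sample records (not real data) in Drive v3 files.list shape.
SAMPLE_FILES = [
    {"id": "f1", "name": "Patient intake form", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "alice@example-clinic.com"},
        {"type": "user", "role": "writer", "emailAddress": "bob@example-clinic.com"},
    ]},
    {"id": "f2", "name": "Lab results Q3", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "alice@example-clinic.com"},
        {"type": "anyone", "role": "reader", "allowFileDiscovery": False},
    ]},
    {"id": "f3", "name": "Referral letter", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "alice@example-clinic.com"},
        {"type": "user", "role": "writer", "emailAddress": "carol@gmail.com"},
    ]},
    {"id": "f4", "name": "Billing export", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "dave@example-clinic.com"},
        {"type": "group", "role": "reader", "emailAddress": "hipaa-team@example-clinic.com"},
        {"type": "domain", "role": "reader", "domain": "partner-labs.com"},
    ]},
]

if __name__ == "__main__":
    for finding in audit_files(SAMPLE_FILES):
        print(f"{finding.file_id} {finding.name!r}: {finding.issue} ({finding.detail})")
```

Against the constructed records the audit reports three findings: the "anyone with the link" share on the lab results, the Gmail collaborator on the referral letter, and the domain-wide share with the external partner domain; the intake form shared only with an internal user produces nothing. In a live run the same function would be fed pages of `files.list` results, and the `domain_wide_share` finding is worth keeping even though it is internal, since it is rarely the minimum necessary access for PHI.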