Google Drive as a HIPAA Compliant Service

by | May 12, 2018

Google Drive can deemed as compliant and non-compliant with HIPAA. This is due to the fact that compliance is less about technology and more about how technology is utilized on a daily basis. Even a software solution or cloud service that is found to be HIPAA-compliant can easily be used in a manner that breaches HIPAA Rules.

G Suite – previously known as Google Apps, of which Google Drive is included – does support HIPAA compliance. The service does not reach HIPAA Rules provided HIPAA Rules are followed by those using it.

G Suite includes all of the necessary controls to make it a HIPAA-compliant service and can therefore be adapted by HIPAA-covered groups to share PHI (in line with HIPAA Rules), provided the account is set up properly and standard security practices are in place.

The use of any software or cloud platform with protected health information necessitates the vendor of the service to sign a HIPAA-compliant business associate agreement (BAA) before the service being used with any PHI. Google provides a BAA for Google Drive (including Docs, Sheets, Slides, and Forms) and other G Suite apps for paid subscribers only.

Before using any Google service with PHI, it is crucial for a covered group to review, sign and accept the business associate agreement (BAA) with Google. It should be remembered that PHI can only be shared or used via a Google service that is specifically included in the BAA. The BAA does not cover any third-party applications that are used in conjunction with G Suite. These must be avoided unless a separate BAA is completed with the provider/developer of that app.

The BAA does not allow a HIPAA covered entity to simply use the service with PHI. Google will accept no responsibility for any incorrect configuration of G Suite. It is down to the covered group to make sure the services are configured properly.

Covered groups should consider that Google encrypts all data saved to Google Drive, but encryption is only server side. If files are downloaded or synced, additional safety measures will be required to protect data on devices. HIPAA-compliant syncing is outside of the scope of this article and it is recommended syncing is disabled.

To prevent a HIPAA violation from occurring, covered groups should:

  • Complete a BAA with Google previous to using G Suite with PHI
  • Set up access controls properly
  • Implement 2-factor authentication for access
  • Set up strong passwords
  • Disable file syncing
  • Set link sharing to ‘no’
  • Restrict sending of files external to the domain (Google provides advice if external access is needed)
  • Turn the visibility of documents to private
  • Turn off third-party apps and add-ons
  • Do not allow offline storage for Google Drive
  • Do not allow access to apps and add-ons
  • Review access and account logs and shared file reports constantly
  • Configure ‘manage alerts’ to see that the administrator is warned of any changes to settings
  • Back-up all data saved to Google Drive
  • Ensure staff are aware of how to use of Google Drive and other G Suite applications
  • Never include PHI in the titles of saved files

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy