Google Drive can deemed as compliant and non-compliant with HIPAA. This is due to the fact that compliance is less about technology and more about how technology is utilized on a daily basis. Even a software solution or cloud service that is found to be HIPAA-compliant can easily be used in a manner that breaches HIPAA Rules.
G Suite – previously known as Google Apps, of which Google Drive is included – does support HIPAA compliance. The service does not reach HIPAA Rules provided HIPAA Rules are followed by those using it.
G Suite includes all of the necessary controls to make it a HIPAA-compliant service and can therefore be adapted by HIPAA-covered groups to share PHI (in line with HIPAA Rules), provided the account is set up properly and standard security practices are in place.
The use of any software or cloud platform with protected health information necessitates the vendor of the service to sign a HIPAA-compliant business associate agreement (BAA) before the service being used with any PHI. Google provides a BAA for Google Drive (including Docs, Sheets, Slides, and Forms) and other G Suite apps for paid subscribers only.
Before using any Google service with PHI, it is crucial for a covered group to review, sign and accept the business associate agreement (BAA) with Google. It should be remembered that PHI can only be shared or used via a Google service that is specifically included in the BAA. The BAA does not cover any third-party applications that are used in conjunction with G Suite. These must be avoided unless a separate BAA is completed with the provider/developer of that app.
The BAA does not allow a HIPAA covered entity to simply use the service with PHI. Google will accept no responsibility for any incorrect configuration of G Suite. It is down to the covered group to make sure the services are configured properly.
Covered groups should consider that Google encrypts all data saved to Google Drive, but encryption is only server side. If files are downloaded or synced, additional safety measures will be required to protect data on devices. HIPAA-compliant syncing is outside of the scope of this article and it is recommended syncing is disabled.
To prevent a HIPAA violation from occurring, covered groups should:
- Complete a BAA with Google previous to using G Suite with PHI
- Set up access controls properly
- Implement 2-factor authentication for access
- Set up strong passwords
- Disable file syncing
- Set link sharing to ‘no’
- Restrict sending of files external to the domain (Google provides advice if external access is needed)
- Turn the visibility of documents to private
- Turn off third-party apps and add-ons
- Do not allow offline storage for Google Drive
- Do not allow access to apps and add-ons
- Review access and account logs and shared file reports constantly
- Configure ‘manage alerts’ to see that the administrator is warned of any changes to settings
- Back-up all data saved to Google Drive
- Ensure staff are aware of how to use of Google Drive and other G Suite applications
- Never include PHI in the titles of saved files