
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Is Google Docs HIPAA Compliant?

Google Docs is HIPAA compliant provided that, before using the service to create, receive, maintain, or transmit PHI, organizations subscribe to a Google Workspace business plan, configure the service to comply with HIPAA, and sign Google’s Business Associate Addendum. It is not possible to use a free Google Docs account to create, receive, maintain, or transmit PHI as the free service does not include the features required to support HIPAA compliance.

Does Google Docs Encrypt Data?

In order for Google Docs to be HIPAA compliant, stored data must be encrypted. Data must also be encrypted during uploading and downloading. We can confirm that Google uses 128-bit or stronger Advanced Encryption Standard (AES) to protect data in transit to the platform, and between and in its data centers.

Is Google Considered a Conduit?

The Department of Health and Human Services has made it clear in recent guidance that cloud service providers are not – in the vast majority of cases – considered conduits, so the HIPAA Conduit Exception Rule does not apply. Instead, cloud service providers are classed as business associates, even if the service provider does not access data stored in customer accounts.

Will Google Sign a BAA for Google Docs?

Because Google is a business associate, a business associate agreement must be entered into with Google before Google Docs is used for sharing or storing documents containing PHI. Many cloud companies offer BAAs to covered entities, but it is important to check that a particular product is listed as covered by the BAA prior to use.


Google automatically issues a business associate addendum (BAA) to its service agreement with healthcare providers that subscribe to a Workspace business plan or cloud identity account. We have checked the terms of the BAA and Google Docs is specifically mentioned as part of Google Drive, and is covered by its BAA.

Google clearly states that healthcare organizations covered by HIPAA Rules must not use Workspace services in connection with PHI until a business associate addendum to the service agreement has been signed. Once the BAA has been signed, Google is not liable for misuse of its service. It is the responsibility of the covered entity or business associate using the service to ensure that HIPAA Rules are followed. That means configuring access controls to comply with the HIPAA Rules. Google offers a useful guide for HIPAA covered entities to help them configure Workspace services correctly.

Is Google Docs HIPAA Compliant?

Our opinion is that no software or cloud platform can be called HIPAA compliant. HIPAA compliance depends on how a service is used. That said, it is possible to use Google Docs without violating HIPAA Rules.

Before any documents containing PHI are uploaded to Google Docs, the covered entity or business associate must first sign the business associate addendum to the service agreement. Once the BAA has been signed, workforce members using Google Docs must receive HIPAA training on its use and should be made aware of the restrictions in place with respect to PHI.

Documents containing PHI must only be uploaded to accounts that are not publicly accessible, and permissions must be set to ensure only authorized individuals can access the documents/account. Any PHI included in files uploaded to Google Docs must be in the document itself, and should not be used in the file name.

Provided these precautions are taken, Google Docs is HIPAA compliant.
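The sharing and file-name precautions above can be checked from file metadata. The following is an added example, not from Google or The HIPAA Journal: it audits records shaped like Drive API v3 `files.list` output for public links, accounts outside the organization, and PHI-like file names. The sample records, the `clinic.example` domain, and the file-name patterns are constructed assumptions, and the patterns are heuristics rather than a complete PHI detector.

```python
import re

# Assumption: the organization's own Workspace domain(s).
ORG_DOMAINS = {"clinic.example"}

# Heuristic, non-exhaustive patterns for PHI-like file names (assumptions).
NAME_PATTERNS = {
    "ssn-like number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "date (possible DOB)": re.compile(r"\b\d{1,2}[-/]\d{1,2}[-/]\d{2,4}\b"),
    "DOB/MRN label": re.compile(r"\b(DOB|MRN)\b", re.IGNORECASE),
}

# Constructed sample shaped like Drive API v3 files.list output with
# fields=files(id,name,permissions(type,role,emailAddress,domain)).
SAMPLE_FILES = [
    {"id": "f1", "name": "Care plan template", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "nurse@clinic.example"}]},
    {"id": "f2", "name": "Discharge summary", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "dr@clinic.example"},
        {"type": "anyone", "role": "reader"}]},  # anyone with the link
    {"id": "f3", "name": "John Smith DOB 04-12-1961 MRN 0048213", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "dr@clinic.example"},
        {"type": "user", "role": "writer", "emailAddress": "friend@gmail.example"}]},
]

def audit(files, org_domains=ORG_DOMAINS):
    """Return (file_id, finding) tuples for sharing and naming problems."""
    findings = []
    for f in files:
        for p in f.get("permissions", []):
            if p["type"] == "anyone":
                findings.append((f["id"], "public-link"))
            elif p["type"] == "domain" and p.get("domain") not in org_domains:
                findings.append((f["id"], "external-domain"))
            elif p["type"] in ("user", "group"):
                # A missing address yields "" and is treated as external.
                domain = p.get("emailAddress", "").rpartition("@")[2].lower()
                if domain not in org_domains:
                    findings.append((f["id"], "external-account"))
        for label, rx in NAME_PATTERNS.items():
            if rx.search(f["name"]):
                findings.append((f["id"], "name: " + label))
    return findings

if __name__ == "__main__":
    for file_id, finding in audit(SAMPLE_FILES):
        print(file_id, finding)
```

Findings are leads for the Security Officer to review, since an external account may be an authorized recipient covered by its own agreement.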

FAQs

What is Google Docs?

Google Docs is an online service that allows users to create, share, and edit documents in real time. The service is a convenient alternative to emailing documents to work colleagues and waiting for them to respond, and has multiple use cases in the healthcare industry for collaboration – particularly for patient care plans and the execution of those plans.

Why is it necessary to obtain a BAA to use Google Docs?

It is necessary to obtain a BAA to use Google Docs when PHI is disclosed in documents, sheets, slides, or other shared services. This is because the Google Docs service saves documents on Google’s servers, which means Google has “persistent access” to any PHI in the content of the documents – even though the documents are encrypted and Google may not have the decryption key.

Is it possible to use the free Google Docs service in compliance with HIPAA?

It is not possible to use the free Google Docs service in compliance with HIPAA because the free service lacks the capabilities required to comply with the Security Rule (access controls, event logs, audit reports, etc.). In addition, Google will not enter into a BAA for its free services – meaning that, if a user discloses PHI in a free Google Docs account, it will be a violation of HIPAA.

Will Google sign my organization’s Business Associate Agreement?

Google will not sign your organization’s Business Associate Agreement as it offers a standard “one size fits all” Addendum to its service agreement for all healthcare providers. It would be too complicated for Google to review and accept or decline every covered entity’s Business Associate Agreement, so covered entities and business associates that wish to use Google’s services to collect, receive, maintain, or transmit PHI must agree to Google’s Business Associate Addendum.

Who is responsible for ensuring HIPAA rules are followed when using Google Docs for storing or sharing PHI?

The individual responsible for ensuring HIPAA rules are followed when using Google Docs for storing or sharing PHI is the HIPAA Security Officer. However, every member of the workforce has a responsibility to ensure the communication and collaboration tools in the Google Workspace suite are used in compliance with HIPAA to prevent avoidable and impermissible disclosures of PHI.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
