HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Is Google Keep HIPAA Compliant?

Google Keep is a cloud-based note-taking application that allows notes to be synchronized across multiple devices, but is Google Keep HIPAA compliant? Can Google Keep be used in healthcare without violating HIPAA Rules?

Many healthcare professionals would like to use an electronic note-taking app but are concerned about potential HIPAA violations. These services are certainly useful and can help to improve efficiency. If you are looking for a HIPAA compliant note-taking application, Google Keep is a natural choice.

Google offers many products that can be used in healthcare, and Google does offer a business associate agreement (BAA) to healthcare organizations.

Google Keep allows notes to be taken and accessed on multiple devices, and these notes can include voice recordings, photos, and other files. Information added to Google Keep is synchronized across devices via Google Drive. Google Drive is part of G Suite (formerly Google Apps), and Google Drive is covered by Google’s BAA.


Is Google Keep HIPAA Compliant?

If you use the paid version of G Suite and you have a BAA with Google, Google Keep can be used in connection with ePHI, but there are some caveats. Simply having a BAA that covers Google Keep does not guarantee HIPAA compliance. It is up to users to ensure that Google’s services are used correctly. Even Google Drive is not HIPAA compliant by default.

Access controls must be implemented, and file-sharing permissions need to be set properly to ensure content cannot be shared outside the organization. Even then, documents containing ePHI should only ever be provided to individuals authorized to view the information.

Care must also be taken because, while files on Google Drive are encrypted on the server, they are not encrypted once they have been downloaded. Controls must be implemented on devices to ensure any downloaded content is not subject to unauthorized access, especially on mobile devices, which can easily be lost or stolen. Password protection alone is not sufficient.

To be compliant with HIPAA, audit trails must also be maintained, and Google’s BAA clearly states that all additional services related to Google Drive must be disabled. You can read more about making Google Drive HIPAA compliant in our separate article on that topic.

In short, Google Keep can be HIPAA compliant, but care must be taken when using the service in connection with ePHI.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.