Is Google Keep HIPAA Compliant?


Google Keep is a cloud-based note-taking application that lets notes be shared across multiple devices, but is Google Keep HIPAA compliant? Can Google Keep be used in healthcare without violating HIPAA Rules?

Many healthcare professionals would like to use an electronic note-taking app but are concerned about potential HIPAA violations. These services are certainly useful and can help to improve efficiency. If you are looking for a HIPAA compliant note application, Google Keep is a natural choice.

Google offers many products that can be used in healthcare, and Google will sign a business associate agreement (BAA) with healthcare organizations.

Google Keep allows notes to be taken and accessed on multiple devices, and these notes can include voice recordings, photos, and other files. Information added to Google Keep is synchronized across devices via Google Drive. Google Drive is part of G Suite (formerly Google Apps), and Google Drive is covered by Google’s BAA.

Is Google Keep HIPAA Compliant?

If you use the paid version of G Suite and you have a BAA with Google, Google Keep can be used in connection with ePHI, but there are some caveats. Simply having a BAA that covers Google Keep does not guarantee HIPAA compliance. It is up to users to ensure that Google’s services are used correctly. Even Google Drive is not HIPAA compliant by default.

Access controls must be implemented, and file-sharing permissions need to be set properly to ensure content cannot be shared outside the organization. Even then, documents containing ePHI should only ever be provided to individuals authorized to view the information.

Care must also be taken because, while files on Google Drive are encrypted on the server, they are not encrypted once downloaded. Controls must be implemented on devices to ensure any downloaded content is not subject to unauthorized access, especially on mobile devices that can easily be lost or stolen. Password protection alone is not sufficient.

To be compliant with HIPAA, audit trails must also be maintained, and Google’s BAA clearly states that all additional services related to Google Drive must be disabled. You can read more about making Google Drive HIPAA compliant in our separate article on that topic.

In short, Google Keep can be HIPAA compliant, but care must be taken when using the service in connection with ePHI.

Author: HIPAA Journal
