Is Google Keep HIPAA Compliant?
Google Keep can be used in a HIPAA compliant manner to create notes containing Protected Health Information (PHI) and share them via Google Drive, provided the organization subscribes to a Google Workspace plan that supports HIPAA compliance and Google Drive is configured to control access to the notes saved in Google Keep. The organization must also review and accept Google’s Business Associate Addendum (BAA) to the Workspace Service Agreement.
Many healthcare professionals would like to use an electronic note-taking app but are concerned about potential HIPAA violations. These services are useful and can help to improve efficiency. If you are looking for a note application that can be used in compliance with HIPAA, Google Keep is a natural choice. Google Keep allows notes to be taken on one device and subsequently accessed on multiple devices. Notes can include voice recordings, photos, and other files.
Information created in Google Keep can be accessed across multiple devices via Google Drive. Google Drive is part of Google Workspace (formerly G Suite), which supports HIPAA compliance for all Workspace services with “covered functionality” when organizations subscribe to a business account.
Is Google Keep HIPAA Compliant?
If you subscribe to a business Workspace account and agree to Google’s Business Associate Addendum to the Workspace Service Agreement, Google Keep can be used in connection with ePHI, but there are some caveats. Simply having a BAA that covers Google Keep does not guarantee HIPAA compliance: the BAA covers Google’s obligations, while it is up to the customer to ensure that Google’s services are configured and used correctly. Even Google Drive is not HIPAA compliant by default.
Access controls must be implemented, and file-sharing permissions must be set so that content cannot be shared outside the organization. Even then, documents containing ePHI should only ever be provided to individuals authorized to view the information. To help organizations configure Google Workspace services such as Google Keep to comply with HIPAA, Google has produced a HIPAA Implementation Guide.
Care must also be taken because, while files on Google Drive are encrypted on Google’s servers, they are not encrypted once they are downloaded. Controls must be implemented on devices to ensure that any downloaded content is not subject to unauthorized access, especially on mobile devices that can easily be lost or stolen. A device password alone is not sufficient; the downloaded data itself needs protection, for example through device encryption and the ability to wipe a lost device. To comply with HIPAA, audit trails must also be maintained, and Google’s BAA states that Additional Services not covered by the BAA must be disabled for users who handle ePHI. You can read more about making Google Drive HIPAA compliant here.
In short, Google Keep can be HIPAA compliant, but care must be taken when using the service in connection with ePHI.