Is Google Slides HIPAA compliant? Can Google Slides be used by healthcare organizations without violating HIPAA Rules? This post explores whether Google Slides is HIPAA compliant and whether it is possible to use the presentation editor in connection with electronic protected health information.
Google Slides is a presentation editor that allows users to create slide shows, training material, and project presentations. It is an ideal option for users who do not regularly create slide shows or presentations and do not have a software package that offers the same functionality. Google Slides is available free of charge for consumers to use and is equivalent to Microsoft’s PowerPoint.
Healthcare organizations that are looking to create training courses and slideshows that involve the use of data protected by HIPAA need to exercise caution. Use of Google Slides with electronic protected health information could potentially violate HIPAA Rules and patient privacy. That could all too easily result in a financial penalty.
Google Slides is a web-based presentation program that is not exempt from HIPAA under the HIPAA Conduit Exception Rule. The use of any ePHI with Google Slides is prohibited by the Privacy Rule unless healthcare organizations enter into a business associate agreement with Google prior to the use of Google Slides.
How to Make Google Slides HIPAA Compliant
The first step to take before using Google Slides in connection with any ePHI is to enter into a business associate agreement with Google. Google offers a BAA for healthcare organizations covering G Suite and Google Drive, which includes Google Docs, Google Sheets, Google Forms, and Google Slides.
As with all Google Drive services, it is essential to control who has access to files created on Google Drive. Healthcare organizations must ensure that any files created can only be accessed by individuals authorized to view them, and that links to the files are shared only with specific people. Sharing permissions should be carefully configured to prevent any accidental disclosures of ePHI.
It is important that no ePHI is included in the titles of any files created on Google Drive, and third-party applications should be disabled. If applications need to be used, the security of those applications must be assessed and the developer's documentation carefully checked. Third-party application developers would also be considered business associates, and BAAs would be necessary.
Provided a BAA has been obtained from Google, Google Drive permissions are configured correctly, and best practices are followed, the Google Drive suite of products can be used by healthcare organizations in connection with ePHI.