Is Google Drive HIPAA Compliant?
Google Drive can be used in a HIPAA compliant manner if it is part of a paid Google Workspace plan whose capabilities support HIPAA compliance, or of a Workspace plan that is combined with other security measures to fill the gaps, and if the organization has accepted Google's Business Associate Agreement. The free consumer version of Google Drive is not covered by that agreement and cannot be used to store or share Protected Health Information (PHI).
What is Google Drive?
Google Drive is a file storage and synchronization service that enables Google customers to store files in the cloud so they can be accessed and shared remotely. The service automatically synchronizes changes to files stored in the cloud to facilitate multi-user collaboration and multi-user editing. It can also be configured to enable teams to work on a project simultaneously.
The service can be used as a standalone service or as a key component of a Google Workspace plan. Workspace plans include productivity tools such as Google Docs, Sheets, and Slides, and communication tools such as Google Meet, Chat, and Gmail. Depending on which plan is subscribed to, businesses also benefit from security and user management tools.
Google Drive for Healthcare
Because of the wide range of productivity, collaboration, security, and user management tools – and because of user familiarity with many of the tools – Google Workspace is a popular choice for healthcare organizations who can (for example) use the service to provide healthcare to patients remotely and coordinate patient care plans across multiple care providers.
With regards to how Google Drive is used in healthcare, organizations can create a patient folder in a shared drive and populate it with notes, test results, diagnoses, and treatment plans that can be accessed by individual care providers with the appropriate permissions. However, in order to use Google Drive for this purpose, Google Drive has to be HIPAA compliant.
Is Google Drive HIPAA Compliant?
In order for any software to be HIPAA compliant, it must include capabilities to support compliance with the Technical Safeguards of the Security Rule (45 CFR §164.312). In the context of answering the question "is Google Drive HIPAA compliant?", the service must include access controls (including unique user identification and automatic logoff), person or entity authentication, audit and event logs, and integrity controls. It must also encrypt data at rest and in transit.
Not all Workspace plans have these capabilities. So, if a healthcare organization is going to use Google Drive to create or store patients’ health information, it must either upgrade to a Workspace plan with the necessary capabilities, or implement additional security measures that fill the gaps. It must also enter into a Business Associate Agreement with Google.
Google’s Business Associate Agreement
Google’s Business Associate Agreement is an “Addendum” to its service agreement that covers certain services in the Workspace suite of tools. Like many Business Associate Agreements offered by software companies, it is a “one-size-fits-all” agreement that lists Google’s responsibilities and customers’ obligations (i.e., to limit PHI to covered services, manage user access, etc.).
To enter into the Addendum, plan administrators have to log into the Admin console, navigate to the Legal and Compliance section, and accept the Addendum before any Workspace service is used to create, collect, store, or transmit PHI. It is also advisable to download a copy of the document to file offline in the event of a compliance review by HHS’ Office for Civil Rights.
Making Google Drive HIPAA Compliant
Once the Addendum to the service agreement has been reviewed and accepted, it will be necessary to make Google Drive HIPAA compliant by configuring each component of the Workspace suite so it can be used in compliance with HIPAA. Google provides a HIPAA Implementation Guide to help administrators with this process, but notes that the Guide does not guarantee HIPAA compliance.
The final stage of making Google Drive HIPAA compliant is to train members of the workforce to use the service in compliance with HIPAA. The level of training required will depend on how stringently the administrative controls have been applied, but it may still be necessary to warn members of the workforce against sharing passwords or sharing files outside the controlled domain.
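The control most often undone by ordinary use is the one mentioned above: a file with PHI shared by link or with an address outside the organization's domain. The following is an added example, not code from the original page or from Google, of how an administrator can audit for that. It runs offline over constructed records shaped like a Drive API v3 `files.list` response that requested the `permissions(type,role,emailAddress,domain)` fields; in production the same function would be fed the live response retrieved with a service account that has domain-wide delegation (an assumption about the deployment, not something the code sets up). The domain `example-clinic.org`, the file names and the addresses are all made up.

```python
"""Flag Google Drive files whose sharing reaches outside the organization's domain.

Added example for this article. The input shape follows the Drive API v3
permission resource: type is one of user, group, domain, anyone;
emailAddress is set for user/group; domain is set for type == "domain".
"""
from dataclasses import dataclass

# Assumption: the organization's Google Workspace primary domain.
ALLOWED_DOMAIN = "example-clinic.org"


@dataclass(frozen=True)
class Finding:
    file_id: str
    name: str
    role: str      # the access level granted (reader, commenter, writer, owner)
    reason: str    # why this permission is considered external


def _email_domain(email: str) -> str:
    """Return the lower-cased domain part of an address, or "" if malformed."""
    return email.rsplit("@", 1)[-1].lower() if "@" in email else ""


def external_sharing_findings(files, allowed_domain=ALLOWED_DOMAIN):
    """Return one Finding per permission that grants access outside allowed_domain.

    files: iterable of dicts with "id", "name" and a "permissions" list
    (the fields requested from files.list). Permissions limited to users,
    groups or the whole domain of allowed_domain are considered internal.
    """
    allowed = allowed_domain.lower()
    findings = []
    for f in files:
        for p in f.get("permissions", []):
            ptype = p.get("type")
            role = p.get("role", "unknown")
            if ptype == "anyone":
                # Link sharing: anyone holding the URL can open the file.
                findings.append(Finding(f["id"], f["name"], role,
                                        "shared with anyone who has the link"))
            elif ptype in ("user", "group"):
                email = p.get("emailAddress", "")
                if _email_domain(email) != allowed:
                    findings.append(Finding(f["id"], f["name"], role,
                                            f"shared with external {ptype} {email or '<no address>'}"))
            elif ptype == "domain":
                dom = p.get("domain", "").lower()
                if dom != allowed:
                    findings.append(Finding(f["id"], f["name"], role,
                                            f"shared with external domain {dom or '<no domain>'}"))
    return findings


# Constructed sample data, shaped like a files.list response body["files"].
SAMPLE_FILES = [
    {"id": "file-1", "name": "Patient 0421 care plan", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "a.lee@example-clinic.org"},
        {"type": "user", "role": "writer", "emailAddress": "J.Ortiz@Example-Clinic.org"}]},
    {"id": "file-2", "name": "Lab results March", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "a.lee@example-clinic.org"},
        {"type": "anyone", "role": "reader"}]},
    {"id": "file-3", "name": "Discharge summary", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "j.ortiz@example-clinic.org"},
        {"type": "user", "role": "reader", "emailAddress": "relative@gmail.com"}]},
    {"id": "file-4", "name": "Staff rota", "permissions": [
        {"type": "domain", "role": "reader", "domain": "example-clinic.org"}]},
]


if __name__ == "__main__":
    for finding in external_sharing_findings(SAMPLE_FILES):
        print(f"{finding.file_id} ({finding.name}): {finding.role} - {finding.reason}")
```

Run against the sample data, the audit reports file-2 (link sharing) and file-3 (an external Gmail address) and stays silent on the two files restricted to the organization's own users and domain. Case differences in addresses are normalised so a mixed-case internal address is not misreported. The same check belongs in a scheduled job rather than a one-off review, since a single click on "Anyone with the link" re-creates the exposure the sharing policy was meant to prevent.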
Get Help if Further Help is Required
How much configuration Google Drive and the other tools in the Workspace suite need depends on how the service is going to be used and what other solutions are integrated into the suite, but in most cases it is straightforward. Training members of the workforce to use Google Drive in compliance with HIPAA should also be straightforward, as many will have had experience of using Drive in a personal account.
However, if your organization experiences difficulties making Google Drive HIPAA compliant or using Google Drive in compliance with HIPAA, it is advisable to seek further help from a compliance expert. The failure to make Google Drive HIPAA compliant or use the service in compliance with HIPAA could have serious consequences if a misconfiguration or misuse results in a data breach.