With the ever-growing importance of data privacy and security, it’s no wonder that many healthcare organizations are asking the question: “Is Google Drive HIPAA compliant?” As one of the world’s most popular cloud-based storage solutions, millions of people use Google Drive daily to store and share their personal and professional documents. But when it comes to handling sensitive medical information, can we trust that this platform meets the strict requirements set forth by the Health Insurance Portability and Accountability Act (HIPAA)?
In this article, we’ll explore whether or not Google Drive is HIPAA compliant and what you need to know if you’re considering using this service for your healthcare organization.
Google Business Associate Agreements
Before a healthcare organization can transmit PHI to a vendor, they must first have a signed business associate agreement (BAA). A BAA is a contract that states that both entities are HIPAA compliant and each organization is responsible for their own compliance. Google offers a BAA for Google Drive and other G Suite apps for the paid version of their software. Users using the free version will be unable to obtain a BAA from Google.
However, organizations must ensure that they are sharing PHI using Google services that are specified in the BAA. G Suite has the option to sync with third-party apps for ease of use, begging the question, is G Suite HIPAA compliant? Third-party apps are not covered by a Google BAA therefore organizations wishing to use a third-party app to transmit or store PHI must secure a BAA from the third-party.
Google Drive HIPAA Compliant with Proper Configuration
Although Google encrypts data, that only includes data on their servers. A user that downloads a file to their device should ensure that there is proper security on their device. Google Drive as is, is not HIPAA compliant. Before an organization can use G Suite for PHI, they must properly configure settings to account for HIPAA compliance.
For Google Drive to be HIPAA Compliant the following must be implemented:
- Secure a Google BAA
- Implement access controls
- Enable 2-factor authentication
- Turn off link sharing and file syncing
- Sharing files outside the domain must be restricted
- Use unique passwords
- Set document visibility to private
- Disable offline storage, third-party app, and add-ons
- Regularly audit account logs, access, and shared file reports
- Ensure that ‘manage alerts’ setting is turned on to notify administrators of changes to settings
- Google Drive data must be backed up
- Train staff on how to use G Suite in a HIPAA compliant manner
- DO NOT put PHI as the title of a file
Is Google Drive HIPAA compliant? To ensure that G Suite is properly configured for HIPAA compliant usage, Google released a guide to help users implement proper controls.
Organizations working in healthcare have a responsibility to be HIPAA compliant. Before implementing a new software or technology it is important that organizations understand what needs to be done to make it HIPAA compliant. To use any software to transmit or store PHI, there must be a signed BAA. In addition, some software will need to be configured to make it HIPAA compliant.
Do You Need Help with Vendor Management?
Compliancy Group can help! Our cloud-based compliance software the Guard™ has everything you need to vet your vendors, document your due diligence, and provide you with business associate agreements. Find out how Compliancy Group can help you Achieve, Illustrate, and Maintain™ HIPAA compliance!
