Google Drive HIPAA Compliant with Proper Configuration
Although Google encrypts data, that encryption only covers data stored on Google's servers; a user who downloads a file to a device must make sure the device itself is adequately secured. Google Drive is not HIPAA compliant as delivered. Before an organization can use G Suite for PHI, it must configure the settings to meet HIPAA requirements.
For Google Drive to be HIPAA Compliant the following must be implemented:
- Secure a Google BAA
- Implement access controls
- Enable 2-factor authentication
- Turn off link sharing and file syncing
- Restrict sharing of files outside the domain
- Use unique passwords
- Set document visibility to private
- Disable offline storage, third-party apps, and add-ons
- Regularly audit account logs, access, and shared file reports
- Ensure that the ‘manage alerts’ setting is turned on so that administrators are notified of changes to settings
- Back up Google Drive data
- Train staff on how to use G Suite in a HIPAA compliant manner
- DO NOT put PHI in the title of a file
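Three of the items above (restricting sharing outside the domain, turning off link sharing, and keeping PHI out of file titles) can be checked from a shared-file report on a recurring basis, which is what the "regularly audit" item calls for. The script below is an added example and is not from this page, Compliancy Group, or Google. It assumes a simple CSV export with the columns `file_title`, `owner`, `shared_with`, and `visibility`; that column layout, the `anyone_with_link` marker, the `clinic.example` domain, and the sample rows are all constructed for illustration and do not reflect Google's actual report schema, so map the real export's columns before using it.

```python
import csv
import io
import re
from dataclasses import dataclass

# Constructed sample of a shared-file report export. The column names and the
# "anyone_with_link" marker are assumptions for this example, not Google's schema.
SAMPLE_REPORT = """\
file_title,owner,shared_with,visibility
lab-results-q3.pdf,alice@clinic.example,bob@clinic.example,private
John Doe SSN 123-45-6789.docx,alice@clinic.example,alice@clinic.example,private
budget-2024.xlsx,carol@clinic.example,anyone_with_link,link
referral-notes.docx,dave@clinic.example,partner@other-hospital.example,private
"""

# The organization's own domain (constructed value); anything else is external.
ORG_DOMAIN = "clinic.example"

# Patterns that suggest PHI has leaked into a file title. Titles are visible in
# share notifications and audit logs, so they must not carry identifiers.
PHI_TITLE_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                  # SSN-shaped number
    re.compile(r"\b(ssn|mrn|dob|diagnosis)\b", re.IGNORECASE),
]


@dataclass
class Finding:
    file_title: str
    rule: str      # which checklist item the row violates
    detail: str    # the value that triggered the rule


def audit_sharing_report(csv_text, org_domain=ORG_DOMAIN):
    """Return a Finding for every row that violates one of the checklist items."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        title = row["file_title"]
        target = row["shared_with"]

        # Link sharing / non-private visibility: anyone with the link can read the file.
        if row["visibility"] != "private" or target == "anyone_with_link":
            findings.append(Finding(title, "link_sharing", f"visibility={row['visibility']}"))
        # Explicit share to an account outside the organization's domain.
        elif "@" in target and target.rsplit("@", 1)[1].lower() != org_domain:
            findings.append(Finding(title, "external_share", target))

        # PHI in the title is flagged regardless of how the file is shared.
        for pattern in PHI_TITLE_PATTERNS:
            if pattern.search(title):
                findings.append(Finding(title, "phi_in_title", pattern.pattern))
                break
    return findings


def summarize(findings):
    """Count findings per rule so an administrator can see which control is slipping."""
    counts = {}
    for finding in findings:
        counts[finding.rule] = counts.get(finding.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit_sharing_report(SAMPLE_REPORT):
        print(f"{f.rule:15} {f.file_title!r}: {f.detail}")
    print(summarize(audit_sharing_report(SAMPLE_REPORT)))
```

On the constructed sample this reports one link-shared spreadsheet, one document shared to an outside hospital domain, and one title containing an SSN-shaped number; the first row, shared only inside the domain with a neutral title, produces no finding. Running the same check against each scheduled export gives a record that the shared-file reports were actually reviewed.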
Is Google Drive HIPAA compliant? To help organizations configure G Suite for HIPAA-compliant use, Google has released a guide to implementing the proper controls.
Organizations working in healthcare have a responsibility to be HIPAA compliant. Before implementing new software or technology, an organization should understand what must be done to make it HIPAA compliant. Using any software to transmit or store PHI requires a signed BAA, and some software must also be configured to make it HIPAA compliant.
Do You Need Help with Vendor Management?
Compliancy Group can help! Our cloud-based compliance software the Guard™ has everything you need to vet your vendors, document your due diligence, and provide you with business associate agreements. Find out how Compliancy Group can help you Achieve, Illustrate, and Maintain™ HIPAA compliance!