The Health Insurance Portability and Accountability Act (HIPAA) sets forth industry standards for the privacy and security of protected health information (PHI). PHI is any individually identifiable health information, such as name, birthdate, treatment history, and financial information. As such, healthcare organizations must adopt administrative, physical, and technical safeguards to secure PHI. Many organizations have adopted G Suite because it is an easy way to collaborate and share information with organization members. However, before an organization working in healthcare chooses which technology to use, it must ensure that the technology is HIPAA compliant. That begs the question: is Google Drive HIPAA compliant?
In short, yes, Google Drive is HIPAA compliant. However, specific controls must be implemented before it can be used in a HIPAA compliant manner.
Google Business Associate Agreements
Before a healthcare organization can transmit PHI to a vendor, it must first have a signed business associate agreement (BAA). A BAA is a contract stating that both entities are HIPAA compliant and that each organization is responsible for its own compliance. Google offers a BAA for Google Drive and other G Suite apps for the paid version of its software. Users of the free version will be unable to obtain a BAA from Google.
However, organizations must ensure that they share PHI only through the Google services specified in the BAA. G Suite has the option to sync with third-party apps for ease of use. Third-party apps are not covered by a Google BAA; therefore, organizations wishing to use a third-party app to transmit or store PHI must secure a BAA from the third party.
Google Drive HIPAA Compliant with Proper Configuration
Although Google encrypts data, that protection covers only data on its servers. A user who downloads a file to their device should ensure that the device itself is properly secured. Google Drive, as is, is not HIPAA compliant. Before an organization can use G Suite for PHI, it must properly configure settings to account for HIPAA compliance.
For Google Drive to be HIPAA Compliant the following must be implemented:
- Secure a Google BAA
- Implement access controls
- Enable 2-factor authentication
- Turn off link sharing and file syncing
- Restrict sharing of files outside the domain
- Use unique passwords
- Set document visibility to private
- Disable offline storage, third-party apps, and add-ons
- Regularly audit account logs, access, and shared file reports
- Ensure that the ‘manage alerts’ setting is turned on to notify administrators of changes to settings
- Back up Google Drive data
- Train staff on how to use G Suite in a HIPAA compliant manner
- DO NOT put PHI as the title of a file
Is Google Drive HIPAA compliant? To ensure that G Suite is properly configured for HIPAA compliant usage, Google released a guide to help users implement proper controls.
Organizations working in healthcare have a responsibility to be HIPAA compliant. Before implementing new software or technology, it is important that organizations understand what needs to be done to make it HIPAA compliant. To use any software to transmit or store PHI, there must be a signed BAA. In addition, some software will need to be configured to make it HIPAA compliant.
Do You Need Help with Vendor Management?
Compliancy Group can help! Our cloud-based compliance software the Guard™ has everything you need to vet your vendors, document your due diligence, and provide you with business associate agreements. Find out how Compliancy Group can help you Achieve, Illustrate, and Maintain™ HIPAA compliance!
Need Help with HIPAA?
Let our complete HIPAA solution handle it.