Is Google Drive HIPAA Compliant?

With the huge range of cloud storage solution providers in the market and the increasing push for organizations to explore the possibilities offered by these services, many parties in the health care sector are asking themselves whether Google Drive is compliant with the Health Insurance Portability and Accountability Act, more widely known as HIPAA.

Given Google’s scale, wide range of services, image as a technology leader, and people’s familiarity with its products such as Gmail or Google Search in their daily lives, it is completely understandable that there would be a lot of interest in whether Google’s online storage solution, Google Drive, could be used in compliance with HIPAA. Indeed, the ubiquity of Google’s consumer and free-to-use software could easily place it top-of-mind when people try to think of an online storage provider.

Is Google Drive HIPAA Compliant?

The answer to whether Google Drive is HIPAA compliant is, somewhat frustratingly, both yes and no. As with the majority of software solutions and tools, HIPAA compliance for Google Drive depends far more on how the individual or team uses it than on how the system itself is built or maintained. So long as the necessary options are present in the tool, the supplier has in a sense done their job; it is up to the user – the HIPAA covered entity – to ensure that all settings have been correctly configured and that any required monitoring is being adequately conducted.

Google Drive is part of a larger array of services known as G Suite, formerly known under the moniker Google Apps. G Suite can be used in a HIPAA compliant manner – it has the necessary measures to fulfil all of the relevant HIPAA requirements. Since it has these elements in place, it can be used to store or transfer Protected Health Information (PHI).

Business Associate Agreement

Before Google Drive, G Suite, or any other service can be used in a HIPAA compliant manner, the covered entity and the service provider must enter into a Business Associate Agreement (BAA). Google has standard BAAs that cover G Suite or Google Drive, which includes Google Docs, Google Sheets, Google Slides, and Google Forms, and it is up to the covered entity to review this to ensure it meets all their requirements. It should be noted, however, that Google will only enter into a BAA with paying users.

Once the BAA has been reviewed and signed by both parties, the covered entity should ensure that all the necessary settings are in place and correctly configured, as well as establishing procedures to carry out any monitoring or auditing that may be required. Members of staff must also be trained in how they can use the tool in a HIPAA compliant manner to avoid potential security breaches insofar as possible. They should also be informed of online security best practices and the dangers that can be associated with unknown files or file types.

Information that is uploaded to Google Drive is encrypted by Google, but this encryption applies only while the information is held on Google’s servers. PHI or files that are downloaded to local storage will not be protected by this encryption, and organizations should ensure that their internal servers and IT infrastructure have sufficient protections in place to safeguard such data once it leaves Google Drive.