How Does HIPAA Affect Use of Google Drive?

The service G Suite – formerly known as Google Apps, of which Google Drive is a part – is compliant with HIPAA. The service itself does not breach HIPAA Rules; however, users of the service may breach the rules themselves.

G Suite includes all of the security controls required to make it a HIPAA-compliant service and can be used by HIPAA-covered organizations to share PHI (in accordance with HIPAA Rules), once the account is configured correctly and standard security practices are in place.

The use of any software or cloud storage service in conjunction with protected health information requires the vendor of the service to sign a HIPAA-compliant business associate agreement (BAA) before the service is used with any PHI. Google provides a BAA for Google Drive (including Docs, Sheets, Slides, and Forms) and other G Suite apps for paid users only.

Before using any Google service with PHI, it is essential for a covered organization to review, sign and accept the business associate agreement (BAA) with Google. It should be remembered that PHI can only be shared or used via a Google service that is specifically mentioned in the BAA. The BAA will not include any cover for third-party apps that are used in conjunction with G Suite. These must be avoided unless a separate BAA is signed with the provider/developer of that app.

The BAA does not mean a HIPAA-covered organization is then free to use the service with PHI. Google will accept no responsibility for any incorrect configuration of G Suite. It is the covered organization's responsibility to make sure the services are configured properly.

Covered organizations should remember that Google encrypts all data uploaded to Google Drive, but that encryption applies only on Google's servers. If files are downloaded or synced, extra controls will be needed to protect data on devices. HIPAA-compliant syncing is beyond the scope of this article, and it is recommended that syncing always be turned off.

To avoid a HIPAA violation, covered organizations should:

  • Sign a BAA with Google before using G Suite with PHI
  • Configure access controls properly
  • Employ 2-factor authentication for access
  • Put strong passwords in place
  • Switch off file syncing
  • Switch link sharing off
  • Limit sharing of files outside the domain (Google offers advice if external access is required)
  • Set the visibility setting of documents to private
  • Block third-party apps and add-ons
  • Block offline storage for Google Drive
  • Turn off access to apps and add-ons
  • Review access and account logs and shared file reports constantly
  • Configure ‘manage alerts’ to ensure the administrator is warned of any changes to settings
  • Back up all files uploaded to Google Drive
  • Ensure all working staff are trained on the use of Google Drive and other G Suite apps
  • Never include the wording ‘PHI’ in the titles of files
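Several of the items above (link sharing off, no sharing outside the domain, regular review of shared file reports, no ‘PHI’ in file titles) can be checked mechanically against the sharing metadata an administrator exports. The script below is an added example written for this article, not code from Google or from the article's author. It assumes file records in the shape the Drive API v3 returns for a file with its `permissions` list (fields `type`, `role`, `emailAddress`, `domain`), uses a constructed sample in place of a live API call, and uses the placeholder domain `example-clinic.test` as the organization's own domain.

```python
"""Offline audit of Google Drive sharing metadata against the checklist above.

Added example, not from the article or from Google. Input records follow the
Drive API v3 file/permission shape; the sample data below is constructed.
"""
import re

ORG_DOMAIN = "example-clinic.test"   # assumed organization domain (placeholder)

# Constructed sample records in Drive API v3 shape (not real data).
SAMPLE_FILES = [
    {"id": "f1", "name": "Q3 billing summary",
     "permissions": [{"type": "user", "role": "owner", "emailAddress": "admin@example-clinic.test"},
                     {"type": "user", "role": "writer", "emailAddress": "nurse@example-clinic.test"}]},
    {"id": "f2", "name": "Patient PHI export",
     "permissions": [{"type": "user", "role": "owner", "emailAddress": "admin@example-clinic.test"},
                     {"type": "anyone", "role": "reader"}]},          # link sharing enabled
    {"id": "f3", "name": "Referral letters",
     "permissions": [{"type": "user", "role": "owner", "emailAddress": "admin@example-clinic.test"},
                     {"type": "user", "role": "reader", "emailAddress": "friend@gmail.example"}]},
    {"id": "f4", "name": "Staff roster",
     "permissions": [{"type": "user", "role": "owner", "emailAddress": "admin@example-clinic.test"},
                     {"type": "domain", "role": "reader", "domain": "partner-lab.test"}]},
]

PHI_IN_TITLE = re.compile(r"\bphi\b", re.IGNORECASE)   # whole word only, so "Philadelphia" is not flagged


def audit_file(record, org_domain=ORG_DOMAIN):
    """Return a list of (finding, detail) tuples for one file record."""
    findings = []
    name = record.get("name", "")
    if PHI_IN_TITLE.search(name):
        findings.append(("phi_in_title", name))
    for perm in record.get("permissions", []):
        ptype = perm.get("type")
        if ptype == "anyone":
            # "anyone" permissions are exactly what "link sharing" grants
            findings.append(("link_sharing", perm.get("role")))
        elif ptype == "domain" and perm.get("domain", "").lower() != org_domain:
            findings.append(("external_domain", perm.get("domain")))
        elif ptype in ("user", "group"):
            email = perm.get("emailAddress", "").lower()
            if not email.endswith("@" + org_domain):
                findings.append(("external_user", email))
    return findings


def audit_files(records, org_domain=ORG_DOMAIN):
    """Return {file_id: findings} for every file with at least one finding."""
    report = {}
    for rec in records:
        found = audit_file(rec, org_domain)
        if found:
            report[rec["id"]] = found
    return report


if __name__ == "__main__":
    for fid, findings in audit_files(SAMPLE_FILES).items():
        for kind, detail in findings:
            print(f"{fid}: {kind} -> {detail}")
```

Run against a real export, the report lists only files that need attention, which is what a periodic review of shared file reports should produce; a file owned and shared solely inside the organization's domain (such as `f1`) generates no findings.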

To help HIPAA-covered organizations use G Suite and Google Drive correctly, Google has issued a Guide for HIPAA Compliance with G Suite.

Author: Maria Perez