In a nutshell, yes, Google Drive is HIPAA compliant; but, before it can be utilized in a HIPAA compliant way, additional controls must be applied.
Privacy and security are paramount in the medical profession, but many providers want to take advantage of the efficiency that comes with cloud storage platforms. That’s why so many people have been asking if Google Drive is safe for use by healthcare organizations and professionals.
Wheelhouse IT can help you with your Google Drive cloud storage compliance needs. We offer the best in HIPAA compliant cloud storage, so you don’t have to worry about security or privacy issues. Our team of experts will make sure that all of your data is safe and secure. In this article, we discuss the answer to the question: Is Google Drive HIPAA compliant?
What is protected under HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) governs the privacy expectations and rights of patients when it comes to their personal and medical information. A care provider must follow all HIPAA regulations to make sure that this information is stored, shared, and used appropriately in line with the standard security practices.
Protected Health Information, or PHI, is the type of information that HIPAA protects. It can also be referred to as ePHI when talking about digital information, such as what is stored in Google Drive. PHI and ePHI can include:
- Patient claims, such as type of claim or date of claim
- Patient inquiries, including those that do not result in a claim
- Referral authorization requests, such as from a primary care physician to a specialist
- Patient’s past, present, or future medical condition, as well as any associated symptoms or diagnoses
- Payment information, including credit card information and insurance information
- Identifying patient information, such as name, date of birth, or address
If providers fail to follow HIPAA regulations, they can face serious fines, damaging their reputations and potentially losing their license.
But the good news is that, with some additional user protocols in place, Google Drive can be HIPAA-compliant.
HIPAA and Google
HIPAA regulations require that all medical providers protect PHI and ePHI, including the information stored in the cloud on Google Drive. Most of Google Drive’s functionality is covered under the approved BAA, but not all services can be used with PHI.
Third-party add-on applications are almost never covered under the BAA with Google. This means that providers and staff can use programs offered by Google, such as Google Docs, Google Sheets, Gmail, Calendar, and others, but they may not use add-on applications from other vendors.
How to Use HIPAA-Compliant Google Drive
The actual Google Drive platform is HIPAA-compliant, as the servers themselves are adequately secure and protected. The additional steps required to make the use of Google Drive HIPAA-compliant come in how the users themselves interact with the information stored on their Google Drive.
Before storing any PHI in Google Drive or using any of the services of the Google platform with any information that is protected under HIPAA, users must sign a Business Associate Amendment (BAA), sometimes called a Business Associate Addendum, with Google.
This is reviewed and accepted by the administrator for your Google Workspace license. The administrator can find the BAA under the main menu of their administrator console by clicking on Account Settings and going to the Legal and Compliance tab.
Under the Security and Privacy Additional Terms, look for the menu for Google Workspace/Cloud Identity HIPAA Business Associate Amendment. The administrator will then be able to review and accept the BAA by answering three questions and clicking OK.
How Can You Restrict Access to PHI in Google?
One of the best ways to ensure compliance with HIPAA regulations when using Google Drive is to restrict who can access certain types of files or folders within your Drive or Workspace.
The administrator can restrict access to individual files or folders, as well as regulate the type of sharing permissions that the Workspace as a whole can provide. They can also monitor for unauthorized access and use.
Many of the protocols that an organization or practice needs in order to follow HIPAA regulations can be put in place by the account administrator.
Some of the best steps to take include:
- Restrict the ability to share files
- Only allow sharing within the organization
- Disable third-party apps
- Disable offline storage
- Perform periodic checks
- Train employees about HIPAA regulations
- Develop a file naming convention that does not include PHI in titles
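As an added example (not from the article, Wheelhouse IT, or Google), the "only allow sharing within the organization" and "perform periodic checks" items above can be turned into a repeatable audit. The script below walks file records in the shape the Drive API v3 `files.list` call returns when `permissions` are requested, and flags anything shared with the public, an outside domain, or an outside account; the sample records and the organization domain `clinic.example` are constructed assumptions.

```python
"""Offline audit of Google Drive sharing settings for files that may hold PHI.

Input mirrors Drive API v3 files.list results requested with
fields="files(id,name,permissions(type,role,emailAddress,domain))".
The sample records and the organization domain below are constructed.
"""
from dataclasses import dataclass

ORG_DOMAIN = "clinic.example"  # assumed Workspace domain of the practice


@dataclass
class Finding:
    file_id: str
    name: str
    issue: str


def audit_sharing(files, org_domain=ORG_DOMAIN):
    """Return one Finding per permission that breaks 'share only within the organization'."""
    findings = []
    for f in files:
        for p in f.get("permissions", []):
            ptype = p.get("type")
            if ptype == "anyone":
                # Link sharing: anyone holding the link can open the file
                findings.append(Finding(f["id"], f["name"], "shared with anyone (link sharing)"))
            elif ptype == "domain":
                dom = p.get("domain", "").lower()
                if dom != org_domain:
                    findings.append(Finding(f["id"], f["name"], f"shared with external domain {dom}"))
            elif ptype in ("user", "group"):
                email = p.get("emailAddress", "").lower()
                if not email.endswith("@" + org_domain):
                    findings.append(Finding(f["id"], f["name"], f"shared with external account {email}"))
    return findings


# Constructed sample: three files as a files.list response might return them
SAMPLE_FILES = [
    {"id": "f1", "name": "intake-form-template", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "nurse@clinic.example"},
        {"type": "domain", "role": "reader", "domain": "clinic.example"}]},
    {"id": "f2", "name": "referral-2024-0412", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "md@clinic.example"},
        {"type": "anyone", "role": "reader"}]},
    {"id": "f3", "name": "claims-q1", "permissions": [
        {"type": "user", "role": "writer", "emailAddress": "billing@clinic.example"},
        {"type": "user", "role": "reader", "emailAddress": "contractor@gmail.example"}]},
]

if __name__ == "__main__":
    for finding in audit_sharing(SAMPLE_FILES):
        print(f"{finding.file_id} {finding.name}: {finding.issue}")
```

In a live deployment the same function would be fed page by page from the Drive API, and each finding would be routed to the administrator for remediation.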
Best Practices for Google Drive Security
Keeping your Google account secure is a great safeguard against unauthorized access to documents containing PHI.
Some steps can be set up by an administrator, such as requiring users to use two-factor authentication when logging into their account.
Other steps are in the control of the individual user, such as using a strong password and not writing their password down in a place easily seen by unauthorized users.
Another place to be mindful when using Google Workspace and its tools, including Google Drive, is to keep PHI out of document and event titles.
Even if a document's viewing and sharing permissions are correct and in accordance with HIPAA, if you include identifying information or other PHI in the title, unauthorized users can still see the title of the document.
HIPAA Compliance in the Cloud
Many individuals may mistakenly believe that health care organizations can’t take advantage of cloud technology and capabilities because of their security limitations. This is not true. However, providers have to configure their chosen cloud in a way that protects patient data and follows privacy and security rules.
If you’re interested in learning how HIPAA compliant Google Drive cloud storage could work for your medical practice or office, Wheelhouse IT is here to help. We specialize in healthcare compliance and can show you how to use Google Drive cloud storage without compromising security. With the right partner, it’s easy to stay on top of compliance regulations while still enjoying all the benefits of cloud-based storage. Let us show you how we can help your business thrive with HIPAA compliant Google Drive.
Contact us today to learn more about our services.