Is Google Drive HIPAA Compliant?
Privacy and security are paramount in the medical profession, but many providers want to take advantage of the efficiency that comes with cloud storage platforms. So, can medical professionals use Google Drive? Is Google Drive HIPAA compliant?
Find out how you can use Google Drive to increase productivity in your practice while maintaining your HIPAA compliance in this article.
What Is Protected Under HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) governs the privacy expectations and rights of patients when it comes to their personal and medical information. Providers must follow all HIPAA regulations to make sure that this information is stored, shared, and used in an appropriate way.
Protected Health Information, or PHI, is the type of information that HIPAA protects. It can also be referred to as e-PHI when talking about digital information, such as what is stored in Google Drive. PHI and e-PHI can include:
- Patient claims, such as type of claim or date of claim
- Patient inquiries, including those that do not result in a claim
- Referral authorization requests, such as from a primary care physician to a specialist
- Patient’s past, present, or future medical condition, as well as any associated symptoms or diagnoses
- Payment information, including credit card information and insurance information
- Identifying patient information, such as name, date of birth, or address
It is crucial that medical providers know and understand HIPAA regulations before they start to store and/or use patient information in the cloud. Because cloud storage platforms, such as Google Drive, are such useful collaboration tools, they can also become a vulnerability to protect PHI.
One of the biggest risks with using cloud storage and failing to follow HIPAA laws is in how individual users (providers and staff) actually share, store, and use the PHI stored in their Google Drive.
If providers fail to follow HIPAA regulations, they can face serious fines, damaging their reputations and potentially losing their license.
Fortunately, Google Drive can be HIPAA-compliant with some additional user protocols in place.
How to Use HIPAA-Compliant Google Drive
The actual Google Drive platform is HIPAA-compliant, as the servers themselves are adequately secure and protected. The additional steps required to make the use of Google Drive HIPAA-compliant come in how the users themselves interact with the information stored on their Google Drive.
Before storing any PHI in Google Drive or using any of the services of the Google platform with any information that is protected under HIPAA, users must sign a Business Associate Amendment (BAA), sometimes called a Business Associate Addendum, with Google.
This is reviewed and accepted by the administrator for your Google Workspace license. The administrator can find the BAA under the main menu of their administrator console by clicking on Account Settings and going to the Legal and Compliance tab.
Under the Security and Privacy Additional Terms, look for the menu for Google Workspace/Cloud Identity HIPAA Business Associate Amendment.
The administrator will then be able to review and accept the BAA by answering three questions and clicking OK.
HIPAA and Google
HIPAA regulations require that all medical providers protect PHI and e-PHI, including that information stored in the cloud on Google Drive.
Most of Google Drive’s functionality is covered under the approved BAA, but not all services can be used with PHI.
RELATED: Is Google Meet HIPAA Compliant?
Third-party add-on applications are almost never covered under the BAA with Google. This means that providers and staff can use programs offered by Google, such as Google Docs, Google Sheets, Gmail, Calendar, and others, but they may not use add-on applications from other vendors.
How Can I Restrict Access to PHI in Google?
One of the best ways to ensure compliance with HIPAA regulations when using Google Drive is to restrict who can access certain types of files or folders within your Drive or Workspace.
The administrator can restrict access to individual files or folders, as well as regulate the type of sharing permissions that the Workspace as a whole can provide. They can also monitor for unauthorized access and use.
A lot of the protocols for the organization or practice required to follow HIPAA regulations can be put in place by the account administrator.
Some of the best steps to take include:
- Restricting sharing ability of files
- Only allow sharing within the organization
- Disable third-party apps
- Disable offline storage
- Perform periodic checks
- Train employees about HIPAA regulations
- Develop a file naming convention that does not include PHI in titles
Individuals creating Google Docs, Sheets, Slides, or folders can control who is able to view, comment, and share on their files. Files containing PHI should only be shared with those authorized to view and use that information.
This likely means that not everyone in the organization needs access to all documents.
Those in positions of leadership should also make sure that all employees are trained on HIPAA compliance. User error is one of the most common ways that organizations fall into non-compliance and have to face fines.
Best Practices for Google Drive Security
Keeping your Google account secure is a great safeguard against unauthorized access to documents containing PHI.
Some steps can be set up by an administrator, such as requiring users to use two-factor authentication when logging into their account.
Other steps are in the control of the individual user, such as using a strong password and not writing their password down on a place easily seen by unauthorized users.
Another place to be mindful when using Google Workplace and its tools, including Google Drive, is to keep PHI out of document or event titles.
While you may have the document viewing or sharing permissions correct and in accordance with HIPAA, if you include identifying information or other PHI in the title, unauthorized users can still view the title of the document.
Storing Encrypted Documents in Google Drive
Many providers ask about encryption as a way to further protect documents containing PHI within their online cloud storage platform.
Google uses encryption to protect its servers but does not provide a document encryption tool within Google Drive.
However, this does not mean that you can’t use encrypted files and store them in your Drive.
You will need to encrypt your document on your computer using a password protection feature before you upload it to Google Drive. You will not be able to edit encrypted documents within Google Drive, but you can still share them with colleagues. Just make sure that they are authorized to use and access the PHI stored in the document.
Your colleagues will also need to be able to unencrypt the document once they download it to their own computer, often by entering a password.
This is a great way to make sure that only users able to use PHI in accordance with HIPAA laws can open and view a document, and offers an added layer of security over the sharing permissions offered in Drive.
Your Google Drive HIPAA Compliance
Using Google Drive in a medical practice or other organization required to follow HIPAA regulations can boost efficiency and make the entire workplace collaborate more effectively.
While it does take some additional steps and care to ensure Protected Health Information is kept private and secure, the benefits of using an online cloud storage platform like Google Drive make it worth the effort for most providers.
If you're interested in learning how Google Workspace could work for your medical practice or office, reach out. As a Google Cloud Premier Partner, Suitebriar has the experience and know-how to assist with a flawless roll-out at your organization.