Google Docs and Google Drive are tools that facilitate document sharing, but can they be used to share documents containing protected health information (PHI)? Is using Google Docs HIPAA compliant?
Is using Google Docs HIPAA compliant?
The answer to whether using Google Docs is HIPAA compliant is both yes and no. Whether a tool is HIPAA compliant depends less on the technology behind it and more on how it is configured and used. Software or online storage solutions that are designed and marketed as HIPAA compliant can still be used in ways that violate the HIPAA Rules.
Google Apps – now known as G Suite – covers a range of Google tools, including Google Drive. G Suite does support HIPAA compliant solutions. Use of a G Suite service does not in itself violate HIPAA Rules, but users must ensure that they follow all applicable regulations.
G Suite has options and all the required controls to allow it to be HIPAA compliant, and it can therefore be used to share PHI by HIPAA-covered entities – so long as appropriate rules are followed, the settings are correctly applied, and appropriate security measures are implemented.
Before any software or online storage solution is used to create, receive, maintain, or transmit PHI, the vendor must sign a business associate agreement (BAA) with the HIPAA-covered entity that addresses all of the elements HIPAA requires of such an agreement. Google will sign BAAs covering the use of G Suite services such as Google Drive, which includes Docs, Sheets, Slides, and Forms. However, this is only available to paying (business or enterprise) accounts, not to free consumer Google accounts.
It is important that the covered entity review and sign the BAA with Google before any PHI is entered into any Google service. The BAA may not cover all Google services, so it is essential to note which services are specifically mentioned in the BAA. The BAA will also not cover any third party services, even if they are used in conjunction with G Suite. BAAs must be obtained from each individual provider or developer of the services used.
Even with a signed BAA, a HIPAA-covered entity remains responsible for ensuring that all settings and controls are correctly in place when using the service to process or store PHI. Google does not accept liability for any misconfiguration of G Suite services by the customer.
Covered entities should also be aware that although Google encrypts data uploaded to Google Drive and Google Docs, both in transit and at rest on Google's servers, that protection ends once a file leaves Google's infrastructure. Any file that is downloaded or synced to a laptop, phone, or other endpoint needs its own safeguards, such as full-disk encryption and device management. Whether syncing can be done in a HIPAA compliant manner is outside the scope of this piece; the simplest course is to disable syncing.
In order to avoid breaking any HIPAA Rules, covered entities should:
- Sign a BAA with Google before inputting any PHI into G Suite services
- Ensure all necessary settings are correctly in place
- Enable 2-Step Verification (two-factor authentication) for all accounts, and enforce it at the domain level rather than leaving it to individual users
- Set strong passwords
- Disable syncing
- Disable link sharing
- Restrict file-sharing outside of the domain (if external access is needed, Google can advise)
- Ensure visibility of documents is private
- Do not allow offline storage for Google Drive
- Turn off third party add-ons and Marketplace apps, since these are not covered by Google's BAA
- Do not allow third party apps or add-ons to be granted OAuth access to Drive data, and review any existing grants
- Conduct regular audits of access logs, account logs, and shared file reports
- Set alerts to notify administrators of any change to configurations
- Ensure all data uploaded to Google Drive is backed up
- Ensure staff are trained in the appropriate use of Google Drive and G Suite services
- Ensure file names do not contain PHI, since file names appear in places such as audit logs, sharing notifications, and email subject lines that are not protected in the same way as document contents
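The "regular audits of shared file reports" item above is easier to act on with a script than by reading reports by hand. The following is an added example, not code from the original article or from Google: it audits Drive sharing permissions offline against the checklist above (link sharing, sharing outside the domain, and PHI in file names). The sample records are constructed to match the shape of the Google Drive API v3 `permissions` resource (`type`, `role`, `emailAddress`, `domain`, `allowFileDiscovery`); the domain `example-clinic.org` and the PHI file-name heuristic are assumptions for illustration, not Google's own guidance, and a keyword heuristic cannot detect patient names, so it only supplements staff training.

```python
"""Offline audit of Google Drive sharing permissions against the checklist above.

Added example. The records below are CONSTRUCTED to look like Google Drive
API v3 `files` resources with the `permissions` field expanded; they are not
real API output. In a live audit you would fetch them with
`files.list(fields="files(id,name,permissions)")` and feed them to
audit_drive() unchanged.
"""
from __future__ import annotations

import re
from typing import Any

# Assumption: the covered entity's own domain(s). Anything outside is "external".
ALLOWED_DOMAINS = {"example-clinic.org"}

# Assumption: crude heuristic for PHI in file names. It catches obvious
# identifiers (MRN/SSN labels, 9-digit runs) but NOT patient names.
PHI_NAME_PATTERN = re.compile(r"\b(MRN|SSN|DOB)\b|\b\d{9}\b", re.IGNORECASE)

# Constructed sample: one compliant file and two with findings.
SAMPLE_FILES: list[dict[str, Any]] = [
    {
        "id": "file-001",
        "name": "intake-form-template",
        "permissions": [
            {"type": "user", "role": "owner", "emailAddress": "alice@example-clinic.org"},
            {"type": "user", "role": "writer", "emailAddress": "bob@example-clinic.org"},
        ],
    },
    {
        "id": "file-002",
        "name": "visit-notes-2023-q3",
        "permissions": [
            {"type": "user", "role": "owner", "emailAddress": "alice@example-clinic.org"},
            # "anyone" + allowFileDiscovery=False is "anyone with the link"
            {"type": "anyone", "role": "reader", "allowFileDiscovery": False},
        ],
    },
    {
        "id": "file-003",
        "name": "John Smith MRN 123456789 labs",
        "permissions": [
            {"type": "user", "role": "owner", "emailAddress": "carol@example-clinic.org"},
            {"type": "user", "role": "reader", "emailAddress": "billing@outside-vendor.com"},
            {"type": "domain", "role": "reader", "domain": "partner-hospital.org"},
        ],
    },
]


def _email_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def audit_file(file: dict[str, Any], allowed_domains: set[str]) -> list[str]:
    """Return finding codes for one file; an empty list means no issue found."""
    findings: list[str] = []
    for perm in file.get("permissions", []):
        ptype = perm.get("type")
        if ptype == "anyone":
            # Discoverable = public on the web; otherwise link sharing. Both violate the checklist.
            findings.append("public-link" if perm.get("allowFileDiscovery") else "link-sharing")
        elif ptype == "domain":
            domain = perm.get("domain", "").lower()
            if domain not in allowed_domains:
                findings.append(f"external-domain:{domain}")
        elif ptype in ("user", "group"):
            address = perm.get("emailAddress", "")
            if _email_domain(address) not in allowed_domains:
                findings.append(f"external-user:{address}")
    if PHI_NAME_PATTERN.search(file.get("name", "")):
        findings.append("phi-in-name")
    return findings


def audit_drive(files: list[dict[str, Any]], allowed_domains: set[str]) -> dict[str, list[str]]:
    """Map file id -> findings, including only files that have at least one finding."""
    report: dict[str, list[str]] = {}
    for file in files:
        findings = audit_file(file, allowed_domains)
        if findings:
            report[file["id"]] = findings
    return report


if __name__ == "__main__":
    for file_id, findings in audit_drive(SAMPLE_FILES, ALLOWED_DOMAINS).items():
        print(f"{file_id}: {', '.join(findings)}")
```

Run on a schedule against real `files.list` output, the report gives administrators a concrete list of files to fix rather than a setting to trust; pairing it with the admin alerts in the checklist catches sharing that was allowed after the initial configuration review.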
Google has published a HIPAA Compliance Guide for G Suite services to help HIPAA-covered entities to correctly implement and use G Suite and Google Docs.