Is Google Docs HIPAA Compliant?

by

Can Google Docs be considered as HIPAA compliant? Is uploading of files with protected health information (PHI) to Google Docs allowed? This post will evaluate the HIPAA compliance of Google Docs and determine if HIPAA-covered entities or business associates can use it in conjunction with ePHI.

Does Google Docs Encrypt Files?

To be HIPAA compliant, the saved files on Google Docs must be encrypted. Stored and transmitted information must be encrypted. This platform of Google uses 128-bit Advanced Encryption Standard (AES) to protect data in transit and stored files in its data servers.

Is Google Classified as a Conduit?

According to the Department of Health and Human Services, cloud service providers aren’t classified as conduit. Therefore, the HIPAA Conduit Exception Rule does not apply to cloud service providers. Instead, cloud service providers are classified as business associates, even if the service provider does not view or access the saved data in client accounts.

Will Google Sign a Business Associate Agreement for Google Docs?

Given that Google Docs is viewed as a business associate, a signed business associate agreement between Google and the HIPAA-covered entity is required prior to using Google Docs with any ePHI. Other cloud service providers also sign BAA’s with HIPAA-covered entities. Nonetheless, the BAA must be reviewed to ascertain if a particular service is covered.

When clients purchase G Suite Enterprise, Google signs a BAA with them. It is stated in the terms and conditions of the BAA that Google Docs is included with Google Drive and is covered by the BAA.

Google warns HIPAA-covered healthcare providers not to use G Suite in connection with files having ePHI until Google signs a BAA. Any misuse of services is not the responsibility of Google. The covered entity or business associate should make sure to use the service in such a way that complies with HIPAA Rules. Configure access controls properly. Train your staff on the proper use of G Suite. There’s a handy guide provided by Google to HIPAA covered entities to assist with setting up G Suite correctly.

Is Google Docs HIPAA Compliant?

There is no software program or cloud service that is 100% HIPAA-compliant. HIPAA compliance is determined by the way the service is used and not by the controls available. With that in mind, entities may use Google Docs without HIPAA Rules violation.

Remember to enter into a BAA with Google before adding any file with ePHI to Google Docs. Subsequently, training must be provided to users of Google Docs concerning the requirements of HIPAA when using the service with ePHI.

Files containing ePHI ought to be uploaded only to private accounts and must not be open to the public. Be sure to set up specific permissions to authorize people in accessing the documents/accounts. Additionally, don’t use PHI when naming files for upload to Google Docs.

When all guidelines mentioned are followed, for sure Google Docs is considered HIPAA compliant.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]